Advanced CyberChef Techniques for Configuration Extraction – Detailed Walkthrough and Examples

The article demonstrates advanced CyberChef techniques (Registers, Regular Expressions, Fork/Merge, Subtract, AES Decrypt, Drop Bytes, Gunzip) chained into a 22-operation recipe to extract configuration and stages from a multi-stage NetSupport loader sample. It walks through three decoding stages: decimal-array subtraction to reveal a PowerShell AES-encrypted blob, extraction of key and IV via regex/registers, AES decryption and GZIP decompression to reveal the final script. #NetSupportLoader #MalwareBazaar

Keypoints

  • Demonstrates advanced CyberChef operations — Registers, Regular Expressions, Flow Control (Fork/Merge), Subtract, AES Decrypt, Drop Bytes, and Gunzip — to automate multi-stage decoding.
  • Sample used: SHA256 befc7ebbea2d04c14e45bd52b1db9427afce022d7e2df331779dae3dfe85bfab (from Malware Bazaar).
  • Stage 1: extract subtraction constant with a Register+regex, Fork the decimal array by commas, append the constant, Subtract, then From Decimal to reveal a second-stage PowerShell script.
  • Stage 2: Register+regex to capture a 44-char Base64 AES key, extract the Base64 blob, Base64-decode, Register the first 16 bytes as IV, Drop those 16 bytes, AES Decrypt (using registers for key/IV), remove trailing NULLs, then Gunzip to obtain stage 3.
  • Stage 3: same pattern as stage 1 but with multiple arrays and a different subtraction constant (e.g., 4274); uses nested Forks to separate arrays and values, append key, Subtract, and From Decimal to reconstruct final text.
  • Recipe is portable across similar samples by leveraging regex-based registers instead of hardcoding keys/values, enabling automated extraction for NetSupport loader variants.
  • Total recipe uses 22 CyberChef operations to fully decode all three stages in one continuous workflow.

MITRE Techniques

  • [T1027] Obfuscated Files or Information – Script contents and configuration are hidden in decimal integer arrays: “obfuscated using a large array of decimal integers.”
  • [T1059] Command and Scripting Interpreter – PowerShell staged scripts are used to execute and unpack payloads: “a powershell script utilising AES decryption.”
  • [T1132] Data Encoding – Use of Base64 to hide payloads: “large AES Encrypted and Base64 encoded blob.”
  • [T1140] Deobfuscate/Decode Files or Information – Use of CyberChef operations to reverse obfuscation and encryption: “use CyberChef operations to reverse the obfuscation and encryption applied to the malware stages.”
  • [T1105] Ingress Tool Transfer – Multi-stage retrieval and unpacking of additional scripts/content (downloading/extracting further stages) as part of the loader’s operation: “downloading and execution of additional stages of the malware.”

Indicators of Compromise

  • [SHA256] sample – befc7ebbea2d04c14e45bd52b1db9427afce022d7e2df331779dae3dfe85bfab (sample demonstrated from Malware Bazaar)
  • [Source URL] original post – https://embee-research.ghost.io/advanced-cyberchef-operations-netsupport/

This technical walkthrough focuses on building a reusable CyberChef recipe to extract configuration and payloads from a NetSupport loader that uses multi-stage obfuscation. Start by using Register operations combined with targeted regular expressions to capture dynamic values (for example, the subtraction constants and a 44-character Base64 AES key) so the recipe does not rely on hardcoded values. For decimal-array obfuscation, isolate the array with a regex capture group, Fork the data on commas to process each integer independently, append the captured subtraction constant via a regex replacement (using capture groups like $1 and register variables like $R0), apply Subtract to recover ASCII codes, then use From Decimal and Merge to reconstruct the next-stage PowerShell script.

For the AES-encrypted stage, extract the Base64 blob using a regex (list matches), Base64-decode it, and Register the first 16 bytes as the IV using a .{16} capture. Drop the initial 16 bytes from the decoded blob before decryption (Drop Bytes, length 16), then run AES Decrypt while referencing the key and IV from registers, making sure the key and IV input encodings match what the registers hold (Base64 or UTF-8 as appropriate) and that the mode matches the one the script specifies. After decryption, remove trailing null bytes with a regex that matches one or more null bytes anchored at the end of the data (\x00+$), then Gunzip to decompress the result and reveal the final script.
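The stage-2 chain replayed in Python, as an added example that is not code from the original post: the script layout, the variable names, CBC mode and the use of the cryptography library are assumptions, and the sample is constructed inside the block so it runs offline.

```python
import base64
import gzip
import os
import re
import zlib
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes  # assumed available

def build_stage2_sample(plaintext: bytes, key: bytes) -> str:
    """Constructed stand-in for the second-stage script (not the real sample):
    gzip, zero-pad to the block size, AES-256-CBC encrypt, prepend the IV, Base64."""
    data = gzip.compress(plaintext)
    data += b"\x00" * (-len(data) % 16)  # zero padding: the trailing NULLs seen after decryption
    iv = os.urandom(16)
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    blob = iv + enc.update(data) + enc.finalize()
    return (f"$aesKey = '{base64.b64encode(key).decode()}'\n"
            f"$payload = '{base64.b64encode(blob).decode()}'\n")

def decode_stage2(script: str) -> bytes:
    """Register key -> extract blob -> From Base64 -> Register IV -> Drop Bytes 16
    -> AES Decrypt -> Gunzip, in the same order as the CyberChef recipe."""
    # Register: a standalone 44-character Base64 token is the 32-byte AES-256 key.
    key_m = re.search(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{43}=(?![A-Za-z0-9+/=])", script)
    if key_m is None:
        raise ValueError("no 44-character Base64 key found")
    key = base64.b64decode(key_m.group(0))
    # Regex "list matches": the longest Base64 run is IV || ciphertext.
    blob = base64.b64decode(max(re.findall(r"[A-Za-z0-9+/]{48,}={0,2}", script), key=len))
    iv, body = blob[:16], blob[16:]  # .{16} into a register, then Drop Bytes 16
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    return gunzip_padded(dec.update(body) + dec.finalize())

def gunzip_padded(data: bytes) -> bytes:
    """Stands in for 'strip trailing NULLs, then Gunzip'. The gzip trailer ends
    with ISIZE little-endian, so below 16 MiB its last byte is 0x00 and a blind
    \\x00+$ strip eats part of the trailer, which gzip.decompress rejects.
    Letting zlib stop at end-of-stream tolerates the zero padding instead."""
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
    out = d.decompress(data)
    if not d.eof or d.unused_data.strip(b"\x00"):
        raise ValueError("gzip stream incomplete or followed by non-NULL data")
    return out

SAMPLE_KEY = bytes(range(32))  # constructed key, 44 chars once Base64-encoded
SAMPLE_PLAINTEXT = b"Write-Host 'stage three reached'"
SAMPLE_SCRIPT = build_stage2_sample(SAMPLE_PLAINTEXT, SAMPLE_KEY)
```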

Stage-three decoding repeats the stage-one pattern across multiple arrays: Register the subtraction constant, capture each bracketed integer array with regex, Fork to split arrays and then again to split individual integers, append the subtraction register, Subtract, and From Decimal to restore text. Combining these techniques into a single chain (the author used 22 operations) yields an automated, generic extractor that can handle NetSupport loader variants without manual key/value edits.
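The stage-1 and stage-3 decimal-array pattern as one added Python example (not the author's recipe): the regex-captured constant replaces a hardcoded value and the decoder handles any number of arrays; the PowerShell-like layout, the variable names and the sample text are constructed assumptions.

```python
import re

K = 4274  # constructed subtraction constant, same value as the stage-3 example in the text

def obfuscate(text: str, k: int) -> str:
    """Builds the decimal-array form the loader uses (constructed sample, not the real one)."""
    return "@(" + ", ".join(str(ord(c) + k) for c in text) + ")"

# Constructed stand-in for an obfuscated stage: one constant, several arrays.
STAGE_SCRIPT = (f"$k = {K}\n"
                f"$a = {obfuscate('Write-Host', K)}\n"
                f"$b = {obfuscate('stage three', K)}\n")

def extract_constant(script: str) -> int:
    """Register step: capture the constant with a regex instead of hardcoding it.
    Assumed layout is `$name = <digits>` on its own line; the array lines do not
    match because `@(` follows the equals sign."""
    m = re.search(r"^\$\w+\s*=\s*(\d+)\s*$", script, re.MULTILINE)
    if m is None:
        raise ValueError("subtraction constant not found")
    return int(m.group(1))

def extract_arrays(script: str) -> list[list[int]]:
    """Outer Fork: every bracketed, comma-separated run of integers is one array."""
    return [[int(v) for v in re.findall(r"\d+", body)]
            for body in re.findall(r"\(([\d,\s]+)\)", script)]

def decode_arrays(script: str) -> list[str]:
    """Inner Fork, Subtract, From Decimal and Merge, applied to every array."""
    k = extract_constant(script)
    out = []
    for arr in extract_arrays(script):
        codes = [v - k for v in arr]
        # A wrong constant shows up immediately as non-printable results.
        if not all(32 <= c < 127 or c in (9, 10, 13) for c in codes):
            raise ValueError(f"constant {k} does not yield printable text")
        out.append("".join(map(chr, codes)))
    return out
```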

Read more: https://embee-research.ghost.io/advanced-cyberchef-operations-netsupport/