1
00:00:00,810 --> 00:00:02,290
Hello and welcome back.

2
00:00:02,820 --> 00:00:04,140
In this new session.

3
00:00:04,410 --> 00:00:12,450
We are going to do a practical of analyzing real-world malware, which is a ransomware.

4
00:00:13,320 --> 00:00:16,640
So be careful and remember to use your virtual machine.

5
00:00:17,850 --> 00:00:25,440
So in this first video in this session, I will talk to you about the principles of analyzing

6
00:00:25,510 --> 00:00:25,920
ransomware.

7
00:00:28,480 --> 00:00:31,150
What is a ransomware?

8
00:00:31,180 --> 00:00:39,880
It's a malware that restricts access to data by encrypting files or locking computer screens and attempts

9
00:00:39,880 --> 00:00:44,560
to extort money from victims in the form of cryptocurrencies.

10
00:00:45,400 --> 00:00:53,470
After encrypting the files, it displays a ransom note with instructions on how to pay and recover the

11
00:00:53,470 --> 00:00:58,990
files in one of the following ways: it might show a desktop wallpaper,

12
00:00:59,170 --> 00:01:04,810
the ransom note as the wallpaper, or it may redirect you to a website with instructions.

13
00:01:05,770 --> 00:01:08,470
Or it may display a pop-up message.

14
00:01:09,900 --> 00:01:21,060
Typical stages of a malware attack. Many malware authors make use of a document in order to start

15
00:01:21,240 --> 00:01:32,700
the first attack. For example, it may use a Microsoft Office document or a Java binary file or even a

16
00:01:33,120 --> 00:01:42,420
link, and this could be sent to the victim via emails or put on websites for you to download.

17
00:01:43,200 --> 00:01:51,840
So once a victim has downloaded a document, the victim might open the document, and then it might trigger

18
00:01:51,840 --> 00:01:55,020
and execute an embedded script.

19
00:01:55,030 --> 00:02:04,940
For example, a PowerShell script or Visual Basic script or JavaScript, or even an embedded native EXE

20
00:02:05,400 --> 00:02:06,480
executable file

21
00:02:06,630 --> 00:02:08,640
inside the document itself.

22
00:02:09,840 --> 00:02:18,390
So this would normally act as a kind of dropper in order to go out to the Internet and download the second stage

23
00:02:18,390 --> 00:02:19,140
of the attack.

24
00:02:19,910 --> 00:02:26,280
The second stage of the attack will be the actual malicious malware itself, which may do further damage

25
00:02:26,280 --> 00:02:27,120
to your system.

26
00:02:28,050 --> 00:02:36,600
For example, encrypting files, for some malware, or installing a remote access tool if it is intended to steal

27
00:02:37,140 --> 00:02:40,260
information from the target system.

28
00:02:41,570 --> 00:02:43,010
Features of ransomware.

29
00:02:44,610 --> 00:02:51,260
A ransomware would typically attempt to locate all critical files, for example, document files or

30
00:02:51,270 --> 00:02:56,100
images, and encrypt them and delete the original file.

31
00:02:56,880 --> 00:02:59,340
Mostly, they will use strong cryptography.

32
00:02:59,730 --> 00:03:08,340
So it's not possible to recover ransomed files without the key. Ransomware may also look for network shares

33
00:03:08,610 --> 00:03:09,990
and attached storage.

34
00:03:10,710 --> 00:03:15,150
And it may even spread to other computers within a system or in a network.

35
00:03:16,270 --> 00:03:23,000
Some ransomware also contains additional functionality, for example, a backdoor to enable

36
00:03:23,020 --> 00:03:31,450
remote access by the hacker, or they could have the ability to do crypto mining, for example,

37
00:03:31,660 --> 00:03:35,410
to mine for bitcoins or cryptocurrency.

38
00:03:36,880 --> 00:03:43,320
So in this session, you will be downloading real malware, ransomware, for practice.

39
00:03:44,080 --> 00:03:51,130
Go and download the file, copies dot net, real-world ransomware, from the resource section

40
00:03:51,130 --> 00:03:54,680
for this lesson. Use a virtual machine.

41
00:03:55,150 --> 00:03:56,510
This is real ransomware.

42
00:03:57,430 --> 00:04:05,770
The password to unzip it is cracking lessons dot com. Workflow for analyzing ransomware.

43
00:04:06,820 --> 00:04:14,530
Below is a list of some possible workflow when analyzing malicious malware.

44
00:04:15,460 --> 00:04:23,630
First, you might want to check VirusTotal to see if there are any signatures that can identify

45
00:04:23,630 --> 00:04:26,050
the family for this particular malware.

46
00:04:26,710 --> 00:04:35,110
Second, you might want to do a scan for strings that are embedded inside the malware itself.

47
00:04:35,890 --> 00:04:43,360
These strings may give you a hint as to the things that you need to look for in going through with the analysis.

48
00:04:43,930 --> 00:04:51,460
All the strings may even give you a hint or idea of what it is capable of doing or even its intentions.

49
00:04:52,270 --> 00:05:01,240
And sometimes the strings might also show indicators of compromise, like URLs or other links that go

50
00:05:01,240 --> 00:05:03,750
out to the Internet to download the second-stage file.

51
00:05:04,540 --> 00:05:10,870
Then you might also want to proceed to do dynamic analysis, where you will actually run the malware and

52
00:05:11,530 --> 00:05:13,640
perform analysis on it.

53
00:05:14,320 --> 00:05:22,050
You can use dnSpy to reverse engineer the malware itself, that is, to decompile it into the source code.

54
00:05:23,140 --> 00:05:29,380
And then you might also want to defeat any anti-analysis mechanisms that are already built in.

55
00:05:29,860 --> 00:05:36,690
Finally, you also want to find indicators of compromise or other artifacts.

56
00:05:37,510 --> 00:05:38,800
So thank you for watching.

57
00:05:39,280 --> 00:05:41,680
I'll see you in the next video.

58
00:05:41,830 --> 00:05:43,370
Good luck in your analysis.