1 00:00:00,480 --> 00:00:01,870 Hello and welcome back.
2 00:00:02,580 --> 00:00:11,240 This is a practical exercise walkthrough for a real ransomware sample. In a previous section, I've
3 00:00:11,250 --> 00:00:13,560 asked you to
4 00:00:15,380 --> 00:00:20,210 download the zip file, and I've put it onto my desktop here.
5 00:00:21,000 --> 00:00:27,890 Now, the contents of the zip file: it contains the ransom note.
6 00:00:27,920 --> 00:00:28,030 Right.
7 00:00:28,110 --> 00:00:32,460 Then the PE file with a .bin extension, and the public key.
8 00:00:33,580 --> 00:00:41,720 The .bin extension has been put there so that you do not accidentally click on it and execute it for real.
9 00:00:41,740 --> 00:00:45,640 It doesn't have to be a .bin extension; any extension will do.
10 00:00:46,510 --> 00:00:51,340 The public key is necessary as a parameter for this ransomware to run.
11 00:00:52,960 --> 00:01:01,720 So now the first thing you want to do is to check whether this was created with the .NET framework or
12 00:01:01,930 --> 00:01:03,400 something else, like native code.
13 00:01:03,430 --> 00:01:08,610 In order to do that, we need to use DIE (Detect It Easy).
14 00:01:09,490 --> 00:01:10,250 So if you open DIE,
15 00:01:10,690 --> 00:01:11,220 yeah,
16 00:01:12,220 --> 00:01:13,210 which is over here,
17 00:01:17,620 --> 00:01:21,370 you will find that it is a .NET executable.
18 00:01:23,940 --> 00:01:28,950 You open the file of the real malware.
19 00:01:30,490 --> 00:01:35,290 And you can see it is a .NET executable, built with .NET.
20 00:01:37,470 --> 00:01:45,510 And although it says that it is 32-bit, this is not definitive, even though the file appears
21 00:01:46,810 --> 00:01:54,930 to be 32-bit instead of 64-bit. To be definitely sure, we need to use another tool called CorFlags.
22 00:01:54,960 --> 00:02:00,840 To use CorFlags, we're going to use the command line. Search for the
23 00:02:00,840 --> 00:02:05,810 Developer Command Prompt and open it.
24 00:02:10,080 --> 00:02:21,190 And again, we are going to copy the path, cd to that path, and then use the command CorFlags.
25 00:02:22,920 --> 00:02:34,410 CorFlags, followed by the name of the executable you want to scan. And if you see here, 32BITREQ
26 00:02:34,410 --> 00:02:36,080 is zero.
27 00:02:36,090 --> 00:02:40,440 That means it is not a 32-bit-only application.
28 00:02:42,050 --> 00:02:48,510 If you get a 32BITREQ of one, then it is a 32-bit application.
29 00:02:48,530 --> 00:02:53,020 So in this case, it is zero, and this is a 64-bit .NET application.
30 00:02:53,780 --> 00:02:57,890 Therefore, we need to use dnSpy 64-bit.
31 00:02:59,000 --> 00:03:00,440 So let's open dnSpy.
32 00:03:02,410 --> 00:03:03,070 It's here.
33 00:03:07,680 --> 00:03:15,690 So instead of using dnSpy, we can also use strings to scan for strings, so we can type the
34 00:03:15,690 --> 00:03:22,540 command strings, followed by the name of the file.
35 00:03:22,620 --> 00:03:23,760 There are a lot of strings here.
36 00:03:26,390 --> 00:03:34,400 And you can filter the strings. For example, if you're interested in whether this sample has got any
37 00:03:34,400 --> 00:03:39,290 kind of encryption ability, you can filter the strings like this.
38 00:03:40,850 --> 00:03:49,840 You pipe it to findstr, followed by the word you're looking for, assuming you are looking for those strings that contain that word.
39 00:03:52,310 --> 00:03:59,510 So you hit enter, and now you see these are the strings that are found that contain that word
40 00:03:59,750 --> 00:04:07,610 inside. From here you can see the encryption-related strings.
41 00:04:08,600 --> 00:04:16,650 So these are indications that this malware has the ability to obfuscate or to encrypt files.
42 00:04:17,480 --> 00:04:22,270 So these are some hints for you as to what it is capable of.
43 00:04:23,490 --> 00:04:28,920 Now we open it inside dnSpy by just dragging it into dnSpy.
44 00:04:30,060 --> 00:04:32,960 And this is the name of the executable.
45 00:04:34,960 --> 00:04:39,790 And from here, you can see the entry point is in Program.Main.
46 00:04:40,910 --> 00:04:47,930 To get into the entry point, a quick way to get to the entry point is to expand on this, right-click
47 00:04:47,930 --> 00:04:51,730 on this and click "Go to Entry Point".
48 00:04:54,380 --> 00:04:55,580 And this is your entry point.
49 00:04:56,730 --> 00:04:58,350 And you can see here the entry point.
50 00:04:59,720 --> 00:05:02,930 It is Program.Main, the program's Main.
51 00:05:03,850 --> 00:05:14,050 And this is Main. You also notice another piece, probably the encryption module, so let's
52 00:05:14,050 --> 00:05:15,190 see what's happening here.
53 00:05:17,460 --> 00:05:25,660 Looking at this, you can see that this program is checking whether there are arguments given to the program.
54 00:05:26,540 --> 00:05:27,620 It is checking it.
55 00:05:27,990 --> 00:05:34,950 So this suggests it requires an argument when the program is started, and this is the argument that we should
56 00:05:34,950 --> 00:05:35,390 pursue.
57 00:05:36,300 --> 00:05:38,780 Now, this malware comes in two parts.
58 00:05:38,880 --> 00:05:46,140 And as I mentioned before, this is the .bin file, as well as the public key, which
59 00:05:46,140 --> 00:05:49,360 is to be passed as an argument when you're running this program.
60 00:05:50,850 --> 00:05:53,810 So if there is no argument, the program will quit.
61 00:05:54,770 --> 00:06:00,450 But if the argument exists, then it can continue to run.
62 00:06:01,650 --> 00:06:08,460 And you can see here in dnSpy, after checking whether the argument exists, it will go and read.
63 00:06:10,460 --> 00:06:17,930 Oh, here it is checking the argument, and then it's going to ReadAllText of the public
64 00:06:17,930 --> 00:06:18,110 key.
65 00:06:19,510 --> 00:06:29,050 And it puts it into this static variable. Static variables are variables which are created without an object; you call them
66 00:06:29,050 --> 00:06:33,970 using the name of the class instead of an object.
67 00:06:35,110 --> 00:06:38,740 So in this case, the name of the class is used here.
68 00:06:38,790 --> 00:06:42,430 Therefore, this is a static variable. If you click on it,
69 00:06:42,460 --> 00:06:47,100 now you can see where the variable is declared in the class.
70 00:06:47,320 --> 00:06:51,700 So after reading the content of this public key, you see here,
71 00:06:53,840 --> 00:06:59,060 and then in the next line here, you see it's checking whether a certain directory exists,
72 00:07:00,050 --> 00:07:06,960 and if it doesn't exist, then it will go down here and create it.
73 00:07:08,420 --> 00:07:12,380 So let's check and see what exactly it is checking for; let's click on this.
74 00:07:14,240 --> 00:07:20,470 So here it is using the function GetFolderPath to get the directory.
75 00:07:21,800 --> 00:07:28,190 So in order to know the name of it right here, we need to click and put a breakpoint here.
76 00:07:28,430 --> 00:07:34,880 And then you run to hit the breakpoint, and then we analyze the return value of the string.
77 00:07:36,580 --> 00:07:46,850 So we can step through this, and then here you must pass the name of this file as a parameter.
78 00:07:48,160 --> 00:07:51,820 So just right-click on this and rename it,
79 00:07:53,660 --> 00:07:56,120 and then copy the file name.
80 00:07:57,630 --> 00:07:58,920 Paste the file name here.
81 00:08:01,260 --> 00:08:02,260 And then click OK.
82 00:08:04,740 --> 00:08:09,300 Yes, and then run so that you hit this breakpoint.
83 00:08:10,310 --> 00:08:12,110 So let me step into this.
84 00:08:14,300 --> 00:08:19,070 So we're going to step into this, and we see the type here.
85 00:08:20,740 --> 00:08:25,580 So we just put a breakpoint here for the return, and then we run again.
86 00:08:26,080 --> 00:08:27,340 So we hit this breakpoint.
87 00:08:28,390 --> 00:08:32,020 And here you see the text that is returned is ProgramData.
88 00:08:33,400 --> 00:08:44,890 So it's looking for this directory, ProgramData. We can copy this, copy value, and put it in our notes for
89 00:08:44,890 --> 00:08:45,130 later.
90 00:08:47,840 --> 00:08:55,090 Here. So we know that it is looking for this directory, ProgramData.
91 00:09:00,080 --> 00:09:04,520 Now I step out of it, and we're back here.
92 00:09:05,400 --> 00:09:11,830 OK, so now we know that the directory it is looking for is ProgramData, so we can stop it now.
93 00:09:12,530 --> 00:09:18,170 And then backspace, go back to our main program where we were analyzing.
94 00:09:19,280 --> 00:09:27,410 So here it's looking for ProgramData, and now it's going to create a directory.
95 00:09:29,490 --> 00:09:31,200 We can go to the location
96 00:09:33,820 --> 00:09:36,850 that we captured just now: C:\ProgramData.
97 00:09:39,960 --> 00:09:43,020 Let's look at ProgramData.
98 00:09:49,530 --> 00:09:57,330 So somewhere down here, one of these folders here is the malware folder, the malware folder. And then
99 00:09:57,330 --> 00:10:03,450 here you see this is just a junk instruction; it doesn't do anything.
100 00:10:03,870 --> 00:10:05,890 It just concatenates some strings together.
101 00:10:05,910 --> 00:10:13,290 So this is one example of obfuscation, where you deliberately insert some junk instructions to throw
102 00:10:13,290 --> 00:10:13,650 you off.
103 00:10:15,240 --> 00:10:17,900 And the same thing is probably here as well.
104 00:10:20,750 --> 00:10:23,270 And here is where it's trying to start a thread.
105 00:10:24,630 --> 00:10:29,520 All right, and then down here, you can see that it is creating some strings.
106 00:10:31,830 --> 00:10:41,550 It's getting the drives; this is coming from here, the drives function, and if you click on
107 00:10:41,550 --> 00:10:43,220 this, you can see what it's doing.
108 00:10:47,260 --> 00:10:48,910 And in this one, you can see the following.
109 00:10:50,060 --> 00:10:57,220 This function is going through every drive letter
110 00:10:57,230 --> 00:11:02,740 in all the drives inside your computer, starting with A, B, C, D and so on.
111 00:11:03,530 --> 00:11:11,180 And for every drive that it enters, it is checking whether it is inside the system
112 00:11:11,180 --> 00:11:14,240 directory; you can see Windows and so on.
113 00:11:14,930 --> 00:11:16,910 And if it is not in the system directory,
114 00:11:18,850 --> 00:11:20,890 then it proceeds to the next one.
115 00:11:22,620 --> 00:11:27,840 It gets all the files in that particular folder, checking for
116 00:11:28,820 --> 00:11:34,230 the name of the file, the full name of the file, its directory, and so on.
117 00:11:36,750 --> 00:11:41,430 And for each of the extensions of the files, and then here,
118 00:11:43,080 --> 00:11:46,080 it's checking whether the file extension matches
119 00:11:47,590 --> 00:11:51,220 something, so let's click on this so we're clear on this.
120 00:11:53,490 --> 00:12:00,370 And here it is trying to create an array out of these file types.
121 00:12:00,610 --> 00:12:02,640 It's referring to this.
122 00:12:03,700 --> 00:12:08,600 So here is again obfuscation, but we can use a debugger to de-obfuscate it.
123 00:12:10,060 --> 00:12:10,470 All right.
124 00:12:10,480 --> 00:12:12,370 So we'll continue in the next video.
125 00:12:13,900 --> 00:12:14,470 See you then.