1 00:00:00,480 --> 00:00:04,560 Hello and welcome. In this lab practical,
2 00:00:05,160 --> 00:00:10,320 I would like you to try to analyze this on your own first.
3 00:00:11,400 --> 00:00:21,810 This can be downloaded from the resource section as lab one dash dot net dash Trojan dot zip. The
4 00:00:21,810 --> 00:00:25,490 password for the zip is cracking lessons dot com.
5 00:00:26,310 --> 00:00:34,440 So please pause the video and give it a try first, and then watch the rest of this video after you have
6 00:00:34,440 --> 00:00:35,760 tried to analyze it.
7 00:00:37,380 --> 00:00:46,620 So I will try to analyze it first using dynamic analysis, that is, to execute it and analyze it
8 00:00:46,800 --> 00:00:52,920 using Process Hacker and Process Monitor as well as Wireshark.
9 00:00:53,760 --> 00:00:58,170 And then only after that I will try to do the static analysis.
10 00:00:59,070 --> 00:01:00,840 OK, I hope you are going to try.
11 00:01:01,500 --> 00:01:05,640 After unzipping this file, you have a folder.
12 00:01:05,640 --> 00:01:12,690 I'll put mine on the desktop, and within the folder is the file, the malware itself, dot net grabbing.
13 00:01:13,650 --> 00:01:22,400 The first thing we can do is to try to get the hash of this file and look it up in VirusTotal.
14 00:01:23,520 --> 00:01:27,240 So to get the hash of this file, you can click on this.
15 00:01:30,280 --> 00:01:32,500 And then click on HashMyFiles.
16 00:01:33,790 --> 00:01:44,730 And over here you can find the hash. Copy it, open up your browser and head over to VirusTotal,
17 00:01:45,610 --> 00:01:52,300 just click on Search directly and paste the hash in this box and hit enter.
18 00:01:53,570 --> 00:01:56,610 And it straight away gives you the results.
19 00:01:57,380 --> 00:02:05,420 Fifty-nine out of sixty-nine engines, various search engines, have detected this file, and the
20 00:02:05,420 --> 00:02:08,090 name of it is a Trojan.
21 00:02:08,450 --> 00:02:14,330 Generally, you can see it is a kind of information stealer.
22 00:02:14,330 --> 00:02:16,230 A stealer is spyware.
23 00:02:16,700 --> 00:02:17,540 So now we know.
24 00:02:18,230 --> 00:02:19,730 So that is quite helpful.
25 00:02:20,690 --> 00:02:25,440 The next thing you want to do is confirm that this is a dot net executable.
26 00:02:26,300 --> 00:02:32,870 So before we proceed further, let us make a copy of this and then rename it
27 00:02:34,110 --> 00:02:42,240 to something simpler. Maybe we will call it executable as well, because we want to run it, so we will
28 00:02:42,270 --> 00:02:50,050 give it an exe extension, and for the name itself we can just call it malware.
29 00:02:52,140 --> 00:02:52,560 Yes.
30 00:02:53,590 --> 00:03:01,880 Dot net malware dot exe. Then open DIE and scan to make sure it is a dot net executable.
31 00:03:02,260 --> 00:03:08,230 So look for your utilities folder in the FLARE folder and then.
32 00:03:09,180 --> 00:03:19,040 Now, for DIE, Detect It Easy, press on the three dots and navigate to the location of the dot net malware
33 00:03:19,080 --> 00:03:19,820 exe.
34 00:03:20,910 --> 00:03:28,920 Which is in the desktop. Click on it to open and let us scan it. It has detected it as a dot net
35 00:03:29,460 --> 00:03:37,010 framework executable and the compiler is built on it, and it doesn't appear to be packed.
36 00:03:37,020 --> 00:03:41,340 But this is not reliable, because it could be packed.
37 00:03:42,330 --> 00:03:47,610 So now we confirm that it is dot net. In the second stage of the analysis
38 00:03:48,030 --> 00:03:51,750 we will open it with dnSpy. In this video
39 00:03:51,930 --> 00:03:59,790 I want to do the dynamic analysis first. In the second part of the video we do the static analysis, where we
40 00:03:59,800 --> 00:04:01,080 open it with dnSpy.
41 00:04:02,110 --> 00:04:07,860 To analyze it, we need to run it, but before we run it, let's fire up a few programs.
42 00:04:08,590 --> 00:04:14,920 Now, make sure that you have disabled the Internet for this virtual machine, because we don't want
43 00:04:14,920 --> 00:04:22,390 to accidentally cause it to reach out to the command and control server or, worse still, to spread to
44 00:04:22,390 --> 00:04:24,390 other computers on your network,
45 00:04:24,400 --> 00:04:25,060 if it is a worm.
46 00:04:25,480 --> 00:04:32,680 So disable your network and then over here we will fire up a few programs, starting with Process Monitor.
47 00:04:32,920 --> 00:04:34,780 So click on Process Monitor.
48 00:04:35,380 --> 00:04:35,890 Yes.
49 00:04:36,160 --> 00:04:38,710 And then over here you can filter.
50 00:04:39,070 --> 00:04:44,860 So we are going to filter on the name of this malware, because otherwise it will show everything that is
51 00:04:44,860 --> 00:04:46,420 running in the operating system.
52 00:04:46,660 --> 00:04:55,530 So click on Filter and then here in the first dropdown select Process Name, and here it is.
53 00:04:56,020 --> 00:05:02,990 And here type in this name, net malware dot exe.
54 00:05:03,910 --> 00:05:07,450 And you click on Add and click Apply. Immediately
55 00:05:07,450 --> 00:05:12,310 you see that nothing shows, because it is filtering, filtering out only this.
56 00:05:13,310 --> 00:05:19,320 At the moment we do not need for it to capture anything yet, so we can temporarily pause it, so we click on
57 00:05:19,610 --> 00:05:20,450 the pause button.
58 00:05:20,870 --> 00:05:28,100 OK, so now the next thing is we want to run Process Hacker to see whatever additional processes
59 00:05:28,550 --> 00:05:30,500 the malware might spawn.
60 00:05:31,520 --> 00:05:39,860 So to launch Process Hacker, go into the FLARE folder here and then the utilities, look for Process Hacker
61 00:05:40,130 --> 00:05:43,350 over here and click on it.
62 00:05:43,430 --> 00:05:43,850 Yes.
63 00:05:44,900 --> 00:05:54,080 And what more do we need? Wireshark, to capture the network traffic. So same thing, in the same folder
64 00:05:54,080 --> 00:06:00,040 as in FLARE, under utilities, look for Wireshark and launch it.
65 00:06:01,490 --> 00:06:09,130 OK, yes, Wireshark is now running, and then look for Local Area Connection and double click on it.
66 00:06:09,470 --> 00:06:13,760 And then over here we are going to filter the HTTP traffic.
67 00:06:14,600 --> 00:06:18,780 So type in HTTP and hit enter.
68 00:06:19,490 --> 00:06:20,920 So this is to track
69 00:06:21,090 --> 00:06:25,400 if it is connecting to any server, command and control server.
70 00:06:26,030 --> 00:06:32,770 So now we have set up our tools, ready to detonate the malware inside this virtual machine.
71 00:06:33,260 --> 00:06:39,680 So we have got Process Monitor to monitor the process, the malware process, when it runs.
72 00:06:40,580 --> 00:06:47,040 We have got Wireshark to capture the traffic, network traffic, if any.
73 00:06:47,690 --> 00:06:54,560 And we also have Process Hacker to see if our process, the malware process, spawns
74 00:06:54,560 --> 00:06:59,600 any additional child processes when it is running. In the next video
75 00:06:59,780 --> 00:07:03,970 we will continue to run the malware itself.
76 00:07:04,400 --> 00:07:05,990 So I'll see you in the next one.