1 00:00:00,540 --> 00:00:08,730 Hello. In this one, you are going to try to reverse engineer another simulated malware, so I'm going
2 00:00:08,730 --> 00:00:15,870 to download this file and unzip it and put it on your desktop. Inside, you will find the file called Ranger.
3 00:00:16,620 --> 00:00:17,930 So fire up your Bytecode
4 00:00:18,150 --> 00:00:18,570 Viewer.
5 00:00:23,670 --> 00:00:27,440 And then use the Bytecode Viewer to open the file.
6 00:00:41,060 --> 00:00:42,590 Click on the plus to expand.
7 00:00:45,420 --> 00:00:53,790 You will notice there are many other files within this jar file, so there's a package called Congregated,
8 00:00:53,850 --> 00:00:54,120 right?
9 00:00:54,660 --> 00:00:57,320 Inside this jar file, which contains another jar.
10 00:00:57,990 --> 00:01:02,520 There's also another package here inside the jar, in mummification.
11 00:01:02,550 --> 00:01:06,000 So at least three packages, including one jar file.
12 00:01:07,740 --> 00:01:12,360 So let's try to look for the main method for this jar.
13 00:01:13,490 --> 00:01:15,140 You can click on Resources, Resource.
14 00:01:16,130 --> 00:01:21,620 If you come back and begin here, you will find yourself standing here.
15 00:01:23,580 --> 00:01:28,770 So this is where program execution starts for this jar, on top here.
16 00:01:28,970 --> 00:01:37,050 You see that there are many strings, but they are being named in such a way as to confuse the analyst.
17 00:01:37,680 --> 00:01:45,630 The author tries to make it difficult to analyze it, by creating unnecessary strings, unnecessary variables.
18 00:01:46,240 --> 00:01:47,130 And we can check.
19 00:01:48,580 --> 00:01:57,940 Select one of these, copy it and do a search, Ctrl+F, a search to see how many times this is
20 00:01:57,940 --> 00:02:05,080 used in this program, and you will find it is only used once, over here, and you find the same thing
21 00:02:05,080 --> 00:02:06,180 for all the rest as well.
22 00:02:06,760 --> 00:02:11,920 So all these are just junk variables which are put in to confuse the analysis.
23 00:02:13,510 --> 00:02:19,360 And if you scroll down, you will see the same thing for this "split spaces": it is also used only once and
24 00:02:19,360 --> 00:02:20,730 nowhere else in this program.
25 00:02:21,160 --> 00:02:28,930 So this is also used to divert the analyst's attention and to delay the analysis process, so we
26 00:02:28,930 --> 00:02:29,710 can ignore this.
27 00:02:30,310 --> 00:02:33,630 The only thing we need to focus on is the main method.
28 00:02:35,470 --> 00:02:36,190 So let's do that.
29 00:02:36,190 --> 00:02:39,520 Now, the first instruction here is to create a
30 00:02:40,600 --> 00:02:42,940 And here again is another obfuscation technique.
31 00:02:43,330 --> 00:02:49,390 It is trying to combine multiple components together to create a string.
32 00:02:49,660 --> 00:02:59,230 And it is trying to do that by referencing members of various classes, the G class, the GG class, the G g
33 00:02:59,230 --> 00:03:00,550 dress SDF class.
34 00:03:01,940 --> 00:03:10,710 So all these classes, Jr. and Gandhi, are just coming from here, so let's try to rebuild this. While
35 00:03:12,930 --> 00:03:22,360 we are open, so that we can try to use that to rebuild the string, the first part of the string
36 00:03:22,360 --> 00:03:23,380 is due to see.
37 00:03:25,100 --> 00:03:29,900 So Itliong, g, g, c, e string calling.
38 00:03:31,130 --> 00:03:33,590 So we can write it down: file.
39 00:03:37,200 --> 00:03:37,650 Colon.
40 00:03:39,970 --> 00:03:42,010 Coming back to main.
41 00:03:43,160 --> 00:03:49,490 It is concatenated with GG, which is another forward slash.
42 00:03:51,740 --> 00:03:53,810 So we put in the forward slash here.
43 00:03:55,220 --> 00:03:56,210 Coming back to main.
44 00:03:57,770 --> 00:04:05,300 GG, which is then concatenating with M, which is this guy, the M.
45 00:04:06,270 --> 00:04:08,510 Which is X con.
46 00:04:12,760 --> 00:04:24,500 X forward slash, come forward slash, come back to main, and that is concatenated with G g dress SDF NSX,
47 00:04:25,300 --> 00:04:26,890 which is just one class.
48 00:04:27,980 --> 00:04:30,820 Don't know sex is rocket forward slash.
49 00:04:33,380 --> 00:04:37,320 So we get Jay Rocket forward slash.
50 00:04:38,850 --> 00:04:42,510 Come back to main, and that in turn is concatenated.
51 00:04:43,530 --> 00:04:50,310 And so let's look for DG Dunam, which is dry forward slash.
52 00:04:51,000 --> 00:04:55,410 So it's been dry forward slash, and this time
53 00:04:57,390 --> 00:05:05,220 it's concatenated with G g dress SDF x, so we come back to this class next, introspection, introspection,
54 00:05:05,220 --> 00:05:05,790 Touya.
55 00:05:07,910 --> 00:05:12,440 So we type in Drew speccing do.
56 00:05:13,130 --> 00:05:17,360 Yeah, so this is a jar file.
57 00:05:18,680 --> 00:05:25,490 So the path that appears is referring to this other package, which is embedded inside this jar.
58 00:05:26,090 --> 00:05:31,340 So it seems like this program, this PSM zero Anjar,
59 00:05:32,630 --> 00:05:35,970 has got a jar file within it, which is the introspection one.
60 00:05:36,770 --> 00:05:43,580 So when this program runs, this Resource runs; what it is effectively doing is it is trying to
61 00:05:43,730 --> 00:05:46,070 open this file, this jar file.
62 00:05:47,080 --> 00:05:55,450 And then you can see from here, after he has created a path to this file, he is going to load it over
63 00:05:55,450 --> 00:06:03,190 here, placeholder, and then he is going to create a thread, a new process, a new thread over here
64 00:06:03,520 --> 00:06:06,370 to run this jar file.
65 00:06:07,650 --> 00:06:16,170 And then it is going to invoke a method within that jar; from here, you can see that, get main.
66 00:06:17,180 --> 00:06:23,770 Right, so now you have to take this jar file and look for the main, because here he's referencing main and
67 00:06:23,770 --> 00:06:26,960 he's going to run the main method inside here.
68 00:06:27,100 --> 00:06:29,790 So how do we unpack this? To unpack it,
69 00:06:30,170 --> 00:06:36,610 we come back to this jar file here and we use the zip program, the 7-Zip program, to unpack it.
70 00:06:37,150 --> 00:06:44,230 So right-click this and select 7-Zip, Extract to 01.
71 00:06:45,610 --> 00:06:48,120 And now we have it unpacked here.
72 00:06:49,790 --> 00:06:50,120 Here.
73 00:06:50,890 --> 00:07:01,600 So now we have to add this jar file to Bytecode Viewer so that we can trace the main method inside it, because
74 00:07:01,600 --> 00:07:04,060 the main method inside is what is being referred to here.
75 00:07:04,840 --> 00:07:05,690 Let's do that now.
76 00:07:06,220 --> 00:07:08,070 So to add a jar file.
77 00:07:08,530 --> 00:07:08,940 There we are.
78 00:07:08,950 --> 00:07:15,250 Just unpack the file, click on Add and then navigate to this location.
79 00:07:23,440 --> 00:07:27,220 And click on it to select the jar file and click Open.
80 00:07:29,110 --> 00:07:30,420 So now we can analyze it.
81 00:07:32,940 --> 00:07:38,070 Just click on the plus icon, click on the class to decompile it.
82 00:07:40,450 --> 00:07:46,270 All right, so now we look for main, so this is the main, so it is this part which is going to
83 00:07:46,270 --> 00:07:48,430 execute over here.
84 00:07:49,120 --> 00:07:51,400 So you get main, invoke.
85 00:07:52,570 --> 00:07:54,970 OK, so let's go back and analyze what it does.
86 00:07:56,770 --> 00:07:58,450 So the first thing it does is
87 00:07:59,650 --> 00:08:07,150 he creates a native hook, GlobalScreen register native hook, a native hook.
88 00:08:08,380 --> 00:08:13,930 It is going to, over here, add a key listener, and that means he's a keylogger.
89 00:08:15,250 --> 00:08:22,750 Looking at it, so it is a key listener out of this class, new Introspection, to its constructor.
90 00:08:24,280 --> 00:08:28,160 new is a keyword in Java to call a constructor.
91 00:08:28,190 --> 00:08:32,740 So this is a constructor for this class, and so the constructor is over here.
92 00:08:33,280 --> 00:08:37,160 The class name is Introspection, so the constructor is here.
93 00:08:38,020 --> 00:08:42,820 So what it does is it creates a temp directory.
94 00:08:43,830 --> 00:08:52,560 And creates a new file within that temp directory of your operating system, a Java deploy log.
95 00:08:53,490 --> 00:08:57,300 It verifies; if it doesn't exist, he's going to create a new file.
96 00:08:57,320 --> 00:08:59,530 So this is your malware artifact.
97 00:09:00,060 --> 00:09:01,390 So what is he going to do here?
98 00:09:02,310 --> 00:09:06,060 Most probably he is going to log your keystrokes into this file.
99 00:09:06,780 --> 00:09:09,890 As you can see here, it is creating a file writer.
100 00:09:10,910 --> 00:09:14,870 And here, he is registering
101 00:09:17,590 --> 00:09:28,210 key press, a native key pressed, so the native key pressed is this; this is a handler for the key press, so whenever
102 00:09:28,210 --> 00:09:31,540 the user types anything on the keyboard, it will trigger this
103 00:09:31,930 --> 00:09:38,800 key listener, native key pressed, in there, and it is going to get the keystroke, whatever the user typed, and try to
104 00:09:38,800 --> 00:09:39,450 encode it.
105 00:09:39,970 --> 00:09:41,670 XOR encoding.
106 00:09:42,070 --> 00:09:44,410 So this is the symbol for XOR encoding.
107 00:09:44,770 --> 00:09:51,550 So it is going to XOR encode it with the number 151, so that even if you were to retrieve Java
108 00:09:51,550 --> 00:09:58,350 deploy dot log in your file system, you won't be able to read it, because it is not in plain text;
109 00:09:58,660 --> 00:09:59,890 it has been encrypted.
110 00:10:00,460 --> 00:10:03,340 So XOR, XOR 151.
111 00:10:04,210 --> 00:10:08,640 So now you have your evidence of an indicator of compromise.
112 00:10:08,650 --> 00:10:17,480 If you can find this file, then that indicates a compromise, and you can actually decrypt it by XOR with
113 00:10:17,530 --> 00:10:18,420 151.
114 00:10:19,360 --> 00:10:19,760 All right.
115 00:10:20,080 --> 00:10:31,990 So this is how you can use Bytecode Viewer and then, like a reverse engineer, unpack a jar file and
116 00:10:31,990 --> 00:10:36,250 then decode it using analysis, as we have just done.
117 00:10:37,290 --> 00:10:39,870 So I hope this was useful to you.
118 00:10:40,590 --> 00:10:41,520 Thank you for watching.