1
00:00:01,440 --> 00:00:09,450
A review of the result from a variety of sources has indicated that the process of 1956 and the associated

2
00:00:09,450 --> 00:00:16,530
executable reader cell that has the process either 228 suspected of containing malware.

3
00:00:16,530 --> 00:00:24,780
So hands up reader as and while the data thus far is very useful, it is often necessary to obtain confirmation

4
00:00:24,780 --> 00:00:29,550
from external sources that the executable in question is malicious.

5
00:00:29,670 --> 00:00:36,990
So this can include something as simple as checking the hash of the executable against third party sources

6
00:00:36,990 --> 00:00:42,660
all the way to forwarding the executable to a malware reverse engineering team.

7
00:00:42,780 --> 00:00:50,190
So to cure the executable from the memory image, utilize the process process.

8
00:00:50,190 --> 00:00:52,980
This means process and dump means dump here.

9
00:00:52,980 --> 00:00:57,600
So you're going to use we're going to use the process dump plugin.

10
00:00:57,600 --> 00:01:04,330
And yeah, its actual syntax in Volatility is pretty much the same as the previous dump processes,

11
00:01:04,690 --> 00:01:07,600
which is the following command here.

12
00:01:07,600 --> 00:01:10,360
As you can see here, it is the same actually.

13
00:01:10,360 --> 00:01:12,010
So we're not going to choose another.

14
00:01:13,590 --> 00:01:13,920
Here.

15
00:01:15,280 --> 00:01:17,430
I want to see another list here.

16
00:01:17,850 --> 00:01:22,860
So in this case, we're going to just list the.

17
00:01:23,100 --> 00:01:23,760
Okay.

18
00:01:25,580 --> 00:01:26,210
Uh, list.

19
00:01:27,770 --> 00:01:28,060
List.

20
00:01:28,070 --> 00:01:28,580
Yeah.

21
00:01:29,050 --> 00:01:30,470
Uh, list.

22
00:01:31,430 --> 00:01:32,150
As you can see.

23
00:01:32,180 --> 00:01:32,780
Oops.

24
00:01:32,810 --> 00:01:33,500
Why?

25
00:01:35,780 --> 00:01:37,970
Oh, yeah, that's because of this.
26
00:01:43,850 --> 00:01:50,450
And as you can see, the reader is 228 one, the 1956.

27
00:01:50,870 --> 00:01:53,290
And yeah, let's dump it.

28
00:01:54,230 --> 00:01:55,250
Dump it here.

29
00:01:59,580 --> 00:02:03,200
So clear here.

30
00:02:03,210 --> 00:02:09,570
We're going to use the proc TAM process stamp P or proc.

31
00:02:10,260 --> 00:02:13,110
Proc dump.

32
00:02:15,000 --> 00:02:15,630
Yeah.

33
00:02:16,690 --> 00:02:18,220
The dumpster is the same.

34
00:02:18,250 --> 00:02:26,440
The process virtual memory is the same, but the process we're going to also dump the executable like the

35
00:02:26,440 --> 00:02:27,460
explorer.exe.

36
00:02:28,210 --> 00:02:34,720
But now in this case, we're going to just dump the reader SSL that that's the main malware, the main

37
00:02:34,720 --> 00:02:36,850
executable that contains malware here.

38
00:02:37,510 --> 00:02:38,170
Okay.

39
00:02:38,170 --> 00:02:40,390
So in there.

40
00:02:42,620 --> 00:02:43,160
Okay.

41
00:02:43,160 --> 00:02:48,740
As you can see, executable 228 dot x is dumped named reader.sl.

42
00:02:49,040 --> 00:02:52,670
And yeah, let's open this up here.

43
00:02:52,700 --> 00:02:54,800
Desktop volatility.

44
00:02:54,860 --> 00:02:55,880
Volatility.

45
00:02:56,150 --> 00:02:56,720
Yeah.

46
00:02:56,720 --> 00:02:58,550
Let's see what's what's in here.

47
00:02:58,790 --> 00:03:00,740
Executable dump is dumped here.

48
00:03:00,740 --> 00:03:02,450
And let's change the numbers.

49
00:03:02,450 --> 00:03:04,850
So change the name.

50
00:03:05,010 --> 00:03:05,180
Okay.

51
00:03:05,220 --> 00:03:07,730
0010001.

52
00:03:07,730 --> 00:03:08,510
Here.

53
00:03:09,050 --> 00:03:10,700
Um, like, name it.

54
00:03:11,900 --> 00:03:12,870
Read, Russell.

55
00:03:14,210 --> 00:03:15,250
Reader sl.

56
00:03:16,290 --> 00:03:16,740
Thump.

57
00:03:19,020 --> 00:03:21,540
Okay, this is reader dump Excel file.

58
00:03:22,380 --> 00:03:23,010
So.
59
00:03:23,010 --> 00:03:25,230
So make sure that you don't open this file.

60
00:03:25,280 --> 00:03:30,330
You don't want to, like, infect your computer with these files, but they're actually pretty like

61
00:03:30,330 --> 00:03:32,310
old malware.

62
00:03:32,340 --> 00:03:35,220
It's probably your antivirus program will

63
00:03:36,270 --> 00:03:37,050
notify it.

64
00:03:37,050 --> 00:03:42,810
Or, uh, probably this malware will not work on the Windows 10 or newer versions because they are

65
00:03:42,840 --> 00:03:45,360
written for the Windows XP Service Pack two.

66
00:03:45,780 --> 00:03:49,920
Let's make sure, like, uh, who wants to get their PC infected?

67
00:03:50,370 --> 00:03:53,640
So, as you can see, we check the folder we have.

68
00:03:53,640 --> 00:03:56,760
Like, we dumped the dump.

69
00:03:56,790 --> 00:03:58,590
We dumped the executable.

70
00:03:59,580 --> 00:04:00,210
Uh, yeah.

71
00:04:00,210 --> 00:04:04,500
We dump the Explorer dot exe and reader dump malicious.

72
00:04:04,500 --> 00:04:09,690
As you can see, this is a pretty big file because we dumped the whole Explorer file.

73
00:04:09,690 --> 00:04:15,690
And inside this explorer, there is a little, uh, little dump here, But I just wanted to.

74
00:04:15,720 --> 00:04:20,010
But we actually can also use the dump.

75
00:04:20,190 --> 00:04:21,360
Uh, no, we don't want to.

76
00:04:22,080 --> 00:04:22,180
We.

77
00:04:22,310 --> 00:04:24,690
We want to do the.

78
00:04:27,010 --> 00:04:27,310
Now.

79
00:04:27,310 --> 00:04:27,940
It's okay.

80
00:04:28,450 --> 00:04:33,700
Yeah, we don't have to because we already dumped the Explorer dot exe here.

81
00:04:33,940 --> 00:04:41,650
So once the files have been acquired here, they can be analyzed for malware either by the incident

82
00:04:41,650 --> 00:04:44,740
response team or through a separate malware analysis team.
83
00:04:44,740 --> 00:04:51,460
So these files will make up a significant portion of the analysis in previous in actually in next lectures.

84
00:04:51,460 --> 00:04:59,380
So in the next lecture we're going to do an analysis of the files for further investigation and yeah.

85
00:05:01,250 --> 00:05:05,320
I'm gonna in the next lecture, we're going to analyze these files.

86
00:05:05,330 --> 00:05:06,650
So that's it.

87
00:05:06,650 --> 00:05:07,850
About this section.

88
00:05:08,030 --> 00:05:10,790
You have successfully completed this section.

89
00:05:11,060 --> 00:05:16,550
Actually I'm going to day after this lecture, you're going to have a practice test with which you can test

90
00:05:16,550 --> 00:05:17,540
your practices.

91
00:05:17,750 --> 00:05:20,990
It's going to probably have ten questions or more.

92
00:05:21,290 --> 00:05:26,570
So if you like this course, make sure, like, uh, give the reviews.

93
00:05:26,750 --> 00:05:29,960
And I, I it's like it will make me happy.

94
00:05:30,290 --> 00:05:32,030
So thank you for watching.

95
00:05:32,030 --> 00:05:37,610
And yeah, in the next lecture, we're going to analyze these files or yeah, we can actually, uh, do

96
00:05:37,610 --> 00:05:39,830
more acquisition process.

97
00:05:39,830 --> 00:05:43,760
But in the next lecture, mainly in the next section, we're going to analyze these files.

98
00:05:43,760 --> 00:05:44,990
So goodbye.