1
00:00:10,960 --> 00:00:17,110
Welcome everyone to another video of the Expert Malware Analysis and Reverse Engineering course. In this video

2
00:00:17,290 --> 00:00:24,300
we are going to analyze email headers, which is a part of our delivery phase. To begin the analysis,

3
00:00:24,310 --> 00:00:34,390
let's head to our Windows VM. Here are a bunch of malicious email examples that I want to share

4
00:00:34,390 --> 00:00:36,610
with you all today.

5
00:00:36,880 --> 00:00:42,240
So the first one is in .msg format and the next two are .eml.

6
00:00:42,250 --> 00:00:44,850
They both are standard e-mail formats.

7
00:00:44,980 --> 00:00:52,120
I'll be using Microsoft Outlook in order to view these three emails. To have Microsoft Outlook on your

8
00:00:52,120 --> 00:00:52,510
machine

9
00:00:52,510 --> 00:00:55,300
you should have the Microsoft Office package installed.

10
00:00:55,390 --> 00:00:59,020
You can find more details about it on Microsoft's website.

11
00:00:59,020 --> 00:01:01,930
If you don't want to use Microsoft, there are other options as well.

12
00:01:01,930 --> 00:01:12,740
For example, you can use open email clients like Thunderbird. So let us look at the first e-mail here.

13
00:01:13,900 --> 00:01:18,130
So if I launch it in Outlook, this is what I see.

14
00:01:18,130 --> 00:01:21,230
I see that the e-mail comes from account payable.

15
00:01:21,250 --> 00:01:28,960
It has been sent to this particular person and the message says that "please find enclosed statement

16
00:01:28,960 --> 00:01:32,420
of account and due balance as requested."

17
00:01:33,230 --> 00:01:39,080
So there is an attachment as well, which says current_statement_of_account.xls.

18
00:01:39,080 --> 00:01:44,060
So if you remember from our previous slide, we said that to analyze an email the first thing that you

19
00:01:44,060 --> 00:01:49,160
should look at would be the sender and the sender's email address. The sender

20
00:01:49,160 --> 00:01:54,470
here is account_payable and the e-mail address is registered with yahoo.com.

21
00:01:54,470 --> 00:01:59,990
So this definitely seems suspicious; it doesn't seem like something that is coming from your own accounts

22
00:01:59,990 --> 00:02:06,770
department. Plus it has a suspicious attachment as well, an Excel file.

23
00:02:06,960 --> 00:02:15,780
So Outlook has a pretty cool feature of previewing your Office formats like XLS or DOC

24
00:02:16,320 --> 00:02:17,470
or PPT.

25
00:02:17,550 --> 00:02:23,030
So we can basically click on this attachment and we can look at a preview of the file.

26
00:02:23,280 --> 00:02:28,960
It's not really executing the file, but it's just loading it within the Outlook environment.

27
00:02:29,040 --> 00:02:32,710
So it seems like this is an Excel sheet.

28
00:02:32,710 --> 00:02:39,600
It has three sheets and it's basically saying that this document was created with an earlier version

29
00:02:39,600 --> 00:02:46,890
of Windows, a macro is required to view the document, and it asks you to enable the macros.

30
00:02:46,890 --> 00:02:54,720
Now this is a kind of technique that the attackers have been using to enable macros in your Office environment.

31
00:02:54,900 --> 00:02:58,040
We'll be understanding this in a bit more detail

32
00:02:58,050 --> 00:03:05,990
once we start analyzing these particular malicious files. Let us come back to our email again.

33
00:03:06,030 --> 00:03:10,570
So if you remember, we also talked about analyzing e-mail headers.

34
00:03:10,740 --> 00:03:16,830
So in Outlook you can get the e-mail headers by simply clicking on this small "down" arrow here, which gives

35
00:03:16,830 --> 00:03:19,140
you all the message options.

36
00:03:19,200 --> 00:03:27,990
So once you click here you'll see the internet headers; you can just copy the entire thing,

37
00:03:28,690 --> 00:03:30,720
open it in Notepad,

38
00:03:35,040 --> 00:03:36,180
paste it here.

39
00:03:36,180 --> 00:03:39,470
So here we can see the complete e-mail header.

40
00:03:39,480 --> 00:03:49,760
Let us quickly parse through it and understand it. So the first line says that it was received from friterm.com.

41
00:03:49,760 --> 00:03:57,800
So this is basically the recipient organization and that's its particular e-mail exchange server

42
00:03:57,890 --> 00:04:07,290
where the email was received. Then it has some details about timestamps, and if you go further down you'll

43
00:04:07,290 --> 00:04:12,960
have more information about where that e-mail got received.

44
00:04:13,020 --> 00:04:16,880
And there is some information about the hosting of that particular e-mail.

45
00:04:17,160 --> 00:04:25,650
And you see the e-mail has been sent to this particular e-mail address and it has been sent from this

46
00:04:25,650 --> 00:04:27,350
user and e-mail.

47
00:04:27,660 --> 00:04:30,930
That's the information about when the e-mail was sent.

48
00:04:31,050 --> 00:04:37,350
And then there is the hash digest of the e-mail. Scrolling down you'll see some Exchange information,

49
00:04:37,380 --> 00:04:45,070
which is pretty much the Exchange headers that are appended by the company's e-mail exchange service.

50
00:04:45,270 --> 00:04:47,490
So this is how we located the e-mail headers.

51
00:04:47,490 --> 00:04:55,920
And this is more like the raw information that gets added to a given e-mail when it bounces through

52
00:04:55,920 --> 00:05:04,200
multiple exchanges or when it gets resolved to the location where it could get delivered.

53
00:05:04,200 --> 00:05:07,360
at our second example here.

54
00:05:07,380 --> 00:05:12,400
So if you look at the second e-mail, again it has been sent by someone named Maria.

55
00:05:12,630 --> 00:05:14,560
That's the e-mail address.

56
00:05:14,700 --> 00:05:19,830
And there is an attachment called inquiry_rfq.doc.

57
00:05:19,830 --> 00:05:23,870
So this time there is a doc file which is an attachment, and it's a pretty long e-mail.

58
00:05:23,870 --> 00:05:27,950
There are a lot of things in this e-mail where they're talking about some business dealings and all

59
00:05:27,970 --> 00:05:28,670
those things.

60
00:05:28,860 --> 00:05:35,880
So these are some of the ways that the attackers implement to create a very unique e-mail so that it

61
00:05:35,880 --> 00:05:43,920
doesn't look like it was just randomly sent. It tries to incorporate as much originality

62
00:05:43,920 --> 00:05:44,790
as possible.

63
00:05:47,200 --> 00:05:49,860
Let us look at the e-mail headers here as well.

64
00:05:53,200 --> 00:05:58,650
So again we have pretty much similar information: where that e-mail came from, whom it got delivered

65
00:05:58,660 --> 00:05:59,210
to.

66
00:05:59,340 --> 00:06:01,660
And there is MIME version information.

67
00:06:01,690 --> 00:06:03,840
Then there is the e-mail digest.

68
00:06:04,270 --> 00:06:09,280
And if you come down, there is some interesting information in this case.

69
00:06:09,370 --> 00:06:18,080
If you see, there is a User-Agent which tells us about the particular e-mail client that was used, then

70
00:06:18,090 --> 00:06:20,890
there is Anti-Abuse information as well.

71
00:06:21,180 --> 00:06:27,180
So if your exchange was able to detect that this e-mail doesn't seem to be coming from where it claims,

72
00:06:27,270 --> 00:06:31,350
then it basically adds an anti-abuse header into the e-mail.

73
00:06:31,380 --> 00:06:39,060
This basically keeps track of any abusive e-mails that the e-mail client thinks got delivered into your

74
00:06:39,060 --> 00:06:41,510
network.

75
00:06:41,530 --> 00:06:48,770
So it seems that the primary hostname of the abused e-mail is this, and the original domain from where

76
00:06:48,790 --> 00:06:55,150
this email has been sent is firstampumps.com.

77
00:06:55,390 --> 00:07:02,490
So this is the information that the e-mail exchange service has appended to this e-mail.

78
00:07:03,010 --> 00:07:10,290
If you come all the way to the bottom, it says that the sender did not meet the SPF rules.

79
00:07:10,690 --> 00:07:14,180
That's why this e-mail was classified as spam.

80
00:07:14,530 --> 00:07:18,040
So it's important to understand what exactly SPF means here.