1
00:00:10,610 --> 00:00:10,960
OK.

2
00:00:10,990 --> 00:00:17,270
So in this video we're looking at two more interesting tools.

3
00:00:17,350 --> 00:00:21,010
One is PPEE and the other one is PE studio.

4
00:00:21,550 --> 00:00:31,690
So the new thing which we learned in our previous couple of tools is the way of extracting general information

5
00:00:31,690 --> 00:00:38,110
about the file, like its hash value and how to identify whether the file is packed or not.

6
00:00:38,110 --> 00:00:43,990
So whenever you're doing static analysis of any PE file, the first thing you want to know is whether it is

7
00:00:43,990 --> 00:00:45,980
packed or not. If it is not packed,

8
00:00:46,000 --> 00:00:47,710
it makes things easy for us.

9
00:00:47,710 --> 00:00:54,070
We can start using our standard analysis techniques, but if it is packed, we have to make sure that we first

10
00:00:54,160 --> 00:00:58,790
unpack the file so that we have the actual file header information.

11
00:00:58,900 --> 00:01:03,880
Only then will these tools be able to give us better information about the file's properties.

12
00:01:04,120 --> 00:01:13,000
So let's look at PPEE. Again, if you have FLARE installed, this tool will already be available on your

13
00:01:13,000 --> 00:01:13,800
machine.

14
00:01:13,870 --> 00:01:15,320
The Utilities directory.

15
00:01:15,340 --> 00:01:21,160
In fact, all the tools that we have looked at in the previous video and this video will be present inside

16
00:01:21,160 --> 00:01:23,440
the Utilities folder.

17
00:01:24,130 --> 00:01:36,230
So let's execute it. Let's drop our file. Let's try our ransomware file first.

18
00:01:36,390 --> 00:01:46,270
Now if you look at the PPEE UI, you'll see that this starting information is exactly the same as what we have looked

19
00:01:46,270 --> 00:01:48,970
at in some of our other tools and videos.

20
00:01:48,970 --> 00:01:53,760
It has information about the headers, file and sections and stuff like that.

21
00:01:53,770 --> 00:02:03,060
So this is the reason why I first went through helping you understand how to read a file format,

22
00:02:03,080 --> 00:02:09,130
so that you're not surprised by all this random information that you see when you start using these

23
00:02:09,130 --> 00:02:09,820
tools.

24
00:02:09,820 --> 00:02:15,910
So if you have a basic idea about the file format, it will be pretty easy for you to really understand what

25
00:02:15,910 --> 00:02:19,630
information these tools are trying to extract.

26
00:02:19,630 --> 00:02:29,340
Now the interesting part about PPEE is the strings it extracts from the file. So strings is a standard

27
00:02:29,350 --> 00:02:30,140
Unix command.

28
00:02:30,160 --> 00:02:35,980
You can run it against any file; you can just type strings followed by the file and it will tell you

29
00:02:36,280 --> 00:02:39,700
all the strings that it could recognize inside the file.

30
00:02:39,730 --> 00:02:47,500
So if you see here, these are the strings that the tool was able to identify in ASCII format.

31
00:02:47,500 --> 00:02:53,470
And there are a bunch of strings that the tool could identify in Unicode format.

32
00:02:53,500 --> 00:02:56,740
There are two separate sections for them.

33
00:02:56,980 --> 00:03:05,720
So here you can see some of the strings are pretty readable, like the DLL imports, user32.dll,

34
00:03:05,730 --> 00:03:10,120
kernel32.dll, but a lot of them are just random strings.

35
00:03:10,120 --> 00:03:17,740
They do not really make any sense; just because those characters are readable and exist in a defined

36
00:03:17,740 --> 00:03:18,250
order,

37
00:03:18,250 --> 00:03:22,340
that's why the tool picked them up. If you come to Unicode,

38
00:03:22,530 --> 00:03:35,150
you'll see a bunch of Unicode information, so you have linker files, temporary files, cryptographic libraries

39
00:03:35,150 --> 00:03:36,830
being used.

40
00:03:36,830 --> 00:03:44,630
Then you'll see that it's basically trying to run a SQL command: select * from Win32

41
00:03:44,630 --> 00:03:46,250
Shadow Copy.

42
00:03:46,310 --> 00:03:52,970
So if you want to know more about Shadow Copy, that would be really interesting, and if you have looked

43
00:03:52,970 --> 00:03:59,870
at ransomware files before, this much information is enough for you to understand that the file that

44
00:03:59,870 --> 00:04:08,130
you're looking at is highly likely a ransomware. If it's still not very clear to you, we'll probably

45
00:04:08,130 --> 00:04:09,400
be looking at

46
00:04:09,630 --> 00:04:14,460
another interesting aspect called suspicious.

47
00:04:14,460 --> 00:04:22,290
So what PPEE does is that it runs its own heuristics to extract a bunch of suspicious

48
00:04:24,680 --> 00:04:25,520
strings for you.

49
00:04:25,550 --> 00:04:32,640
So if you look at the strings over here, you'll see that it has extracted content type.

50
00:04:32,660 --> 00:04:40,180
This is basically information that is used when you are trying to connect to an HTTP server.

51
00:04:40,610 --> 00:04:43,990
It's also looking for antivirus products.

52
00:04:44,000 --> 00:04:54,080
It is also pinging a bunch of servers, deleting, ping command, security centers, Shadow Copy information

53
00:04:54,620 --> 00:05:00,660
and things like that. So let's go back to our Unicode strings.

54
00:05:01,050 --> 00:05:08,490
So if you keep scrolling down, you see information like it's looking for

55
00:05:11,390 --> 00:05:16,460
local settings, Internet Explorer information, local data information,

56
00:05:19,670 --> 00:05:28,450
then as you come down you'll see a string called "Encrypting whole system".

57
00:05:28,490 --> 00:05:35,120
Then another string called "encrypting specified folder in the path" parameter, and then finished.

58
00:05:35,120 --> 00:05:42,690
These strings are enough for us to identify that this executable is highly likely ransomware.

59
00:05:42,750 --> 00:05:47,750
Now I forgot to give a short explanation of ransomware.

60
00:05:47,750 --> 00:05:55,790
There is a family of malware which takes the machine hostage, either by completely locking it or

61
00:05:56,120 --> 00:06:00,620
by encrypting every file on your machine.

62
00:06:00,620 --> 00:06:07,930
It then demands ransom money in the form of cryptocurrencies, most commonly by using Bitcoin.

63
00:06:07,970 --> 00:06:14,900
So only once you make that payment would the malware authors allow you to access your machine or

64
00:06:14,900 --> 00:06:19,840
basically decrypt all the encrypted files back into readable format.

65
00:06:19,850 --> 00:06:25,720
It's a pretty well-known malware family that has been a huge problem for the security industry over

66
00:06:25,730 --> 00:06:27,950
the last five, six years.

67
00:06:28,010 --> 00:06:28,520
So

68
00:06:31,710 --> 00:06:37,650
if you come down over here, you will see that there is a ransom note, so these strings are really common

69
00:06:37,650 --> 00:06:39,150
in ransom notes.

70
00:06:39,240 --> 00:06:46,510
You'll see that it seems your file has been encrypted by RSA 2048 and the ChaCha algorithm.

71
00:06:46,560 --> 00:06:51,080
The only way to restore them is to buy the decryptor, and to buy the decryptor,

72
00:06:51,090 --> 00:06:59,040
you have to pay a certain amount of bitcoins or cryptocurrency that the ransom authors are demanding

73
00:06:59,460 --> 00:07:00,420
from you.

74
00:07:00,450 --> 00:07:05,710
They are also kind enough to share a Wikipedia link for you to read more about the file.

75
00:07:05,760 --> 00:07:11,010
So what that basically means is that they are trying to tell you that no matter what you do, you're only

76
00:07:11,010 --> 00:07:20,600
going to get your files back if you pay for the decryption keys. So that's

77
00:07:20,630 --> 00:07:24,640
a very short introduction. You can read more about ransomware.

78
00:07:24,650 --> 00:07:27,840
There are tons and tons of information available.

79
00:07:27,890 --> 00:07:34,910
The whole purpose here is to help you understand how we can use static analysis tools to really

80
00:07:34,910 --> 00:07:40,130
identify different types of traits and different types of behaviors inside the file.

81
00:07:40,190 --> 00:07:45,710
And once you start looking at all these malware more and more, that's where you start understanding

82
00:07:46,100 --> 00:07:50,260
how exactly to understand the behaviors of the file.

83
00:07:50,270 --> 00:07:55,700
In fact, if you see here, there is a string called Cmaze Ransomware. Maze ransomware family,

84
00:07:55,700 --> 00:08:01,520
basically, so that's the file which we are currently looking at. That's the ransomware

85
00:08:01,520 --> 00:08:04,480
family that this particular file belongs to.

86
00:08:08,100 --> 00:08:13,700
So URL is another specific section that the tool creates.

87
00:08:13,730 --> 00:08:20,000
So if, by running the strings command, the tool is able to extract some URLs, they will basically

88
00:08:20,000 --> 00:08:21,350
be presented here.

89
00:08:21,530 --> 00:08:29,510
Right now it could only extract http:// and %s. It means it's substituting a value

90
00:08:29,510 --> 00:08:31,270
that is defined in a different variable.

91
00:08:31,280 --> 00:08:38,320
So that's how they are putting up the value over here and calling out to this particular domain.

92
00:08:38,390 --> 00:08:44,240
If there was an actual domain over here, it's possible that it might be the command and control

93
00:08:44,240 --> 00:08:53,560
server of that ransomware. So that was about PPEE and how we can understand the malware family and

94
00:08:53,560 --> 00:08:59,530
behavior by using the static analysis tool. The last one that I want to talk about is PE studio, which is

95
00:08:59,620 --> 00:09:06,760
also one of my favorite tools because it gives us a lot more information about the file, so let's again

96
00:09:07,000 --> 00:09:10,230
drop our ransomware file over here.

97
00:09:10,270 --> 00:09:12,220
This is how it looks.

98
00:09:12,220 --> 00:09:18,950
So if you see, PE studio is still running a bunch of heuristics on top of the default.

99
00:09:19,150 --> 00:09:27,830
So the good thing about PPEE and PE studio is that they have their own heuristics, their own ways of determining

100
00:09:28,010 --> 00:09:35,870
whether the file that you're looking at is suspicious or not. So if you see here, PE studio has figured

101
00:09:35,870 --> 00:09:42,560
out that the file you just scanned has a detection ratio of sixty-three on VirusTotal.

102
00:09:42,800 --> 00:09:51,050
So VirusTotal is a web service where you can scan a file or you can search for a file hash, and

103
00:09:51,050 --> 00:09:55,190
it will tell you how many of the well-known antiviruses

104
00:09:55,190 --> 00:09:56,880
have a detection for the file.

105
00:09:56,890 --> 00:10:03,140
This is a very good way of identifying whether the file is bad or not. If all the major antivirus vendors

106
00:10:03,140 --> 00:10:11,200
are saying that, oh, this file is known malicious, then we know for certain that, okay, this is a malware file.

107
00:10:11,420 --> 00:10:16,980
So if you look at some of the detection names, it has ransomware and the ransomware family

108
00:10:16,980 --> 00:10:17,980
inside it.

109
00:10:18,080 --> 00:10:23,680
So this is also one indication of figuring out that, OK, the file that we are looking at is nothing but a

110
00:10:23,740 --> 00:10:24,620
ransomware file.

111
00:10:26,400 --> 00:10:28,530
Other than that, there is an indicators section.

112
00:10:28,560 --> 00:10:31,670
This is something really interesting that PE studio provides us.

113
00:10:31,740 --> 00:10:38,850
These are a bunch of indicators that PE studio has extracted for us. So if you see, it has strings

114
00:10:38,880 --> 00:10:42,130
which are marked as blacklisted strings.

115
00:10:42,300 --> 00:10:45,300
It also references a lot of blacklisted libraries.

116
00:10:45,300 --> 00:10:52,980
So this is the strings section and this is the libraries section, so if you go into these sections you can

117
00:10:52,980 --> 00:10:55,190
see which ones are blacklisted.

118
00:10:55,260 --> 00:11:01,260
The file is also known as bad on VirusTotal, it is also importing symbols which have been tagged

119
00:11:01,260 --> 00:11:05,270
as bad, and the file references MITRE techniques.

120
00:11:05,490 --> 00:11:13,080
So these are a bunch of indicators which PE studio used to give us a verdict that the file we are

121
00:11:13,080 --> 00:11:15,100
looking at is actually bad.

122
00:11:15,680 --> 00:11:21,150
Let us look at the Libraries section. So if you come here, you'll see that these top ones which are marked and

123
00:11:21,150 --> 00:11:27,040
set in red are the blacklisted libraries that this particular executable is using.

124
00:11:27,120 --> 00:11:33,290
So security service support provider interface, secur32.dll, net API.

125
00:11:33,330 --> 00:11:41,060
It's basically a Win32 API for using net connections. Crypto API,

126
00:11:41,080 --> 00:11:47,700
that's the one which gives us the biggest indication about the presence of ransomware on the machine,

127
00:11:47,700 --> 00:11:57,550
because this library would help you encrypt the file. In the imports table, to give you a little

128
00:11:57,550 --> 00:12:02,010
bit of context about these two, you can even follow the link.

129
00:12:03,830 --> 00:12:10,100
You could right-click on it and you can go to Search MSDN. Search MSDN basically opens up your

130
00:12:10,100 --> 00:12:10,750
browser.

131
00:12:12,070 --> 00:12:14,770
And it goes to Microsoft's

132
00:12:17,030 --> 00:12:23,750
MSDN library and it searches for this API to give you more information about why this is used.

133
00:12:24,020 --> 00:12:31,360
So this is a very good way of understanding the libraries information. MSDN is your best tool when

134
00:12:31,370 --> 00:12:37,620
you want to understand which particular Windows library is used for which specific purpose.

135
00:12:43,070 --> 00:12:54,270
Let's come to the strings section. So in the strings section, you'll see information like POST, program cannot

136
00:12:54,270 --> 00:12:58,330
run in DOS mode, then

137
00:12:58,500 --> 00:13:01,340
there are a bunch of GET and POST information,

138
00:13:04,700 --> 00:13:12,390
so these are the strings which we also saw when we were looking at PPEE. So decrypt-file.txt,

139
00:13:12,660 --> 00:13:13,380
txt.

140
00:13:13,380 --> 00:13:21,500
This is basically the ransom note file which gets created on your machine, which has all that ransom

141
00:13:21,500 --> 00:13:27,250
note information that your file has been encrypted and

142
00:13:27,260 --> 00:13:31,340
you have to buy the decryptor tool to take back your files.

143
00:13:31,610 --> 00:13:41,040
So this is where PE studio is really, really useful in understanding the behavior of files.

144
00:13:41,240 --> 00:13:47,600
Let us also try our UPX packed file in PE studio and see what it has preserved.

145
00:13:48,140 --> 00:13:52,270
So in the UPX packed file as well, you'll see similar sections.

146
00:13:52,370 --> 00:14:00,420
VirusTotal tells us all the known antiviruses which have a detection for this file,

147
00:14:00,420 --> 00:14:06,230
still calculating for other indicators and certify, you have the file headers.

148
00:14:06,240 --> 00:14:13,300
This is something which we have already seen a couple of times in the previous videos. Sections.

149
00:14:13,450 --> 00:14:15,940
It tells me that that's the entry point.

150
00:14:15,940 --> 00:14:21,680
It also has figured out that the file has the UPX packer inside it.

151
00:14:21,850 --> 00:14:26,180
It tells us what percentage of the file is bad.

152
00:14:26,210 --> 00:14:32,830
The file percentage ratio, the entry point information and a bunch of other blacklisted details that

153
00:14:32,830 --> 00:14:34,330
it could figure out from the file.

154
00:14:34,930 --> 00:14:41,200
So PE studio is also a very, very handy tool in understanding more traits and behaviors of the file.