1 00:00:00,550 --> 00:00:01,960 Hello and welcome back.
2 00:00:02,410 --> 00:00:07,960 In this lesson, I'm going to introduce you to the malware analysis process.
3 00:00:10,270 --> 00:00:19,870 The malware analysis process consists of three stages: obtaining the malware, and then the static analysis
4 00:00:19,870 --> 00:00:24,130 and dynamic analysis, and finally doing the reporting.
5 00:00:25,130 --> 00:00:28,580 In the center module, you will find the two stages,
6 00:00:29,570 --> 00:00:37,260 the static analysis and the dynamic analysis. The static analysis is where you are analyzing malware
7 00:00:37,370 --> 00:00:38,780 without execution,
8 00:00:39,720 --> 00:00:46,500 whereas in dynamic analysis, you are analyzing the behavior of the malware through execution.
9 00:00:49,780 --> 00:00:58,300 The static analysis techniques include embedded strings analysis and encrypted data analysis. In the embedded
10 00:00:58,480 --> 00:00:59,650 strings analysis,
11 00:00:59,800 --> 00:01:07,720 the objective is to extract and examine groups of readable characters from the document. In the encrypted
12 00:01:07,720 --> 00:01:08,690 data analysis,
13 00:01:09,040 --> 00:01:15,130 we are interested in searching the document for encrypted or encoded streams of data.
14 00:01:17,260 --> 00:01:22,150 One of the important things is pattern and signature analysis.
15 00:01:23,170 --> 00:01:31,010 This analysis consists of finding the common patterns embedded inside
16 00:01:31,150 --> 00:01:41,020 the document. This is because many of the malware authors use the same techniques repeatedly in various attacks, and
17 00:01:41,020 --> 00:01:46,040 therefore we can identify these common and repeatable patterns in the documents.
18 00:01:46,060 --> 00:01:52,900 So identifying the patterns in a document is one of the commonly used techniques.
19 00:01:54,490 --> 00:01:58,990 Once we have identified the patterns, we create signatures to detect those attacks.
20 00:02:01,010 --> 00:02:08,720 This brings us to YARA. YARA is used to write signatures to detect patterns and also to identify malware attacks.
21 00:02:09,350 --> 00:02:13,850 It is a robust language and is used a lot among malware analysts.
22 00:02:14,960 --> 00:02:18,980 The repository of YARA rules can be found at this link here.
23 00:02:19,610 --> 00:02:26,450 This contains YARA rules that have been written by other analysts, which we can use for identifying
24 00:02:26,750 --> 00:02:28,880 malware documents or other binaries.
25 00:02:30,050 --> 00:02:33,040 You can find out more about it from this link.
26 00:02:34,190 --> 00:02:40,280 This is the YARA command line: yara takes arguments and some options.
27 00:02:40,760 --> 00:02:45,630 RULES_FILE is the name of the rules file that you are going to use in order to scan the file.
28 00:02:46,430 --> 00:02:53,210 That will be followed by the file that you want to scan. Some of the options that are available in the
29 00:02:53,210 --> 00:03:03,140 command line are -w, which controls warnings; -g, which prints tags; -m, which prints metadata; and -s, which
30 00:03:03,150 --> 00:03:05,300 prints the matching strings.
31 00:03:06,310 --> 00:03:08,920 We'll be doing some practicals where
32 00:03:09,010 --> 00:03:13,150 we'll take a look at all these options as well as how to use YARA.
33 00:03:16,200 --> 00:03:22,530 Document files in Microsoft Office usually have the .docx extension.
34 00:03:23,610 --> 00:03:26,920 So this means that the file is compressed.
35 00:03:27,500 --> 00:03:28,710 It's a kind of archive.
36 00:03:29,430 --> 00:03:37,650 There are many files within it: the content types XML, the Word document XML, and the
37 00:03:37,650 --> 00:03:39,490 binary file, the VBA project.
38 00:03:40,560 --> 00:03:50,430 So when you are trying to scan a Microsoft .docx document, you should be aware that you are scanning
39 00:03:50,430 --> 00:03:53,030 the archive rather than the contents.
40 00:03:53,430 --> 00:03:55,380 So that will give you a false result.
41 00:03:56,490 --> 00:04:06,780 So the intention here is to scan the binaries inside here, the VBA project, rather than scanning
42 00:04:06,780 --> 00:04:07,890 the archive itself.
43 00:04:08,670 --> 00:04:10,300 So there is something going on.
44 00:04:11,250 --> 00:04:20,100 So in order to overcome this difficulty, there is a tool that is able to dump all the
45 00:04:20,100 --> 00:04:22,380 files within the archive.
46 00:04:23,100 --> 00:04:28,690 And it's also able to run YARA signatures against each file within the archive.
47 00:04:29,700 --> 00:04:33,510 And this project can be found at this website here.
48 00:04:36,530 --> 00:04:43,400 So if you are going to use YARA to scan, you can use it in conjunction with this tool.
49 00:04:44,710 --> 00:04:52,340 So let's say we have a document, a .docx, which is an archive containing all these files within it.
50 00:04:52,840 --> 00:04:56,080 This is one way in which you can use it:
51 00:04:56,080 --> 00:05:02,450 the tool name, the option for your signature file, followed by the signature file.
52 00:05:03,080 --> 00:05:09,070 This is your signature file, followed by the target Microsoft document which you want to scan.
53 00:05:09,760 --> 00:05:12,880 And the next analysis is metadata analysis.
54 00:05:13,450 --> 00:05:21,340 Metadata is information about the document contained within the document. You can find things like
55 00:05:21,340 --> 00:05:31,540 date and time stamps in the metadata, the language that is being used by the computer that was used
56 00:05:31,540 --> 00:05:39,580 to create the document, and even the name of the author, the author information, as well as
57 00:05:39,580 --> 00:05:42,050 many other document-specific pieces of information.
58 00:05:42,070 --> 00:05:42,460 So.
59 00:05:45,640 --> 00:05:53,590 ExifTool is a common tool used to extract metadata from files, and it is found on this website.
60 00:05:54,550 --> 00:05:58,210 These are some of the outputs you can get from ExifTool.
61 00:06:00,220 --> 00:06:10,440 It can show you the time, the application, the title and other information: the file type, the file modification,
62 00:06:11,150 --> 00:06:13,820 the creation, and so on.
63 00:06:15,370 --> 00:06:22,890 So these are some of the things we are doing here when doing analysis of malware documents.
64 00:06:23,380 --> 00:06:25,330 So that's all for this lesson.
65 00:06:25,480 --> 00:06:26,530 Thank you for watching.
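As an added example that is not from the course or from any tool it mentions: a small Python script that builds a docx-like archive in memory, scans the raw archive bytes, and then unpacks the archive and scans each member separately, the way the lesson describes dumping the files inside the .docx and running YARA rules against each one. It also pulls printable strings out of a member, the embedded-strings analysis described earlier in the lesson. The member names mirror the real Office Open XML layout, but the file contents, the marker string and the two "signatures" are constructed, and plain regular expressions stand in for YARA's own string matching so the script runs without a YARA installation.

```python
"""Scan the members of a .docx archive rather than the archive itself.

Added example, not code from the course or any tool it mentions. The archive,
its contents and the two signature patterns are constructed for illustration;
regexes stand in for YARA string matching so the script runs without YARA.
"""
from __future__ import annotations

import io
import re
import zipfile


def build_sample_docx() -> bytes:
    """Constructed docx-like zip. Member names follow the Office Open XML
    layout; the content is made up, including the marker the rule looks for."""
    members = {
        "[Content_Types].xml": (
            b'<?xml version="1.0" encoding="UTF-8"?>\n'
            b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">\n'
            b'  <Override PartName="/word/document.xml" ContentType="application/xml"/>\n'
            b'  <Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>\n'
            b"</Types>\n"
        ),
        "word/document.xml": (
            b'<?xml version="1.0" encoding="UTF-8"?>\n'
            b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">\n'
            b"  <w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p></w:body>\n"
            b"</w:document>\n"
        ),
        # Stand-in for the VBA project stream: binary padding around a few
        # readable strings, one of which is the constructed marker.
        "word/vbaProject.bin": (
            b"\x00\x01\x02\x03" * 8
            + b'Attribute VB_Name = "ThisDocument"\r\nSub AutoOpen()\r\n'
            + b"\x7f\x80\x81" * 4
            + b"CONSTRUCTED_SUSPICIOUS_MARKER\r\nEnd Sub\r\n"
            + b"\x00" * 16
        ),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed "rule": named byte patterns, listed the way a YARA rule lists
# its strings. AutoOpen is the VBA auto-execution procedure name; the second
# pattern is an invented marker so the example has a guaranteed hit.
SIGNATURES = {
    "vba_auto_exec": re.compile(rb"Sub\s+AutoOpen\s*\("),
    "constructed_marker": re.compile(rb"CONSTRUCTED_SUSPICIOUS_MARKER"),
}


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Embedded-strings analysis: runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def scan_bytes(data: bytes, signatures=SIGNATURES) -> list[str]:
    """Names of the signatures whose pattern occurs anywhere in data."""
    return sorted(name for name, pat in signatures.items() if pat.search(data))


def scan_archive_members(archive: bytes, signatures=SIGNATURES) -> dict[str, list[str]]:
    """Unpack the archive in memory and scan every member on its own.

    This is the step the lesson describes: dump the files inside the .docx
    and run the rules against each one, because the raw archive holds only
    the deflated bytes and the patterns are not visible in it.
    """
    hits = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            matched = scan_bytes(zf.read(info.filename), signatures)
            if matched:
                hits[info.filename] = matched
    return hits


if __name__ == "__main__":
    doc = build_sample_docx()
    print("raw archive:", scan_bytes(doc) or "no matches (members are compressed)")
    print("per member: ", scan_archive_members(doc))
    with zipfile.ZipFile(io.BytesIO(doc)) as zf:
        print("strings in vbaProject.bin:", extract_strings(zf.read("word/vbaProject.bin")))
```

Running the script shows the false negative the lesson warns about: the rule finds nothing in the archive bytes, because DEFLATE has transformed the member contents, while the per-member scan reports both patterns in `word/vbaProject.bin`. Swapping `scan_bytes` for a call into yara-python would give the same structure with real YARA rules.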