1
00:00:00,550 --> 00:00:01,960
Hello and welcome back.

2
00:00:02,410 --> 00:00:07,960
In this lesson, I'm going to introduce you to the malware analysis process.

3
00:00:10,270 --> 00:00:19,870
The malware analysis process consists of three stages obtaining the malware and then the static analysis

4
00:00:19,870 --> 00:00:24,130
and dynamic analysis and finally doing the reporting.

5
00:00:25,130 --> 00:00:28,580
In a center module, you will find the two stages.

6
00:00:29,570 --> 00:00:37,260
The static analysis and the dynamic analysis, the static analysis is where you are analyzing Milray

7
00:00:37,370 --> 00:00:38,780
with the execution.

8
00:00:39,720 --> 00:00:46,500
Whereas in economic analysis, you are analyzing the behavior midway through execution.

9
00:00:49,780 --> 00:00:58,300
The static analysis techniques include embedded stress analysis and encrypted data analysis in the embedded

10
00:00:58,480 --> 00:00:59,650
stress analysis.

11
00:00:59,800 --> 00:01:07,720
The objective is to extract and examine groups of credible characters from the document in the encrypted

12
00:01:07,720 --> 00:01:08,690
data analysis.

13
00:01:09,040 --> 00:01:15,130
We are interested in searching the document for encrypted or encoded streams of data.

14
00:01:17,260 --> 00:01:22,150
One of the important thing is pattern and signature analysis.

15
00:01:23,170 --> 00:01:31,010
This analysis consists of finding the common patterns in embedded in inside.

16
00:01:31,150 --> 00:01:41,020
The document is so many of the modalities used the same techniques repeatedly in various attacks and

17
00:01:41,020 --> 00:01:46,040
therefore we can identify these common and repeatable patterns in your documents.

18
00:01:46,060 --> 00:01:52,900
So identifying the patterns in your technique is one of the common techniques that is no one else's.

19
00:01:54,490 --> 00:01:58,990
Once we have identified the patterns, we collect signatures to detect those attacks.

20
00:02:01,010 --> 00:02:08,720
This brings us to Yaara here is used to resonators to detect patterns and also to identify malware attacks.

21
00:02:09,350 --> 00:02:13,850
It is a robust language and use a lot among malware analysts.

22
00:02:14,960 --> 00:02:18,980
The repository of can be found in this building here.

23
00:02:19,610 --> 00:02:26,450
This contains only rules that have been written by another analysts, which we can use for identifying

24
00:02:26,750 --> 00:02:28,880
malware documents or other binaries.

25
00:02:30,050 --> 00:02:33,040
You can find out more about it from this link.

26
00:02:34,190 --> 00:02:40,280
This is the Yarra command line YAARA texta arguments and some options.

27
00:02:40,760 --> 00:02:45,630
Ruffa is the name of the cruise that you are going to use in order to scan the file.

28
00:02:46,430 --> 00:02:53,210
They'll be followed by the file that you want to scan, some of the options that are available in the

29
00:02:53,210 --> 00:03:03,140
command line, DFW, which is to turn on warning that you print tags and the print metadata and that

30
00:03:03,150 --> 00:03:05,300
has to print matching strings.

31
00:03:06,310 --> 00:03:08,920
We'll be doing some practical way.

32
00:03:09,010 --> 00:03:13,150
Will take a look at all these options as well as how to usera.

33
00:03:16,200 --> 00:03:22,530
Document files in Microsoft usually have to deal with the tension.

34
00:03:23,610 --> 00:03:26,920
So this means that the file is compressed.

35
00:03:27,500 --> 00:03:28,710
It's a kind of archive.

36
00:03:29,430 --> 00:03:37,650
There are many files, Whodini content types, ASML worth talking, Maximino the Cox e-mail and the

37
00:03:37,650 --> 00:03:39,490
binary file web projecting.

38
00:03:40,560 --> 00:03:50,430
So when you are trying to scan Microsoft geocaches document, you should be aware that you are scanning

39
00:03:50,430 --> 00:03:53,030
the archive rather than the contents.

40
00:03:53,430 --> 00:03:55,380
So that will give you a false result.

41
00:03:56,490 --> 00:04:06,780
So the intention here is to scan the binaries inside here, the VBA project being redundant to scan

42
00:04:06,780 --> 00:04:07,890
the archive itself.

43
00:04:08,670 --> 00:04:10,300
So there is something going on.

44
00:04:11,250 --> 00:04:20,100
So in order to overcome this difficulty, there is to dump the bottom is able to, I think, all the

45
00:04:20,100 --> 00:04:22,380
files within the archive.

46
00:04:23,100 --> 00:04:28,690
And it's also able to run YAARA signatures against each file within the archive.

47
00:04:29,700 --> 00:04:33,510
And this project is can be found at this website here.

48
00:04:36,530 --> 00:04:43,400
So if you are going to use Yaara to scan, you can use it in conjunction with it, no.

49
00:04:44,710 --> 00:04:52,340
So let's say we have a document, DCX, which is an archive containing all these files, Whodini.

50
00:04:52,840 --> 00:04:56,080
This is one way in which you can you sit down this time?

51
00:04:56,080 --> 00:05:02,450
Xianjun Guess why for your signature file, followed by the signature here file.

52
00:05:03,080 --> 00:05:09,070
This is your signature file and followed by the Target Microsoft document which you want to scan.

53
00:05:09,760 --> 00:05:12,880
And the analysis is metadata analysis.

54
00:05:13,450 --> 00:05:21,340
Metadata is information and what the document contained within the document you can find things like

55
00:05:21,340 --> 00:05:31,540
date and time stamps in the metadata, the language that is being used by the computer that was used

56
00:05:31,540 --> 00:05:39,580
to create the document and even the name of the author, the author of information, and as well as

57
00:05:39,580 --> 00:05:42,050
many other documents, specific information.

58
00:05:42,070 --> 00:05:42,460
So.

59
00:05:45,640 --> 00:05:53,590
Exhibit two is a common tool used to extract metadata from files, and it is found in this website.

60
00:05:54,550 --> 00:05:58,210
These are some of the output you can find from the EXIF to.

61
00:06:00,220 --> 00:06:10,440
We can show you the time the occupation title and hot information file type, the file modification,

62
00:06:11,150 --> 00:06:13,820
the creation and so on.

63
00:06:15,370 --> 00:06:22,890
So this is some of the things we doing here and doing analysis of malware documents.

64
00:06:23,380 --> 00:06:25,330
So that's all for this review.

65
00:06:25,480 --> 00:06:26,530
Thank you for watching.