1
00:00:00,490 --> 00:00:02,080
Hello and welcome back.

2
00:00:02,500 --> 00:00:12,770
In this particular lesson, we will take a look at how we can try to manually deobfuscate this shellcode

3
00:00:13,420 --> 00:00:18,900
or this JavaScript, which we have extracted from that PDF.

4
00:00:20,080 --> 00:00:30,500
We will first try to do it manually and then we will use SpiderMonkey to try to extract it.

5
00:00:31,390 --> 00:00:37,780
So as you can see from the previous lesson, typically

6
00:00:39,260 --> 00:00:50,050
obfuscation can be any of these four or a combination. As you can see, the random name has no meaning,

7
00:00:50,960 --> 00:00:54,320
and then here you see an escape function.

8
00:00:55,260 --> 00:01:02,260
In JavaScript, unescape is used to decode sequences of encoded strings like this.

9
00:01:02,730 --> 00:01:12,840
So in here you can see %u, and this signifies that these are all Unicode, and unescape is intended

10
00:01:12,840 --> 00:01:13,880
to decode it.

11
00:01:14,490 --> 00:01:16,870
So this suggests that this could be shellcode.

12
00:01:17,790 --> 00:01:29,460
So because we expect this to be shellcode, we can rename this part here to a meaningful name, so right-click,

13
00:01:30,060 --> 00:01:33,930
change all occurrences, and call it shellcode.

14
00:01:36,030 --> 00:01:42,770
And now when you're running this, you will see the same thing: we renamed all the occurrences.

15
00:01:43,920 --> 00:01:49,530
And then the second line here, you can see that this is a NOP sled.

16
00:01:50,640 --> 00:02:00,050
An unescaped %u9090, and a NOP sled is using 0x90, the NOP opcode, and you can read all about it

17
00:02:01,920 --> 00:02:12,730
even by Googling for it. A NOP sled is a sequence of instructions meant to slide the instruction

18
00:02:12,770 --> 00:02:16,580
execution flow to its final destination.
19
00:02:17,400 --> 00:02:24,960
You don't really need to know this detail, but whenever you see %u9090 like this being added to the

20
00:02:24,960 --> 00:02:29,580
unescape, you can be sure that this is most probably a NOP sled.

21
00:02:30,780 --> 00:02:37,580
So if you suspect this to be a NOP sled, we can just rename this to something meaningful; theoretically it

22
00:02:37,580 --> 00:02:40,890
can be any name, and you can call it nopsled.

23
00:02:43,400 --> 00:02:48,290
Right-click and change all occurrences, and call it nopsled.

24
00:02:51,200 --> 00:02:55,990
And here you can put it down into another line, so it becomes more readable.

25
00:02:57,920 --> 00:03:05,120
And over here you can see that this variable is holding 20 plus the shellcode length.

26
00:03:05,130 --> 00:03:07,010
So we can rename this as well.

27
00:03:07,700 --> 00:03:16,580
So right-click, change all occurrences, call it shellcode plus 20.

28
00:03:19,870 --> 00:03:27,450
And then down here, you can see further that there's a while loop trying to build the sled, to build

29
00:03:27,460 --> 00:03:29,800
a sled by adding up NOP sleds.

30
00:03:31,240 --> 00:03:34,990
Now, if you keep looking further, you will see another while loop over here.

31
00:03:35,620 --> 00:03:46,210
And this while loop is taking this data here and is trying to do self-concatenation over here, as you can see.

32
00:03:46,600 --> 00:03:51,190
And it takes this data and appends it to itself again.

33
00:03:51,640 --> 00:04:01,850
And this is quite typical in constructing a sled, and in exploits sleds are normally being used.

34
00:04:02,440 --> 00:04:11,700
So the purpose of this is so that when this runs, you do not need to return to an exact address, but it is sufficient

35
00:04:11,770 --> 00:04:18,930
to land anywhere in the NOPs that we injected using the sled. Obviously you don't need to know that

36
00:04:18,940 --> 00:04:25,240
in detail, but just enough to understand what it means, what it is trying to do.
37
00:04:25,480 --> 00:04:27,640
And that should be sufficient.

38
00:04:28,480 --> 00:04:35,110
So this is the manual way we are trying to deal with JavaScript which is obfuscated.

39
00:04:35,470 --> 00:04:36,960
But there is an easier way.

40
00:04:37,000 --> 00:04:43,480
Instead of going through this line by line trying to make sense of it, we can allow this to execute and try

41
00:04:43,480 --> 00:04:45,900
to let it deobfuscate itself.

42
00:04:46,390 --> 00:04:54,010
So to do that, you can use the tool which I introduced to you in the previous lesson, which is the modified

43
00:04:54,010 --> 00:04:55,500
SpiderMonkey.

44
00:04:56,650 --> 00:05:04,930
So let us open a terminal here and go to the location of the malware.

45
00:05:10,730 --> 00:05:22,550
And then over here, this is our target JavaScript; we can use our modified SpiderMonkey to directly

46
00:05:22,790 --> 00:05:27,950
run the JavaScript file.

47
00:05:32,520 --> 00:05:35,390
All right, so we see nothing happening immediately.

48
00:05:35,480 --> 00:05:37,340
So why does that happen?

49
00:05:37,740 --> 00:05:41,610
That happens because this JavaScript does not have an entry point.

50
00:05:42,240 --> 00:05:45,170
This is a function, but nothing is calling the function.

51
00:05:45,570 --> 00:05:53,220
So we can write our own function call inside here to do that, and we can just copy this line

52
00:05:55,830 --> 00:06:00,740
and put it down here, add a semicolon and save.

53
00:06:03,210 --> 00:06:05,630
Now we can run it again and see what happens.

54
00:06:06,880 --> 00:06:13,750
So this time it is trying to execute it, and you get a reference error here that something is not defined, so this call

55
00:06:13,810 --> 00:06:17,380
is coming from line 930: Collab is not defined.

56
00:06:19,470 --> 00:06:21,460
OK, so that is quite OK.

57
00:06:21,930 --> 00:06:26,940
The important thing is we are trying to get the shellcode here and see what it actually is.
58
00:06:27,420 --> 00:06:36,630
So what we can do is introduce an additional line of code here to dump the memory content after

59
00:06:36,630 --> 00:06:43,630
this thing has been decoded, so we can do document.write followed by the shellcode.

60
00:06:43,650 --> 00:06:51,210
So now we save it and we come back here and we execute the command.

61
00:06:56,960 --> 00:07:02,780
All right, this time we do a listing and we see that there are new files being created: write

62
00:07:02,780 --> 00:07:03,680
bin log, write

63
00:07:03,680 --> 00:07:05,100
log and write ulog.

64
00:07:05,480 --> 00:07:14,000
So these three files contain the binary representation of the shellcode and the ASCII representation,

65
00:07:14,000 --> 00:07:16,580
as well as a Unicode representation.

66
00:07:18,370 --> 00:07:25,300
And these three files are coming from this instruction here: document.write shellcode.

67
00:07:27,810 --> 00:07:35,490
We will first take a look at the binary version of the shellcode, so to do that, we can examine it in

68
00:07:35,490 --> 00:07:38,340
hexdump, hexdump

69
00:07:40,650 --> 00:07:45,360
with the option so that we can see the ASCII representation as well,

70
00:07:49,530 --> 00:07:54,910
enter, and you see, this is the content of the binary of the shellcode.

71
00:07:55,410 --> 00:08:02,460
So on top here you see all the executable instructions in native format.

72
00:08:02,820 --> 00:08:05,100
And down here you will see something interesting.

73
00:08:06,870 --> 00:08:11,550
An HTTP URL, and this could be the indicator of compromise

74
00:08:12,000 --> 00:08:13,200
that you go looking for.

75
00:08:13,500 --> 00:08:21,810
So indicators of compromise is a term that refers to some evidence or proof

76
00:08:21,980 --> 00:08:25,870
that the machine has been infected by malware.

77
00:08:26,280 --> 00:08:27,860
So this is a good sign.
78
00:08:29,230 --> 00:08:36,010
All right, now, this is pretty hard to read, so we can run a command on the binary file,

79
00:08:36,050 --> 00:08:44,880
so strings write bin log, and it pulls all the strings it finds in the binary file.

80
00:08:45,400 --> 00:08:54,250
And as you can see clearly here, this is the URL that this shellcode is trying to reach

81
00:08:54,250 --> 00:09:01,720
out to, and when it runs it is probably trying to reach out to this URL and download the secondary payload

82
00:09:02,530 --> 00:09:04,060
for this malware.

83
00:09:04,690 --> 00:09:12,340
And this is good enough for us to conclude that this is an indicator of compromise.

84
00:09:12,730 --> 00:09:21,220
And we can go ahead and look now in our organization to see if anybody has already reached out to this

85
00:09:21,220 --> 00:09:21,700
website.

86
00:09:22,000 --> 00:09:27,580
And you can even put a firewall rule in place to block access to this website.

87
00:09:28,390 --> 00:09:37,450
And that should be good enough to conclude this analysis, so that we have successfully done the analysis

88
00:09:37,450 --> 00:09:40,870
for this malware document.

89
00:09:42,190 --> 00:09:43,390
Thank you for watching.

90
00:09:43,660 --> 00:09:44,970
I'll see you in the next one.