1
00:00:00,490 --> 00:00:02,080
Hello and welcome back.

2
00:00:02,500 --> 00:00:12,770
In this particular lapsation, we will take a look at how we can try to manually obfuscate this Chalco

3
00:00:13,420 --> 00:00:18,900
or these JavaScript, which we have extracted from that PDF.

4
00:00:20,080 --> 00:00:30,500
We will first try to do it manually and then we will use the spider monkey to try to extract it.

5
00:00:31,390 --> 00:00:37,780
So as you can see from the previous Neston, typically.

6
00:00:39,260 --> 00:00:50,050
Obfuscation can be any of these four or in combination, as you can see, the random name has no meaning,

7
00:00:50,960 --> 00:00:54,320
and then here you see an escape function.

8
00:00:55,260 --> 00:01:02,260
In JavaScript, Unnice is used to decode sequences of encoded strings like this.

9
00:01:02,730 --> 00:01:12,840
So in here you can see device and this signifies that these are all Unicode and kind of skip is intended

10
00:01:12,840 --> 00:01:13,880
to decode it.

11
00:01:14,490 --> 00:01:16,870
So this suggests that this could be Chalco.

12
00:01:17,790 --> 00:01:29,460
So because we expect this to be Shakal, we can rename this part here as a meaningful name, so radically

13
00:01:30,060 --> 00:01:33,930
change our occurences and Chalco.

14
00:01:36,030 --> 00:01:42,770
And now when you're winning this, you will see the same thing we rename in all the occurrences you.

15
00:01:43,920 --> 00:01:49,530
And then the second line here, you can see that this is not slight.

16
00:01:50,640 --> 00:02:00,050
An escaped 1998 and not so enough slight is using Chuck-will's-widow, and you can read all about it.

17
00:02:01,920 --> 00:02:12,730
Even by Googling for you here not to use in a sequence of instructions, men dislike this instruction

18
00:02:12,770 --> 00:02:16,580
execution flow to his final design destination.

19
00:02:17,400 --> 00:02:24,960
You don't really need to know this detail, but whenever you see nineteen like this being added to the

20
00:02:24,960 --> 00:02:29,580
anxiety, how good you can be sure that this is most probably not a.

21
00:02:30,780 --> 00:02:37,580
So if you suspect this to be another slide, we can just rename this to something meaningful, theoretically

22
00:02:37,580 --> 00:02:40,890
can be nameless and you can call it Oxly.

23
00:02:43,400 --> 00:02:48,290
Right, click and change all occurrences, and Colley's no slight.

24
00:02:51,200 --> 00:02:55,990
And here you can put it down into another line, became more reliable.

25
00:02:57,920 --> 00:03:05,120
And over here you can see that this variable he's holding 20 Chalco length.

26
00:03:05,130 --> 00:03:07,010
So we can rename this Hesseldahl.

27
00:03:07,700 --> 00:03:16,580
So Reichling, this change on occurences, call it Chalco plus 20.

28
00:03:19,870 --> 00:03:27,450
And then down here, you can see further that there's a while we're trying to build the site to build

29
00:03:27,460 --> 00:03:29,800
a shortcut by adding up slides.

30
00:03:31,240 --> 00:03:34,990
Now, if you keep looking for there, you will see another volume over here.

31
00:03:35,620 --> 00:03:46,210
And this wall is taking this data here and in trying to sell concatenation over here, as you can see.

32
00:03:46,600 --> 00:03:51,190
And he takes this data and a pencil itself to itself again.

33
00:03:51,640 --> 00:04:01,850
And this is quite typical in constructing a shortcut and it exploits shortcuts are normally being used.

34
00:04:02,440 --> 00:04:11,700
So the purpose of this is so that when this runs, you do not return to an exact address, but sufficiently

35
00:04:11,770 --> 00:04:18,930
before forced into any of the norm that we injected using the obviously you don't need to know that

36
00:04:18,940 --> 00:04:25,240
in detail, but just enough to understand what is in meaning, what is just trying to do.

37
00:04:25,480 --> 00:04:27,640
And that should be sufficient.

38
00:04:28,480 --> 00:04:35,110
So this is the manual we are trying to do with JavaScript, which is obfuscated.

39
00:04:35,470 --> 00:04:36,960
But there is an easy way.

40
00:04:37,000 --> 00:04:43,480
Instead of going through this line by line trying to make sense, we can allow this to execute and try

41
00:04:43,480 --> 00:04:45,900
to let the obfuscated sell.

42
00:04:46,390 --> 00:04:54,010
So to do that, you can use to which I introduce to you in the previous method, which is the modified

43
00:04:54,010 --> 00:04:55,500
spider monkey.

44
00:04:56,650 --> 00:05:04,930
So that is open terminal here and go to our location of the malware.

45
00:05:10,730 --> 00:05:22,550
And then over here, this is our target, JavaScript, we can use our modified spider monkey to directly

46
00:05:22,790 --> 00:05:27,950
run the JavaScript file.

47
00:05:32,520 --> 00:05:35,390
All right, so we see nothing happening immediately.

48
00:05:35,480 --> 00:05:37,340
Chris, why does that happen?

49
00:05:37,740 --> 00:05:41,610
That happens because this JavaScript does not have an entry point.

50
00:05:42,240 --> 00:05:45,170
This is a function, but nothing is calling a function.

51
00:05:45,570 --> 00:05:53,220
So we can write our own function, call inside here to do that and we can just copy this line.

52
00:05:55,830 --> 00:06:00,740
And put it down, here it is, semicolon and save.

53
00:06:03,210 --> 00:06:05,630
Now we can run it again and see what happens.

54
00:06:06,880 --> 00:06:13,750
So this time it is trying to execute it, and if you get a reference here that is not defined, so callup

55
00:06:13,810 --> 00:06:17,380
is coming from 930, KOLLAR is not define.

56
00:06:19,470 --> 00:06:21,460
OK, so that is quite OK.

57
00:06:21,930 --> 00:06:26,940
The important thing is we are trying to cut the shark here and see what it actually is.

58
00:06:27,420 --> 00:06:36,630
So what we can do is introduce an additional coating here to drum up the memory content of memory after

59
00:06:36,630 --> 00:06:43,630
this thing has been decoded so we can document the right, followed by the Shalakany.

60
00:06:43,650 --> 00:06:51,210
So now we save it and you come back here and we execute the command.

61
00:06:56,960 --> 00:07:02,780
All right, this time we put a listing and we see that there are new files being created right.

62
00:07:02,780 --> 00:07:03,680
And been long, right.

63
00:07:03,680 --> 00:07:05,100
Law and U.S. law.

64
00:07:05,480 --> 00:07:14,000
So these three files contain the binary representation of the Chalco and the ASCII representation,

65
00:07:14,000 --> 00:07:16,580
as well as a unique representation.

66
00:07:18,370 --> 00:07:25,300
And these three files are coming from this destruction here, right document, right, Chalco.

67
00:07:27,810 --> 00:07:35,490
We will first take a look at the binary version of the Chilkoot, so to do that, we can examine in

68
00:07:35,490 --> 00:07:38,340
hex them Hexton.

69
00:07:40,650 --> 00:07:45,360
With the caution so that we can see the sky, her presentation as well,

70
00:07:49,530 --> 00:07:54,910
enter, you see, this is the content of the binary of the Chalco.

71
00:07:55,410 --> 00:08:02,460
So on top here you see all the the executable instructions in Netty format.

72
00:08:02,820 --> 00:08:05,100
And down here you will see something interesting.

73
00:08:06,870 --> 00:08:11,550
HTP, you are ill and this could be the indicator of compromise.

74
00:08:12,000 --> 00:08:13,200
Then you go looking for.

75
00:08:13,500 --> 00:08:21,810
So indicators of compromise is and allow them to refer to some evidence of proof.

76
00:08:21,980 --> 00:08:25,870
Then the machine is being infected by malware.

77
00:08:26,280 --> 00:08:27,860
So this is a good sign.

78
00:08:29,230 --> 00:08:36,010
All right, now, this is pretty hard to read, so we can you can comment on the on the binary file,

79
00:08:36,050 --> 00:08:44,880
so strings, right, being lost and you pull all the strings they find in a binary file.

80
00:08:45,400 --> 00:08:54,250
And as you can see clearly here, that this is you are ill, that this Chalco is trying to do to reach

81
00:08:54,250 --> 00:09:01,720
out to and he runs and he's probably trying to reach out to this area and download the secondary payload

82
00:09:02,530 --> 00:09:04,060
for this malware.

83
00:09:04,690 --> 00:09:12,340
And this is good enough for us to conclude that this is an indicator of compromise.

84
00:09:12,730 --> 00:09:21,220
And we can go ahead and look now in our organization to see if anybody has already reached up to this

85
00:09:21,220 --> 00:09:21,700
website.

86
00:09:22,000 --> 00:09:27,580
And you can even put a firewall to block access to E to this Web site.

87
00:09:28,390 --> 00:09:37,450
And that should be good enough to conclude in this analysis so that we have successfully done the analysis

88
00:09:37,450 --> 00:09:40,870
for this malware document.

89
00:09:42,190 --> 00:09:43,390
Thank you for watching.

90
00:09:43,660 --> 00:09:44,970
I'll see you in the next one.