1
00:00:00,640 --> 00:00:02,140
Hello and welcome back.

2
00:00:02,440 --> 00:00:13,090
In this video, we are going to do a walk through on VVA Macro's cryptanalysis, if you recall some

3
00:00:13,090 --> 00:00:19,080
lessons ago, he already extracted how we obtained a crew from this fire.

4
00:00:19,510 --> 00:00:24,100
So we are going to make use of this area now for our work through.

5
00:00:26,100 --> 00:00:32,850
Let's take a quick look at this, frankly and openly, visual studio cook, and you can see there are

6
00:00:32,850 --> 00:00:35,850
a lot of obfuscated strings here and here.

7
00:00:35,850 --> 00:00:39,570
So you will immediately recognize the use of the CIA.

8
00:00:39,900 --> 00:00:46,280
Our function, as we discussed earlier, we could manually, the office, get these boxes here, too.

9
00:00:46,290 --> 00:01:01,080
So let's use our tools, the first to try Coeli VBA using the caption and also the revulsion and giving

10
00:01:01,080 --> 00:01:12,090
me the name of the VBA file and redirecting the output to a new file, you call it, in the obfuscated

11
00:01:12,090 --> 00:01:16,230
for the VBA.

12
00:01:16,740 --> 00:01:21,210
So the identity of that option would be obfuscated.

13
00:01:21,360 --> 00:01:29,490
The identifiability is to override file with the obfuscated strings, but we want to upload it to a

14
00:01:29,490 --> 00:01:30,140
different file.

15
00:01:30,140 --> 00:01:37,350
And you said you were writing the original file, so let us now run the program and see what happens.

16
00:01:38,160 --> 00:01:45,020
So he has finished running and you will see now there's a new file here containing the obfuscated script.

17
00:01:45,390 --> 00:01:47,640
So let's open it and see if we chose to.

18
00:01:47,640 --> 00:01:57,130
You could delay or evade us if he will foreshores the original code, thought the obfuscation, and

19
00:01:57,240 --> 00:01:58,410
we need to scroll down.

20
00:01:59,010 --> 00:02:06,240
If you scroll down further down, you will see a summary in a table of all the findings that he has

21
00:02:06,240 --> 00:02:06,510
made.

22
00:02:07,110 --> 00:02:10,660
And we are seeing some new stringers who he had not seen before.

23
00:02:11,280 --> 00:02:17,410
These were the strings which were previously obfuscated initially.

24
00:02:17,510 --> 00:02:20,940
Some eustress related to Bauscher.

25
00:02:21,000 --> 00:02:23,010
As you can see from here.

26
00:02:23,700 --> 00:02:33,180
Bauscher meeran partial command may create or reject using ploughshare internal files on the Internet.

27
00:02:33,180 --> 00:02:41,730
Using bauscher, we see some strings which were obfuscated before some file names, for example, see

28
00:02:41,760 --> 00:02:44,670
script for four four EIC.

29
00:02:45,420 --> 00:02:53,250
And if you scroll down further, we see some more strings Vestris that this program managed to find

30
00:02:53,250 --> 00:02:57,370
in the obfuscate quite a large number of them.

31
00:02:57,840 --> 00:03:03,110
However, this alone by itself does not give us any context in which they are be used.

32
00:03:03,720 --> 00:03:08,030
But if you scroll down, you will see how they are being used in context.

33
00:03:08,970 --> 00:03:16,110
So if you scroll down further at the bottom, you will see that the office version of the VBA script

34
00:03:16,290 --> 00:03:19,950
over here, however, or Avivah is not perfect.

35
00:03:19,960 --> 00:03:27,090
So it might miss some strings, as you can see here, but generally, overall is done a very good job

36
00:03:27,420 --> 00:03:29,730
of the obfuscation here.

37
00:03:29,740 --> 00:03:36,720
We see that it may be trying to do something with the user's temp directory or the Windows temp directory

38
00:03:37,470 --> 00:03:38,670
screen on further.

39
00:03:38,670 --> 00:03:45,210
You see that he may be trying to run some WMI service to get some tasks done.

40
00:03:45,840 --> 00:03:48,060
And you also see some comments here.

41
00:03:48,930 --> 00:03:56,040
Along with some scripts here, so he could be executing some additional files or some additional VBA

42
00:03:56,040 --> 00:03:56,560
scripts.

43
00:03:57,270 --> 00:04:01,820
We also see an easy follower here in this location, this temporary location.

44
00:04:02,370 --> 00:04:06,350
It could be creating this executable in the Windows temp directory.

45
00:04:07,110 --> 00:04:10,540
And right here we see a partial hefted PRL.

46
00:04:11,400 --> 00:04:15,830
So this is obviously a broken up string concatenated together.

47
00:04:16,140 --> 00:04:22,170
So all we need to do is if you can find what is this string, then we can't you should be able to recreate

48
00:04:22,170 --> 00:04:23,580
the entire Yahel.

49
00:04:24,420 --> 00:04:25,430
Let's try to do that.

50
00:04:25,830 --> 00:04:31,680
So we are just going to copy this now and then go to Eddie and find.

51
00:04:33,830 --> 00:04:34,880
And then here.

52
00:04:37,260 --> 00:04:45,900
Find out the occurrences and this is one indication that one and we find it, this variable that you're

53
00:04:45,900 --> 00:04:47,200
referring to, the string.

54
00:04:47,880 --> 00:04:56,070
So now what we can do is replace all this variable video string so we can go to copy this first.

55
00:04:57,460 --> 00:05:08,230
And go to edit and replace, so here we face he the one that you want to replace here, and he put the

56
00:05:08,230 --> 00:05:11,710
original string that you wanted you wanted to replace.

57
00:05:14,480 --> 00:05:22,740
So now he's going to search area of this variable name and then replace it with the actual string itself.

58
00:05:23,000 --> 00:05:28,100
So let's click on this replace or replace all.

59
00:05:30,080 --> 00:05:37,010
And now if you come back to here, you can see that this area can be recreated so we can recreate it

60
00:05:38,000 --> 00:05:38,360
here.

61
00:05:40,490 --> 00:05:46,340
By manually editing it and we get an IP address.

62
00:05:48,830 --> 00:05:50,330
Then let's move on for the.

63
00:05:54,610 --> 00:05:55,410
OK, let's see.

64
00:05:56,800 --> 00:06:00,340
Now, we can go and look for this since you are speaking.

65
00:06:03,140 --> 00:06:04,610
Recreate the.

66
00:06:07,480 --> 00:06:09,510
All right, so here's another one.

67
00:06:09,690 --> 00:06:15,560
So let's recreate the IP address and they have it installed.

68
00:06:15,580 --> 00:06:16,240
So.

69
00:06:17,630 --> 00:06:27,830
Let's see if we can get the full name and if he concatenating this, we will get into the.

70
00:06:29,440 --> 00:06:41,250
E, they hear X and then he EIC, they have it, we have you, I am.

71
00:06:42,130 --> 00:06:49,360
So now that we know that this is an indicator of compromise, we can go to our proxy server, our firewalls,

72
00:06:49,360 --> 00:06:52,000
and see if anybody has gone there to download this.

73
00:06:52,540 --> 00:06:53,850
Oh, we can go in there.

74
00:06:54,040 --> 00:07:01,000
I was selling do further analysis on this binary and we can continue to look and see where else.

75
00:07:02,770 --> 00:07:04,420
All right, clicking.

76
00:07:06,410 --> 00:07:07,550
All right, here's another one.

77
00:07:15,680 --> 00:07:16,640
It's the same one.

78
00:07:19,490 --> 00:07:21,880
All right, it's going to continue.

79
00:07:23,360 --> 00:07:25,230
All right, isn't that so sexy?

80
00:07:26,180 --> 00:07:32,180
And if you look at this line, you will see that there's another string here and the string here is

81
00:07:32,180 --> 00:07:33,770
being used over here.

82
00:07:34,910 --> 00:07:41,780
So if he were to recreate the stream, he will get.

83
00:07:44,570 --> 00:07:58,460
For the U.S. and we find in this spring is actually here, that means we can replace these with for

84
00:07:59,420 --> 00:08:02,950
receiving them STEM forfour for the EIC.

85
00:08:03,410 --> 00:08:08,870
So this may be suggesting that whatever is downloaded is being copied and put in this location with

86
00:08:08,870 --> 00:08:10,040
the different name for.

87
00:08:11,630 --> 00:08:18,980
And if his grandfather from this we have reconstructed, you can see that he may be trying to download

88
00:08:18,980 --> 00:08:28,390
this and put it in this location in the Abdeh to local temp directory, the users, the user name and

89
00:08:28,940 --> 00:08:33,140
date, and look at them directly under a different name, 444, the EIC.

90
00:08:34,100 --> 00:08:40,610
And if you go down here, something interesting is trying to execute the file that he has downloaded.

91
00:08:41,690 --> 00:08:50,600
So we see that whoever has given us a lot of information and some of these are also in the inside the

92
00:08:51,110 --> 00:08:55,370
summary table here, as you can see, some of the table here.

93
00:08:55,850 --> 00:08:59,150
OK, so now that is irrelevant to why Pamunkey.

94
00:08:59,570 --> 00:09:02,300
So let's try to run YPO monkey.

95
00:09:03,770 --> 00:09:15,940
As the screen viper monkey on the original VVA file and see how we get to see enter, so now it is doing

96
00:09:15,960 --> 00:09:17,600
analysis, it will take some time.

97
00:09:18,450 --> 00:09:22,160
OK, this may take a few minutes to run, so we need to wait for it to complete.

98
00:09:22,160 --> 00:09:28,640
His analysis is performing a VBA emulation in order to find malware artifacts.

99
00:09:28,790 --> 00:09:32,510
So I just posted a video for a while and come back to it once he's done.

100
00:09:33,500 --> 00:09:33,950
All right.

101
00:09:33,950 --> 00:09:35,080
Just let it do its thing.

102
00:09:35,840 --> 00:09:40,030
There's a lot of analysis going on here at outracing as well.

103
00:09:40,430 --> 00:09:42,620
Some warnings and some information message.

104
00:09:43,160 --> 00:09:51,470
And eventually you come to the conclusion you meet a nice summary of the NBN and finally has finished

105
00:09:51,470 --> 00:09:52,510
with this analysis.

106
00:09:52,520 --> 00:09:53,890
And here is the result.

107
00:09:54,560 --> 00:09:58,410
So you can see this very comprehensive report that is generated.

108
00:09:58,790 --> 00:10:04,880
It is put in a nice table and the action, the parameters and the description.

109
00:10:05,210 --> 00:10:12,520
So it is found entry point to open and it's also found is the action to delete file.

110
00:10:13,820 --> 00:10:16,700
So he is trying to delete some temporary files here.

111
00:10:17,000 --> 00:10:20,630
And the description, interesting function call to delete far.

112
00:10:20,660 --> 00:10:27,430
Here's a Q queue function to delete the fun and also get on Jacquier interesting function.

113
00:10:28,640 --> 00:10:31,370
And another interesting function call here.

114
00:10:33,430 --> 00:10:40,840
And this open fire it like he also created a temporary file to open it, and these are indicators of

115
00:10:40,840 --> 00:10:41,390
compromise.

116
00:10:41,410 --> 00:10:43,630
You can go and take a look at all this location.

117
00:10:44,110 --> 00:10:54,460
So all this was not visible clearly to us in the he obfuscated maybe a script, but we VIPR monkey has

118
00:10:54,460 --> 00:10:55,690
shown this clearly.

119
00:10:58,310 --> 00:11:04,630
Another open fire is trying to open another we have great father he has created.

120
00:11:06,380 --> 00:11:08,340
And it's quite a lot of things going on here.

121
00:11:08,480 --> 00:11:13,640
Yes, one is Bauscher, so it is going to run a Porsche.

122
00:11:15,710 --> 00:11:17,510
And I don't read the script here.

123
00:11:20,980 --> 00:11:22,870
And so on, and then a batch file here.

124
00:11:23,800 --> 00:11:24,670
Finally, Abd.

125
00:11:26,330 --> 00:11:31,250
And the file here deleting traces of his drug file.

126
00:11:34,750 --> 00:11:42,520
And open fire, so this is as good as running it in the sandbox and executing it.

127
00:11:43,740 --> 00:11:49,650
And they know we are doing this all in remixing a Linux imaging machine, and yet we can see all this

128
00:11:49,650 --> 00:11:51,920
without actually running in a Windows machine.

129
00:11:53,730 --> 00:12:04,350
So you can see the level of information that this monkey has shown us, a lot of it, plenty of indicators

130
00:12:04,350 --> 00:12:07,690
of compris nicely tabulated in a table.

131
00:12:08,850 --> 00:12:15,560
OK, so that is how we do a walk through on the LIBOR McCroskey analysis.

132
00:12:16,610 --> 00:12:22,540
We have already come to a conclusion, our objective for this video.

133
00:12:22,830 --> 00:12:26,280
So thank you for watching and I'll see you the next one.