[00:00:00] Hello and welcome back. In this video, we are going to do a walkthrough on VBA macro static analysis. If you recall, some lessons ago we already extracted the macro from this file, so we are going to make use of this file now for our walkthrough. Let's take a quick look at this. First, opening it in Visual Studio Code, you can see there are a lot of obfuscated strings here and here. So you will immediately recognize the use of the Chr function, as we discussed earlier. We could manually deobfuscate these strings here, too. So let's use our tools. The first to try is olevba, using the decode option and also the reveal option, giving it the name of the VBA file and redirecting the output to a new file; you call it the deobfuscated form of the VBA. So the idea of that option is to deobfuscate. The idea of the reveal option is to rewrite the file with the deobfuscated strings, but we want to output it to a different file, and we don't want to overwrite the original file. So let us now run the program and see what happens. So it has finished running, and you will see now there's a new file here containing the deobfuscated script. So let's open it and see what we get. You can see olevba first shows the original code, then the deobfuscation, and we need to scroll down.
[00:01:59] If you scroll further down, you will see a summary in a table of all the findings that it has made. And we are seeing some new strings which we had not seen before. These were the strings which were previously obfuscated. Some are strings related to PowerShell, as you can see from here. A PowerShell command may be created to retrieve, using PowerShell, files from the Internet. Using PowerShell, we see some strings which were obfuscated before, some file names, for example, cscript and 444.exe. And if you scroll down further, we see some more strings that this program managed to find in the deobfuscation, quite a large number of them. However, this alone by itself does not give us any context in which they are being used. But if you scroll down, you will see how they are being used in context. So if you scroll down further at the bottom, you will see the deobfuscated version of the VBA script over here. However, olevba is not perfect, so it might miss some strings, as you can see here, but generally, overall it has done a very good job of the deobfuscation here. We see that it may be trying to do something with the user's temp directory or the Windows temp directory. Scrolling on further, you see that it may be trying to run some WMI service to get some tasks done.
[00:03:45] And you also see some comments here, along with some scripts here, so it could be executing some additional files or some additional VBA scripts. We also see an .exe file here in this location, this temporary location. It could be creating this executable in the Windows temp directory. And right here we see a partial HTTP URL. So this is obviously a broken-up string concatenated together. So all we need to do is find what this string is; then we should be able to recreate the entire URL. Let's try to do that. So we are just going to copy this now and then go to Edit and Find. And then here, find the occurrences. This is one occurrence, and we find the variable that is referring to the string. So now what we can do is replace all of this variable with the string, so we copy this first, and go to Edit and Replace. So here we put the one that you want to replace, and here we put the original string that you want to replace it with. So now it is going to search for all of this variable name and then replace it with the actual string itself. So let's click on Replace, or Replace All. And now if you come back here, you can see that this URL can be recreated, so we can recreate it here
[00:05:40] by manually editing it, and we get an IP address. Then let's move on further. OK, let's see. Now we can go and look for this string and recreate it. All right, so here's another one. So let's recreate the IP address, and there we have it. So let's see if we can get the full name, and if we concatenate this, we will get the rest: e, then x, then e, so .exe. There we have it, we have a URL. So now that we know that this is an indicator of compromise, we can go to our proxy server, our firewalls, and see if anybody has gone there to download this. Or we can go in there ourselves and do further analysis on this binary, and we can continue to look and see where else. All right, clicking. All right, here's another one. It's the same one. All right, let's continue. All right, let's see. And if you look at this line, you will see that there's another string here, and the string here is being used over here. So if we were to recreate the string, we will get the Users path, and we find this string is actually here, which means we can replace these with the Temp path and 444.exe.
[00:08:03] So this may be suggesting that whatever is downloaded is being copied and put in this location with a different name. And if we scroll further from this, which we have reconstructed, you can see that it may be trying to download this and put it in this location, in the AppData Local Temp directory under Users and the user name, and write it there under a different name, 444.exe. And if you go down here, something interesting: it is trying to execute the file that it has downloaded. So we see that olevba has given us a lot of information, and some of these are also inside the summary table here, as you can see, in the table here. OK, so now let's move on to ViperMonkey. So let's try to run ViperMonkey. As we run ViperMonkey on the original VBA file and see what we get, press Enter, so now it is doing the analysis; it will take some time. OK, this may take a few minutes to run, so we need to wait for it to complete. This analysis is performing a VBA emulation in order to find malware artifacts. So I'll just pause the video for a while and come back to it once it's done. All right. Just let it do its thing. There's a lot of analysis going on here, and it is outputting as well some warnings and some information messages.
[00:09:43] And eventually you come to the conclusion; you get a nice summary at the end, and finally it has finished with this analysis. And here is the result. So you can see this very comprehensive report that is generated. It is put in a nice table with the action, the parameters and the description. So it has found the entry point, to open, and it has also found the action to delete file. So it is trying to delete some temporary files here. And the description: interesting function call to delete file. Here's a Kill function to delete the file, and also GetObject, an interesting function. And another interesting function call here. And this open file: it looks like it also created a temporary file to open it, and these are indicators of compromise. You can go and take a look at all these locations. So all this was not visible clearly to us in the obfuscated VBA script, but ViperMonkey has shown this clearly. Another open file is trying to open another file that it has created. And there's quite a lot of things going on here. This one is PowerShell, so it is going to run PowerShell. And there's a VBScript here. And so on, and then a batch file here. Finally, a delete file here, deleting traces of its dropped file.
[00:11:34] And open file, so this is as good as running it in a sandbox and executing it. And you know we are doing this all in the REMnux Linux virtual machine, and yet we can see all this without actually running it in a Windows machine. So you can see the level of information that ViperMonkey has shown us, a lot of it, plenty of indicators of compromise nicely tabulated in a table. OK, so that is how we do a walkthrough on VBA macro static analysis. We have already come to the conclusion of our objective for this video. So thank you for watching, and I'll see you in the next one.