1
00:00:00,490 --> 00:00:09,100
Welcome to a new session. So far in this course, we have been trying to use manual methods to do analysis.

2
00:00:09,580 --> 00:00:10,780
Now, in this session,

3
00:00:10,810 --> 00:00:17,780
I'm going to show you a faster way to do analysis to extract the indicators of compromise.

4
00:00:18,520 --> 00:00:20,130
We are going to use debuggers.

5
00:00:20,830 --> 00:00:28,630
So in this video, I will introduce you first to the principles of using debuggers in document analysis.

6
00:00:30,430 --> 00:00:32,480
The learning objectives of this session:

7
00:00:32,500 --> 00:00:35,650
number one, why debuggers work,

8
00:00:36,460 --> 00:00:42,190
and number two, getting to know the debugging tools.

9
00:00:44,530 --> 00:00:53,230
Now, all programs and scripts are actually making calls out to operating system API functions.

10
00:00:53,920 --> 00:00:56,360
Take, for example, the script here.

11
00:00:56,830 --> 00:00:58,660
So take, for example, this line here.

12
00:00:59,050 --> 00:01:09,220
When you call the function CreateTextFile, you are actually calling the CreateFile API function in the

13
00:01:09,220 --> 00:01:10,170
operating system.

14
00:01:11,320 --> 00:01:19,000
And then, for example, over this line, the WriteLine code, when this is being executed, you call the

15
00:01:19,690 --> 00:01:21,280
API function

16
00:01:21,640 --> 00:01:22,360
WriteFile.

17
00:01:23,390 --> 00:01:30,650
And then when you call the Close here, you're actually calling the operating system's API, which is

18
00:01:31,010 --> 00:01:31,400
Close.

19
00:01:32,330 --> 00:01:41,920
So because of this behavior, it is possible to track or put a break on these API calls.

20
00:01:42,200 --> 00:01:51,290
So whenever an operating system API is being called, directly or indirectly, we can put some breakpoints there and

21
00:01:51,290 --> 00:01:55,190
analyze the parameters as well as the return values for those calls.

22
00:01:55,880 --> 00:01:59,150
And that will give us our indicators of compromise.

23
00:02:01,270 --> 00:02:06,670
Now, there are many API functions in the operating system. However, there are a few which we should

24
00:02:06,670 --> 00:02:14,770
be looking at. The first one is the file operation APIs, for example CreateFile or

25
00:02:14,770 --> 00:02:20,080
WriteFile, and then the HTTP operations, for example InternetCrackUrl.

26
00:02:20,350 --> 00:02:31,890
And this API call will break a URL up into each of its component parts. And then there are the

27
00:02:31,940 --> 00:02:36,310
process operations, for example CreateProcess.

28
00:02:38,220 --> 00:02:47,040
Debuggers are useful in order to help us find out what the malware is trying to do, because you can

29
00:02:47,040 --> 00:02:54,860
intercept all the breakpoints in the APIs which are called by the scripts themselves.

30
00:02:55,530 --> 00:03:05,390
So as I mentioned before, if the script calls CreateTextFile, it calls an API from the operating system,

31
00:03:06,240 --> 00:03:08,860
in this case, CreateFile.

32
00:03:09,510 --> 00:03:15,360
And here we can break and then find the parameters to the file, and there are some other things we can examine

33
00:03:15,360 --> 00:03:15,860
as well

34
00:03:16,080 --> 00:03:26,910
when the API is called. Now, a very useful Python script, which can make debugging easier for analyzing Office

35
00:03:26,910 --> 00:03:29,400
documents, is Lazy

36
00:03:29,400 --> 00:03:30,430
Office Analyzer.

37
00:03:30,430 --> 00:03:38,640
This program will be able to extract URLs, file modifications and executed programs,

38
00:03:39,210 --> 00:03:46,180
and it works on Microsoft Office Word, Excel, PowerPoint and JavaScript.

39
00:03:47,100 --> 00:03:54,420
So if you are running a PDF which has got JavaScript inside it, then it will work as well. This is

40
00:03:54,420 --> 00:03:56,970
the website where you can get more information.

41
00:03:57,450 --> 00:03:58,800
This is what it looks like,

42
00:03:58,800 --> 00:03:59,890
the site here,

43
00:04:02,160 --> 00:04:04,230
and this URL.

44
00:04:05,130 --> 00:04:11,460
To run the program, you type the name of the Python script, followed by the first parameter,

45
00:04:11,550 --> 00:04:19,770
which is one of these types, word, excel, powerpoint or script, and then the second parameter will

46
00:04:19,770 --> 00:04:22,450
be the condition where you want to stop the program.

47
00:04:23,160 --> 00:04:28,080
So there are a few conditions under which you might want to exit the program:

48
00:04:28,080 --> 00:04:31,740
when it hits the first URL, which it is going to extract for you.

49
00:04:32,370 --> 00:04:36,720
You could also exit this program when it finds the first process.

50
00:04:37,880 --> 00:04:45,980
Or you can put none. When you put none, it runs until completion, so if you put none, the malicious document

51
00:04:45,990 --> 00:04:49,380
is given free rein to run until completion.

52
00:04:49,400 --> 00:04:51,240
So this is the most dangerous option.

53
00:04:52,430 --> 00:04:55,460
These are the Lazy Office Analyzer prerequisites.

54
00:04:55,880 --> 00:04:58,330
First, you need Microsoft Office.

55
00:04:58,940 --> 00:05:02,280
In our case, we have already installed Microsoft Office 2013.

56
00:05:03,220 --> 00:05:09,890
Second, we need to download and install it because Lazy Office Analyzer requires it.

57
00:05:10,760 --> 00:05:18,320
Then we need Python 2.7, because Python 2.7 is used by the next three scripts

58
00:05:18,320 --> 00:05:18,740
below.

59
00:05:21,150 --> 00:05:32,400
For pefile and capstone, we can use pip to install them, but for WinAppDbg we need to use the 64-bit installer

60
00:05:32,790 --> 00:05:38,220
since we are using Windows 7 64-bit, and install from the installer.

61
00:05:38,370 --> 00:05:40,050
So that's all for this video.

62
00:05:40,290 --> 00:05:48,060
In the next lesson, we will install all the prerequisites for the Office analyzer and will also download

63
00:05:48,960 --> 00:05:51,150
the Office analyzer from this link here.

64
00:05:51,630 --> 00:05:53,250
So I'll see you in the next video.

65
00:05:54,420 --> 00:05:55,500
Thank you for watching.