1 00:00:00,600 --> 00:00:02,340 Hello and welcome back.
2 00:00:02,610 --> 00:00:09,660 In this video, we are going to do the debugging of a malicious document.
3 00:00:09,870 --> 00:00:16,650 We are going to use the same file which we have analyzed many times before, using the manual approach
4 00:00:16,650 --> 00:00:18,270 to analysis.
5 00:00:18,660 --> 00:00:21,250 But this time, we are going to use the debugger.
6 00:00:21,990 --> 00:00:24,690 So this is the file that we are going to analyze.
7 00:00:25,110 --> 00:00:29,610 If you have misplaced it, it can be downloaded from the resource section.
8 00:00:30,360 --> 00:00:38,950 It is known as Mount Christology and the password to unzip it is crackinglessons.com.
9 00:00:40,080 --> 00:00:45,740 So after you have unzipped the file, put the document in a folder.
10 00:00:45,930 --> 00:00:50,360 I put mine in a folder on my desktop called malware, in here.
11 00:00:51,000 --> 00:00:58,980 Let's copy the path of this malware location and we'll open a command prompt.
12 00:01:00,690 --> 00:01:02,790 So we just type CMD in search.
13 00:01:04,700 --> 00:01:10,050 And then we change directory: cd, space, and paste what we copied.
14 00:01:11,420 --> 00:01:18,150 And now we can run loffice just to see the options; press Enter.
15 00:01:19,310 --> 00:01:24,180 And this is how we can use loffice, or the office analyzer.
16 00:01:24,830 --> 00:01:32,350 So I'm going to run it with -p, the path of the directory, that is the location of the Microsoft Office installation.
17 00:01:33,020 --> 00:01:43,310 So to use it, run loffice, then -p, which stands for path, and I have to go and
18 00:01:43,310 --> 00:01:51,470 locate my Microsoft Office installation directory, which for me will be in this location:
19 00:01:51,470 --> 00:01:54,170 Program Files, Microsoft Office.
20 00:01:56,070 --> 00:02:06,300 Followed by the Office subfolder, which contains the Office executables, so I just copy this.
21 00:02:08,810 --> 00:02:10,500 And then I'll put a quote.
22 00:02:13,580 --> 00:02:18,440 Then paste directly, and put a closing quote.
23 00:02:19,680 --> 00:02:26,550 Followed by the next parameter, -t; this parameter will be the type of document that I want to analyze,
24 00:02:27,160 --> 00:02:31,400 as you can see here, my specified type of document.
25 00:02:32,520 --> 00:02:39,990 So in this case it is word, and you can specify any of these: word, excel, powerpoint or script.
26 00:02:41,250 --> 00:02:44,410 So in this case it's word. The next parameter would be -e.
27 00:02:44,430 --> 00:02:50,230 This is actually exit-on; this is when you want your analysis to stop.
28 00:02:50,880 --> 00:02:57,780 So I will put proc. The other options are actually
29 00:02:57,780 --> 00:03:00,360 URL or proc.
30 00:03:01,350 --> 00:03:11,100 Proc means before process creation, so here we use proc, before process creation. So the last parameter would be
31 00:03:11,100 --> 00:03:14,700 the name of the file, which in this case is this .doc file.
32 00:03:16,750 --> 00:03:26,730 So this is it. It has created another folder called logs. So after you've done that, what it is going
33 00:03:26,740 --> 00:03:35,220 to do is the debugging: it will launch Microsoft Office Word, opening the Office program itself.
34 00:03:36,010 --> 00:03:41,110 And then here you need to enable content so that it can run the content.
35 00:03:42,250 --> 00:03:48,820 And now you go back to your command prompt and you see it has begun the analysis, and the analysis is now
36 00:03:48,820 --> 00:03:49,280 complete.
37 00:03:50,290 --> 00:03:57,680 Sometimes, before it starts, it will ask you this question: whether you want to add some more fake documents.
38 00:03:58,090 --> 00:04:05,460 So this is to give the malware the impression that you are running on a real machine and not an analysis
39 00:04:05,470 --> 00:04:05,960 machine.
40 00:04:06,370 --> 00:04:08,140 So if it asks you this question,
41 00:04:08,140 --> 00:04:08,960 answer yes.
42 00:04:09,520 --> 00:04:13,270 So in my case, I already answered yes in a previous run.
43 00:04:13,540 --> 00:04:14,960 It did not prompt me again.
44 00:04:15,610 --> 00:04:17,760 So let's take a look at this now.
45 00:04:18,190 --> 00:04:22,760 A copy of this report is also found in the logs here.
46 00:04:23,260 --> 00:04:28,690 So if you open the logs folder, you can open this log here and read it.
47 00:04:30,080 --> 00:04:36,250 Yeah, so you have two copies. So now here we see what happens.
48 00:04:36,930 --> 00:04:38,600 It has found 13 writes,
49 00:04:39,320 --> 00:04:46,900 45 reads, one process creation, two and 0 for the other categories, and it has not found any URLs.
50 00:04:47,600 --> 00:04:49,640 And these are the files that it has opened.
51 00:04:50,750 --> 00:04:55,280 So the interesting ones will be those which are read and write.
52 00:04:55,700 --> 00:04:59,120 So you can see from here you have read and write,
53 00:04:59,120 --> 00:04:59,830 and so on.
54 00:04:59,850 --> 00:05:07,010 So it's trying to read and write to Normal.dotm, which is a template file.
55 00:05:07,460 --> 00:05:10,430 And then down here there is another one, read and
56 00:05:10,430 --> 00:05:12,650 write, Temporary Internet
57 00:05:13,630 --> 00:05:20,470 Files, Content; so this might suggest it is trying to go to the Internet to download something.
58 00:05:21,310 --> 00:05:28,420 There's another one here, custom, which is quite common for Office files, and another read and write here
59 00:05:28,420 --> 00:05:29,470 to the document.
60 00:05:29,630 --> 00:05:38,060 So read and write here as well for a temporary file in this location, and another read and
61 00:05:38,110 --> 00:05:38,400 write.
62 00:05:38,690 --> 00:05:41,310 And another temporary Internet file here.
63 00:05:41,860 --> 00:05:43,050 Another one over here.
64 00:05:43,440 --> 00:05:43,690 Read and write.
65 00:05:44,710 --> 00:05:52,150 If you scroll down, you see that it has detected two WMI activities, which were also discovered during our
66 00:05:52,510 --> 00:05:54,780 manual analysis before.
67 00:05:56,080 --> 00:06:04,450 And then we see that for this one process creation, it did not detect any URL, probably because it has
68 00:06:04,450 --> 00:06:08,590 not reached that stage, because we did not allow it to start the process.
69 00:06:09,550 --> 00:06:11,620 But we did see something interesting here.
70 00:06:11,620 --> 00:06:20,980 In the process creation, it says that WScript is trying to execute this batch file, the .bat
71 00:06:20,980 --> 00:06:23,000 file in this location.
72 00:06:23,350 --> 00:06:25,640 So that is good; let's see what's happening there.
73 00:06:26,140 --> 00:06:32,350 So we open a Windows Explorer and this is the location: C,
74 00:06:35,460 --> 00:06:42,220 Users, PC, so go to Users, PC, and then my computer name might be different from yours.
75 00:06:42,870 --> 00:06:46,600 Then AppData, so you cannot see it at the time because it's a hidden folder.
76 00:06:47,040 --> 00:06:59,250 So we need to type in manually AppData, and then go to Local, AppData\Local, and go to Temp and scroll
77 00:06:59,250 --> 00:07:08,040 down, and we see the three files, one, two and three: a batch script, a PowerShell script and a VBScript.
78 00:07:08,910 --> 00:07:16,310 So according to loffice, it is going to execute this .bat, which is this file.
79 00:07:16,650 --> 00:07:18,830 So let's open it first and analyze it
80 00:07:18,860 --> 00:07:20,460 with Notepad++.
81 00:07:21,640 --> 00:07:27,210 And as you can see here, there's a ping command, and it's going to ping this IP address twice.
82 00:07:27,490 --> 00:07:30,720 Now, the purpose of this is to put in a delay.
83 00:07:31,300 --> 00:07:37,120 So over here we see also that there are variables one, two, three and four.
84 00:07:37,480 --> 00:07:46,890 And this one, one, two, three and four, is being concatenated here to create a string; so we have
85 00:07:47,140 --> 00:07:48,370 essentially the string,
86 00:07:48,790 --> 00:07:56,230 and then concatenated with variable one, which is a dot, continuing to variable two, which is a v, then variable four or five,
87 00:07:56,230 --> 00:08:04,270 and variable three, so it is trying to create a string ending in .vbs,
88 00:08:04,660 --> 00:08:06,490 and finally it is going to execute it.
89 00:08:06,820 --> 00:08:13,410 So that suggests the second part is going to execute this other .vbs file.
90 00:08:13,750 --> 00:08:15,940 So let's open this now and see what happens.
91 00:08:16,240 --> 00:08:16,660 Open it
92 00:08:16,870 --> 00:08:17,310 in Notepad.
93 00:08:18,070 --> 00:08:25,990 So now it's going to execute this script, and here under the variable current file it is trying to generate
94 00:08:25,990 --> 00:08:26,810 another string.
95 00:08:27,220 --> 00:08:30,400 So let's combine this string here and see what we get.
96 00:08:35,430 --> 00:08:38,430 And so we can see it is going to execute this script,
97 00:08:39,030 --> 00:08:45,870 the .ps1, which is a PowerShell script, and then the next line here, the last
98 00:08:45,870 --> 00:08:54,000 line, the object's Run call, is where it creates the string powershell and then executes that to run this
99 00:08:54,000 --> 00:08:57,020 current file, which is coming from here.
100 00:08:57,390 --> 00:09:01,320 So next it's going to execute the script with this one.
101 00:09:02,380 --> 00:09:10,900 Perhaps if I were to concatenate the strings, it might be clearer for you, so there you go: powershell
102 00:09:11,170 --> 00:09:15,720 and then it is going to execute this script here, the .ps1.
103 00:09:17,520 --> 00:09:21,390 So now let us go and see what this shell script is going to do.
104 00:09:21,780 --> 00:09:23,220 Let's open it in Notepad.
105 00:09:26,390 --> 00:09:35,210 And here we see the script where the document is going to actually go out and download something from
106 00:09:35,210 --> 00:09:42,830 this location and then probably save it under a different name, and all this we've already seen
107 00:09:42,830 --> 00:09:48,500 before when we were manually analyzing it using olevba and other tools.
108 00:09:49,310 --> 00:09:55,440 And if you look further down, we see on the line here, this is where the file that has been downloaded
109 00:09:55,610 --> 00:09:59,440 is being executed from the Temp directory, this location.
110 00:10:00,320 --> 00:10:07,790 And if you go down here, you see on lines 16, 17 and 19, it is trying to clean up the VBS file and
111 00:10:07,790 --> 00:10:08,630 some other files.
112 00:10:09,050 --> 00:10:14,510 So this is an attempt by the malware to remove any malware artifacts from the system.
113 00:10:15,520 --> 00:10:23,210 So as you can see, it's so much faster using loffice to debug this and get all this information
114 00:10:23,210 --> 00:10:26,880 out without actually allowing the process to be created.
115 00:10:27,380 --> 00:10:36,230 So we were manually able to use static analysis earlier to go and fetch all this information, bits
116 00:10:36,230 --> 00:10:37,640 and pieces all over the place.
117 00:10:37,850 --> 00:10:41,470 But that did not show us in context how this thing actually fits in.
118 00:10:41,930 --> 00:10:49,660 But when we ran the thing using loffice, we see the whole picture, how it actually starts, and it gives
119 00:10:49,700 --> 00:10:51,520 a better understanding of the malware.
120 00:10:51,530 --> 00:10:51,830 Right.
121 00:10:52,820 --> 00:10:59,960 And we could do this with the office analyzer without having to deobfuscate any kind of code,
122 00:11:00,060 --> 00:11:01,370 encryption or encoding.
123 00:11:01,700 --> 00:11:09,590 Because all of this is automatically done for us, and loffice has managed to break on the correct
124 00:11:09,890 --> 00:11:18,110 API calls, examine their parameters and extract all the necessary strings, the important suspicious
125 00:11:18,110 --> 00:11:18,380 ones.
126 00:11:18,860 --> 00:11:25,190 So this is how useful using a debugger is, even in analyzing a malicious document.
127 00:11:25,580 --> 00:11:27,440 So that brings us to the end of this
128 00:11:27,660 --> 00:11:29,910 video. Thank you for watching.
129 00:11:29,930 --> 00:11:31,750 I'll see you in the next one.