1 00:00:00,540 --> 00:00:01,590 Hello and welcome back.
2 00:00:02,070 --> 00:00:04,410 So let's go to this location.
3 00:00:05,070 --> 00:00:12,420 Copy this path and open your command prompt again.
4 00:00:12,510 --> 00:00:14,270 We go to this path.
5 00:00:14,820 --> 00:00:26,220 And by listing the folder, which is here, you will see the file.
6 00:00:27,090 --> 00:00:34,470 Now, before you can run it, you need to make sure your Microsoft Paint is running, because this malware
7 00:00:34,470 --> 00:00:39,240 is going to inject into the thread of Microsoft Paint.
8 00:00:39,840 --> 00:00:41,460 So let's run Microsoft Paint.
9 00:00:44,040 --> 00:00:50,970 So Microsoft Paint is now running, and now we shall run our thread injection to see.
10 00:00:54,660 --> 00:01:00,510 You know, whatever happens, it is supposed to pop up a message box.
11 00:01:03,020 --> 00:01:04,850 So there is some delay.
12 00:01:05,210 --> 00:01:14,440 And then finally, you find your shellcode's message box has popped up, with a title and
13 00:01:14,690 --> 00:01:21,710 content saying "Hello from crackinglessons.com" and the information icon, and all these were
14 00:01:22,040 --> 00:01:27,020 created using Metasploit on Kali Linux.
15 00:01:27,770 --> 00:01:32,000 So how can we be sure that this shellcode is coming from here?
16 00:01:32,660 --> 00:01:36,050 We can go and open Process Hacker.
17 00:01:40,790 --> 00:01:44,720 And look at mspaint; it has got
18 00:01:47,660 --> 00:01:49,310 the PID 464.
19 00:01:51,130 --> 00:02:01,330 Microsoft Paint, and here you can see the malware has printed out the PID here as well.
20 00:02:04,810 --> 00:02:13,300 And you can also use this tool here, Find Window and Thread; drag it over to this message box and release,
21 00:02:13,780 --> 00:02:22,330 and you will see that the parent of this message box is Microsoft Paint, and it has got the PID 464.
22 00:02:23,200 --> 00:02:27,190 The same as what we see here, 464.
23 00:02:30,760 --> 00:02:37,660 You can also go to the Memory tab and then look at the memory sections.
24 00:02:40,260 --> 00:02:48,930 Go to this column, Protection, RWX, and look for a region of memory marked like that.
25 00:02:51,030 --> 00:02:56,220 You have to click on it and you will see the shellcode; you can see the string here:
26 00:02:56,310 --> 00:02:58,980 "Hello from crackinglessons.com", the shellcode.
27 00:02:59,880 --> 00:03:02,700 And you can double confirm that this is indeed the shellcode.
28 00:03:03,300 --> 00:03:12,480 You can open the raw shellcode here, which we generated with Metasploit, opening it with a hex editor.
29 00:03:13,510 --> 00:03:15,750 Then you can compare it with the one in memory.
30 00:03:16,770 --> 00:03:25,680 So scrolling through here, you will see this is indeed identical to the one in memory.
31 00:03:27,270 --> 00:03:33,630 Another way we can confirm that this is indeed the shellcode that the malware has injected
32 00:03:33,870 --> 00:03:40,310 is to compare it with the source code described here and compare the hex values: FC,
33 00:03:40,860 --> 00:03:44,130 and so on and so forth.
34 00:03:44,520 --> 00:03:46,380 And you can convince yourself.
35 00:03:46,650 --> 00:03:47,520 Yeah, and that's it.
36 00:03:48,210 --> 00:03:54,450 So this is the practical walkthrough on thread context injection.
37 00:03:54,810 --> 00:03:56,490 Thank you for watching.