1 00:00:00,690 --> 00:00:05,940 So in this video we are going to obfuscate the import strings in the file.
2 00:00:06,000 --> 00:00:13,590 So malware analysts will use these PE-bear and other tools to do the static analysis.
3 00:00:13,590 --> 00:00:20,280 So in the static analysis, the malware analyst won't run the binary file and instead he uses tools
4 00:00:20,280 --> 00:00:25,470 to get as much information as possible to understand what the program is doing.
5 00:00:25,470 --> 00:00:32,220 So if I am the analyst, I will open this in PE-bear and of course see the imports, what the import
6 00:00:32,610 --> 00:00:34,210 data and the functions are
7 00:00:34,260 --> 00:00:35,910 that it is using.
8 00:00:36,990 --> 00:00:46,200 So if I open it in the normal PE viewer, I can see there is a kernel32.dll and here we have
9 00:00:46,200 --> 00:00:50,370 the two functions, so it's VirtualAlloc and ExitProcess. As soon as I see the VirtualAlloc,
10 00:00:50,370 --> 00:00:58,350 so something fishy is going on, because it's allocating some memory and exiting.
11 00:00:58,350 --> 00:01:03,270 So you also have other functions.
12 00:01:03,270 --> 00:01:05,490 If you wrote this malware yourself,
13 00:01:05,500 --> 00:01:10,810 even if you have written it normally you will have many more functions like CreateRemote
14 00:01:10,810 --> 00:01:18,210 Thread, etc. So as soon as the malware analyst sees the CreateRemoteThread and all of these hackable
15 00:01:18,210 --> 00:01:23,880 functions, he immediately understands that this is malware.
16 00:01:23,880 --> 00:01:29,340 So instead of these actual things, we can obfuscate this; we can use Caesar cipher
17 00:01:29,340 --> 00:01:30,030 for this.
18 00:01:30,690 --> 00:01:32,400 So Caesar cipher is a simple one.
19 00:01:32,400 --> 00:01:35,730 So I have already written the code.
20 00:01:35,730 --> 00:01:36,870 It's very simple.
21 00:01:36,870 --> 00:01:41,310 So here we have seen this, parsing the imports, in the previous video.
22 00:01:41,340 --> 00:01:46,680 Now we are just printing out the DLL name.
23 00:01:46,770 --> 00:01:52,230 And also we are going to use the obfuscate function.
24 00:01:52,230 --> 00:01:56,400 So in this obfuscate function we will use the key as one for now,
25 00:01:56,400 --> 00:01:58,260 so to get the simple understanding.
26 00:01:59,160 --> 00:02:03,960 So if I go to the obfuscate function, it takes the plain string and the key.
27 00:02:03,960 --> 00:02:06,930 So the key is the shift, one.
28 00:02:07,740 --> 00:02:10,410 We have uppercase characters, lowercase characters.
29 00:02:10,410 --> 00:02:16,230 So you can also take the ASCII code of the character and you can add that key.
30 00:02:16,230 --> 00:02:18,870 But this is my way of doing this.
31 00:02:18,880 --> 00:02:24,090 For example, what we're going to do is, if the string is
32 00:02:28,690 --> 00:02:29,110 Oh, yeah.
33 00:02:29,140 --> 00:02:33,310 ABCD. Now the shift is one.
34 00:02:33,460 --> 00:02:39,340 So what we're going to do is we are going to find the index of this capital A in this array.
35 00:02:39,340 --> 00:02:40,840 So it is zero.
36 00:02:42,040 --> 00:02:46,000 And I'm going to add this shift to this index.
37 00:02:46,360 --> 00:02:49,660 Now, if I add plus one to this, I will get the value of one.
38 00:02:50,200 --> 00:02:55,380 Now I go and fetch the element at this index in this same uppercase array.
39 00:02:55,390 --> 00:03:04,440 So uppercase of one gives you B, so that means the capital B is my new character.
40 00:03:04,450 --> 00:03:06,030 So I'm going to have that one.
41 00:03:06,040 --> 00:03:10,750 So the same thing applies to the other characters in the string as well.
42 00:03:10,930 --> 00:03:14,440 You take B and find the index in this uppercase array.
43 00:03:15,400 --> 00:03:17,540 If you found any index,
44 00:03:17,540 --> 00:03:24,790 so that means the index is one; you want to add the shift to this, you get two, and uppercase
45 00:03:24,790 --> 00:03:25,790 of two is C, you see.
46 00:03:25,810 --> 00:03:27,280 So C is the new character.
47 00:03:27,400 --> 00:03:30,220 So in this way, this is how the cipher works.
48 00:03:30,400 --> 00:03:37,870 So we are just looping over the source string and we are checking if the uppercase character
49 00:03:37,870 --> 00:03:39,040 matches this one.
50 00:03:39,040 --> 00:03:41,700 And we are setting a flag, is present, to true.
51 00:03:41,710 --> 00:03:49,290 And then we are just using this index, and the index should be with the remainder operator, the modulo
52 00:03:49,300 --> 00:03:57,760 operator, with this length, because it should not go over the array length,
53 00:03:58,210 --> 00:04:05,380 in the same way for the lowercase characters, and if there is a number which is not present
54 00:04:05,380 --> 00:04:11,740 in these arrays, we are just appending that number to this obfuscated string.
55 00:04:11,740 --> 00:04:20,770 So we will get some cipher string, and we are going to replace that old string,
56 00:04:20,770 --> 00:04:28,990 that is kernel32, with the new string, that is the obfuscated cipher text.
57 00:04:30,820 --> 00:04:39,430 So what we're going to do is we are going to search from each byte up to this
58 00:04:39,430 --> 00:04:40,060 length.
59 00:04:40,150 --> 00:04:45,520 So we are searching from starting to
60 00:04:48,450 --> 00:04:56,100 ending, and then we are going to get a string for each byte, and then we are comparing with this whole
61 00:04:56,100 --> 00:04:56,410 thing.
62 00:04:56,430 --> 00:05:03,360 If this is equal, then that means we are going to modify the bytes at that old string with the new
63 00:05:03,360 --> 00:05:03,930 string.
64 00:05:03,930 --> 00:05:08,760 So we are modifying each character with the new string.
65 00:05:08,760 --> 00:05:10,320 That is our ciphertext.
66 00:05:15,300 --> 00:05:16,090 So that's it.
67 00:05:16,110 --> 00:05:19,140 That's what this function does.
68 00:05:19,680 --> 00:05:24,240 It's gonna create a new binary that is called car3.exe.
69 00:05:24,510 --> 00:05:27,360 So let's run this one.
70 00:05:43,490 --> 00:05:47,420 So get to the taxi and.
71 00:06:11,900 --> 00:06:16,820 Now this function is gonna create a new binary, car3.exe, so it's gonna run this.
72 00:06:18,920 --> 00:06:26,090 So it's not only gonna parse the imports, it's also going to exit, and let's open that car3.exe.
73 00:06:28,330 --> 00:06:29,650 So let's go to imports.
74 00:06:29,650 --> 00:06:34,500 And here we can see some random character string.
75 00:06:34,510 --> 00:06:41,890 But here when you see the 32, you probably guess that it might be kernel32, but you don't
76 00:06:41,890 --> 00:06:45,550 know the functions, so it's very easy to decipher.
77 00:06:45,550 --> 00:06:51,730 So, since the key is one, you can backtrack one character.
78 00:06:51,730 --> 00:07:00,550 So the previous character for L is K, for F it's E and, yes, for S it's R, so similar to like the
79 00:07:00,550 --> 00:07:09,820 k e r n e l, the 32, the d l l, so we're gonna get the kernel32 here, and in the same way for
80 00:07:09,820 --> 00:07:17,500 these functions as well, if we're gonna backtrack one before, so the character before
81 00:07:17,530 --> 00:07:23,200 W is V, and i, j, r, s, so we get VirtualAlloc.
82 00:07:23,620 --> 00:07:29,650 So in this way, when the malware analyst sees this, this is not going to stop the analyst from figuring out this
83 00:07:29,650 --> 00:07:36,040 one, but it's going to delay the malware analyst for sure, so we can use other transposition ciphers
84 00:07:36,040 --> 00:07:36,580 as well.
85 00:07:37,540 --> 00:07:39,370 So let's decode this one.
86 00:07:39,370 --> 00:07:41,890 So let's say car3.exe.
87 00:07:47,590 --> 00:07:49,240 So what we're going to do is,
88 00:07:54,760 --> 00:08:02,710 whenever you pass this string, all you need to do is you need to call this deobfuscate,
89 00:08:02,710 --> 00:08:05,350 which probably deciphers with the key.
90 00:08:34,340 --> 00:08:40,490 So we are starting the deobfuscate function with the key, which we are going to pass to the
91 00:08:40,490 --> 00:08:41,570 obfuscate function.
92 00:08:48,260 --> 00:08:52,370 So there are the names, so we can also deobfuscate.
93 00:09:04,800 --> 00:09:14,730 After deobfuscating, we can copy the same, the deobfuscated names to these
94 00:09:14,730 --> 00:09:16,860 addresses as well.
95 00:09:17,340 --> 00:09:18,780 So if we run this,
96 00:09:20,560 --> 00:09:27,460 so here we can see the deobfuscated, deciphered kernel32.dll and the function
97 00:09:27,460 --> 00:09:28,030 names.
98 00:09:29,080 --> 00:09:30,740 So after
99 00:09:33,220 --> 00:09:37,750 the deobfuscation we can write this to the process memory.
100 00:09:37,750 --> 00:09:43,960 So we have parsed all of this into this process memory, so we can write this updated
101 00:09:44,620 --> 00:09:45,120 Uh.
102 00:09:47,710 --> 00:09:49,120 our names to that memory.
103 00:09:49,120 --> 00:09:52,870 And you can parse the base location and execute the code.
104 00:09:53,770 --> 00:10:02,080 So that's it for this video; it's a simple trick, but it still
105 00:10:02,200 --> 00:10:04,930 delays the malware analyst for the static analysis.
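The array-indexed Caesar shift explained in the video, plus the analyst's "backtrack one character" check generalised to every possible shift, as an added Python example that is not the video's own code; the function names, the watch-list of known DLL/API names and the sample import strings are constructed for this example.

```python
import string

# Alphabet arrays, as in the video's scheme: find the index, add the shift, wrap around
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase

def caesar_shift(text: str, key: int) -> str:
    """Shift every letter by `key` positions; digits, '.' etc. are appended unchanged."""
    out = []
    for ch in text:
        if ch in UPPER:
            # index in the uppercase array + shift, modulo the array length so it never overruns
            out.append(UPPER[(UPPER.index(ch) + key) % len(UPPER)])
        elif ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) + key) % len(LOWER)])
        else:
            out.append(ch)
    return "".join(out)

def obfuscate(plain: str, key: int) -> str:
    return caesar_shift(plain, key)

def deobfuscate(cipher: str, key: int) -> str:
    # Backtrack `key` characters, i.e. shift the other way (Python's % keeps the index positive)
    return caesar_shift(cipher, -key)

# Constructed watch-list: names the video shows an analyst would recognise at once
KNOWN_NAMES = {"kernel32.dll", "VirtualAlloc", "ExitProcess", "CreateRemoteThread"}

def recover_shifted_names(import_strings, known=KNOWN_NAMES):
    """Analyst-side check: try all 25 non-zero shifts on each import string and report
    (cipher, key, plain) for every string that decodes to a known DLL or API name."""
    hits = []
    for cipher in import_strings:
        for key in range(1, len(UPPER)):
            plain = deobfuscate(cipher, key)
            if plain in known:
                hits.append((cipher, key, plain))
    return hits

if __name__ == "__main__":
    # Constructed sample: the shift-by-one import table the video produces, plus one decoy
    table = [obfuscate(n, 1) for n in ("kernel32.dll", "VirtualAlloc", "ExitProcess")]
    print(table)
    for cipher, key, plain in recover_shifted_names(table + ["zzzz"]):
        print(f"{cipher} -> {plain} (shift {key})")
```

Because the watch-list lookup is exact, a single unexpected shift value is enough to reveal the real name, which is why the video calls this a delay rather than a stop for static analysis.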