1
00:00:01,180 --> 00:00:06,640
In this lecture we will introduce reverse engineering malware using Ghidra.

2
00:00:06,670 --> 00:00:13,330
So by using Ghidra, you will be able to analyze executable binary files containing malicious code.

3
00:00:13,930 --> 00:00:20,230
This section is a great opportunity to put into practice the knowledge acquired during the first sections

4
00:00:20,230 --> 00:00:24,190
of our course and to put this knowledge into practice.

5
00:00:24,220 --> 00:00:29,980
We will analyze the point of sale (POS) malware.

6
00:00:29,980 --> 00:00:38,590
So this malware basically scrapes the RAM memory of point of sale systems to steal credit card and debit

7
00:00:38,590 --> 00:00:40,750
card information.

8
00:00:40,780 --> 00:00:46,480
So here we will first research the point of sale malware.

9
00:00:48,280 --> 00:00:53,230
Let's open Google Chrome here, and point of sale.

10
00:00:54,380 --> 00:00:55,250
Malware.

11
00:00:57,300 --> 00:01:03,270
And as you can see here, malware is a type of malicious software designed to steal a customer's personal

12
00:01:03,270 --> 00:01:06,870
information through the point of sale devices, POS devices.

13
00:01:06,900 --> 00:01:08,970
Let's see what POS devices are.

14
00:01:13,010 --> 00:01:15,470
And here, this is the POS device here.

15
00:01:15,950 --> 00:01:19,600
So this malware is designed for these POS devices.

16
00:01:19,610 --> 00:01:21,740
So here I have two files.

17
00:01:21,920 --> 00:01:27,090
In the first file we have the malware and a .sys

18
00:01:27,210 --> 00:01:32,270
file, which you will learn what this is used for.

19
00:01:32,270 --> 00:01:36,020
And after that we have the password for this zip file.

20
00:01:36,020 --> 00:01:45,680
So before installing this malware, before you actually... you need to run this malware on a sandbox or virtual

21
00:01:45,680 --> 00:01:51,290
machine because it might infect your main machine here.
22
00:01:51,290 --> 00:01:55,640
So firstly, turn off the real time protection.

23
00:01:55,640 --> 00:02:04,130
So this is an executable Windows malware, and here our approach will start by setting up a safe analysis

24
00:02:04,130 --> 00:02:09,620
environment, of course, and then we will look for malware indicators in the malware sample.

25
00:02:09,620 --> 00:02:15,600
And finally, we will conclude by performing in-depth malware analysis using Ghidra.

26
00:02:15,780 --> 00:02:27,570
So here, for technical requirements, you will need to have a virtual machine like VirtualBox here.

27
00:02:27,600 --> 00:02:34,260
In previous lectures you learned how to install the virtual machines into your

28
00:02:35,160 --> 00:02:36,360
operating system.

29
00:02:36,780 --> 00:02:45,060
And also you will need to download the samples which are attached to the lecture section here.

30
00:02:45,600 --> 00:02:51,390
And at the time of creating this course, the public version of Ghidra has no debugging support for

31
00:02:51,390 --> 00:02:59,190
now, so this limits the scope of Ghidra to static analysis, meaning files are analyzed without being

32
00:02:59,220 --> 00:02:59,910
executed.

33
00:02:59,910 --> 00:03:00,180
So.

34
00:03:00,180 --> 00:03:07,050
But of course Ghidra static analysis can complement the dynamic analysis performed by any existing debugger

35
00:03:07,050 --> 00:03:13,110
of your choice, such as x64dbg, WinDbg and OllyDbg.

36
00:03:13,110 --> 00:03:17,430
So both types of analysis can be performed in parallel.

37
00:03:17,430 --> 00:03:22,950
So setting up an environment for malware analysis is a broad topic, so we will cover the basics of

38
00:03:22,950 --> 00:03:25,800
Ghidra for these purposes.

39
00:03:25,800 --> 00:03:33,030
And keep in mind that the golden rule when setting up a malware analysis environment is to isolate it

40
00:03:33,030 --> 00:03:35,590
from your computer and network.
41
00:03:35,620 --> 00:03:42,010
Even if you are performing static analysis, it is recommended to set up an isolated environment because

42
00:03:42,010 --> 00:03:50,200
you have no guarantee that malware won't exploit some Ghidra vulnerability and get executed anyway.

43
00:03:50,800 --> 00:03:54,700
Because here Ghidra also has some vulnerabilities.

44
00:03:56,250 --> 00:03:59,330
It should be like CVE-

45
00:03:59,370 --> 00:04:03,330
2019-17664.

46
00:04:04,810 --> 00:04:09,400
And here, this is a Ghidra malware.

47
00:04:10,170 --> 00:04:18,950
So CVE-2019-17664 is: when executing Ghidra from a given path,

48
00:04:18,960 --> 00:04:22,620
the Java process working directory is set to this path.

49
00:04:22,620 --> 00:04:29,820
So then, when launching the Python interpreter via the Ghidra CodeBrowser window, Python, Ghidra will

50
00:04:29,820 --> 00:04:35,520
try to execute the cmd.exe program from this working directory here.

51
00:04:35,520 --> 00:04:40,260
So as you can see here, the base score is high here.

52
00:04:41,600 --> 00:04:49,010
And in order to analyze malware, you can use a physical computer restorable to a clean state via hard

53
00:04:49,010 --> 00:04:51,380
disk drive backups, or a virtual one here.

54
00:04:51,380 --> 00:04:58,880
So the first option is more realistic, but slower when restoring the backup and more expensive here.

55
00:05:00,050 --> 00:05:03,650
So you can also isolate your network.

56
00:05:04,280 --> 00:05:07,340
This is a good example to illustrate risk.

57
00:05:07,350 --> 00:05:12,110
This is ransomware encrypting the shared folders during analysis.

58
00:05:12,320 --> 00:05:16,490
So you can also use VirtualBox or VMware

59
00:05:17,530 --> 00:05:22,390
for your virtual machine creation purposes.

60
00:05:23,640 --> 00:05:27,670
And now let's look into our malware here.
61
00:05:27,690 --> 00:05:34,170
So as you probably remember from previous lectures, Ghidra works with projects containing zero or more

62
00:05:34,170 --> 00:05:34,830
files.

63
00:05:34,830 --> 00:05:39,570
So this here, this malware consists of two components.

64
00:05:39,570 --> 00:05:41,910
So actually, let's call this the Alina

65
00:05:42,800 --> 00:05:49,760
malware, because in reality, actually this malware is called by the Internet community

66
00:05:50,240 --> 00:05:52,700
Alina here, the code name.

67
00:05:54,170 --> 00:05:59,270
So the Alina malware here consists of two components.

68
00:06:00,670 --> 00:06:01,740
Can you see the screen?

69
00:06:01,750 --> 00:06:02,140
Yes.

70
00:06:02,140 --> 00:06:02,910
Perfect.

71
00:06:02,920 --> 00:06:12,790
So the malware here consists of two components: a Windows driver, rt.sys,

72
00:06:12,820 --> 00:06:17,290
and a portable executable, spark.exe.

73
00:06:17,290 --> 00:06:22,270
So there is a compressed Ghidra project like this here.

74
00:06:22,270 --> 00:06:29,350
Malware sample 1.zip, containing both components, can be found in the lecture attachment section.

75
00:06:29,350 --> 00:06:36,130
So if you want to get the Alina malware sample as is instead of the Ghidra project, you can also find

76
00:06:36,130 --> 00:06:41,350
it in the lecture attachment section here.

77
00:06:41,410 --> 00:06:51,730
And because it is also compressed and protected with the password infected, we also have this file.

78
00:06:51,730 --> 00:06:59,260
So the password is infected, and it's quite common to share malware in this way so that it does not accidentally

79
00:06:59,260 --> 00:07:00,810
get infected.

80
00:07:00,810 --> 00:07:06,970
And next we will try to quickly guess what kind of malware we are dealing with, in general terms.

81
00:07:06,970 --> 00:07:11,950
And to do that, we will look for strings, which can be revealing in many cases.
82
00:07:11,950 --> 00:07:18,940
So we will also check external sources, which can be useful if the malware has been analyzed or classified.

83
00:07:18,940 --> 00:07:27,100
So finally, we will analyze its capabilities by looking for dynamic-link library (DLL) functions.

84
00:07:27,100 --> 00:07:34,780
So here the functions, and we have the .sys and .exe here.

85
00:07:36,350 --> 00:07:40,290
So now what we're going to do is we will start Ghidra here.

86
00:07:40,310 --> 00:07:41,660
The new project.

87
00:07:48,800 --> 00:07:52,730
And after that we will start the analysis in the next lecture.

88
00:07:52,760 --> 00:07:54,080
I'm waiting for you in the next lecture.