1
00:00:00,470 --> 00:00:01,850
Hello, my name is Stefan.

2
00:00:01,850 --> 00:00:05,060
And in this lecture, we are going to look for strings.

3
00:00:05,970 --> 00:00:14,850
And let's start by opening the project, by double clicking on the run, that part and after that.

4
00:00:16,670 --> 00:00:19,850
Here we are seeing this kind of dialogue here.

5
00:00:20,120 --> 00:00:21,290
Welcome screen.

6
00:00:21,290 --> 00:00:26,360
Click on the close, and here we will come to File, New Project here.

7
00:00:27,750 --> 00:00:31,920
Searching for strings in Lena.

8
00:00:31,950 --> 00:00:32,610
Here.

9
00:00:35,880 --> 00:00:37,870
String search.

10
00:00:38,550 --> 00:00:39,180
Elena.

11
00:00:41,130 --> 00:00:45,410
Malware, and this is the project name for us.

12
00:00:45,420 --> 00:00:50,160
And after that we will drag and drop our exe file.

13
00:00:50,160 --> 00:00:57,030
Or you can press on the E on your keyboard and just select this, your malware here.

14
00:00:57,030 --> 00:00:57,840
And that's it.

15
00:00:57,870 --> 00:00:59,190
Here we have format.

16
00:00:59,220 --> 00:01:01,230
We will select a portable executable.

17
00:01:01,260 --> 00:01:03,420
By default, we have language.

18
00:01:03,420 --> 00:01:08,850
Obviously we can't change it, because it already knows what it is.

19
00:01:08,850 --> 00:01:15,660
It has a compiler called Visual Studio here, and the program name is Sparc dot X.

20
00:01:15,660 --> 00:01:18,120
So this is just a representation.

21
00:01:18,600 --> 00:01:24,750
So actually this name is just for you, so you can change it to anything you want.

22
00:01:24,780 --> 00:01:32,280
More descriptive names like Lena malware or POS malware here.

23
00:01:33,360 --> 00:01:33,840
Click on.

24
00:01:33,840 --> 00:01:41,630
Okay, and loading language here and importing the file. Here we are seeing what is happening with Ghidra.

25
00:01:42,950 --> 00:01:43,730
And.
26
00:01:45,350 --> 00:01:51,740
It might take like ten or 20 seconds, depends on your computer specifications, and it's done.

27
00:01:51,740 --> 00:01:53,890
We have the import results summary.

28
00:01:53,900 --> 00:01:56,300
As always, we will click on okay.

29
00:01:56,300 --> 00:01:59,690
And after that we will right click on the POS malware.

30
00:02:01,730 --> 00:02:04,730
And we will click on the open in default window.

31
00:02:05,690 --> 00:02:06,740
After that.

32
00:02:07,630 --> 00:02:08,470
Ghidra will.

33
00:02:08,470 --> 00:02:09,280
Ask us.

34
00:02:10,000 --> 00:02:11,050
Do you want to?

35
00:02:11,780 --> 00:02:12,790
Analyze this.

36
00:02:12,800 --> 00:02:15,830
So, of course, we want to analyze this.

37
00:02:16,190 --> 00:02:18,790
And here it is checked by default.

38
00:02:18,800 --> 00:02:21,260
We will not touch anything for now.

39
00:02:21,260 --> 00:02:24,110
And we will click on the analyze.

40
00:02:24,320 --> 00:02:27,440
After that, it might take some time.

41
00:02:27,440 --> 00:02:34,970
Here in the right bottom corner of the screen, you can see the progress.

42
00:02:44,360 --> 00:02:49,760
And while our progress is running, we cannot scroll that down.

43
00:02:49,760 --> 00:02:52,370
Let's increase the font size a little bit for you.

44
00:02:53,150 --> 00:02:54,290
We have the.

45
00:02:56,730 --> 00:02:58,230
Undefined thunk function.

46
00:02:58,230 --> 00:03:01,220
Here we have several codes.

47
00:03:01,230 --> 00:03:02,910
It's almost the compiling here.

48
00:03:02,910 --> 00:03:04,890
The loading process is here.

49
00:03:19,310 --> 00:03:21,980
Let's get the call functions here.

50
00:03:37,100 --> 00:03:39,170
Push and here.

51
00:03:40,190 --> 00:03:42,110
So it's almost done here.

52
00:03:42,140 --> 00:03:43,460
We're just playing with it.

53
00:03:43,460 --> 00:03:47,390
And let's actually check the functions and.

54
00:03:49,120 --> 00:03:51,550
Imports from the symbol tree.
55
00:03:52,600 --> 00:03:54,310
Can we increase the font size a bit?

56
00:03:54,340 --> 00:03:54,670
No.

57
00:03:54,670 --> 00:03:55,390
Sorry.

58
00:03:55,660 --> 00:03:58,540
And here we have the wininet.

59
00:03:58,550 --> 00:04:00,910
So here we are.

60
00:04:00,940 --> 00:04:03,250
Program, our malware, is using.

61
00:04:04,120 --> 00:04:07,030
Some of the Internet protocol libraries.

62
00:04:07,030 --> 00:04:08,290
So this might.

63
00:04:12,690 --> 00:04:13,890
Tell us that.

64
00:04:14,640 --> 00:04:19,350
Our program has access to Internet or sending something here.

65
00:04:19,350 --> 00:04:22,440
And as you can see, it's almost all HTTP.

66
00:04:22,560 --> 00:04:34,110
So it means our malware is using port 80, HTTP protocol, and our loading is almost done here.

67
00:04:35,620 --> 00:04:41,500
Let's also check out another import, urlmon. So we have the URLDownloadToFileA.

68
00:04:41,530 --> 00:04:50,230
So this means our program can also install something, install the files or programs from internet.

69
00:04:51,350 --> 00:04:59,330
We have the kernel32, the wininet again, and InternetReadFile, InternetOpen, Connect, Close

70
00:04:59,330 --> 00:05:02,690
Handle and so on.

71
00:05:02,690 --> 00:05:08,060
We have urlmon URLDownloadToFile and advapi32.

72
00:05:09,970 --> 00:05:13,750
This is also manipulating for registry keys.

73
00:05:15,810 --> 00:05:19,380
ControlService, CreateServiceA, and so on.

74
00:05:20,490 --> 00:05:20,580
Now.

75
00:05:20,750 --> 00:05:21,210
This is fun.

76
00:05:21,260 --> 00:05:21,770
Yes.

77
00:05:21,770 --> 00:05:22,610
And that's it.

78
00:05:22,610 --> 00:05:25,340
Our analysis has been done.

79
00:05:25,340 --> 00:05:28,160
And after that, let's start by.

80
00:05:30,300 --> 00:05:33,170
Uh, going to search here.

81
00:05:33,180 --> 00:05:34,530
Search menu here.

82
00:05:34,530 --> 00:05:38,550
And at the bottom here, we have search for strings.
83
00:05:38,790 --> 00:05:41,880
And you will not touch anything because we don't want.

84
00:05:41,910 --> 00:05:45,000
We want, uh, the minimum length of five, so.

85
00:05:46,130 --> 00:05:50,470
And alignment 1 and word model StringModel.sng.

86
00:05:50,510 --> 00:06:00,740
So you can also change the word model if you have one, but probably this Ghidra's word model will work

87
00:06:00,740 --> 00:06:02,930
and after that we will click on search.

88
00:06:04,290 --> 00:06:08,460
And here, as you can see, we have several.

89
00:06:11,130 --> 00:06:12,120
Strings here.

90
00:06:12,540 --> 00:06:13,530
So.

91
00:06:16,250 --> 00:06:21,410
We will go to, we will search for it and find something interesting here.

92
00:06:22,490 --> 00:06:26,870
You can also use these filters, for example, if you want to like.

93
00:06:28,010 --> 00:06:29,200
Dot exe here.

94
00:06:29,210 --> 00:06:29,960
Let's.

95
00:06:32,320 --> 00:06:37,840
And here we have the several .exe strings.

96
00:06:42,730 --> 00:06:46,780
Our program has connections with tools Excel files.

97
00:06:47,870 --> 00:06:51,980
And here we have the windefender.exe here.

98
00:06:52,430 --> 00:07:02,630
So we will check that address location for F 647 A, and that's it.

99
00:07:03,230 --> 00:07:08,630
And here, as you can see, we will get our marker.

100
00:07:09,800 --> 00:07:12,950
Here we have this. Let's actually use different.

101
00:07:13,980 --> 00:07:14,340
Here.

102
00:07:14,340 --> 00:07:17,310
So we have this installed windefender.exe.

103
00:07:19,540 --> 00:07:20,470
We have.

104
00:07:20,680 --> 00:07:22,000
Oh, shellcode.

105
00:07:22,030 --> 00:07:25,000
Mutex might be interesting, right?

106
00:07:25,120 --> 00:07:30,820
And we also have SSDT hook dot PDB.

107
00:07:33,080 --> 00:07:37,580
And we have that password, might be interesting, right?

108
00:07:39,380 --> 00:07:40,280
Password.

109
00:07:41,460 --> 00:07:45,680
And this program cannot run in DOS mode, and so on.
110
00:07:45,690 --> 00:07:50,370
And we should also have something like.

111
00:07:52,530 --> 00:07:53,190
That's it.

112
00:07:55,200 --> 00:07:59,960
And here we also have the desktop in here.

113
00:07:59,970 --> 00:08:10,380
When you see users desktop alien source working debug spark dot P as shown here, the user Benson seems

114
00:08:10,380 --> 00:08:17,550
to have compiled this malware, so this information could be useful to investigate the attribution of

115
00:08:17,550 --> 00:08:18,350
this malware.

116
00:08:18,360 --> 00:08:21,300
So there are a lot of suspicious strings here, right?

117
00:08:21,330 --> 00:08:28,080
So this URL in here is probably the.

118
00:08:29,770 --> 00:08:33,280
Compiler of this malware.

119
00:08:34,380 --> 00:08:35,610
Transparent.

120
00:08:37,810 --> 00:08:41,710
So Allen, the, some, someone that.

121
00:08:43,270 --> 00:08:48,590
An account named Allen on a Windows machine compiled this.

122
00:08:49,710 --> 00:08:50,580
Malware.

123
00:08:50,580 --> 00:08:54,890
And we have the Benson. This is the computer name.

124
00:08:54,900 --> 00:08:55,680
The.

125
00:08:57,190 --> 00:08:58,030
Machine name.

126
00:08:58,030 --> 00:08:58,270
So.

127
00:08:58,300 --> 00:08:59,120
Machine name, Benson.

128
00:08:59,230 --> 00:09:01,750
And user name is Allen.

129
00:09:01,750 --> 00:09:05,080
And we have some suspicious password here.

130
00:09:05,380 --> 00:09:13,120
Like after password, we have probably the real password here, that's also of, sorry.

131
00:09:13,810 --> 00:09:16,240
Let's also take this.

132
00:09:21,740 --> 00:09:23,870
And this is some suspicious password.

133
00:09:23,900 --> 00:09:26,300
Let's note it down here.

134
00:09:26,480 --> 00:09:29,240
Uppercase, y, h and g.

135
00:09:29,540 --> 00:09:31,880
Y l key.

136
00:09:34,650 --> 00:09:36,180
O0.

137
00:09:37,780 --> 00:09:38,860
Nine H.

138
00:09:38,890 --> 00:09:42,520
Uppercase and trans frame with white background.
139
00:09:42,520 --> 00:09:53,290
So this is some password here, and we have the shellcode mutex and SSDT hook PDB here and here, for

140
00:09:53,290 --> 00:09:53,950
instance.

141
00:09:53,950 --> 00:10:01,030
So it's hard to imagine the reason behind a legitimate program making reference to windefender here.

142
00:10:01,030 --> 00:10:01,390
Right?

143
00:10:01,390 --> 00:10:05,470
So it's also making some reference to windefender.

144
00:10:05,470 --> 00:10:09,310
So it's probably the bad program here, right?

145
00:10:09,310 --> 00:10:16,960
The malware, and also here the shellcode dot mutex, shellcode dot mutex, and windefender here.

146
00:10:16,960 --> 00:10:22,870
So especially the shellcode dot mutex and the system.

147
00:10:24,110 --> 00:10:26,420
This SSDT here.

148
00:10:26,420 --> 00:10:29,510
So let's, let me note it down.

149
00:10:29,600 --> 00:10:31,480
SSDT.

150
00:10:31,550 --> 00:10:35,880
Here is system service, ser-

151
00:10:36,230 --> 00:10:37,250
Service.

152
00:10:37,280 --> 00:10:39,710
Dispatch table.

153
00:10:40,460 --> 00:10:41,420
So.

154
00:10:43,930 --> 00:10:49,570
Also just making regular program, hooking this to this service.

155
00:10:49,960 --> 00:10:58,450
References are both explicitly malicious, and a quick overview of these strings of the program can sometimes

156
00:10:58,450 --> 00:11:01,070
reveal whether it is malware or not.

157
00:11:01,090 --> 00:11:06,130
Without further analysis, and simple and powerful.