1
00:00:00,720 --> 00:00:08,700
It is also useful to investigate the information found using external sources such as intelligence tools.

2
00:00:09,390 --> 00:00:11,250
So, for instance.

3
00:00:12,230 --> 00:00:15,710
You can search the web domains that this

4
00:00:17,260 --> 00:00:20,800
malware connects to, for example, Adobe.

5
00:00:21,430 --> 00:00:28,240
This is probably not a legitimate website, because Adobe, as I remember, doesn't have domains

6
00:00:28,240 --> 00:00:28,720
like that.

7
00:00:28,720 --> 00:00:30,730
But we will check this out.

8
00:00:31,720 --> 00:00:35,320
Adam a flasher up.1.com.

9
00:00:35,320 --> 00:00:38,800
And let's also run the rule here.

10
00:00:39,010 --> 00:00:42,070
Java Oracle two dot rule here.

11
00:00:42,610 --> 00:00:46,000
Java Oracle two dot room.

12
00:00:51,090 --> 00:00:52,000
And here we.

13
00:00:52,170 --> 00:00:54,510
We can use the expressions, probably.

14
00:00:55,620 --> 00:00:55,980
Rule.

15
00:00:59,210 --> 00:00:59,750
Come.

16
00:01:22,200 --> 00:01:24,150
And here we will have.

17
00:01:27,760 --> 00:01:28,240
Net.

18
00:01:29,650 --> 00:01:30,430
Nothing.

19
00:01:31,270 --> 00:01:31,860
Argh!

20
00:01:32,260 --> 00:01:33,100
Nothing.

21
00:01:33,400 --> 00:01:34,450
Come again.

22
00:01:36,890 --> 00:01:40,400
Yeah, that's... I think that's two websites. That's okay.

23
00:01:40,400 --> 00:01:47,360
So as I said, it's also useful to investigate the information found using external sources such as

24
00:01:47,360 --> 00:01:49,850
VirusTotal, for instance.

25
00:01:50,180 --> 00:02:00,590
We have these two websites that our malware has some relation to, which we will check out right

26
00:02:00,590 --> 00:02:00,890
now.

27
00:02:00,890 --> 00:02:02,360
So VirusTotal.

28
00:02:07,010 --> 00:02:08,120
Dot com.
29
00:02:09,930 --> 00:02:19,740
And after that we will give these websites to VirusTotal to check if it has something malicious inside

30
00:02:19,770 --> 00:02:27,000
or someone reported something malicious about these websites, and we can go to Community.

31
00:02:27,890 --> 00:02:29,570
Read this here.

32
00:02:30,290 --> 00:02:33,860
It has the hybrid-analysis.com sample.

33
00:02:35,160 --> 00:02:36,990
Let's check this out.

34
00:02:41,590 --> 00:02:42,220
Here.

35
00:02:43,450 --> 00:02:45,460
We have incident response.

36
00:02:45,460 --> 00:02:46,660
Someone did it.

37
00:02:46,840 --> 00:02:48,910
So network behavior contexts.

38
00:02:48,940 --> 00:02:51,490
Five domains and two hosts.

39
00:02:51,520 --> 00:02:53,600
Let's see all of the hosts here.

40
00:02:53,680 --> 00:02:56,200
So the web flasher abc.com.

41
00:02:56,230 --> 00:03:02,230
This is a... we can do OSINT, bootzilla, that through Java Oracle, to that through here.

42
00:03:04,360 --> 00:03:07,180
So it's a bit malicious here.

43
00:03:07,180 --> 00:03:08,890
So from Germany to.

44
00:03:09,620 --> 00:03:17,180
Contacted countries in the United States, we have the HTTP traffic with hybrid-analysis.com here.

45
00:03:19,530 --> 00:03:23,250
As the name suggests, it is the analysis website.

46
00:03:23,580 --> 00:03:25,470
So you can website like.

47
00:03:26,430 --> 00:03:30,810
Enter malware's websites or analyze.

48
00:03:32,290 --> 00:03:34,110
Here we have the PDF.

49
00:03:35,440 --> 00:03:40,000
Let's have some kind of close user agent Mozilla here, that PHP.

50
00:03:41,550 --> 00:03:49,890
You have a CRL and so on here, and in VirusTotal we have the scan results for.

51
00:03:50,630 --> 00:03:58,430
Security vendors flag this URL as malicious, and apart from that, VirusTotal can provide more useful

52
00:03:58,430 --> 00:04:02,570
information that you can find by browsing through the page here.

53
00:04:02,780 --> 00:04:05,690
For instance, let's go there.
54
00:04:07,030 --> 00:04:08,190
The protections.

55
00:04:09,060 --> 00:04:10,680
Details and so on.

56
00:04:11,490 --> 00:04:12,690
For instance.

57
00:04:13,800 --> 00:04:18,050
It has the final year server serving IP address.

58
00:04:18,060 --> 00:04:24,000
We can also check this serving IP address here if it has something to do with it.

59
00:04:24,030 --> 00:04:25,230
Now for now.

60
00:04:25,800 --> 00:04:29,670
And malware sinkhole is Arbor Networks.

61
00:04:30,510 --> 00:04:36,210
The date is written here and the last analysis date is one month ago.

62
00:04:36,210 --> 00:04:45,330
But whatsoever, our hybrid-analysis.com actually gives more detailed information about our malware.

63
00:04:49,670 --> 00:04:50,240
Uh, legal.

64
00:04:50,630 --> 00:04:51,770
Corporate As-salih.

65
00:04:51,800 --> 00:04:53,690
Internal name is Dale.

66
00:04:56,350 --> 00:05:05,260
And here, as a compiler packer, is Microsoft Visual C++, architecture for Windows, and size of 200 kB.

67
00:05:06,630 --> 00:05:09,000
So it associated our.

68
00:05:11,000 --> 00:05:15,470
Malware, this website that connects to our executable malware.

69
00:05:15,500 --> 00:05:16,040
Right.

70
00:05:17,650 --> 00:05:24,760
And after that, we also have so much information about that we can find out.

71
00:05:27,710 --> 00:05:35,930
And so once we are done with this string analysis and open source intelligence analysis, now we will

72
00:05:35,930 --> 00:05:36,500
look.

73
00:05:37,800 --> 00:05:38,770
Input functions.

74
00:05:38,790 --> 00:05:39,780
In the next lecture.