1
00:00:00,200 --> 00:00:03,680
So, as the binary references some malicious servers,

2
00:00:04,100 --> 00:00:09,320
as you saw in the previous lecture, it must implement some kind of network communication, right?

3
00:00:09,320 --> 00:00:11,570
So in this case.

4
00:00:12,250 --> 00:00:13,100
Here.

5
00:00:13,120 --> 00:00:20,800
This communication is performed via the HTTP protocol, as shown here.

6
00:00:20,800 --> 00:00:22,720
So we will go with a sample tree here.

7
00:00:24,170 --> 00:00:32,900
And after that we will go to the imports folder, and here we have the urlmon and wininet packages, and

8
00:00:32,900 --> 00:00:35,240
we can see these functions.

9
00:00:35,240 --> 00:00:36,950
So, looking at this.

10
00:00:37,850 --> 00:00:38,540
url-

11
00:00:38,540 --> 00:00:40,360
mon.

12
00:00:41,690 --> 00:00:44,690
And we also have the advapi here.

13
00:00:45,110 --> 00:00:46,070
So.

14
00:00:46,840 --> 00:00:50,710
Looking at this advapi32,

15
00:00:51,580 --> 00:00:56,170
we can identify functions named Reg-something.

16
00:00:56,170 --> 00:01:03,310
That's something, something here that allows us to work with the Windows registry, while others mention

17
00:01:03,310 --> 00:01:05,380
the word service and

18
00:01:06,200 --> 00:01:17,540
SC Manager, like StartServiceA, like RegSetValueExA, OpenService, RegCloseKey, RegQuery... and so on.

19
00:01:18,200 --> 00:01:26,330
With this here, this allows a malicious attacker to interact with the Windows Service Control

20
00:01:26,330 --> 00:01:32,480
Manager, which enables us to load drivers here.

21
00:01:32,510 --> 00:01:32,990
Right.

22
00:01:32,990 --> 00:01:34,570
And the registry.

23
00:01:35,260 --> 00:01:36,700
And we also have.

24
00:01:36,790 --> 00:01:44,080
So there are really a lot of imports in kernel32.dll as well, as well as many other things; it allows us

25
00:01:44,080 --> 00:01:50,740
to interact with and perform actions related to named pipes, file names and processes.

26
00:01:51,100 --> 00:01:52,240
Let's actually.

27
00:01:53,060 --> 00:01:53,690
Here.

28
00:01:54,410 --> 00:01:55,970
We have a bigger sample tree, right?

29
00:01:57,110 --> 00:01:59,510
We can also drag it down here.

30
00:02:00,640 --> 00:02:04,450
Or if you mess with this view, you can go to Window.

31
00:02:07,610 --> 00:02:08,200
Andrew.

32
00:02:08,210 --> 00:02:09,140
Is it your.

33
00:02:10,810 --> 00:02:12,650
You know, we have options.

34
00:02:16,320 --> 00:02:19,770
So now we will go to here and.

35
00:02:20,830 --> 00:02:26,410
So as I said, there are really a lot of system32, kernel32

36
00:02:28,070 --> 00:02:38,380
imports, and we also have this wininet HttpOpenRequestA, HttpQueryInfoA and so on.

37
00:02:38,390 --> 00:02:44,060
So here we identified a lot of things with a very quick analysis.

38
00:02:44,060 --> 00:02:51,860
So if you are experienced, you will know malware code patterns, leading to mentally matching API functions

39
00:02:51,860 --> 00:03:00,680
with strings and easily inferring what the malware will try to do, given the previously shown information

40
00:03:00,680 --> 00:03:01,280
here.

41
00:03:02,720 --> 00:03:03,500
So.

42
00:03:05,480 --> 00:03:10,340
In the next lecture, we will dissect interesting malware sample parts.

43
00:03:10,370 --> 00:03:12,320
And I'm waiting for you in the next lecture.