1
00:00:00,440 --> 00:00:08,060
As mentioned before, this malware consists of two components: a portable executable file, sparkcontext,

2
00:00:08,600 --> 00:00:13,720
and the Windows driver file Aacae.sys.

3
00:00:13,730 --> 00:00:21,320
So when more than one malicious file is found on a computer, it's quite common that one of them generates

4
00:00:21,350 --> 00:00:22,190
others.

5
00:00:23,260 --> 00:00:28,860
So, as spark.exe can be executed by just double-clicking on it,

6
00:00:28,870 --> 00:00:40,090
while Aacae.sys must be loaded by another component such as the Windows Service Control Manager.

7
00:00:40,960 --> 00:00:43,360
So, with another driver.

8
00:00:43,360 --> 00:00:50,860
So we can initially assume that spark.exe was executed and then it dropped Aacae.sys to the disk.

9
00:00:50,890 --> 00:00:57,490
In fact, during our static analysis of the imports, we noticed that spark.exe has APIs to deal

10
00:00:57,490 --> 00:01:00,160
with the Windows Service Control Manager.

11
00:01:00,760 --> 00:01:05,590
And what we're going to do here is we're going to get spark.exe. Switch to

12
00:01:06,900 --> 00:01:12,300
Ghidra, and we have the portable executable, something like that, and we imported it.

13
00:01:12,300 --> 00:01:14,760
So we'll double-click on it to analyze.

14
00:01:14,940 --> 00:01:18,960
And after that, click on Yes and Analyze.

15
00:01:18,960 --> 00:01:19,590
That's it.

16
00:01:19,800 --> 00:01:28,320
So it's quite a simple and small file; simple because, as you can see, it's already analyzed here.

17
00:01:28,320 --> 00:01:29,310
So.

18
00:01:32,270 --> 00:01:36,500
What we are going to do is we're going to go to Bytes here.

19
00:01:36,680 --> 00:01:37,880
This: Bytes.

20
00:01:38,270 --> 00:01:42,620
We will display the bytes here and.

21
00:01:43,550 --> 00:01:45,630
Here we have the start.

22
00:01:45,650 --> 00:01:48,980
Here I will note that on the screen.
23
00:01:51,110 --> 00:01:52,910
Or instead we have the Notepad.

24
00:01:52,910 --> 00:01:53,380
Right.

25
00:01:53,390 --> 00:01:54,930
Or Sticky Notes?

26
00:01:54,950 --> 00:01:55,700
Yes.

27
00:01:56,450 --> 00:01:57,500
So.

28
00:01:58,670 --> 00:01:59,870
Not now.

29
00:02:00,110 --> 00:02:07,850
Okay, so here our start is 000001.

30
00:02:10,750 --> 00:02:11,770
Zero zero.

31
00:02:12,940 --> 00:02:16,900
And zero zero here again, and the end is here.

32
00:02:16,900 --> 00:02:20,200
I'm talking about this start and end.

33
00:02:20,770 --> 00:02:21,820
We will note that.

34
00:02:21,820 --> 00:02:26,020
And here our end is f f, f f f.

35
00:02:27,060 --> 00:02:31,730
Let's actually make it uppercase: F, F, F, F, F and F F.

36
00:02:31,970 --> 00:02:32,580
Right.

37
00:02:32,580 --> 00:02:33,570
So.

38
00:02:34,790 --> 00:02:37,240
Why I noted this first,

39
00:02:37,250 --> 00:02:41,150
you will understand right now, because here.

40
00:02:44,480 --> 00:02:44,840
The.

41
00:02:44,920 --> 00:02:47,480
This file starts with this pattern.

42
00:02:47,480 --> 00:02:48,080
Right.

43
00:02:48,620 --> 00:02:49,430
Let's actually.

44
00:02:50,770 --> 00:02:52,560
Get this at the top here.

45
00:02:52,570 --> 00:02:54,580
This is the top of the file, where it starts.

46
00:02:54,580 --> 00:02:59,260
So here, this file starts with this pattern.

47
00:02:59,350 --> 00:03:03,840
So we will also note that start pattern.

48
00:03:03,850 --> 00:03:16,360
Note that here: the 4D 5A 90 00 and so on here, and others.

49
00:03:16,480 --> 00:03:18,010
So here.

50
00:03:19,380 --> 00:03:21,960
As you see, this is our standard pattern.

51
00:03:21,960 --> 00:03:26,400
And the starting bytes are also used as the signature of files.

52
00:03:26,400 --> 00:03:31,680
So these signatures are also known as magic numbers or magic bytes.
53
00:03:31,680 --> 00:03:38,520
So in this case, the signature indicates that this file is a portable executable, which is the file

54
00:03:38,520 --> 00:03:46,650
format for executables, object code, DLLs and others used in 32-bit and 64-bit versions of Windows

55
00:03:46,650 --> 00:03:47,820
operating systems.

56
00:03:47,820 --> 00:03:55,220
So you will see this pattern in every portable executable file, object code, DLLs

57
00:03:55,260 --> 00:04:00,030
you analyze in reverse engineering operations.

58
00:04:00,030 --> 00:04:03,210
So here, let's actually use our executable file.

59
00:04:03,210 --> 00:04:07,650
It's already analyzed, but we can check that.

60
00:04:08,660 --> 00:04:10,660
We have our key with us.

61
00:04:10,700 --> 00:04:11,780
We also have the.

62
00:04:12,420 --> 00:04:13,500
POS malware.

63
00:04:13,710 --> 00:04:23,620
So here, as you can see in the POS malware, our bytes also start with 4D 5A 90 00.

64
00:04:23,640 --> 00:04:33,330
So you will see this pattern very commonly in the executable files, object code, DLLs and others used

65
00:04:33,330 --> 00:04:38,970
in 32-bit and 64-bit versions of Windows operating systems.

66
00:04:39,210 --> 00:04:40,620
So we will.

67
00:04:41,560 --> 00:04:47,020
We can also just close this POS malware, but it can stay here.

68
00:04:48,220 --> 00:04:48,790
Now.

69
00:04:49,300 --> 00:04:49,840
Okay.

70
00:04:49,840 --> 00:04:54,530
So we can also calculate the difference between the start address and the end address.

71
00:04:54,550 --> 00:05:00,580
And in order to do that, we will open the Go To, Search or.

72
00:05:01,740 --> 00:05:02,520
Window.

73
00:05:02,730 --> 00:05:04,020
We will go to Window and go.

74
00:05:04,050 --> 00:05:06,270
We will select Python from it.

75
00:05:07,080 --> 00:05:07,950
Python.

76
00:05:07,950 --> 00:05:12,090
And here what we're going to do is reset in Python.
77
00:05:12,420 --> 00:05:18,960
We will subtract this here, subtract this here, in this case, hex.

78
00:05:19,260 --> 00:05:20,100
Hex.

79
00:05:25,870 --> 00:05:26,860
Zero six.

80
00:05:34,210 --> 00:05:35,350
Go to here.

81
00:05:51,390 --> 00:05:51,920
Here.

82
00:06:28,800 --> 00:06:31,350
And now we will go back to Python.

83
00:06:31,350 --> 00:06:33,390
So we will calculate this, right?

84
00:06:33,390 --> 00:06:38,130
So 00010000

85
00:06:38,160 --> 00:06:44,440
minus 0 00151 and five.

86
00:06:44,850 --> 00:06:50,610
So let's close this; the presets are now here as input.

87
00:06:54,810 --> 00:06:55,620
I'm sorry.

88
00:06:56,130 --> 00:06:59,100
We need to add 0x here and here.

89
00:06:59,100 --> 00:07:00,030
This is our output.

90
00:07:08,980 --> 00:07:12,160
So 0x51 and five.

91
00:07:12,280 --> 00:07:15,580
So then we can open the.

92
00:07:17,770 --> 00:07:18,790
Let's actually close this.

93
00:07:18,790 --> 00:07:27,160
So we can open spark.exe and look for the file by clicking on Search, Memory

94
00:07:27,160 --> 00:07:27,820
here.

95
00:07:28,480 --> 00:07:33,070
And we will paste this code here that we got from this.

96
00:07:36,320 --> 00:07:37,130
Search pattern.

97
00:07:37,310 --> 00:07:38,750
So we will paste this.

98
00:07:39,470 --> 00:07:40,610
The search pattern.

99
00:07:40,610 --> 00:07:42,100
And here, this is it.

100
00:07:42,110 --> 00:07:44,180
And you will see here.

101
00:07:45,310 --> 00:07:45,720
We have.

102
00:07:45,730 --> 00:07:46,540
Let's Search All.

103
00:07:46,540 --> 00:07:51,820
So you will see the two occurrences of this header pattern.

104
00:07:51,820 --> 00:07:55,150
So the first one corresponds to the.

105
00:07:56,440 --> 00:08:03,580
The header of the file we are analyzing, in this case spark.exe, while the second one corresponds

106
00:08:03,580 --> 00:08:09,870
to the embedded .sys, which we just analyzed here.

107
00:08:09,880 --> 00:08:10,870
So.
108
00:08:11,920 --> 00:08:12,400
Here.

109
00:08:12,400 --> 00:08:14,440
This is that zero zero label.

110
00:08:14,560 --> 00:08:18,220
It also has labels, but we have the IMAGE_DOS_HEADER here.

111
00:08:20,900 --> 00:08:21,530
Yes.

112
00:08:21,830 --> 00:08:31,010
So as we know, it starts with the 004F here, this location here.

113
00:08:31,010 --> 00:08:32,540
So we will note that down.

114
00:08:36,110 --> 00:08:40,130
Oops, that's not a good marker here.

115
00:08:40,130 --> 00:08:47,330
So we already know that it starts with the... actually, let's, instead of writing things here,

116
00:08:47,330 --> 00:08:49,520
note it down so we can read it.

117
00:08:49,520 --> 00:08:57,590
So, location of that: 004.

118
00:08:58,790 --> 00:09:01,010
F68 50.

119
00:09:02,340 --> 00:09:03,870
6850.

120
00:09:05,700 --> 00:09:08,760
As we noted it down and.

121
00:09:12,830 --> 00:09:13,820
After that.

122
00:09:16,280 --> 00:09:19,820
We will select the bytes here.

123
00:09:22,320 --> 00:09:23,370
Search.

124
00:09:24,180 --> 00:09:24,630
Or.

125
00:09:25,600 --> 00:09:25,990
Yeah.

126
00:09:25,990 --> 00:09:29,250
Now select here and select the bytes here.

127
00:09:29,260 --> 00:09:32,050
So here we will enter the length.

128
00:09:32,050 --> 00:09:32,680
Right.

129
00:09:33,010 --> 00:09:38,560
The length is what we got from the calculation here, and here.

130
00:09:38,560 --> 00:09:40,090
We selected our bytes.

131
00:09:40,090 --> 00:09:49,030
So by right-clicking on the selected bytes and choosing Extract and Import right here, Extract and

132
00:09:49,030 --> 00:09:52,660
Import, which is also available; it also has a shortcut.

133
00:09:53,410 --> 00:10:00,940
So we get this screen where a data file is added to the project containing the selected bytes.

134
00:10:01,840 --> 00:10:05,710
So we are identifying the malware components here.

135
00:10:05,980 --> 00:10:08,950
Now, let's actually... we can also analyze it.
136
00:10:09,370 --> 00:10:11,110
But here.

137
00:10:15,930 --> 00:10:16,620
That's it.

138
00:10:17,160 --> 00:10:19,800
And here, in Imports.

139
00:10:21,550 --> 00:10:23,140
IBM's Notes program file.

140
00:10:23,140 --> 00:10:25,900
And here we also have the Data Type Manager.

141
00:10:25,900 --> 00:10:29,320
We have three data types: spark data.

142
00:10:29,320 --> 00:10:32,770
Here we have this data file.

143
00:10:37,030 --> 00:10:39,670
And we have the Program Trees here.

144
00:10:40,030 --> 00:10:42,080
We can refresh it and so on.

145
00:10:42,100 --> 00:10:42,880
So.

146
00:10:44,520 --> 00:10:48,390
We can go to the active project, spark.exe here.

147
00:10:49,630 --> 00:10:51,100
Program change symbol three.

148
00:10:56,620 --> 00:10:57,920
At CES.

149
00:11:03,950 --> 00:11:05,390
And here we.

150
00:11:07,950 --> 00:11:14,580
We have this, we can see the spark.exe data here separately, and that's it.

151
00:11:15,840 --> 00:11:17,640
We have found the.

152
00:11:21,130 --> 00:11:22,480
This, Aki.

153
00:11:22,480 --> 00:11:26,260
That .sys file from our executable file.

154
00:11:26,260 --> 00:11:26,800
Right.

155
00:11:27,960 --> 00:11:32,340
And here we have this in the Ghidra active project.

156
00:11:32,340 --> 00:11:37,530
Here we can see this, all the malware components.

157
00:11:37,920 --> 00:11:44,610
Now, in the next lecture, we will analyze the malware from the entry point of the program.

158
00:11:45,220 --> 00:11:46,420
See you in the next lecture.
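The manual workflow shown in this lecture (search memory for the MZ header bytes, compute end minus start, extract the selection as a new file) can be reproduced in plain Python so the carved component can be checked by hand. This is an added example, not code from the lecture, from Ghidra, or from the malware author; the `make_fake_pe` helper and the `SAMPLE` buffer are constructed stand-ins, not the real spark.exe or driver, and the carve-to-next-header rule is the same over-approximation the lecture uses (it keeps any padding that sits before the next header).

```python
"""Locate and carve embedded PE images from a binary blob (added example)."""
import hashlib
import struct

MZ_MAGIC = b"MZ\x90\x00"        # 4D 5A 90 00: the usual first bytes of a PE file
PE_SIGNATURE = b"PE\x00\x00"    # found at the offset stored in IMAGE_DOS_HEADER.e_lfanew


def find_pe_headers(data):
    """Offsets of MZ headers whose e_lfanew really points at a PE signature.

    A bare 'MZ' search (like Search > Memory in Ghidra) also matches stray
    copies of the pattern; validating e_lfanew removes those false positives.
    """
    hits = []
    pos = data.find(MZ_MAGIC)
    while pos != -1:
        if pos + 0x40 <= len(data):                      # need the whole DOS header
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig_off = pos + e_lfanew
            if data[sig_off:sig_off + 4] == PE_SIGNATURE:
                hits.append(pos)
        pos = data.find(MZ_MAGIC, pos + 1)
    return hits


def carve(data):
    """Cut the blob at each validated header; length = next start - this start."""
    starts = find_pe_headers(data)
    parts = []
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(data)
        blob = data[start:end]
        parts.append({"offset": start, "length": end - start,
                      "sha256": hashlib.sha256(blob).hexdigest(), "data": blob})
    return parts


def make_fake_pe(payload):
    """Constructed PE stand-in: 0x40-byte DOS header, e_lfanew=0x40, 'PE\\0\\0', payload."""
    dos = bytearray(0x40)
    dos[0:4] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + PE_SIGNATURE + payload


# Constructed sample: a "dropper" image, padding containing a stray MZ pattern
# that must NOT be reported, then an embedded second image (the "driver").
SAMPLE = (make_fake_pe(b"dropper code " * 8) + b"\x00" * 0x20 + MZ_MAGIC
          + b"\x00" * 0x20 + make_fake_pe(b"driver code " * 4))

if __name__ == "__main__":
    for p in carve(SAMPLE):
        print("offset 0x%X length 0x%X sha256 %s" % (p["offset"], p["length"], p["sha256"]))
```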