1
00:00:00,480 --> 00:00:07,830
Now we are analyzing Spark. The executable is opened in the CodeBrowser here, and we are going to find the entry point,

2
00:00:07,830 --> 00:00:15,000
so you can look for the entry function in the Symbol Tree here. There is a Program Tree and a Symbol Tree.

3
00:00:15,000 --> 00:00:21,090
So we will open the Symbol Tree here, and we have the entry function here, and we will double-click on

4
00:00:21,120 --> 00:00:21,480
that.

5
00:00:21,480 --> 00:00:23,550
And here we are seeing this.

6
00:00:23,550 --> 00:00:27,750
So we will also want the Decompiler here.

7
00:00:27,750 --> 00:00:29,580
So that's it.

8
00:00:29,580 --> 00:00:31,470
So we have two functions here.

9
00:00:31,620 --> 00:00:36,360
So the decompilation of these functions looks readable.

10
00:00:36,360 --> 00:00:43,080
__security_init_cookie is a memory corruption protection function introduced by the compiler.

11
00:00:43,080 --> 00:00:49,470
So go ahead with the main startup function by double-clicking on it.

12
00:00:49,500 --> 00:00:52,560
So there are a lot of functions recognized by Ghidra here.

13
00:00:52,560 --> 00:01:00,730
So let's focus only on the function that is not recognized yet, which is this one here,

14
00:01:01,590 --> 00:01:05,100
I think, 1045556.

15
00:01:08,110 --> 00:01:12,280
So here, this is the main function of the program.

16
00:01:13,500 --> 00:01:22,830
So if you have some C++ background, you will also notice that this WinMain here, this

17
00:01:23,100 --> 00:01:27,030
should be somewhere here, in lpCmdLine.

18
00:01:29,450 --> 00:01:31,670
It initializes some global variables here.

19
00:01:31,670 --> 00:01:37,460
So as you can see, it's initialized with var4, and we will double-click on it here.

20
00:01:37,610 --> 00:01:42,680
And here, as you can see, it initializes some global variables like here.

21
00:01:42,800 --> 00:01:43,730
So.

22
00:01:46,170 --> 00:01:46,770
At the.

23
00:01:48,590 --> 00:01:53,540
And it also initializes the environment and the heap for the process.

24
00:01:53,540 --> 00:01:56,810
And then the main function is called.

25
00:01:57,170 --> 00:02:08,120
So the thing with our function, the thunk function that ends with F60, it should be somewhere

26
00:02:08,120 --> 00:02:08,900
here.

27
00:02:09,610 --> 00:02:19,450
So here, as you can see, we can see lpCmdLine, and so this is the WinMain function.

28
00:02:19,450 --> 00:02:22,360
So we will rename this.

29
00:02:23,830 --> 00:02:34,000
So, function FUN_00455f60, we will rename this function to WinMain.

32
00:02:34,000 --> 00:02:38,350
So we will just press the L key

33
00:02:39,410 --> 00:02:42,790
while focusing on, or having clicked on, the function.

34
00:02:42,830 --> 00:02:46,520
Or you can also right-click on it and click on Rename Function.

35
00:02:46,520 --> 00:02:52,760
So we will rename it to WinMain, WinMain here.

36
00:02:53,750 --> 00:02:54,890
And that's it.

37
00:02:54,980 --> 00:03:02,930
So Ghidra allows you to rename variables and functions, introduce comments, and modify the disassembly

38
00:03:02,930 --> 00:03:05,150
and the decompiled code in a lot of aspects.

39
00:03:05,150 --> 00:03:10,000
So this is essential when reverse engineering malware.

40
00:03:10,010 --> 00:03:13,070
So we will double-click on WinMain.

41
00:03:13,070 --> 00:03:21,680
So we can also retype the return value, edit the function signature, and so on; so undefined

42
00:03:21,680 --> 00:03:23,420
WinMain and so on.

43
00:03:23,690 --> 00:03:32,300
And we took two steps here, so we can also have the undefined here, as you can see here, integer

44
00:03:32,300 --> 00:03:34,100
EVar1.

45
00:03:35,440 --> 00:03:39,100
undefined8, Pascal, and WinMain.

48
00:03:41,330 --> 00:03:43,250
And we are returning here.

49
00:03:47,380 --> 00:03:47,890
Here.

50
00:03:48,190 --> 00:03:53,980
So we took these steps to identify where the malware starts, to analyze its flow from the beginning.

51
00:03:53,980 --> 00:04:01,720
But there are some functions in the decompiled code listing that we don't know about, or anything

52
00:04:01,720 --> 00:04:02,530
we don't know about.

53
00:04:02,530 --> 00:04:02,830
Right?

54
00:04:02,830 --> 00:04:09,100
So our job here is to reveal their functionality in order to understand the malware.

55
00:04:09,100 --> 00:04:12,220
So keep in mind that malware analysis is a time-consuming task.

56
00:04:12,220 --> 00:04:17,530
So don't waste your time with the details, but also don't forget anything important.

57
00:04:17,530 --> 00:04:26,410
So next we will analyze each of the functions listed in WinMain here, this WinMain decompiled code,

58
00:04:26,410 --> 00:04:35,050
and we will start analyzing the first function, which is located on line 20, and we will start analyzing

59
00:04:35,050 --> 00:04:39,760
the first one, which ends with 40 here.

60
00:04:39,790 --> 00:04:44,170
FUN_00453340.