1 00:00:04,840 --> 00:00:10,510 Cridex is a sophisticated strain of banking malware that can steal banking credentials and other personal
2 00:00:10,510 --> 00:00:15,550 information on an infected system in order to gain access to the financial records of a user.
3 00:00:16,480 --> 00:00:22,430 Cridex spreads by copying itself to mapped and removable drives on infected computers.
4 00:00:22,690 --> 00:00:29,440 Cridex creates a backdoor entry point on infected systems, enabling the possibility for additional
5 00:00:29,440 --> 00:00:34,810 malware to be downloaded and run, as well as conducting operations such as opening rogue websites.
6 00:00:37,390 --> 00:00:43,150 This capability enables Cridex to capture the banking credentials of users on an infected
7 00:00:43,150 --> 00:00:51,040 system. When the user attempts to visit and log in to a financial website, Cridex will surreptitiously
8 00:00:51,480 --> 00:00:57,400 redirect the user to a fraudulent version of the financial site and record the login credentials as they
9 00:00:57,400 --> 00:00:59,140 are entered at that point.
10 00:00:59,440 --> 00:01:06,100 This gives the cybercriminal the ability to connect to the actual financial site from the
11 00:01:06,100 --> 00:01:10,390 infected system and execute fraudulent financial transactions.
12 00:01:12,290 --> 00:01:20,990 So in this video lecture, we will be analyzing a Cridex-infected Windows XP Service Pack 2
13 00:01:22,370 --> 00:01:30,620 operating system memory image. Let's begin by downloading the memory sample from GitHub.
14 00:01:31,670 --> 00:01:35,690 So go to the DuckDuckGo
15 00:01:37,910 --> 00:01:38,630 search engine
16 00:01:40,390 --> 00:01:46,840 and type "github volatility memory samples".
17 00:01:48,290 --> 00:01:49,670 Click on the first result.
18 00:01:57,240 --> 00:02:02,230 As you can see here, we have a wide variety of memory image samples.
19 00:02:02,580 --> 00:02:03,630 Click on download.
20 00:02:04,000 --> 00:02:10,950 And here you see the thirty-eight megabyte zip file is downloading.
21 00:02:34,080 --> 00:02:36,030 Now a few seconds left.
22 00:02:39,440 --> 00:02:48,370 And now open the terminal, type cd Downloads, press enter and type ls to list the downloads.
23 00:02:49,710 --> 00:02:57,720 Here you can see our downloaded file, the cridex zip file. Let's unzip the file, and
24 00:02:57,740 --> 00:03:01,230 I accidentally pressed control
25 00:03:01,610 --> 00:03:02,060 C.
26 00:03:03,670 --> 00:03:06,390 And let's execute this command again.
27 00:03:11,620 --> 00:03:12,820 unzip cridex.
28 00:03:18,920 --> 00:03:21,430 And the cridex memory image is now here.
29 00:03:26,080 --> 00:03:34,990 Clear the terminal, and let's execute the volatility command and start using volatility for analysis.
30 00:03:36,730 --> 00:03:45,430 Type -f to specify that we will be using this file, and then
31 00:03:49,950 --> 00:03:52,080 enter the file name,
32 00:03:55,150 --> 00:04:01,000 and then imageinfo to find out which operating system image it is.
33 00:04:06,790 --> 00:04:14,890 As you can see, this is a Windows XP Service Pack 2 x86 operating system image. Let's specify the
34 00:04:14,890 --> 00:04:25,600 profile as WinXPSP2x86, as it is expected to be, and type pstree to see the
35 00:04:25,600 --> 00:04:28,600 process tree, the information about processes.
36 00:04:29,590 --> 00:04:33,040 And you can see its PID is one six four zero.
37 00:04:37,280 --> 00:04:39,470 So you can see here.
38 00:04:41,970 --> 00:04:53,700 By running the connscan command, we get the information about local addresses, all local IP addresses
39 00:04:53,700 --> 00:04:58,320 and remote IP addresses, and which process ID is using the connection's IP addresses.
40 00:04:59,190 --> 00:05:04,350 And let's get the, let's see the commands by using the cmdline
41 00:05:07,020 --> 00:05:07,490 plugin.
42 00:05:17,490 --> 00:05:22,890 As you can see here, we have several commands that were entered from the different processes.
43 00:05:41,900 --> 00:05:53,170 And let's get the connscan information again. You can see here reader_sl, that suspicious file, process
44 00:05:53,180 --> 00:05:54,890 ID one six four zero.
45 00:05:57,900 --> 00:06:07,500 And we get the process name, which is associated with which process, and you can see here
46 00:06:07,500 --> 00:06:13,350 we have several IP addresses, all of them connected via TCP, and you can see the local
47 00:06:13,350 --> 00:06:13,980 addresses.
48 00:06:14,280 --> 00:06:18,270 And all of them start with one seven two.
49 00:06:37,040 --> 00:06:46,430 And get the process dump by the procdump plugin, and we are specifying that we want the dump of the process.
50 00:06:48,050 --> 00:06:57,830 And by -p I'm specifying that I want this process ID. After -p I'm entering one six four zero,
51 00:06:57,830 --> 00:07:03,770 which is reader_sl, that is, the process ID, and --dump-dir
52 00:07:03,780 --> 00:07:09,680 . is my default directory, where I will get the dump.
53 00:07:10,010 --> 00:07:16,640 But you can specify the path of the file after the dump-dir parameter of the plugin.
54 00:07:17,940 --> 00:07:21,990 You can see the executable.1640.exe file here.
55 00:07:34,630 --> 00:07:42,080 You can see our executable.1640.exe file is in our Downloads directory, because I specified
56 00:07:42,080 --> 00:07:46,210 dot, which means the current directory that I am working in.
57 00:07:50,910 --> 00:07:57,990 So then enter the volatility memdump command,
58 00:07:58,560 --> 00:08:09,060 and I want to get a memory dump for analysis of the websites and other components, and, same as
59 00:08:09,060 --> 00:08:13,800 the process dump, I just specify the dump dir and the default directory.
60 00:08:14,610 --> 00:08:23,130 And you can see 1640.dmp is in my default working directory.
61 00:08:33,450 --> 00:08:37,530 And by the strings command, we will execute strings.
62 00:08:38,190 --> 00:08:44,990 We will execute strings on the .dmp file, and with the grep command
63 00:08:45,290 --> 00:08:51,280 we will specify which strings will be shown.
64 00:08:52,230 --> 00:09:00,780 So I'm specifying the suspicious IP address, which will give us more information
65 00:09:00,780 --> 00:09:03,420 about the IP address and visited websites.
66 00:09:07,880 --> 00:09:19,310 Enter the IP address, and you can see here we have a great deal of information
67 00:09:19,360 --> 00:09:24,240 associated with these IP addresses.
68 00:09:36,300 --> 00:09:38,130 And by
69 00:09:38,490 --> 00:09:46,280 piping to less after the grep, we'll get all the information, all the
70 00:09:46,320 --> 00:09:53,520 strings in the .dmp file, which by pressing enter or space will give more lines
71 00:09:53,520 --> 00:09:54,360 of information.
72 00:09:55,800 --> 00:09:58,860 So I'm pressing enter now.
73 00:09:58,980 --> 00:10:12,600 So you can see here there are so many bank accounts, which, as I told you, this virus is there
74 00:10:12,900 --> 00:10:23,190 to manipulate, by manipulating DNS to fake phishing bank domains, which you can see
75 00:10:23,190 --> 00:10:23,370 here.
76 00:10:23,370 --> 00:10:33,680 All of this, if your computer is infected by this virus, that is, all of these domains will be redirected,
77 00:10:33,710 --> 00:10:39,570 redirected by it to a phishing website, which is a fake hacker website.
78 00:10:41,270 --> 00:10:46,910 So you can see here there are so many, so many domain, bank domain names.
79 00:10:56,080 --> 00:10:56,630 This is JavaScript.
80 00:10:57,280 --> 00:10:59,200 This is regular JavaScript code
81 00:11:03,170 --> 00:11:04,190 and functions.
82 00:11:29,330 --> 00:11:38,360 So let's say that we first, by the procdump command, got the exe file, which
83 00:11:38,540 --> 00:11:44,470 we will now upload to the VirusTotal website.
84 00:11:45,020 --> 00:11:54,440 It shows hash values and other components that you can see; for the exe file that we got from the procdump
85 00:11:54,440 --> 00:12:03,590 process there are a lot of alerts, so many antivirus programs flag this file as
86 00:12:03,590 --> 00:12:06,050 unsafe, as malware and Trojan.
87 00:12:07,010 --> 00:12:17,090 So you can see here, by the Behavior and the Relations tabs behind that, the source, children and behaviors
88 00:12:17,090 --> 00:12:24,860 that I care about, that we are all over this fake Acrobat Reader. You can see the SHA hash values
89 00:12:25,250 --> 00:12:31,940 and whether the Windows executable is a 32-bit or 64-bit file.
90 00:12:34,670 --> 00:12:37,790 This is the associated name of the program.
91 00:13:03,420 --> 00:13:15,240 Let's again take the strings and grep the .com websites, which you can see here, that
92 00:13:15,240 --> 00:13:20,400 all of the strings starting with a slash, .com, are here.
93 00:13:20,400 --> 00:13:29,280 And I'm now specifying that, that, and you can see it is googleapis.com, which is required
94 00:13:29,280 --> 00:13:31,320 for JavaScript functions.
95 00:13:31,330 --> 00:13:41,940 You can see there are a lot of websites that are manipulated when the infected computer visits them, since all of
96 00:13:41,940 --> 00:13:45,600 this information will be redirected to the official website.