WEBVTT

1
00:00.510 --> 00:01.890
Hello and welcome.

2
00:02.070 --> 00:10.440
In this lab practical, I would like you to try to analyze this on your own first.

3
00:11.230 --> 00:15.100
This can be downloaded from the resource section.

4
00:15.670 --> 00:21.070
The file is "Lab 1 - .NET - Trojan.zip".

5
00:21.340 --> 00:25.570
The password to unzip it is "crackinglessons.com".

6
00:26.050 --> 00:34.330
So please pause the video and give it a try first, and then watch the rest of this video after you have

7
00:34.360 --> 00:35.830
tried to analyze it.

8
00:37.090 --> 00:47.740
So I will try to analyze it first using the dynamic analysis, that is, to execute it and analyze it using

9
00:47.740 --> 00:53.020
Process Hacker and Process Monitor, as well as Wireshark.

10
00:53.530 --> 00:56.980
And only after that will I try to analyze it.

11
00:56.980 --> 00:58.210
Static analysis.

12
00:59.020 --> 00:59.530
Okay.

13
00:59.530 --> 01:00.910
I hope you have given it a try.

14
01:01.330 --> 01:05.590
After unzipping this file, you will have a folder.

15
01:05.590 --> 01:12.860
I will put mine on the desktop, and within the folder is a file, the malware itself, "dotnet-malware.bin".

16
01:13.530 --> 01:22.470
The first thing we can do is to try to get the hash for this file and look it up in VirusTotal.

17
01:23.340 --> 01:27.360
So to get the hash of this file, you can right-click on this,

18
01:30.100 --> 01:35.920
and then click on "HashMyFiles". And over here you will see MD5.

19
01:35.950 --> 01:37.180
Just right-click,

20
01:37.270 --> 01:38.860
copy MD5,

21
01:39.430 --> 01:44.830
open up your browser, and head over to VirusTotal.

22
01:45.400 --> 01:52.390
Just click on "Search", and then right-click and paste the hash in this box and hit enter.

23
01:53.360 --> 01:56.690
And VirusTotal will give you the results.

24
01:57.140 --> 02:00.050
59 out of 69 search engines.

25
02:00.320 --> 02:01.270
Virus

26
02:01.280 --> 02:08.120
search engines have detected this file, and the name of it is a Trojan.

27
02:08.210 --> 02:13.010
Generally, you can see it is a kind of stealer,

28
02:13.310 --> 02:16.070
information stealer, a spyware.

29
02:16.430 --> 02:17.720
So now we know.

30
02:17.930 --> 02:19.880
So that's quite helpful.

31
02:20.390 --> 02:25.550
Next thing you want to do is confirm that this is a .NET executable.

32
02:25.970 --> 02:33.020
So before we proceed further, let us make a copy of this and then rename it

33
02:33.930 --> 02:36.020
to something simpler.

34
02:36.030 --> 02:40.980
Maybe we will call it—we will change the executable as well because we want to run it.

35
02:41.670 --> 02:45.840
We will call it an EXE with the EXE extension.

36
02:46.230 --> 02:52.080
And for the name itself, we can just call it "netmalware". Speaking—

37
02:52.080 --> 02:52.590
yes.

38
02:53.410 --> 02:54.670
Don't execute it yet.

39
02:55.360 --> 03:01.960
Open "Detect It Easy" and scan to make sure it is a .NET executable.

40
03:01.990 --> 03:06.280
So look for your Utilities folder in the left folder.

41
03:07.300 --> 03:08.380
And then

42
03:09.140 --> 03:11.780
look for "Detect It Easy".

43
03:13.400 --> 03:19.910
Click on the three dots and navigate to the location of the "netmalware.exe" file,

44
03:20.870 --> 03:22.490
which is on the desktop.

45
03:23.030 --> 03:26.420
Click on it to open and let it scan the file.

46
03:26.930 --> 03:28.310
It has detected it as a

47
03:28.550 --> 03:36.860
.NET Framework executable, and the compiler is VB.NET, and it doesn't appear to be packed.

48
03:36.860 --> 03:38.780
But this is not reliable.

49
03:40.040 --> 03:41.330
Part of it could still be packed.

50
03:42.080 --> 03:44.170
So now we confirm that it is a .NET.

51
03:44.310 --> 03:50.190
Later in the second stage of the analysis, we will open it with dnSpy.

52
03:50.540 --> 03:54.440
But in this video, I want to do the dynamic analysis first.

53
03:55.220 --> 04:00.950
In the second part of the video, we will do the static analysis where we will open it with dnSpy.

54
04:02.080 --> 04:03.040
To analyze it,

55
04:03.070 --> 04:04.180
we need to run it.

56
04:04.180 --> 04:07.930
But before we run it, let's fire up a few programs.

57
04:08.410 --> 04:15.400
Now make sure that you have disabled the internet for this virtual machine because we don't want to

58
04:15.400 --> 04:22.810
accidentally cause it to reach out to the command and control server, or worse still, to spread to other

59
04:22.810 --> 04:24.270
computers on your network

60
04:24.280 --> 04:31.060
if it is a worm. So disable your network, and then over here we will fire up a few programs, starting

61
04:31.060 --> 04:32.710
with Process Monitor.

62
04:32.710 --> 04:35.920
So click on "Process Monitor". Click "Yes".

63
04:35.920 --> 04:38.800
And then over here you can filter.

64
04:38.800 --> 04:44.620
So we are going to filter out the name of this malware because otherwise it will show everything that

65
04:44.620 --> 04:46.480
is running in the operating system.

66
04:46.480 --> 04:54.640
So click on "Filter", and then here in the first drop-down list, select "Process Name", and then here leave

67
04:54.640 --> 04:55.570
it as is.

68
04:55.720 --> 05:07.480
And here, type in this name: "netmalware.exe", and then click on "Add", click "Apply", and immediately you

69
05:07.480 --> 05:12.370
will see nothing shows up because it is filtering—filtering out only this.

70
05:13.270 --> 05:13.900
At the moment,

71
05:13.900 --> 05:18.400
we don't need it to capture anything yet, so we can temporarily pause it.

72
05:18.400 --> 05:20.590
So let's click on—hit the "Pause" button.

73
05:20.860 --> 05:28.120
Okay, so now the next thing is we want to run Process Hacker to see whatever additional processes

74
05:28.300 --> 05:30.550
the malware might spawn.

75
05:31.270 --> 05:40.330
So to launch Process Hacker, go to FLARE here, and then the Utilities, look for Process Hacker over

76
05:40.330 --> 05:42.190
here and run it.

77
05:42.940 --> 05:43.930
Click on "Yes".

78
05:44.700 --> 05:50.490
And one more tool we need is Wireshark to capture the network traffic.

79
05:51.090 --> 05:56.490
So, same thing: in the same folder as in FLARE, it is under "Net".

80
05:57.390 --> 06:00.090
Look for "Wireshark" and launch it.

81
06:01.410 --> 06:01.640
Click

82
06:01.650 --> 06:09.210
"Yes". Wireshark is now running, and then look for "Local Area Connection" and double-click on it.

83
06:09.210 --> 06:13.860
And then over here we are going to filter out the HTTP traffic.

84
06:14.310 --> 06:18.810
So just type in "HTTP" and hit enter.

85
06:19.320 --> 06:25.470
So this is to check if it is connecting to any C2 servers, command and control servers.

86
06:25.860 --> 06:32.930
So now we have set up our tools ready to detonate the malware inside this virtual machine.

87
06:32.940 --> 06:39.870
So we have got Process Monitor to monitor the process, the malware process when it runs.

88
06:40.290 --> 06:47.290
We have got Wireshark to capture the traffic, network traffic, if any.

89
06:47.470 --> 06:55.510
And we also have Process Hacker to see if our process, the malware process, will spawn any additional

90
06:55.510 --> 06:58.000
child processes when it is running.

91
06:58.150 --> 07:06.160
In the next video, we will continue to run the malware itself, so I'll see you in the next one.