WEBVTT

00:01.180 --> 00:06.630
In this lecture we will introduce reverse engineering malware using Ghidra.

00:06.660 --> 00:13.330
So by using Ghidra, you will be able to analyze executable binary files containing malicious code.

00:13.930 --> 00:20.230
This section is a great opportunity to put into practice the knowledge acquired during the first sections

00:20.230 --> 00:24.190
of our course and to put this knowledge into practice.

00:24.220 --> 00:29.980
We will analyze the point of sale (POS) malware.

00:29.980 --> 00:38.590
So this malware basically scrapes the RAM of point of sale systems to steal credit card and debit

00:38.590 --> 00:40.760
card information.

00:40.780 --> 00:46.480
So here we will first research about the point of sale malware.

00:48.280 --> 00:53.230
Let's open Google Chrome here and search for point of sale.

00:54.380 --> 00:55.250
Malware.

00:57.300 --> 01:03.270
And as you can see here, malware is a type of malicious software designed to steal a customer's personal

01:03.270 --> 01:06.870
information through the point of sale devices, POS devices.

01:06.900 --> 01:08.970
Let's see what POS devices are.

01:13.010 --> 01:15.470
And here, this is the POS device here.

01:15.950 --> 01:19.600
So this malware is designed for these POS devices.

01:19.610 --> 01:21.740
So here I have two files.

01:21.920 --> 01:27.090
In the first file we have the malware and the .sys

01:27.210 --> 01:32.270
file, which you will learn what this is used for.

01:32.270 --> 01:36.020
And after that we have the password for this zip file.

01:36.020 --> 01:45.680
So before installing this malware, you actually need to run this malware on a sandbox or virtual

01:45.680 --> 01:51.290
machine because it might infect your main machine here.

01:51.290 --> 01:55.640
So firstly, turn off the real time protection.

01:55.640 --> 02:04.130
So this is an executable Windows malware, and here our approach will start by setting up a safe analysis

02:04.130 --> 02:09.620
environment, of course, and then we will look for malware indicators in the malware sample.

02:09.620 --> 02:15.600
And finally, we will conclude by performing in-depth malware analysis using Ghidra.

02:15.780 --> 02:27.570
So here, for technical requirements, you will need to have a virtual machine, like VirtualBox here.

02:27.600 --> 02:34.260
In previous lectures you learned how to install the virtual machines into your.

02:35.160 --> 02:36.360
Operating system.

02:36.780 --> 02:45.060
And also you will need to download the samples, which are attached to the lecture section here.

02:45.600 --> 02:51.390
And at the time of creating this course, the public version of Ghidra has no debugging support for

02:51.390 --> 02:59.190
now, so this limits the scope of Ghidra to static analysis, meaning files are analyzed without being

02:59.220 --> 02:59.910
executed.

02:59.910 --> 03:00.180
So.

03:00.180 --> 03:07.050
But of course Ghidra static analysis can complement the dynamic analysis performed by any existing debugger

03:07.050 --> 03:13.110
of your choice, such as x64dbg, WinDbg and OllyDbg.

03:13.110 --> 03:17.430
So both types of analysis can be performed in parallel.

03:17.430 --> 03:22.950
So setting up an environment for malware analysis is a broad topic, so we will cover the basics of

03:22.950 --> 03:25.800
Ghidra for these purposes.

03:25.800 --> 03:33.030
And keep in mind that the golden rule when setting up a malware analysis environment is to isolate it

03:33.030 --> 03:35.590
from your computer and network.

03:35.620 --> 03:42.010
Even if you are performing static analysis, it is recommended to set up an isolated environment because

03:42.010 --> 03:50.200
you have no guarantee that malware won't exploit some other vulnerability and get executed anyway.

03:50.800 --> 03:54.700
Because here you also have some vulnerabilities.

03:56.250 --> 03:59.330
It should be like CVE-

03:59.370 --> 04:03.330
2019-17664.

04:04.810 --> 04:09.400
And here this is a Ghidra malware.

04:10.170 --> 04:18.950
So CVE-2019-17664 is when executing data from a given path.

04:18.960 --> 04:22.620
The Java Process Working Directory is set to this path.

04:22.620 --> 04:29.820
So then when launching the Python interpreter via the Ghidra CodeBrowser window, Ghidra will

04:29.820 --> 04:35.520
try to execute the cmd.exe program from this working directory here.

04:35.520 --> 04:40.260
So as you can see here, the base score is high here.

04:41.600 --> 04:49.010
And in order to analyze malware, you can use a physical computer restorable to a clean state via hard

04:49.010 --> 04:51.380
disk drive backups, or a virtual one here.

04:51.380 --> 04:58.880
So the first option is more realistic but slower when restoring the backup and more expensive here.

05:00.050 --> 05:03.650
So you can also isolate your network.

05:04.280 --> 05:07.340
This is a good example to illustrate risk.

05:07.350 --> 05:12.110
This is ransomware encrypting the shared folders during analysis.

05:12.320 --> 05:16.490
So you can also use the VirtualBox or VMware.

05:17.530 --> 05:22.390
For your virtual machine creation purposes.

05:23.640 --> 05:27.660
And now let's look into our malware here.

05:27.690 --> 05:34.170
So as you probably remember from previous lectures, Ghidra works with projects containing zero or more

05:34.170 --> 05:34.830
files.

05:34.830 --> 05:39.570
So this here, this malware consists of two components.

05:39.570 --> 05:41.910
So actually, let's call this the Alina

05:42.800 --> 05:49.760
malware, because in reality, actually this malware is called by the Internet community

05:50.240 --> 05:52.700
Alina here, the code name.

05:54.170 --> 05:59.270
So the Alina malware here consists of two components.

06:00.670 --> 06:01.740
Can you see the screen?

06:01.750 --> 06:02.140
Yes.

06:02.140 --> 06:02.910
Perfect.

06:02.920 --> 06:12.780
So the malware here consists of two components: a Windows driver, rt.sys,

06:12.820 --> 06:17.290
and a portable executable, spark.exe.

06:17.290 --> 06:22.270
So there is a compressed Ghidra project like this here.

06:22.270 --> 06:29.350
The malware sample 1 zip file containing both components can be found in the lecture attachment section.

06:29.350 --> 06:36.130
So if you want to get the Alina malware sample as is, instead of the Ghidra project, you can also find

06:36.130 --> 06:41.350
it in the lecture attachment sections here.

06:41.410 --> 06:51.730
And because it is also compressed and protected with the password "infected", we also have this file.

06:51.730 --> 06:59.260
So the password is "infected", and it's quite common to share malware in this way so that it does not accidentally

06:59.260 --> 07:00.810
get infected.

07:00.810 --> 07:06.970
And next we will try to quickly guess what kind of malware we are dealing with in general terms.

07:06.970 --> 07:11.950
And to do that, we will look for strings which can be revealing in many cases.

07:11.950 --> 07:18.940
So we will also check external sources which can be useful if the malware has been analyzed or classified.

07:18.940 --> 07:27.100
So finally, we will analyze its capabilities by looking for dynamic-link library (DLL) functions.

07:27.100 --> 07:34.780
So here the functions and we have the C and exec here.

07:36.350 --> 07:40.290
So now what we're going to do is we will start Ghidra here.

07:40.310 --> 07:41.660
The new project.

07:48.800 --> 07:52.730
And after that we will start the analysis in the next lecture.

07:52.760 --> 07:54.080
I'm waiting for you in the next lecture.
