WEBVTT

00:00.470 --> 00:01.850
Hello, my name is Stefan.

00:01.850 --> 00:05.060
And in this lecture, we are going to look for strings.

00:05.970 --> 00:14.850
And let's start by opening the project, by double clicking on the run, that part and after that.

00:16.670 --> 00:19.850
Here we are seeing this kind of dialog here.

00:20.120 --> 00:21.290
Welcome screen.

00:21.290 --> 00:26.360
Click on the close, and here we will come to File, New Project here.

00:27.750 --> 00:31.940
Searching for strings in Alina.

00:31.950 --> 00:32.610
Here.

00:35.880 --> 00:37.870
String search.

00:38.550 --> 00:39.180
Alina.

00:41.130 --> 00:45.410
Malware, and this is the project name for us.

00:45.420 --> 00:50.160
And after that we will drag and drop our exe file.

00:50.160 --> 00:57.030
Or you can press the E on your keyboard and just select this, your malware here.

00:57.030 --> 00:57.840
And that's it.

00:57.870 --> 00:59.190
Here we have format.

00:59.220 --> 01:01.230
We will select a portable executable.

01:01.260 --> 01:03.420
By default, we have language.

01:03.420 --> 01:08.850
Obviously we can't change it, because it already knows what it is.

01:08.850 --> 01:15.660
It has a compiler called Visual Studio here, and the program name is spark.exe.

01:15.660 --> 01:18.120
So this is just a representation.

01:18.600 --> 01:24.750
So actually this name is just for you, so you can change it to anything you want.

01:24.780 --> 01:32.280
More descriptive names, like Alina malware or POS malware here.

01:33.360 --> 01:33.840
Click on.

01:33.840 --> 01:41.630
Okay, and loading language here and importing the file here; we are seeing what is happening with Ghidra.

01:42.950 --> 01:43.730
And.

01:45.350 --> 01:51.740
It might take like 10 or 20 seconds, depending on your computer specifications, and it's done.

01:51.740 --> 01:53.890
We have the import results summary.

01:53.900 --> 01:56.300
As always, we will click on okay.

01:56.300 --> 01:59.690
And after that we will right click on the POS malware.

02:01.730 --> 02:04.730
And we will click on Open in Default Window.

02:05.690 --> 02:06.740
After that.

02:07.630 --> 02:08.470
Ghidra

02:08.470 --> 02:09.280
asks us.

02:10.000 --> 02:11.050
Do you want to?

02:11.780 --> 02:12.790
Analyze this.

02:12.800 --> 02:15.830
So, of course, we want to analyze this.

02:16.190 --> 02:18.790
And here it is checked by default.

02:18.800 --> 02:21.260
We will not touch anything for now.

02:21.260 --> 02:24.110
And we will click on Analyze.

02:24.320 --> 02:27.440
After that, it might take some time.

02:27.440 --> 02:34.970
Here in the bottom right corner of the screen, you can see the progress.

02:44.360 --> 02:49.760
And while our progress is running, we cannot scroll down there.

02:49.760 --> 02:52.370
Let's increase the font size a little bit for you.

02:53.150 --> 02:54.290
We have the.

02:56.730 --> 02:58.230
Undefined thunk function.

02:58.230 --> 03:01.220
Here we have several codes.

03:01.230 --> 03:02.910
It's almost done compiling here.

03:02.910 --> 03:04.890
The loading process is here.

03:19.310 --> 03:21.980
Let's get the call functions here.

03:37.100 --> 03:39.170
Push and here.

03:40.190 --> 03:42.110
So it's almost done here.

03:42.140 --> 03:43.460
We're just playing with it.

03:43.460 --> 03:47.390
And let's actually check the functions and.

03:49.120 --> 03:51.550
Imports from the symbol tree.

03:52.600 --> 03:54.310
Can we increase the font size a bit?

03:54.340 --> 03:54.670
No.

03:54.670 --> 03:55.390
Sorry.

03:55.660 --> 03:58.540
And here we have wininet.

03:58.550 --> 04:00.900
So here we are.

04:00.940 --> 04:03.250
The program, our malware, is using

04:04.120 --> 04:07.030
some of the Internet protocol libraries.

04:07.030 --> 04:08.290
So this might.

04:12.690 --> 04:13.890
tell us that

04:14.640 --> 04:19.350
our program has access to the Internet or is sending something here.

04:19.350 --> 04:22.440
And as you can see, it's almost all HTTP.

04:22.560 --> 04:34.110
So it means our malware is using port 80, the HTTP protocol, and our loading is almost done here.

04:35.620 --> 04:41.500
Let's also check out another import, urlmon. So we have URLDownloadToFileA.

04:41.530 --> 04:50.230
So this means our program can also install something, install files or programs from the internet.

04:51.350 --> 04:59.330
We have kernel32, wininet again with InternetReadFile, InternetOpen, InternetConnect, InternetCloseHandle

04:59.330 --> 05:02.690
handle and so on.

05:02.690 --> 05:08.060
We have urlmon URLDownloadToFile and advapi32.

05:09.970 --> 05:13.750
This is also manipulating registry keys.

05:15.810 --> 05:19.380
ControlService, CreateServiceA, and so on.

05:20.490 --> 05:20.580
Now.

05:20.750 --> 05:21.210
This is fun.

05:21.260 --> 05:21.770
Yes.

05:21.770 --> 05:22.610
And that's it.

05:22.610 --> 05:25.340
Our analysis has been done.

05:25.340 --> 05:28.160
And after that, let's start by

05:30.300 --> 05:33.170
uh, going to Search here.

05:33.180 --> 05:34.530
Search menu here.

05:34.530 --> 05:38.550
And at the bottom here, we have Search for Strings.

05:38.790 --> 05:41.880
And we will not touch anything, because we don't want...

05:41.910 --> 05:45.000
We want, uh, the minimum length of five, so.

05:46.130 --> 05:50.470
And alignment 1 and word model StringModel.sng.

05:50.510 --> 06:00.740
So you can also change the word model if you have one, but probably this Ghidra word model will work,

06:00.740 --> 06:02.930
and after that we will click on Search.

06:04.290 --> 06:08.460
And here, as you can see, we have several.

06:11.130 --> 06:12.120
Strings here.

06:12.540 --> 06:13.530
So.

06:16.250 --> 06:21.410
We will search for it and find something interesting here.

06:22.490 --> 06:26.870
You can also use these filters, for example, if you want to, like,

06:28.010 --> 06:29.200
the exes here.

06:29.210 --> 06:29.960
Let's.

06:32.320 --> 06:37.840
And here we have several .exe strings.

06:42.730 --> 06:46.780
Our program has connections with two .exe files.

06:47.870 --> 06:51.980
And here we have the windefender.exe here.

06:52.430 --> 07:02.630
So we will check that address location for F 647 A and that's it.

07:03.230 --> 07:08.630
And here, as you can see, we will get our marker.

07:09.800 --> 07:12.950
Here we have this let's actually use different.

07:13.980 --> 07:14.340
Here.

07:14.340 --> 07:17.300
So we have this install with the windefender.exe.

07:19.540 --> 07:20.470
We have.

07:20.680 --> 07:22.000
Oh, shellcode.

07:22.030 --> 07:25.000
Mutex might be interesting, right?

07:25.120 --> 07:30.820
And we also have the SSDT hook PDB.

07:33.080 --> 07:37.580
And we have that password; might be interesting, right?

07:39.380 --> 07:40.280
Password.

07:41.460 --> 07:45.680
And "This program cannot be run in DOS mode" and so on.

07:45.690 --> 07:50.370
And we should also have something like.

07:52.530 --> 07:53.190
That's it.

07:55.200 --> 07:59.960
And here we also have the desktop here.

07:59.970 --> 08:09.810
When you see users desktop Alina source working debug spark.pdb, as shown here, the user Benson

08:09.960 --> 08:17.100
seems to have compiled this malware, so this information could be useful to investigate the attribution

08:17.100 --> 08:18.350
of this malware.

08:18.360 --> 08:21.300
So there are a lot of suspicious strings here, right?

08:21.330 --> 08:28.080
So this user in here is probably the

08:29.770 --> 08:33.280
compiler of this malware.

08:34.380 --> 08:35.610
Transparent.

08:37.810 --> 08:41.710
So Allen, the... someone that...

08:43.270 --> 08:48.590
An account named Allen on a Windows machine compiled this

08:49.710 --> 08:50.580
malware.

08:50.580 --> 08:54.890
And we have the Benson. This is the computer name.

08:54.900 --> 08:55.680
The.

08:57.190 --> 08:58.030
Machine name.

08:58.030 --> 08:58.270
So.

08:58.300 --> 08:59.130
Machine name, Benson.

08:59.230 --> 09:01.750
And user name is Allen.

09:01.750 --> 09:05.080
And we have some suspicious password here.

09:05.380 --> 09:13.120
Like, after "password", we have probably the real password here; that's also... Sorry.

09:13.810 --> 09:16.240
Let's also take this.

09:21.740 --> 09:23.870
And this is some suspicious password.

09:23.900 --> 09:26.300
Let's note it down here.

09:26.480 --> 09:29.230
Uppercase, y, h and g.

09:29.540 --> 09:31.880
Y l key.

09:34.650 --> 09:36.180
O0.

09:37.780 --> 09:38.860
Nine H.

09:38.890 --> 09:42.520
Uppercase and trans frame with white background.

09:42.520 --> 09:53.290
So this is some password here, and we have the shellcode.mutex and SSDT hook PDB here and here, for

09:53.290 --> 09:53.950
instance.

09:53.950 --> 10:01.030
So it's hard to imagine the reason behind a legitimate program making reference to Windows Defender here.

10:01.030 --> 10:01.390
Right?

10:01.390 --> 10:05.470
So it's also making some reference to Windows Defender.

10:05.470 --> 10:09.310
So it's probably a bad program here, right?

10:09.310 --> 10:16.960
The malware, and also here the shellcode.mutex, shellcode.mutex and windefender here.

10:16.960 --> 10:22.870
So especially the shellcode.mutex and the system...

10:24.110 --> 10:26.420
This SSDT here.

10:26.420 --> 10:29.510
So let me note it down.

10:29.600 --> 10:31.480
SSDT.

10:31.550 --> 10:35.880
Here it is: system service,

10:36.230 --> 10:37.250
Service.

10:37.280 --> 10:39.710
dispatch table.

10:40.460 --> 10:41.420
So.

10:43.930 --> 10:49.570
Also, a regular program hooking this service...

10:49.960 --> 10:58.450
References like these are explicitly malicious, and a quick overview of the strings of a program can sometimes

10:58.450 --> 11:01.070
reveal whether it is malware or not.

11:01.090 --> 11:06.130
Without further analysis. Simple and powerful.
