WEBVTT

00:00.720 --> 00:08.700
It is also useful to investigate the information found using external sources such as intelligence tools.

00:09.390 --> 00:11.250
So, for instance.

00:12.230 --> 00:15.710
You can search the web domains that this
L12› dummy

00:21.430 --> 00:28.240
This is probably not a legitimate website, but because Adobe, as I remember, doesn't have domains

00:28.240 --> 00:28.720
like that.

00:28.720 --> 00:30.730
But we will check this out.

00:31.720 --> 00:35.320
Adam a flasher up.1.com.

00:35.320 --> 00:38.800
And let's also run the rule here.

00:39.010 --> 00:42.070
Java Oracle two dot rule here.

00:42.610 --> 00:46.000
Java Oracle two dot room.

00:51.090 --> 00:52.070
And here we.

00:52.170 --> 00:54.510
We can use the expressions, probably.

00:55.620 --> 00:55.980
Rule.

00:59.210 --> 00:59.750
Come.

01:22.200 --> 01:24.150
And here we will have.

01:27.760 --> 01:28.240
Net.

01:29.650 --> 01:30.430
Nothing.

01:31.270 --> 01:31.860
Argh!

01:32.260 --> 01:33.100
Nothing.

01:33.400 --> 01:34.450
Come again.

01:36.890 --> 01:40.400
Yeah that's I think that's two websites is okay.

01:40.400 --> 01:47.360
So as I said, it's also useful to investigate the information found using external sources such as

01:47.360 --> 01:49.850
the VirusTotal, for instance.

01:50.180 --> 02:00.590
We have these two websites that are malware has some relation to which we will check that out right

02:00.590 --> 02:00.890
now.

02:00.890 --> 02:02.360
So VirusTotal.

02:07.010 --> 02:08.120
Dot com.

02:09.930 --> 02:19.740
And after that we will give these websites to VirusTotal to check if it has something malicious insiders

02:19.770 --> 02:27.000
or someone reported something malicious about this websites and we can go to community.

02:27.890 --> 02:29.570
Read this here.

02:30.290 --> 02:33.860
It has the hybrid analysis.com sample.

02:35.160 --> 02:36.990
Let's check this out.

02:41.590 --> 02:42.220
Here.

02:43.450 --> 02:45.460
We have incident response.

02:45.460 --> 02:46.660
Someone did it.

02:46.840 --> 02:48.910
So network behavior contexts.

02:48.940 --> 02:51.490
Five domains and two hosts.

02:51.520 --> 02:53.600
Let's see all of the hosts here.

02:53.680 --> 02:56.200
So the web flasher abc.com.

02:56.230 --> 03:02.230
This is a we can do osint bootzilla that through Java Oracle to that through here.

03:04.360 --> 03:07.180
So it's a bit malicious here.

03:07.180 --> 03:08.890
So from Germany to.

03:09.620 --> 03:17.180
Contacted countries in the United States, we have the Http traffic with hybrid analysis that come here.

03:19.530 --> 03:23.250
As the name suggests, it is the analysis website.

03:23.580 --> 03:25.470
So you can website like.

03:26.430 --> 03:30.810
Enter malware's websites or analyze.

03:32.290 --> 03:34.110
Here we have the PDF.

03:35.440 --> 03:40.000
Let's have some kind of close user agent Mozilla here that PHP.

03:41.550 --> 03:49.890
You have a CRL and so on here and in VirusTotal we have the scan results for.

03:50.630 --> 03:58.430
Security vendors flag this URL as malicious, and apart from that, we VirusTotal can provide more useful

03:58.430 --> 04:02.570
information that you can find by browsing through the page here.

04:02.780 --> 04:05.690
For instance, let's go there.

04:07.030 --> 04:08.190
The protections.

04:09.060 --> 04:10.680
Details and so on.

04:11.490 --> 04:12.690
For instance.

04:13.800 --> 04:18.050
It has the final year server serving IP address.

04:18.060 --> 04:24.000
We can also check this serving IP address here if something to do with it.

04:24.030 --> 04:25.230
Now for now.

04:25.800 --> 04:29.670
And malware sinkhole is Arbor Networks.

04:30.510 --> 04:36.210
The date is written here and last analysis date is one month ago.

04:36.210 --> 04:45.330
But whatsoever our hybrid analysis.com actually gives more detailed information about our malware.

04:49.670 --> 04:50.390
Uh, let go.

04:50.630 --> 04:51.770
Copyright Zallie.

04:51.800 --> 04:53.690
Internal name is Dale.

04:56.350 --> 05:05.260
And here as a compiler packer as Microsoft Visual C plus plus architecture for Windows and size of 200kB.

05:06.630 --> 05:09.000
So it associated our.

05:11.000 --> 05:15.470
Malware, this website that connects to our executable malware.

05:15.500 --> 05:16.040
Right.

05:17.650 --> 05:24.760
And after that, we have also so much information about that we can find out.

05:27.710 --> 05:35.930
And so once we are done with this string analysis and open source intelligence analysis, now we will

05:35.930 --> 05:36.500
look.

05:37.800 --> 05:38.770
Input functions.

05:38.790 --> 05:39.780
In the next lecture.
