WEBVTT

00:00.200 --> 00:03.680
So, as the binary references some malicious servers.

00:04.100 --> 00:09.320
As you saw in the previous lecture, it must implement some kind of network communication, right?

00:09.320 --> 00:11.570
So in this case.

00:12.250 --> 00:13.100
Here.

00:13.120 --> 00:20.800
This communication is performed via the HTTP protocol, as shown here.

00:20.800 --> 00:22.720
So we will go with a simple tree here.

00:24.170 --> 00:33.050
And after that we will go to the Imports folder, and here we have the urlmon and wininet packages, and we

00:33.050 --> 00:35.240
can see these functions.

00:35.240 --> 00:36.950
So looking at this.

00:37.850 --> 00:40.360
Urlmon.

00:41.690 --> 00:44.690
And we also have the advapi here.

00:45.110 --> 00:46.070
So.

00:46.840 --> 00:50.710
So, looking at this advapi32.

00:51.580 --> 00:56.170
We can identify functions named Reg-something after Reg-something.

00:56.170 --> 01:03.310
That's something, something here that allows us to work with the Windows registry, while others mention

01:03.310 --> 01:05.380
the word service and

01:06.200 --> 01:17.540
SC manager, like StartServiceA, RegSetValueExA, OpenServiceA, RegCloseKey, RegQueryValueEx and so on.

01:18.200 --> 01:26.330
With this here, this allows the malicious attacker to interact with the Windows Service Control

01:26.330 --> 01:32.480
Manager, which enables loading drivers here.

01:32.510 --> 01:32.990
Right.

01:32.990 --> 01:34.570
And the registry.

01:35.260 --> 01:36.700
And we also have.

01:36.790 --> 01:44.080
So there are really a lot of imports in kernel32.dll as well, and many other things; it allows us

01:44.080 --> 01:50.740
to interact with and perform actions related to named pipes, file names and processes.

01:51.100 --> 01:52.240
Let's actually.

01:53.060 --> 01:53.690
Here.

01:54.410 --> 01:55.970
We have a bigger sample tree, right.

01:57.110 --> 01:59.510
We can also drag it down here.

02:00.640 --> 02:04.450
Or if you mess up this view, you can go to Window.

02:07.610 --> 02:12.650
And reset your, you know, view options.

02:16.320 --> 02:19.770
So now we will go here and.

02:20.830 --> 02:26.410
So as I said, there are really a lot of kernel32

02:28.070 --> 02:38.380
imports, and we also have this wininet HttpOpenRequestA, HttpQueryInfoA and so on.

02:38.390 --> 02:44.060
So here we identified a lot of things with a very quick analysis.

02:44.060 --> 02:51.860
So if you are experienced, you will know malware code patterns, mentally matching API functions

02:51.860 --> 03:00.680
with strings and easily inferring what the malware will try to do, given the previously shown information

03:00.680 --> 03:01.280
here.

03:02.720 --> 03:03.500
So.

03:05.480 --> 03:10.340
In the next lecture, we will dissect interesting parts of the malware sample.

03:10.370 --> 03:12.320
And I'll see you in the next lecture.
