WEBVTT

00:00.440 --> 00:08.060
As mentioned before, this malware consists of two components: a portable executable file, sparkcontext,

00:08.600 --> 00:13.720
and the Windows driver file Aacae dot size.

00:13.730 --> 00:21.320
So when more than one malicious file is found on a computer, it's quite common that one of them generates

00:21.350 --> 00:22.190
others.

00:23.260 --> 00:28.860
So spark.exe can be executed by just double-clicking on it.

00:28.870 --> 00:40.090
While our courses must be loaded by another component such as the Windows Service Control Manager.

00:40.960 --> 00:43.360
So with another driver.

00:43.360 --> 00:50.860
So we can initially assume that spark.exe was executed and then it dropped the driver file to the disk.

00:50.890 --> 00:57.490
In fact, during our static analysis of the imports, we noticed that spark.exe has APIs to deal

00:57.490 --> 01:00.160
with the Windows Service control manager.

01:00.760 --> 01:05.590
And what we're going to do here is we're going to get spark.exe and switch to

01:06.900 --> 01:12.300
Ghidra, and we have the portable executable, something like that, and we imported it.

01:12.300 --> 01:14.760
So we'll double click on it to analyze.

01:14.940 --> 01:18.960
And after that click on Yes and analyze.

01:18.960 --> 01:19.590
That's it.

01:19.800 --> 01:28.320
So it's quite a simple and small file. Simple because, as you can see, it's already analyzed here.

01:28.320 --> 01:29.310
So.

01:32.270 --> 01:36.500
What we are going to do is go to Bytes here.

01:36.680 --> 01:37.880
These bytes.

01:38.270 --> 01:42.620
We will display the bytes here and.

01:43.550 --> 01:45.630
Here we have the start.

01:45.650 --> 01:48.980
Here I will note that on the screen.

01:51.110 --> 01:52.910
Or instead we have the notepad.

01:52.910 --> 01:53.380
Right.

01:53.390 --> 01:54.930
Or sticky notes?

01:54.950 --> 01:55.700
Yes.

01:56.460 --> 01:57.500
So.

01:58.670 --> 01:59.870
Not now.

02:00.110 --> 02:07.850
Okay, so here our start is 000001.

02:10.750 --> 02:11.770
Zero zero.

02:12.940 --> 02:16.900
And zero zero here again, and the end is here.

02:16.900 --> 02:20.200
I'm talking about this start and end.

02:20.770 --> 02:21.820
We will note that.

02:21.820 --> 02:26.020
And here our end is f f, f f f.

02:27.060 --> 02:31.730
Let's actually make it uppercase f, f, f, f, f and f f.

02:31.970 --> 02:32.580
Right.

02:32.580 --> 02:33.570
So.

02:34.790 --> 02:37.240
Why I noted this first.

02:37.250 --> 02:41.150
You will understand right now because here.

02:44.480 --> 02:44.840
The.

02:44.920 --> 02:47.480
This file starts with this pattern.

02:47.480 --> 02:48.080
Right.

02:48.620 --> 02:49.430
Let's actually.

02:50.770 --> 02:52.560
Get this at the top here.

02:52.570 --> 02:54.580
This is the top of the file that starts.

02:54.580 --> 02:59.260
So here, this file starts with this pattern.

02:59.350 --> 03:03.840
So we will also note that start pattern.

03:03.850 --> 03:16.360
Note that here the 45, a 90 and zero zero and so on here and others.

03:16.480 --> 03:18.010
So here.

03:19.380 --> 03:21.960
As you see, this is our standard pattern.

03:21.960 --> 03:26.400
And the starting bytes are also used as the signature of files.

03:26.400 --> 03:31.680
So these signatures are also known as magic numbers or magic bytes.

03:31.680 --> 03:38.520
So in this case, the signature indicates that this file is a portable executable, which is the file

03:38.520 --> 03:46.650
format for executables, object code, DLLs and others used in 32 bit and 64 bit versions of Windows

03:46.650 --> 03:47.820
Operating Systems.

03:47.820 --> 03:55.230
So you will see this pattern in every portable executable file, object code, DLLs

03:55.260 --> 04:00.030
you analyze in reverse engineering operations.

04:00.030 --> 04:03.210
So here let's actually use our executable file.

04:03.210 --> 04:07.650
It's already analyzed, but we can check that.

04:08.660 --> 04:10.650
We have our key with us.

04:10.700 --> 04:11.780
We also have the.

04:12.420 --> 04:13.500
POS malware.

04:13.710 --> 04:23.620
So here, as you can see in the POS malware, our bytes also start with the 45, a 90 and zero zero.

04:23.640 --> 04:33.330
So you will see this pattern very commonly in executable files, object code, DLLs and others used

04:33.330 --> 04:38.970
in 32 bit and 64 bit versions of Windows Operating Systems.

04:39.210 --> 04:40.620
So we will.

04:41.560 --> 04:47.020
We can also just close this POS malware, but it can stay here.

04:48.220 --> 04:48.790
Now.

04:49.300 --> 04:49.840
Okay.

04:49.840 --> 04:54.530
So we can also calculate the difference between the start address and the end address.

04:54.550 --> 05:00.580
And in order to do that, we will open the go to search or.

05:01.740 --> 05:02.520
Window.

05:02.730 --> 05:04.020
We will go to the window and go.

05:04.050 --> 05:06.270
We will select Python from it.

05:07.080 --> 05:07.950
Python.

05:07.950 --> 05:12.090
And here what we're going to do is reset in Python.

05:12.420 --> 05:18.960
We will subtract this here, subtract this here, in this case, Hex.

05:19.260 --> 05:20.100
Hex.

05:25.870 --> 05:26.860
Zero six.

05:34.210 --> 05:35.350
Go to here.

05:51.390 --> 05:51.920
Here.

06:28.800 --> 06:31.350
And now we will go back to Python.

06:31.350 --> 06:33.390
So we will calculate this, right?

06:33.390 --> 06:38.130
So 00010000

06:38.160 --> 06:50.610
-0 00151 and F so that close this preset's now here as input.

06:54.810 --> 06:55.620
I'm sorry.

06:56.130 --> 06:59.100
We need to add 0x here and here.

06:59.100 --> 07:00.030
This is our output.

07:08.980 --> 07:12.160
So 0X51 and five.

07:12.280 --> 07:15.580
So then we can open the.

07:17.770 --> 07:18.790
It's actually close this.

07:18.790 --> 07:27.160
So we can open spark.exe and look for the file by clicking on Search Memory

07:27.160 --> 07:27.820
here.

07:28.480 --> 07:33.070
And we will paste this code here that we got from this.

07:36.320 --> 07:37.130
Search pattern.

07:37.310 --> 07:38.750
So we will paste this.

07:39.470 --> 07:40.610
The search pattern.

07:40.610 --> 07:42.100
And here this is it.

07:42.110 --> 07:44.180
And you will see here.

07:45.310 --> 07:45.720
We have.

07:45.730 --> 07:46.540
Let's search all.

07:46.540 --> 07:51.820
So you will see the two occurrences of this header pattern.

07:51.820 --> 07:55.150
So the first one corresponds to the.

07:56.440 --> 08:03.580
the header of the file we are analyzing, in this case spark.exe, while the second one corresponds

08:03.580 --> 08:09.870
to the embedded .sys, which we just analyzed here.

08:09.880 --> 08:10.870
So.

08:11.920 --> 08:12.400
Here.

08:12.400 --> 08:14.440
This is that zero zero label.

08:14.560 --> 08:18.220
It also has labels, but we have the image DOS header here.

08:20.900 --> 08:21.530
Yes.

08:21.830 --> 08:31.010
So, as we know, it starts at 004F here, location here.

08:31.010 --> 08:32.540
So we will note that down.

08:36.110 --> 08:40.130
Oops, that's not a good marker here.

08:40.130 --> 08:47.330
So we already know that it starts with the... actually, instead of writing things here,

08:47.330 --> 08:49.520
let's note it down so we can read it.

08:49.520 --> 08:57.590
So the location of that, 004.

08:58.790 --> 09:01.010
F68 50.

09:02.340 --> 09:03.870
Six 850.

09:05.700 --> 09:08.760
As we noted it down and.

09:12.830 --> 09:13.820
After that.

09:16.280 --> 09:19.820
We will select the bytes here.

09:22.320 --> 09:23.370
Search.

09:24.180 --> 09:24.630
Or.

09:25.600 --> 09:25.990
Yeah.

09:25.990 --> 09:29.250
Now select here and select the bytes here.

09:29.260 --> 09:32.050
So here we will enter the length.

09:32.050 --> 09:32.680
Right.

09:33.010 --> 09:38.560
The length is what we got from the calculation here, and here.

09:38.560 --> 09:40.090
We selected our bytes.

09:40.090 --> 09:49.030
So by right-clicking on the selected bytes and choosing Extract and Import right here, Extract and

09:49.030 --> 09:52.660
Import, which is also available; it also has a shortcut.

09:53.410 --> 10:00.940
So we get this screen where a data file is added to the project containing the selected bytes.

10:01.840 --> 10:05.710
So we are identifying the malware components here.

10:05.980 --> 10:08.950
Now, actually, we can also analyze it.

10:09.320 --> 10:11.110
But here.

10:15.930 --> 10:16.620
That's it.

10:17.160 --> 10:19.800
And here in imports.

10:21.550 --> 10:23.140
IBM's Notes program file.

10:23.140 --> 10:25.900
And here we also have the Data Type Manager.

10:25.900 --> 10:29.320
We have three data types spark data.

10:29.320 --> 10:32.770
Here we have this data file.

10:37.030 --> 10:39.670
And we have the program trees here.

10:40.030 --> 10:42.080
We can refresh it and so on.

10:42.100 --> 10:42.880
So.

10:44.520 --> 10:48.390
We can go to the active project, spark.exe here.

10:49.630 --> 10:51.100
Program change symbol three.

10:56.620 --> 10:57.920
At CES.

11:03.950 --> 11:05.390
And here we.

11:07.950 --> 11:14.580
We have this; we can see the spark.exe data here separately, and that's it.

11:15.840 --> 11:17.640
We have found the.

11:21.130 --> 11:22.480
This, Aki.

11:22.480 --> 11:26.260
That size file from our executable file.

11:26.260 --> 11:26.800
Right.

11:27.960 --> 11:32.340
And here we have this in the Ghidra active project.

11:32.340 --> 11:37.530
Here we can see this, all the malware components.

11:37.920 --> 11:44.610
Now, in the next lecture, we will analyze the malware from the entry point of the program.

11:45.220 --> 11:46.420
See you in the next lecture.
