WEBVTT

00:00.480 --> 00:07.830
Now we are analyzing the sample that is opened in the Code Browser here, and we are going to find the entry point,

00:07.830 --> 00:15.000
so you can look for the entry function in the Symbol Tree here, the Program Tree and the Symbol Tree.

00:15.000 --> 00:21.090
So we will open the Symbol Tree here, and we have the entry function here, and we will double click on

00:21.120 --> 00:21.480
that.

00:21.480 --> 00:23.550
And here we are seeing this.

00:23.550 --> 00:27.750
So we will also want the decompiler here.

00:27.750 --> 00:29.580
So that's it.

00:29.580 --> 00:31.470
So we have two functions here.

00:31.620 --> 00:36.360
So the decompilation of these functions looks readable.

00:36.360 --> 00:43.080
The __security_init_cookie is a memory corruption protection function introduced by the compiler.

00:43.080 --> 00:49.470
So go ahead with the main startup by double clicking on it.

00:49.500 --> 00:52.560
So there are a lot of functions recognized by Ghidra here.

00:52.560 --> 01:00.730
So let's focus only on the function that is not recognized yet, which is this one here.

01:01.590 --> 01:05.100
Think 1045556.

01:08.110 --> 01:12.280
So here, this is the main function of the program.

01:13.500 --> 01:22.830
So if you have some C++ background, you will also notice that this _wincmdln here, this

01:23.100 --> 01:27.030
should be somewhere here in _wincmdln.

01:29.450 --> 01:31.670
It initializes some global variables here.

01:31.670 --> 01:37.460
So as you can see, it's initialized with var4, and we will double click on it here.

01:37.610 --> 01:42.680
And here, as you can see, it initializes some global variables like here.

01:42.800 --> 01:43.730
So.

01:46.170 --> 01:46.770
At the.

01:48.590 --> 01:53.540
And it also initializes the environment and the heap for the process.

01:53.540 --> 01:56.810
And then the main function is called.

01:57.170 --> 02:08.120
So the thing with our function that ends with the thunk function, the one that ends with F60, it should be somewhere

02:08.120 --> 02:08.900
here.

02:09.610 --> 02:19.450
So here, as you can see, we can see _wincmdln, and so after _wincmdln is the WinMain function.

02:19.450 --> 02:22.360
So we will rename this.

02:23.830 --> 02:26.080
So, for the function

02:26.110 --> 02:30.550
FUN_00455F60,

02:30.940 --> 02:34.000
rename the function to WinMain.

02:34.000 --> 02:38.350
So we will just press the L key

02:39.410 --> 02:42.790
while focused on or having clicked on the function.

02:42.830 --> 02:46.520
Or you can also right click on it and click on Rename Function.

02:46.520 --> 02:52.760
So we will rename it to WinMain here.

02:53.750 --> 02:54.890
And that's it.

02:54.980 --> 03:02.930
So Ghidra allows you to rename variables and functions, introduce comments, and modify the disassembly

03:02.930 --> 03:05.150
and the decompiled code in a lot of aspects.

03:05.150 --> 03:10.000
So this is essential when reverse engineering malware.

03:10.010 --> 03:13.070
So we will double click on WinMain.

03:13.070 --> 03:21.680
So we can also retype the return, edit the function signature and so on, so undefined

03:21.680 --> 03:23.420
WinMain and so on.

03:23.690 --> 03:32.300
And we took two steps here, so we can also have the undefined4 here, as you can see here, int

03:32.300 --> 03:34.100
iVar1.

03:35.440 --> 03:36.340
Undefined.

03:36.370 --> 03:37.150
Eight.

03:37.180 --> 03:39.100
Pascal and Main.

03:41.330 --> 03:43.250
And we are returning here.

03:47.380 --> 03:47.890
Here.

03:48.190 --> 03:53.980
So we took these steps to identify where the malware starts to analyze its flow from the beginning.

03:53.980 --> 04:01.720
But there are some functions in the decompiled code listing that we don't know about, or anything

04:01.720 --> 04:02.530
we don't know about.

04:02.530 --> 04:02.830
Right?

04:02.830 --> 04:09.100
So our job here is to reveal their functionality in order to understand the malware.

04:09.100 --> 04:12.220
So keep in mind that malware analysis is a time consuming task.

04:12.220 --> 04:17.530
So don't waste your time with the details, but also don't forget anything important.

04:17.530 --> 04:26.140
So next, we will analyze each of the functions listed in WinMain here, in this WinMain decompiled

04:26.140 --> 04:34.540
code, and we will start analyzing the first function which is located on line 20, and we will start

04:34.540 --> 04:39.760
analyzing the first one, which is the one that ends with 40 here.

04:39.790 --> 04:44.170
FUN_00453340.
