WEBVTT

1
00:01.020 --> 00:04.080
Hello and welcome to a new section.

2
00:04.650 --> 00:15.810
In this new section, we are going to reverse engineer a new malware sample, which is also

3
00:15.810 --> 00:19.920
known as the TeslaCrypt Ransomware.

4
00:24.110 --> 00:26.930
The learning objectives for this section are:

5
00:27.440 --> 00:34.670
Analysis of the TeslaCrypt Ransomware File Identification.

6
00:35.570 --> 00:43.280
For this, you will need to use the usual tools for identifying the file type, like TrID.NET,

7
00:43.310 --> 00:44.510
for example.

8
00:45.560 --> 00:49.880
And then we'll be doing something different.

9
00:50.690 --> 00:59.960
You'll be trying to find out what the packer is, but you won't be able to find any signature.

10
01:00.560 --> 01:06.650
This is because TeslaCrypt was packed with a custom packer.

11
01:08.430 --> 01:18.090
But anyway, you need to go through the process of trying to identify it using Detect It Easy, also

12
01:18.090 --> 01:23.130
known as DIE, and also Exeinfo PE.

13
01:24.870 --> 01:29.040
But both of those tools will yield no results.

14
01:29.970 --> 01:35.610
It will not show any packing, but that does not mean it is not packed.

15
01:37.060 --> 01:41.950
So to find out, dig further into whether or not it is packed.

16
01:43.010 --> 01:55.280
You need to use PEStudio, and PEStudio will show you that the number of imported functions is very small.

17
01:56.860 --> 02:07.270
And another thing is, in the sections, you will find that the entropy is very high,

18
02:08.330 --> 02:09.380
above seven.

19
02:10.250 --> 02:12.260
Entropy maximum is eight.

20
02:13.150 --> 02:15.100
Normal unpacked

21
02:16.040 --> 02:16.460
code

22
02:16.490 --> 02:24.590
entropy is only 5 to 6, but anything above seven usually means it is packed.

23
02:25.670 --> 02:31.820
So you need to use PEStudio and analyze the sections to look at the entropy.

24
02:33.590 --> 02:34.520
Then

25
02:35.430 --> 02:38.280
you will use x64dbg debugger

26
02:38.970 --> 02:45.090
to let the program unpack itself into memory.

27
02:46.740 --> 02:51.900
But you need to put the breakpoint on the correct API.

28
02:53.040 --> 03:02.400
And the technique to do that is to use a breakpoint on the API known as VirtualAlloc.

29
03:05.140 --> 03:19.150
And then you need to let it unpack itself, but before it runs the unpacked memory,

30
03:20.540 --> 03:27.830
you are going to use another tool to dump the memory for the unpacked

31
03:28.560 --> 03:33.030
addresses, and that will be Process Hacker.

32
03:34.750 --> 03:45.580
And then lastly, you will start the Ghidra program to disassemble the dumped memory,

33
03:46.090 --> 03:49.150
and then you can analyze it if you want.

34
03:50.150 --> 03:54.740
So these are the learning objectives for this section.

35
03:55.700 --> 04:04.190
If you feel up to it, I encourage you to give it a try on your own before you take a look at the next

36
04:04.190 --> 04:07.550
videos on how I do it.

37
04:08.210 --> 04:11.000
So go ahead and give it a try.

38
04:11.390 --> 04:15.170
Good luck and see you in the next one.

39
04:15.320 --> 04:16.640
Thank you for watching.