WEBVTT

1
00:00.440 --> 00:01.320
Welcome back.

2
00:01.340 --> 00:09.560
In this video, we are going to analyze the dump file with PEStudio and Ghidra.

3
00:10.550 --> 00:13.370
So let's start off with PEStudio.

4
00:16.630 --> 00:18.340
Open up PEStudio.

5
00:22.340 --> 00:29.810
And drag the dump file into it to let PEStudio analyze the dumped file.

6
00:30.800 --> 00:34.940
And PEStudio is now analyzing.

7
00:40.380 --> 00:41.720
It looks like

8
00:49.490 --> 00:53.270
it looks like we got the wrong dump file.

9
00:54.320 --> 00:57.530
So we need to repeat the process of dumping.

10
00:57.560 --> 01:01.160
This is not the right PE file,

11
01:01.400 --> 01:04.520
since there are no libraries and no imports.

12
01:04.700 --> 01:06.710
And even if you look at strings,

13
01:10.330 --> 01:11.560
there is nothing much there.

14
01:12.070 --> 01:12.670
Okay.

15
01:12.820 --> 01:14.560
So we have to repeat it.

16
01:15.730 --> 01:17.500
So I'm going to try again.

17
01:18.400 --> 01:20.970
Open it with x32dbg.

18
01:22.300 --> 01:25.970
Sometimes it's a matter of trial and error, so it's quite okay.

19
01:25.990 --> 01:29.470
So we open the malware again.

20
01:36.130 --> 01:38.170
And then we'll put our breakpoint

21
01:41.860 --> 01:42.460
on VirtualAlloc.

22
01:49.390 --> 01:51.640
Run to the first breakpoint.

23
01:53.410 --> 01:54.430
Step over.

24
02:03.060 --> 02:10.020
Okay, so now this is the first one. We can Follow in Dump.

25
02:12.610 --> 02:13.150
All right.

26
02:13.750 --> 02:22.600
Now we're getting a different address: 0x0022, followed by four zeros, so we can put a note there.

27
02:34.100 --> 02:36.570
0x0022, followed by four zeros.

28
02:36.590 --> 02:37.910
One, two, three, four.

29
02:41.210 --> 02:46.190
Right-click, Follow in Memory Map. It is Readable and Writable.

30
02:48.380 --> 03:00.170
Now we run again, and it has populated that first memory with some unpacked code, and it has hit VirtualAlloc

31
03:00.170 --> 03:01.400
a second time.

32
03:01.700 --> 03:03.110
So let's step over.

33
03:09.970 --> 03:12.130
Okay, let's run VirtualAlloc now.

34
03:13.210 --> 03:16.240
And it has allocated some more memory here.

35
03:17.140 --> 03:19.600
Right-click, Follow in Dump Number 2.

36
03:21.340 --> 03:23.770
This is the one. Right now

37
03:23.770 --> 03:25.870
we're going to examine it in Memory Map.

38
03:27.040 --> 03:29.110
Right-click and Follow in Memory Map,

39
03:29.710 --> 03:32.110
and you see this one is Executable.

40
03:35.110 --> 03:43.180
Okay, so we are going to copy this address. Right-click, Copy Value, and put it here.

41
03:44.740 --> 03:46.090
We have two addresses.

42
03:47.290 --> 03:57.130
Okay, now we run, and you see it has populated the second one with this unpacked code.

43
03:58.240 --> 04:02.410
So now we will open Process Hacker.

44
04:04.690 --> 04:06.980
We open Process Hacker to try to dump,

45
04:06.980 --> 04:10.280
but this time we are going to dump a different location.

46
04:10.670 --> 04:12.020
Process Hacker.

47
04:25.170 --> 04:29.250
Go to our ransomware, go to Memory.

48
04:29.940 --> 04:39.780
And according to our notes we've written down, we started dumping at 0x0022, followed

49
04:39.780 --> 04:42.540
by four zeros, which is here.

50
04:44.220 --> 04:45.690
And then we dump something else.

51
04:45.690 --> 04:59.640
So now we're going to dump everything starting from here. Right-click, and we are going to Save, and

52
04:59.640 --> 05:01.860
we are going to overwrite the earlier one.

53
05:04.000 --> 05:04.210
Yes.

54
05:06.260 --> 05:11.780
So now we are going to open it with PEStudio.

55
05:15.890 --> 05:21.830
We'll go to our Utilities folder and fire up PEStudio,

56
05:22.340 --> 05:25.040
and now we analyze the dump file.

57
05:25.340 --> 05:26.030
PEStudio.

58
05:29.310 --> 05:31.560
And see if we get any libraries.

59
05:33.030 --> 05:33.600
All right.

60
05:33.810 --> 05:38.460
Probably no, because it doesn't have a header at that location.

61
05:38.580 --> 05:45.300
So we'll close this now and then we analyze it with a hex editor.

62
05:45.960 --> 05:47.760
I'll be using 010 Editor.

63
05:48.840 --> 05:51.450
Right-click, Open With 010 Editor.

64
05:55.280 --> 05:55.550
Okay.

65
05:56.000 --> 06:03.770
You see there is no PE header there at the location, so we can search for PE header.

66
06:06.160 --> 06:12.850
The magic bytes are 4D 5A. So we search for 4D 5A.

67
06:15.560 --> 06:18.410
4D 5A.

68
06:18.440 --> 06:25.340
4D 5A is hex for MZ, and we found a hit here.

69
06:26.820 --> 06:27.420
There is one here.

70
06:27.420 --> 06:27.900
Here.

71
06:28.550 --> 06:31.920
So this is the location where we have a PE header.

72
06:32.790 --> 06:33.990
There's another one here,

73
06:35.670 --> 06:38.070
another PE header here.

74
06:38.250 --> 06:40.440
So it seems there are quite a few.

75
06:41.130 --> 06:41.550
All right.

76
06:41.550 --> 06:46.830
So it will take a lot of time to go through all of them to see which is the correct one.

77
06:47.910 --> 06:55.620
So to save some time, I will cut short and tell you that the second one is the correct one.

78
06:56.730 --> 07:02.310
But if you are going to try this, you need to go through every one of the headers and then open it in

79
07:02.310 --> 07:03.270
PEStudio.

80
07:04.290 --> 07:13.950
So in order to open in PEStudio, we have to delete all the ones which are the wrong ones.

81
07:13.950 --> 07:16.860
So we select the wrong bytes and delete them.

82
07:21.620 --> 07:22.460
Hit Delete.

83
07:23.240 --> 07:25.490
So now we're going to save this.

84
07:27.200 --> 07:33.710
And then now, once it's saved, we can open PEStudio to analyze it.

85
07:37.430 --> 07:39.620
So we go to

86
07:42.170 --> 07:44.780
Utilities and open PEStudio.

87
07:46.070 --> 07:49.940
So it's actually trial and error. Sometimes it takes a lot of work.

88
07:53.040 --> 07:57.900
Even a dump file doesn't necessarily contain the correct unpacked code.

89
07:58.530 --> 08:01.350
So it's a matter of trial and error.

90
08:01.500 --> 08:06.480
If you find a few MZ headers, you need to try each one of them,

91
08:06.480 --> 08:06.840
like

92
08:06.840 --> 08:08.130
how I'm doing here,

93
08:08.550 --> 08:09.690
until you get the right one.

94
08:09.690 --> 08:14.700
So the right one is now the second one, and we are trying to analyze it now.

95
08:17.160 --> 08:19.290
So the new dump file is here.

96
08:19.650 --> 08:22.860
Let's see if we can get a PE header this time.

97
08:26.740 --> 08:27.040
Okay.

98
08:27.040 --> 08:27.930
We have a PE here.

99
08:28.450 --> 08:30.400
See if we can get any libraries.

100
08:32.750 --> 08:36.800
If we can get libraries and imports, that means we are correct.

101
08:37.220 --> 08:45.020
We have already extracted the correct unpacked code. Going to give it some time to finish this analysis.

102
08:47.240 --> 08:48.910
And it has finished analysis,

103
08:48.920 --> 08:51.500
and this time I think we are correct.

104
08:52.040 --> 08:57.350
You can see there are so many libraries and so many API imports.

105
08:57.560 --> 09:00.950
That means we have correctly unpacked the file.

106
09:00.980 --> 09:01.490
You see that?

107
09:01.910 --> 09:03.080
So many.

108
09:03.200 --> 09:05.660
And then if we go to Strings,

109
09:08.310 --> 09:09.900
let's see what strings we get.

110
09:13.130 --> 09:13.430
All right.

111
09:13.430 --> 09:20.600
You can see there is some kind of Base64 encoding.

112
09:23.710 --> 09:26.020
Okay, let's scroll down and look for anything else.

113
09:26.890 --> 09:35.830
It's still being obfuscated with Base64 encoding, and there is some registry key here.

114
09:36.400 --> 09:37.600
So this is correct.

115
09:37.600 --> 09:39.880
Much more information than the previous one.

116
09:45.750 --> 09:47.880
So this is the kind of persistence here.

117
10:02.430 --> 10:04.320
Scroll down and see what else we have.

118
10:13.610 --> 10:17.540
And we have an HTTP URL here.

119
10:18.500 --> 10:24.800
So that could be the server that it is trying to connect to.

120
10:25.700 --> 10:35.630
So this is a good sign or Indicator of Compromise, and here could be some kind of message to show the

121
10:35.630 --> 10:36.080
user.

122
10:36.080 --> 10:37.400
Maybe it's a ransom note.

123
10:38.540 --> 10:39.890
Yes, it looks like it.

124
10:40.490 --> 10:42.140
So let's expand this further.

125
10:44.630 --> 10:45.500
There you go.

126
10:45.500 --> 10:51.770
So many URLs. You can see some ransom and probably the ransom note and some URLs here.

127
10:53.120 --> 10:53.480
Okay.

128
10:53.480 --> 10:57.890
So this is a positive sign of an Indicator of Compromise.

129
10:58.550 --> 11:03.620
So it looks like we have dumped the correct unpacked code.

130
11:03.920 --> 11:12.680
So in the next video, we will show you how to open it in Ghidra if you wanted to use Ghidra

131
11:12.680 --> 11:14.110
to analyze this.

132
11:14.150 --> 11:15.920
So thank you for watching.

133
11:15.920 --> 11:17.300
I'll see you in the next one.