WEBVTT

00:01.370 --> 00:01.970
Hello.

00:01.970 --> 00:06.590
In this video, let's take a look at malware analysis terminology.

00:08.990 --> 00:18.950
These are some basic terminologies: packed, obfuscated, disassemblers or decompilers, debuggers, IOCs

00:18.950 --> 00:20.570
and malware artifacts.

00:21.920 --> 00:23.000
Packed, packer.

00:23.630 --> 00:28.400
A packed malware contains part of itself compressed or encrypted.

00:28.400 --> 00:34.700
The stub will unpack this compressed part and then execute it, either by injecting it into another

00:34.700 --> 00:39.790
process's memory or running it as a separate process.

00:39.800 --> 00:45.500
So a packed malware consists of two parts: the stub and the payload.

00:45.590 --> 00:52.610
The payload is the part that is compressed, and the stub is run first in order to uncompress the payload

00:52.610 --> 00:53.630
into memory.

00:54.560 --> 00:55.550
Obfuscation.

00:55.580 --> 01:02.540
Obfuscation uses meaningless strings for variables so that it is difficult to understand the function

01:02.540 --> 01:04.160
and purpose of variables.

01:04.400 --> 01:07.970
It also means meaningless strings for function names,

01:07.970 --> 01:12.540
so that the malware analysts would not know what the purpose of a function is.

01:12.810 --> 01:17.010
Sometimes strings can also be encoded in base64.

01:17.220 --> 01:24.690
Obfuscation can also involve taking a string and breaking it up into small parts, and each part is substituted

01:24.690 --> 01:29.010
by a function whose purpose is to be obfuscated during runtime.

01:29.010 --> 01:34.170
And those parts are then combined together, concatenated, to form the original string.

01:34.200 --> 01:41.100
Examples of this technique are usually found in PowerShell, JavaScript or VBScript.

01:41.130 --> 01:46.650
Malware executables or binaries can also be obfuscated or encrypted.

01:47.250 --> 01:48.510
Disassemblers.

01:48.540 --> 01:49.620
Disassemblers

01:49.620 --> 01:55.350
are those tools used for disassembling a binary file into assembly code.

01:55.530 --> 01:59.610
They are used for analyzing a file without executing it.

01:59.640 --> 02:03.120
This technique is also known as static analysis.

02:03.480 --> 02:07.500
Examples of disassemblers are Ghidra and IDA Pro.

02:08.340 --> 02:17.670
Ghidra is also known as a decompiler because it can decompile a binary file into assembly as well as

02:17.700 --> 02:18.810
C source code.

02:19.500 --> 02:24.990
One disadvantage of disassemblers is that they cannot analyze memory regions.

02:25.020 --> 02:28.020
This is because the program is not running.

02:28.050 --> 02:30.810
Therefore it is not loaded into memory.

02:31.170 --> 02:32.280
Debuggers.

02:32.370 --> 02:39.900
Debuggers are those tools which allow you to run a program and then step through it to analyze the program

02:39.900 --> 02:43.950
as it is running, to analyze its instruction step by step.

02:43.980 --> 02:51.660
Because debuggers are actually running the program, you are therefore able to examine the memory into which

02:51.660 --> 02:53.550
the program is loaded.

02:53.850 --> 02:57.150
This technique is also known as dynamic analysis.

02:57.600 --> 03:01.350
Examples of debuggers are xdebug and WinDbg.

03:02.040 --> 03:10.140
You can also use debuggers to unpack packed malware by dumping memory after the packed program has already

03:10.140 --> 03:11.670
unpacked itself in memory.

03:11.700 --> 03:15.660
Debuggers are also excellent tools to do behavior analysis.

03:15.690 --> 03:18.840
That is, to run a program and see what it does.

03:19.530 --> 03:20.580
IOCs.

03:20.700 --> 03:24.480
IOCs stand for Indicators of Compromise.

03:24.660 --> 03:32.580
This means that you can look for any of these inside your operating system, and if you find any of

03:32.580 --> 03:37.200
these, then you can know for sure that your machine has been compromised.

03:37.200 --> 03:41.030
That's why they are called indicators of compromise.

03:41.040 --> 03:44.790
So examples of IOCs are file hashes.

03:45.270 --> 03:55.080
File hashes can be obtained by using hash programs in order to obtain the MD5 or SHA for a particular

03:55.080 --> 03:55.740
file.

03:56.100 --> 04:02.310
You can then compare those hashes with existing hashes in order to identify the malware.

04:03.150 --> 04:05.760
You can also look for file names.

04:06.830 --> 04:13.490
Email addresses, URLs, dropped files, as well as added or modified registry keys.

04:14.480 --> 04:22.160
So if you find any of these, or a combination of them, in your operating system on your machine, then this

04:22.160 --> 04:25.490
highly suggests that your machine could have been compromised.

04:26.150 --> 04:26.660
Malware

04:26.660 --> 04:27.530
artifacts.

04:27.560 --> 04:28.790
Malware artifacts

04:28.790 --> 04:36.050
are those items left over from a malware infection, and they include indicators of compromise.

04:36.140 --> 04:37.580
Thank you for watching.

04:37.580 --> 04:38.930
I'll see you in the next one.
