WEBVTT

00:00.410 --> 00:01.110
Welcome back.

00:01.130 --> 00:07.040
In the previous video, we have already set up the tools that we are going to use before we run the

00:07.040 --> 00:07.490
malware.

00:07.880 --> 00:10.660
In this dynamic analysis.

00:10.670 --> 00:13.340
So in this video, we are going to continue.

00:15.930 --> 00:17.280
So note here.

00:17.280 --> 00:18.630
Now we are ready to run.

00:18.630 --> 00:26.880
So we will turn on the capture now, which we paused earlier, and then, if we want, we can also

00:26.880 --> 00:34.350
go to the tools here and look at the process tree, where we can look at the details of the processes

00:34.350 --> 00:39.180
which are running in this operating system, in this virtual machine.

00:39.850 --> 00:46.660
Note that under the command column we can also see the command line that started the process itself

00:46.660 --> 00:49.840
as well as any parameters to it, if any.

00:50.380 --> 00:50.770
All right.

00:50.770 --> 00:53.080
So we can close this for now.

00:53.080 --> 00:56.530
And now we are going to detonate our malware.

00:57.370 --> 01:05.170
So go back to the folder where the malware is found and click on the .NET malware with the .exe extension.

01:06.570 --> 01:09.510
And immediately it starts executing, as you can see.

01:10.260 --> 01:14.970
And if you look here, it doesn't show that it has created any

01:15.000 --> 01:16.530
processes as well.

01:17.460 --> 01:25.110
And if you look at Wireshark, it also doesn't seem to be trying to communicate out anywhere.

01:25.530 --> 01:30.270
So let us now take a look at the process monitor and see what is happening.

01:31.160 --> 01:32.720
Just open it a little bit.

01:33.560 --> 01:36.230
And since it's a long list.

01:36.890 --> 01:39.640
Scroll down to see what it's currently doing.

01:39.650 --> 01:43.970
So you can scroll all the way to the bottom to see what it is currently doing.

01:44.780 --> 01:48.050
So now here you will see it is trying to read your mails.

01:49.160 --> 01:50.360
mails.txt.

01:50.660 --> 01:52.040
Okay, let's scroll up further.

01:52.810 --> 01:58.810
You might see this thing popping up, saying the application was unable to start correctly asking you

01:58.810 --> 01:59.380
to close.

01:59.380 --> 02:00.160
Do not close it.

02:00.160 --> 02:00.550
Just.

02:00.700 --> 02:01.960
Just ignore it.

02:01.990 --> 02:03.670
Continue analysis.

02:03.860 --> 02:11.140
You will see it is also looking for browsers.txt and then we keep scrolling upwards to look for

02:11.140 --> 02:12.880
more interesting things.

02:13.300 --> 02:16.390
And here is some mails.txt.

02:16.600 --> 02:20.620
Probably trying to steal some email information.

02:20.890 --> 02:31.240
And here is also some evidence of looking for messages or messaging services as well as email identities

02:31.270 --> 02:32.560
outlook profiles.

02:34.030 --> 02:35.470
Usernames as well.

02:36.670 --> 02:44.080
As well as accounts, fishing for accounts, computer names.

02:44.620 --> 02:46.300
And you see Thunderbird here.

02:46.330 --> 02:48.160
It's a mail client.

02:49.090 --> 02:50.110
Mozilla mail client.

02:51.430 --> 02:51.990
Okay.

02:52.000 --> 02:57.550
You do not discover much, probably because the malware quit.

02:58.090 --> 03:05.020
So anyway, if the malware had not quit, we could probably have discovered much more information about

03:05.020 --> 03:06.600
what it is trying to steal.

03:06.610 --> 03:15.370
For example, the Firefox and Chrome passwords as well as other passwords.

03:16.210 --> 03:22.280
So anyway, let us now try to look for the strings in memory.

03:22.300 --> 03:31.000
We can go over to Process Hacker and double click on the process and head over to the memory tab

03:31.300 --> 03:35.710
and then click on the strings button and then click okay.

03:36.680 --> 03:40.100
So here we are looking for any kind of HTTP.

03:41.660 --> 03:44.660
So just scroll down and see if we can find any.

03:45.320 --> 03:48.020
And we found quite a lot of things here straight away.

03:48.050 --> 03:51.770
POP3, IMAP password, HTTP email password.

03:51.830 --> 03:54.050
SMTP password too.

03:54.290 --> 03:56.840
So this could be what it is trying to steal.

03:57.890 --> 04:01.700
And even looking for this Gmail and Yahoo!

04:02.520 --> 04:03.660
Account passwords.

04:03.690 --> 04:06.750
Login name and password for Google.

04:07.890 --> 04:12.870
And here is evidence that it is using the PK11 encryption API.

04:13.110 --> 04:17.700
And this PK11 is used by Firefox to encrypt the passwords.

04:17.700 --> 04:21.840
So it appears it might be stealing the Firefox passwords.

04:22.200 --> 04:29.670
And there's SQLite3 as well, probably trying to access the decrypted passwords for the Chrome

04:29.670 --> 04:30.390
passwords.

04:31.260 --> 04:34.850
There is also Thunderbird, which is the Mozilla mail client.

04:35.090 --> 04:40.100
So this might be indication that it's trying to steal the mail client password.

04:40.400 --> 04:41.450
Email password.

04:42.020 --> 04:47.780
Okay, let's try to filter for HTTP to see if we can find any command and control servers.

04:47.900 --> 04:52.010
So just type in HTTP and click.

04:52.010 --> 04:52.610
Okay.

04:53.710 --> 04:55.600
And it seems nothing showed up.

04:55.990 --> 05:04.480
And that could be because the program quit before it could load any HTTP servers here.

05:05.170 --> 05:08.230
And we see this reference to NirSoft.

05:08.260 --> 05:17.530
This could be decryption software, suggesting that there might be an embedded exe inside

05:17.530 --> 05:19.900
this malware.

05:20.350 --> 05:28.970
So now we have a good overview of what it is trying to do, which basically is to steal email and browser passwords.

05:28.990 --> 05:34.470
So in the next step, we are going to look at the static analysis.

05:34.480 --> 05:36.400
So thank you for watching.

05:36.400 --> 05:38.080
I will see you in the next one.
