WEBVTT

00:00.260 --> 00:05.420
So now we are going to do a static analysis by using dnSpy.

00:05.960 --> 00:12.800
And since it is a 32-bit application, we are going to use the 32-bit version of dnSpy.

00:13.790 --> 00:16.820
So I already opened my 32-bit dnSpy here.

00:17.090 --> 00:21.170
Now I'm going to load this malware inside dnSpy.

00:22.590 --> 00:24.570
And let it analyze and decompile.

00:28.010 --> 00:31.430
And from here you can see the basic information.

00:32.450 --> 00:34.410
About the assembly name and so on.

00:34.410 --> 00:36.810
And the assembly company is MiniTool.

00:36.900 --> 00:41.550
So the assembly description is MiniTool Power Data Recovery.

00:42.540 --> 00:47.280
And this is just a fake description because this is actually a malware.

00:48.090 --> 00:51.760
And from here we can see the entry point is gone.

00:51.780 --> 00:53.300
Camp dot main.

00:54.000 --> 00:57.090
So I'm just going to bring this down here.

00:58.020 --> 00:58.290
All right.

00:58.290 --> 01:00.360
Let's click on this to go to the main.

01:01.640 --> 01:07.400
And here is the main, and you can see here Gorny camp is the main class.

01:07.850 --> 01:12.440
And inside here you can see there are many other classes as well.

01:12.560 --> 01:18.680
Dynamic Encryption, FileZilla, IMVU, social networking stuff.

01:18.920 --> 01:26.870
Internet Download Manager, JDownloader, Key Hook, Paltalk, Recovery Browsers, Recovery Mail, and all this

01:26.900 --> 01:35.810
gives the impression that it is a password stealer for mail as well as browsers, and then Send here

01:35.840 --> 01:40.910
sounds like it is connecting to the command and control server.

01:41.030 --> 01:48.600
And finally you have this one strange-looking one which seems to be obfuscated, and we are going to deobfuscate

01:48.600 --> 01:50.780
it later using de4dot.

01:51.410 --> 01:55.910
But now let's take a look at our entry point, which is Kony camp.

01:57.230 --> 02:04.370
So just click on that and go to the entry point.

02:04.700 --> 02:06.560
From here you can go to entry point.

02:07.880 --> 02:10.010
Okay, so this seems to be the entry point.

02:10.430 --> 02:13.220
The main function, as you can see, the main method.

02:13.460 --> 02:19.010
And here you see many threads being created, each for certain functionality.

02:19.160 --> 02:22.700
And finally at the bottom you have the application run.

02:22.700 --> 02:30.010
So this runs the main program, and this gives the impression that it is some kind of remote access tool

02:30.020 --> 02:38.450
package where you can customize the Trojan or the RAT that you want to distribute, and not necessarily

02:38.450 --> 02:39.590
all of them will be enabled.

02:40.070 --> 02:45.350
So let's see if we click on the first one, Show Message.

02:46.460 --> 02:47.360
So it's blank.

02:47.390 --> 02:48.680
That means this is not enabled.

02:48.680 --> 02:58.230
Click backspace, click on this Add to Startup, also not enabled. Backspace, Website Blocker also

02:58.230 --> 03:03.660
not enabled. Backspace, Website Visitor also not enabled.

03:03.690 --> 03:12.690
Backspace, Self-Destruct also not enabled. Backspace, Get Current Window. So Get Current Window seems to

03:12.690 --> 03:13.230
be enabled.

03:13.440 --> 03:23.340
So this seems to be a kind of keylogger, and from here it is trying to create some of the content of the

03:23.340 --> 03:29.670
key log, like window title, the machine time, the keystroke type and so on.

03:30.120 --> 03:38.280
And if you want to get more information, you can actually search for this keystroke log to see where it

03:38.300 --> 03:44.250
is being used, so we can search for this: right-click and Find.

03:46.570 --> 03:53.410
And here you can scroll through the list of places where this is being used, and keystroke log is used

03:53.410 --> 03:55.840
in this function, this method called Record Keys.

03:55.840 --> 03:58.690
So here you can see it is capturing your keystrokes.

03:58.720 --> 04:05.890
It sleeps for a certain number of milliseconds and it goes in a perpetual loop where it keeps on recording

04:05.890 --> 04:06.730
your keystrokes.

04:06.730 --> 04:10.510
So here it is capturing the keystrokes.

04:10.510 --> 04:13.960
And down here it seems it is sending it somewhere.

04:14.320 --> 04:18.460
So let's click on this link and see where it goes to.

04:19.030 --> 04:23.620
And here you can see this is the URL, the command and control server.

04:23.620 --> 04:29.200
So this could be your indicator of compromise, and this would have shown up in the dynamic analysis

04:29.200 --> 04:30.880
as well when we did it earlier.

04:31.270 --> 04:34.270
Okay, let's click the backspace to go back here.

04:34.870 --> 04:35.170
All right.

04:35.200 --> 04:35.980
Now, let's continue.

04:35.980 --> 04:39.490
This time we click on this method called Send Log.

04:40.360 --> 04:46.340
And here we can see that Send Log is actually trying to send something to the command and control server.

04:46.820 --> 04:48.740
Over here you have a WebClient.

04:48.920 --> 04:54.920
And the DownloadString here is getting the information back from the command and control server.

04:55.100 --> 05:08.060
And here you can see the machine name, machine time in reverse, probably some attempt at obfuscation.

05:08.060 --> 05:10.790
And here we see password in reverse.

05:10.790 --> 05:17.870
And here you see clipboard in reverse, and here is screenshot and notification.

05:17.870 --> 05:23.120
So these are the things it is probably trying to capture based on the response, the command coming

05:23.120 --> 05:24.980
back from the command and control server.

05:25.640 --> 05:32.450
All right, so let's go back now to the previous location, to Main, and continue analysis.

05:32.450 --> 05:36.020
And here we see we have Get Record Keys.

05:36.020 --> 05:40.220
So this is the keystroke part which we have already seen.

05:40.910 --> 05:43.610
So back. Send Notification.

05:44.060 --> 05:47.360
So nothing here; it seems it's not enabled.

05:47.630 --> 05:53.180
And Add Hotwords is also not enabled. Clipboard Logging.

05:53.390 --> 06:00.470
So this one is where the malware is trying to steal the information from the clipboard, including the

06:00.470 --> 06:03.140
time, the text and so on.

06:03.140 --> 06:07.640
All right, so let's go back now to look at the main again.

06:07.760 --> 06:10.790
Next one, Set Apartment State.

06:11.060 --> 06:11.540
All right.

06:11.540 --> 06:13.130
It's not enabled, it's blank.

06:13.310 --> 06:24.500
And here Screen Logging not enabled, Download and Execute not enabled, backspace, Execute and Binded Files

06:24.540 --> 06:28.100
also not enabled, and Password Recovery.

06:28.400 --> 06:28.940
Yes.

06:28.940 --> 06:32.630
So we can see Password Recovery is one of the main things it is doing.

06:32.660 --> 06:34.310
There are a lot of things happening here.

06:34.550 --> 06:35.000
All right.

06:35.000 --> 06:36.740
So let's take a look at the first one.

06:36.770 --> 06:43.010
These are all the clients for emails and also web browsers.

06:43.010 --> 06:49.130
So let's take a look at Outlook first, and here the Outlook function will call this function called fence.

06:49.820 --> 06:57.920
And then fence in here will be doing some kind of search for something in the list.

06:58.130 --> 07:00.200
So let's see what our list is.

07:00.650 --> 07:01.010
All right.

07:01.010 --> 07:05.480
So we need to search for our list and see what we get: our underscore list.

07:06.140 --> 07:06.590
All right.

07:06.590 --> 07:10.970
So it seems that this list is populated through this function, Read Mail.

07:10.970 --> 07:12.350
So let's follow this.

07:12.530 --> 07:17.390
And here Read Mail is trying to get the folder path to this mail.txt.

07:17.690 --> 07:21.710
And this is what we saw earlier on when we did the dynamic analysis.

07:22.370 --> 07:22.700
Okay.

07:22.700 --> 07:29.930
From here you can see that it is trying to store the content of the email in this file, but before

07:29.930 --> 07:36.410
it can store it there, it needs to go through the process of extracting information from the emails

07:36.560 --> 07:39.110
and probably this is how it does it.

07:39.260 --> 07:44.960
It is trying to execute this string in reverse, which, if we reverse it,

07:44.960 --> 07:54.740
will be GetExecutingAssembly, and then after that ResourceManager, and then it will execute the

07:54.740 --> 08:00.800
web path and then it's going to get something from the resource manager and then it's going to decrypt

08:00.800 --> 08:02.510
it using this function.

08:02.600 --> 08:03.560
RSM Decrypt.

08:04.630 --> 08:09.730
All right, let's click on this to see what it's doing.

08:09.850 --> 08:12.940
So it is getting something from the resource manager.

08:12.970 --> 08:19.250
The resource section of the file, Key resources, probably this or this.

08:19.270 --> 08:23.290
And then it is using RSM to decrypt it.

08:23.980 --> 08:26.010
So let's see what Decrypt is.

08:26.020 --> 08:26.830
Click on it.

08:27.660 --> 08:35.820
And you can see here, this is the decryption routine, and it appears to be a symmetrical decryption routine.

08:35.820 --> 08:41.520
So probably it is not RSA, because RSA is asymmetrical.

08:41.670 --> 08:49.530
So this one gives a hint that this is symmetrical encryption, so it is using this to decrypt whatever is in

08:49.530 --> 08:50.700
the resource section.

08:50.850 --> 08:53.040
Okay, let's go back and see.

08:53.340 --> 08:55.650
So this is RSM Decrypt.

08:56.830 --> 09:02.170
So it appears from here, the resource manager, the resource that it is trying to get is Key.

09:02.320 --> 09:04.570
So let's go and look for the resource.

09:04.600 --> 09:05.290
There you go.

09:05.320 --> 09:06.460
Key resources.

09:06.970 --> 09:07.870
Look at this one.

09:11.010 --> 09:12.330
Open in Hex Editor.

09:14.570 --> 09:14.870
All right.

09:14.870 --> 09:16.910
So this seems to be encrypted.

09:17.840 --> 09:18.170
All right.

09:18.170 --> 09:24.290
Let's go back to our path, our assembly, where we were analyzing the main function.

09:24.290 --> 09:25.100
Click on back.

09:25.880 --> 09:27.710
We can close this.

09:28.460 --> 09:28.970
All right.

09:28.970 --> 09:31.770
So coming back to this function, which we were looking at.

09:31.790 --> 09:35.480
So it looks like it is decrypting the resource.

09:35.810 --> 09:40.820
The two resources we saw just now, and then executing it over here.

09:41.150 --> 09:47.060
So we need to somehow find a way to decrypt this, decrypt the resource section.

09:47.060 --> 09:51.470
The resource section might be an embedded executable.

09:52.040 --> 09:52.370
Okay.

09:52.370 --> 09:59.000
So in the next video we will continue with this one where we will decrypt the key resource here to see

09:59.000 --> 09:59.840
what is inside.

09:59.870 --> 10:01.820
So I'll see you in the next video.

10:02.180 --> 10:03.350
Thank you for watching.
