WEBVTT

00:00.560 --> 00:01.900
Hello and welcome back.

00:01.910 --> 00:08.270
In this video, we are going to continue with trying to decrypt the resource here to see what is inside

00:08.270 --> 00:15.050
it, by setting some breakpoints, letting it run and allowing it to decrypt itself.

00:15.050 --> 00:20.170
And then we will dump the decrypted memory into a separate file for analysis.

00:20.180 --> 00:23.810
So this is the trick we did before and we are going to do it here as well.

00:24.080 --> 00:30.620
So the few breakpoints we are going to set are: firstly this one here, one breakpoint here; the second breakpoint

00:30.620 --> 00:31.580
would be here.

00:31.790 --> 00:41.810
Okay, so we click on Decrypt, and here we put a breakpoint, because RSM decrypt will decrypt whatever

00:41.810 --> 00:44.300
is in the resource and then copy it out to an array.

00:44.540 --> 00:47.870
So we want to capture this array2 in memory and dump it.

00:48.830 --> 00:51.290
Okay, so let's get started.

00:51.530 --> 00:53.240
So let's run it now.

00:55.070 --> 00:55.250
Click.

00:55.250 --> 00:55.850
Okay.

00:57.640 --> 00:57.760
Click.

00:57.820 --> 00:58.390
Okay.

00:58.520 --> 00:58.720
Click.

00:58.720 --> 00:59.230
Yes.

01:00.700 --> 01:01.050
All right.

01:01.110 --> 01:02.680
It has hit our first breakpoint.

01:02.710 --> 01:03.730
Let it continue.

01:04.060 --> 01:06.910
So we are going to see this text here.

01:06.940 --> 01:07.760
What is there?

01:07.870 --> 01:08.310
Run!

01:08.500 --> 01:10.630
Step over and see the text.

01:10.630 --> 01:13.240
Here it is: ProgramData mail.txt.

01:13.510 --> 01:18.010
And this is the file we saw early on when we did dynamic analysis.

01:18.370 --> 01:19.870
All right, let's continue to step over.

01:20.680 --> 01:22.540
So let's step over.

01:23.470 --> 01:23.950
Okay.

01:23.950 --> 01:24.940
Return result.

01:26.010 --> 01:26.940
Okay, let's run.

01:27.540 --> 01:29.880
All right, so now it's hit our decrypt breakpoint.

01:30.030 --> 01:31.440
And over here.

01:32.590 --> 01:33.940
Let's just step over.

01:37.050 --> 01:37.320
All right.

01:37.350 --> 01:39.360
Now it's going to return array2.

01:39.840 --> 01:44.040
So let's go down here and see what array2 is.

01:45.160 --> 01:46.720
All right, so array2 is here.

01:46.720 --> 01:49.090
We can right click and view it.

01:49.690 --> 01:51.310
Show it in memory window.

01:51.340 --> 01:52.180
Memory one.

01:53.830 --> 02:02.620
And here you can see that it has got the magic bytes MZ, which are the start of the header, and also

02:02.620 --> 02:03.310
the string

02:03.310 --> 02:05.310
"This program cannot be run in DOS mode".

02:05.320 --> 02:08.590
So these two are confirmation that it is an EXE file.

02:08.980 --> 02:14.290
So it has decrypted the resource section and now we can see the content of it.

02:14.410 --> 02:22.030
And so what we do now is we can dump this memory into a separate file: right click here, Save Selection.

02:22.970 --> 02:27.980
And here we can store it as dump.bin.

02:28.460 --> 02:29.120
Click save.

02:29.390 --> 02:37.700
So now that we have saved dump.bin, we can stop this one and we can go and analyze this one using

02:37.730 --> 02:38.810
PeStudio.

02:38.810 --> 02:40.790
So let's open our PeStudio.

02:41.390 --> 02:43.670
PeStudio is under Utilities.

02:46.210 --> 02:46.790
Here you go.

02:46.810 --> 02:47.950
Just double click on it.

02:48.700 --> 02:50.440
Now we're going to open

02:51.270 --> 02:53.400
the dump in PeStudio.

02:55.550 --> 02:57.080
And let it analyze.

02:57.590 --> 03:04.130
And now you can see here that this executable, which we already decrypted from the resource section,

03:04.460 --> 03:08.420
has got a description called Web Browser Password View.

03:08.840 --> 03:16.220
So if you click on this here, you can see that the name of this product is Web Browser Password View,

03:16.220 --> 03:18.020
and the company name is NirSoft.

03:18.020 --> 03:25.400
So it seems that our malware authors did not write their own web browser password decrypter and stealer.

03:25.400 --> 03:32.270
Instead, they used a commercially available password recovery tool from NirSoft and then just embedded

03:32.270 --> 03:37.670
the EXE file, after encrypting it, inside the resource section.

03:37.970 --> 03:51.380
So this is how we can defeat the encryption for the embedded file, using dnSpy's ability to debug,

03:51.380 --> 03:54.560
set breakpoints and dump memory as well.

03:55.470 --> 03:58.740
So the next thing I want... okay, we can stop this now.

03:59.250 --> 04:07.740
The next thing I want to show you is how you can deobfuscate this module, this one which we saw just

04:07.740 --> 04:07.950
now.

04:08.220 --> 04:13.920
So in order to deobfuscate this class here, we can use something called de4dot.

04:14.190 --> 04:16.500
So let's close this now.

04:17.250 --> 04:19.170
So let's go to our file path.

04:19.500 --> 04:24.900
We want to deobfuscate this file, so we select it.

04:25.730 --> 04:26.960
Copy the path.

04:27.260 --> 04:28.600
Open a

04:28.610 --> 04:29.600
command prompt,

04:30.080 --> 04:33.140
because de4dot is a command line tool.

04:35.090 --> 04:40.640
And then here, navigate to this path that contains our Trojan.

04:41.030 --> 04:43.100
Do a dir to confirm it's there.

04:43.370 --> 04:49.190
And then type de4dot, followed by the name of our Trojan.

04:49.400 --> 04:54.050
Hit enter and let it do its deobfuscation.

04:54.740 --> 04:57.260
It has detected an unknown obfuscator

04:57.620 --> 05:03.230
and cleaned it into a separate file here, called dot malware clean.

05:03.500 --> 05:08.540
All right, so now we can open this dot malware clean inside our dnSpy.

05:09.740 --> 05:12.920
So we just drag the clean file.

05:14.290 --> 05:15.220
Put it in here.

05:15.640 --> 05:17.890
And now we open and take a look.

05:23.620 --> 05:30.220
We have a new file, the deobfuscated GClass0, which was previously in this file.

05:30.270 --> 05:37.000
Oh, so this is how we can deobfuscate any part of the class which has been obfuscated. Since

05:37.000 --> 05:37.870
it's deobfuscated,

05:37.990 --> 05:45.640
you can go ahead and analyze it using dnSpy, using the techniques that I've taught you in this course.

05:45.640 --> 05:50.110
So that's all for this lab walkthrough.

05:50.230 --> 05:51.880
Thank you for watching.
