WEBVTT

00:00.690 --> 00:02.100
Hello and welcome.

00:02.100 --> 00:09.750
In this video I will show you how to use API hooking in analyzing and reversing malware.

00:09.930 --> 00:19.140
So go and download the Panda Banker bin from the resource section and create a folder on the desktop called

00:19.140 --> 00:21.510
malware samples and put it in here.

00:21.840 --> 00:29.430
And then we are going to open x64dbg as administrator and then open Panda Banker.

00:29.850 --> 00:37.140
So before that, in the options preferences for x64dbg, in the Events tab,

00:38.720 --> 00:44.340
uncheck system breakpoint and callbacks, leaving only entry breakpoint checked.

00:44.360 --> 00:45.170
Click Save.

00:46.200 --> 00:48.720
Then go and open Panda Banker.

00:50.060 --> 01:00.920
So click on this and go to the desktop, to the malware course sample location, and change to all files

01:00.920 --> 01:01.460
here.

01:01.490 --> 01:03.500
Click on this and open it.

01:04.600 --> 01:09.850
So now, the moment you open it, it will break at the entry point.

01:10.000 --> 01:11.590
I'm going to expand it here.

01:11.600 --> 01:12.580
Entry point.

01:13.150 --> 01:22.570
So the technique of API hooking is that we are going to set breakpoints on the most common APIs that malware

01:22.570 --> 01:23.410
uses.

01:23.620 --> 01:32.200
So we will start off by putting a breakpoint on VirtualAlloc.

01:38.050 --> 01:38.290
Hit

01:38.290 --> 01:43.540
enter. Breakpoint on VirtualProtect.

01:46.520 --> 01:55.250
Hit enter. VirtualAlloc and VirtualProtect are used to trap the APIs that are used when the malware is

01:55.250 --> 01:56.720
trying to unpack code.

01:56.900 --> 01:59.210
That's why we put breakpoints on those two.

01:59.240 --> 02:04.820
Next, there are also anti-analysis APIs which we need to put breakpoints on.

02:04.820 --> 02:08.390
So the first one is IsDebuggerPresent.

02:13.130 --> 02:13.790
Hit enter.

02:15.200 --> 02:24.810
And then the other one is CreateToolhelp32Snapshot.

02:25.620 --> 02:31.350
So this one is used to enumerate the list of running processes in memory.

02:31.380 --> 02:32.220
Hit enter.

02:32.220 --> 02:41.670
And then the other one is a breakpoint on Process32First.

02:42.810 --> 02:51.540
This one is used in conjunction with CreateToolhelp32Snapshot in order to iterate through the list of running processes.

02:51.570 --> 02:57.120
Hit enter. Then the next one is a breakpoint on Process32Next.

02:57.120 --> 03:05.460
This is also used in conjunction with CreateToolhelp32Snapshot in order to iterate through

03:05.460 --> 03:07.710
the list of running processes in memory.

03:07.920 --> 03:15.150
So CreateToolhelp32Snapshot runs with Process32First and Process32Next in order to list

03:15.150 --> 03:18.270
out the entire running processes in memory.

03:18.300 --> 03:20.550
Next one is CreateFile.

03:20.670 --> 03:34.990
So we've got to put a breakpoint on CreateFileW for the Unicode version, and the other one is CreateFileA for the ASCII version.

03:35.410 --> 03:36.040
Hit enter.

03:36.040 --> 03:43.960
So the CreateFile API is used to keep track of what files are being written to or read, and it is also

03:43.960 --> 03:52.270
used by the malware for checking to see whether you have got any kind of anti-analysis tools installed

03:52.300 --> 03:53.740
on your system.

03:53.740 --> 04:02.720
So the next one is a breakpoint on CreateProcessInternalW.

04:02.740 --> 04:11.830
So this one is to keep track of when the malware is going to execute code which it has already unpacked.

04:11.860 --> 04:18.730
Now when malware is unpacking, it will use VirtualAlloc and VirtualProtect, and after that it will

04:18.730 --> 04:25.570
use CreateProcessInternalW to start the unpacked code and run it.

04:26.230 --> 04:27.970
So we also put breakpoints on those.

04:27.970 --> 04:33.370
So if you take a look at the breakpoint tab now these are all the breakpoints which I've set.

04:34.030 --> 04:48.370
VirtualAlloc, CreateFileW, VirtualProtect, IsDebuggerPresent, CreateFileA, CreateProcessInternalW, CreateToolhelp32Snapshot, Process32Next and Process32First.

04:48.400 --> 04:50.200
Now we are ready to run it.

04:50.200 --> 05:00.700
So just hit run, and it hits VirtualProtect, and VirtualProtect is going to change the permission

05:00.700 --> 05:02.740
bits for a certain region of memory.

05:02.740 --> 05:10.480
And you can actually look at the parameters here, and you can refer to MSDN to see the meaning

05:10.480 --> 05:13.750
of all these parameters that are being passed to VirtualProtect.

05:13.870 --> 05:21.700
But for this occasion it's not necessary to discuss it, because it's not so important for this particular

05:21.700 --> 05:22.120
malware.

05:22.750 --> 05:31.000
So just hit run, which will also show the parameters to VirtualAlloc over here, and VirtualAlloc

05:31.000 --> 05:37.630
will allocate space in the memory for unpacking code and here are the parameters to it.

05:37.780 --> 05:44.920
And you can also refer to MSDN or Microsoft by Googling to see what the parameters mean.

05:44.920 --> 05:49.420
So I'll just continue with this one running still.

05:49.450 --> 05:51.310
VirtualAlloc, VirtualAlloc.

05:51.730 --> 05:56.350
Click one more time, run with yellow, click again.

05:56.710 --> 05:58.900
VirtualAlloc still; keep on clicking.

06:01.110 --> 06:04.730
Okay, now it's going to read some files.

06:04.740 --> 06:08.070
So let's click run and see what file it is trying to read.

06:09.450 --> 06:09.840
Okay.

06:09.840 --> 06:16.290
It's looking to see whether you have this program installed and now it's going to check this file.

06:17.650 --> 06:17.980
All right.

06:18.010 --> 06:23.530
Now it's going to check whether you have the Wireshark library installed.

06:23.710 --> 06:26.110
So this is a library used by Wireshark.

06:26.230 --> 06:33.970
So if we continue to run now, it will quit, because this is part of the anti-analysis system of this

06:33.970 --> 06:34.390
malware.

06:34.540 --> 06:41.650
So we have to uninstall the library for Wireshark, which is WinPcap, I think, and also Wireshark

06:41.650 --> 06:42.040
itself.

06:42.400 --> 06:46.750
If we don't uninstall it, we won't be able to continue with the analysis.

06:46.900 --> 06:48.340
So just uninstall it.

06:48.340 --> 06:51.550
Go here and look for Add/Remove Programs.

06:52.510 --> 06:53.260
Click Add/Remove.

06:54.370 --> 07:00.760
Click on this one, Add/Remove Programs, and then here in the list of all the files that are installed,

07:00.940 --> 07:05.470
go down and uninstall the last two, WinPcap and Wireshark.

07:06.010 --> 07:08.440
So we right click on WinPcap.

07:08.560 --> 07:13.780
Click on uninstall. WinPcap is this one, and this one, IP.

07:14.260 --> 07:16.120
So we need to uninstall WinPcap.

07:16.720 --> 07:18.380
So right click uninstall.

07:20.500 --> 07:21.790
Click on uninstall here.

07:22.030 --> 07:28.390
Don't worry, you can always restore it back using the virtual machine restore function later.

07:29.110 --> 07:29.920
Click finish.

07:30.580 --> 07:35.050
Now we uninstall Wireshark, so right click on Wireshark and uninstall.

07:36.430 --> 07:39.250
Click on next and click on Next again.

07:40.270 --> 07:41.380
Click on Uninstall.

07:41.680 --> 07:44.060
So it is ready to uninstall itself.

07:44.080 --> 07:45.280
Click on Next again.

07:46.180 --> 07:47.170
Click on finish.

07:47.170 --> 07:50.590
So now it has uninstalled WinPcap and Wireshark.

07:50.980 --> 07:53.320
So now you pass this test.

07:53.410 --> 07:58.450
So CreateFile is used to check whether files exist or not.

07:58.480 --> 08:00.790
So in this case we can run again.

08:01.680 --> 08:09.110
And now it is going to use CreateToolhelp32Snapshot. CreateFile earlier was used to check for the existence of files.

08:09.120 --> 08:15.870
If a file exists, it means you have installed that anti-analysis program, like Wireshark for example.

08:16.020 --> 08:22.530
But CreateToolhelp32Snapshot is used to check for what is already running in memory.

08:22.710 --> 08:26.760
That's the difference between CreateToolhelp32Snapshot and CreateFile.

08:27.210 --> 08:34.590
So here it is now checking whether Wireshark is running in memory, but since we did not start Wireshark,

08:34.590 --> 08:41.760
we can safely continue. Now it's checking for Immunity Debugger, whether it's open in memory.

08:42.500 --> 08:43.700
Then continue running.

08:43.910 --> 08:47.300
Now we're checking for process cycle, but we are not running process cycle.

08:49.020 --> 08:51.810
Checking for Process Explorer.

08:53.110 --> 08:56.440
Click Run. Checking for Process Monitor.

08:57.040 --> 09:00.520
Click Run. Now checking for IDA.

09:00.760 --> 09:01.750
IDA Pro.

09:01.990 --> 09:06.160
So I'm not opening IDA Pro in memory now, so I can safely continue.

09:06.190 --> 09:07.150
Click Run again.

09:07.510 --> 09:10.000
Now it's checking whether shot is running.

09:10.630 --> 09:13.810
Click run and auto it to X.

09:15.010 --> 09:18.370
Then run. Now it's checking if you've got Perl running.

09:19.150 --> 09:21.820
Click run, whether Python is running.

09:22.930 --> 09:28.540
Click run again, and it's checking for some files, which is not important.

09:28.570 --> 09:29.800
Just continue running.

09:30.310 --> 09:31.360
Click run.

09:31.840 --> 09:33.580
So now it is checking all this.

09:33.610 --> 09:36.250
If it finds all these types of things, it will quit.

09:36.790 --> 09:37.750
Not important.

09:37.750 --> 09:38.920
So just run.

09:39.810 --> 09:40.860
Run again.

09:41.910 --> 09:42.750
And again.

09:44.440 --> 09:45.340
Run again.

09:46.520 --> 09:46.940
Run.

09:47.630 --> 09:53.990
Okay, now it's opening this location, so we can also open this location.

09:53.990 --> 09:56.600
Maybe it's trying to drop a file there.

09:56.900 --> 09:57.980
So let's go there.

09:57.980 --> 10:07.640
Now we can click on this one, open the Run box, and then key in the

10:08.970 --> 10:13.350
environment path variable called APPDATA.

10:13.780 --> 10:15.390
APPDATA.

10:16.170 --> 10:21.930
So the symbol is present at the top, which refers to this path.

10:22.320 --> 10:23.040
So click.

10:23.040 --> 10:23.820
Okay.

10:24.720 --> 10:30.660
And now we are in AppData\Roaming, and let's see what's going to happen here next.

10:30.930 --> 10:32.460
So keep on running.

10:36.180 --> 10:36.480
Okay.

10:36.480 --> 10:39.270
And we see something here in the stack.

10:39.420 --> 10:42.570
If we pull this to the left, you can see the full path.

10:42.870 --> 10:44.640
It is trying to drop a file here.

10:45.540 --> 10:52.140
in this location in AppData\Roaming, so we can go there now and inspect the location and see

10:52.170 --> 10:54.240
what it is going to do.

10:54.450 --> 10:57.720
So it might be different for your machine, you know?

10:57.720 --> 11:05.100
So if your machine doesn't say npm-cache, you should follow whatever is shown in your particular case.

11:05.100 --> 11:11.670
For my machine it is showing npm-cache, so I'm just going to follow it here, npm-cache.

11:13.390 --> 11:14.440
Then an underscore,

11:16.280 --> 11:25.900
cacache, followed by content-v2, then followed by sha1, and then followed by 01,

11:27.890 --> 11:33.350
followed by ec. These are the files that it has dropped.

11:36.580 --> 11:37.290
These three files.

11:37.300 --> 11:38.560
So the next one it is going to drop,

11:38.560 --> 11:45.370
there is this file with the ammo extension, so we can go here and click and see what happens when we

11:45.370 --> 11:45.790
run.

11:47.240 --> 11:47.660
Okay.

11:47.660 --> 11:49.310
I believe it has dropped the file there.

11:49.790 --> 11:51.020
Let's go and confirm it.

11:52.330 --> 11:53.110
And there you go.

11:53.350 --> 11:55.150
This file has been dropped there.

11:55.450 --> 11:59.860
And now the next file it is going to drop in this location is this one.

11:59.860 --> 12:02.410
And it's interesting.

12:02.410 --> 12:05.710
Okay, so let it run and see what happens.

12:05.890 --> 12:06.610
Run.

12:06.640 --> 12:11.230
And now we go inspect the folder, and there you go.

12:11.660 --> 12:13.030
Here it is.

12:13.300 --> 12:15.280
But at the moment, it's still zero.

12:15.310 --> 12:17.580
That means it hasn't written anything to it.

12:17.590 --> 12:21.070
It has only created the file, but it is still an empty file.

12:21.490 --> 12:28.090
So let's continue to execute and see whether or not it will copy something into it.

12:29.540 --> 12:37.700
So at this point here, we can run to user code and see whether or not it writes to this file.

12:38.840 --> 12:41.870
So now we run to user code over here.

12:43.310 --> 12:47.090
Okay, we're in user code and let's see what's going to happen.

12:47.750 --> 12:48.290
Nothing yet.

12:48.290 --> 12:50.450
So let's continue to run.

12:50.720 --> 12:52.010
Okay, VirtualAlloc.

12:52.790 --> 12:55.190
So now let's see what's happening here.

12:55.820 --> 12:56.180
Okay.

12:56.180 --> 12:58.160
It still hasn't written anything to it yet.

12:58.490 --> 13:02.250
But it is allocating something.

13:02.270 --> 13:03.410
Let's continue to run.

13:04.070 --> 13:04.460
Okay.

13:04.460 --> 13:07.790
Now it's going to read, and maybe write, to the file.

13:07.790 --> 13:10.280
You can see now the parameter is this file.

13:11.330 --> 13:16.910
Okay, now we can go to user code and see.

13:17.930 --> 13:25.370
We just called this API to open this exe file, and now we're going to see what it's going to do.

13:25.410 --> 13:26.600
Looks like it's going to write here.

13:26.600 --> 13:32.900
So let's step over, and now we can press F8 to continue to step over.

13:38.060 --> 13:43.400
Okay, now it's going to write. At the moment it is still zero, this one.

13:43.940 --> 13:48.020
And we can see in the stack it's going to write this.

13:48.290 --> 13:54.410
Now we can refer to this API in MSDN.

13:54.860 --> 14:00.950
This is Microsoft MSDN, and then here you can see the API for WriteFile.

14:00.980 --> 14:09.500
The second parameter is the buffer, which is going to be used for writing into the target.

14:09.980 --> 14:11.730
And this is the target.

14:11.760 --> 14:18.990
The first parameter: you can see the description here. The buffer is a pointer containing the data to be

14:18.990 --> 14:23.160
written to the file, and the file is the first parameter.

14:23.160 --> 14:25.560
So the second parameter is a buffer.

14:25.560 --> 14:33.420
So these are the parameters to WriteFile, and you can compare them with the stack, the parameters in

14:33.420 --> 14:35.280
the stack over here.

14:35.940 --> 14:43.770
So the first parameter is the file handle and the second parameter is your buffer.

14:44.310 --> 14:50.040
Now we can follow this: right click and Follow DWORD in Dump.

14:50.160 --> 14:51.510
And you can see here.

14:52.230 --> 14:59.550
So at this address, this is the buffer it is going to use to write into the exe file.

15:00.480 --> 15:02.760
The exe file is this file.

15:03.450 --> 15:05.100
Currently it's still zero bytes.

15:05.520 --> 15:10.050
So it's going to take all this and write it into this file.

15:10.830 --> 15:15.330
That is the meaning of the parameters here for this API.

15:16.200 --> 15:24.630
So this one is an executable file, because there are the MZ magic bytes in the header and also the confirmation

15:24.630 --> 15:25.830
of the string

15:25.860 --> 15:28.500
"This program cannot be run in DOS mode".

15:28.830 --> 15:30.900
So this is an executable file itself.

15:32.520 --> 15:33.000
Okay.

15:33.000 --> 15:36.030
So now we step over this WriteFile.

15:38.870 --> 15:40.820
And run until CloseHandle.

15:41.990 --> 15:42.650
Step over.

15:42.650 --> 15:43.970
Until it closes the handle.

15:45.520 --> 15:46.000
All right.

15:46.210 --> 15:50.230
So this CloseHandle closes the handle for this CreateFile.

15:50.560 --> 15:53.220
So now we go back and inspect the size.

15:53.240 --> 15:55.810
You can see it's 145 kilobytes.

15:55.840 --> 15:59.290
It has copied this buffer into this file.

15:59.860 --> 16:04.060
And you can check what file this is by using a hash.

16:04.420 --> 16:07.270
So let's get the hash for this file.

16:08.470 --> 16:11.200
Right click and MD5 hash.

16:12.220 --> 16:14.800
And this is the hash MD5.

16:14.980 --> 16:18.910
Copy the hash and then open a notepad.

16:20.230 --> 16:21.670
Open a notepad.

16:26.110 --> 16:28.060
And paste the hash here.

16:28.930 --> 16:31.300
So this one is an unknown file.

16:31.300 --> 16:40.150
We just put a question mark for the unknown file, and then we suspect that this file is actually a copy of

16:40.300 --> 16:41.260
Panda Banker.

16:41.800 --> 16:47.290
So we can go to Panda Banker, get a hash for this as well, and find the hash.

16:47.950 --> 16:52.480
And we copy the hash and we put it here and see whether they are the same.

16:53.970 --> 16:54.570
All right.

16:54.870 --> 16:57.120
So this is Panda Banker.

16:59.460 --> 17:02.430
And you can see they are the same file, the hash,

17:02.460 --> 17:04.020
the MD5 hashes are the same.

17:05.010 --> 17:09.900
So this confirms our suspicion that it has copied itself into a

17:09.930 --> 17:11.190
hidden folder,

17:11.220 --> 17:14.670
a hidden directory in this location.

17:14.820 --> 17:20.670
Now for your computer, it might not be the same location, so you might need to change accordingly

17:20.670 --> 17:23.490
based on what you see in your machine.

17:23.490 --> 17:28.650
So I think we will continue with this analysis in the next video.

17:28.940 --> 17:30.270
And thank you for watching.
