WEBVTT

00:00.810 --> 00:07.290
Okay, so now we are going to dump this from memory.

00:07.440 --> 00:12.430
And your address might be different from mine, so you just follow yours accordingly.

00:12.450 --> 00:17.460
So in order to dump this file from memory, we use Process Hacker.

00:18.480 --> 00:25.950
So we go to Process Hacker inside the Flash utilities folder and open Process Hacker.

00:27.930 --> 00:33.670
Click on Yes and then look for Hancitor in memory.

00:33.690 --> 00:34.560
Here it is.

00:34.710 --> 00:41.190
So double click on it and then go to the memory tab and look for this address.

00:41.640 --> 00:43.980
One C followed by four zeros.

00:47.010 --> 00:57.180
So over here, look for one C followed by four zeros, and you can see the permission bits are read, write,

00:57.180 --> 00:58.020
executable.

00:58.020 --> 00:59.460
So this must be the one.

01:00.150 --> 01:08.100
So if you expand on this and double click, you will see the executable file has been unpacked in memory

01:08.220 --> 01:11.190
and this is the one we are seeing down here, the same one.

01:11.310 --> 01:12.630
So we can dump this.

01:12.630 --> 01:21.990
Now we click on this one, right click and then Save, and then go to the Desktop malware core sample folder

01:22.290 --> 01:33.510
and we are going to dump it followed by the extension, followed by the suffix 0x1C followed by four

01:33.510 --> 01:36.030
zeros, one, two, three, four.

01:36.030 --> 01:39.720
So that we can remember that it has been done from this address.

01:39.720 --> 01:46.480
And we also need this address to set the image base inside Process Hacker.

01:48.420 --> 01:49.770
So click on Save.

01:51.410 --> 01:52.820
Now click on Close.

01:53.480 --> 01:56.960
And now we can stop Hancitor itself.

01:57.260 --> 01:59.480
Click on X to close.

02:01.500 --> 02:06.430
And now we are going to unmap measure in process cycle.

02:06.510 --> 02:07.650
Everything has been killed.

02:08.460 --> 02:12.180
Click close and now we can unmap this file using.

02:13.710 --> 02:15.240
So we open PE-bear.

02:18.070 --> 02:21.250
And then we drop our dump file.

02:22.390 --> 02:27.100
Before you do anything, make a copy, make a copy.

02:27.520 --> 02:29.500
And then now you dump this one.

02:29.530 --> 02:31.240
You open this one in PE-bear.

02:32.900 --> 02:37.190
And now we are going to fix the section headers.

02:37.640 --> 02:42.170
If you look at the imports, the import address table is all screwed up.

02:42.260 --> 02:46.610
So we need to fix this by fixing the section header.

02:47.090 --> 02:55.790
So the first thing we do is the raw address must be set to the same values as the virtual address.

02:55.970 --> 02:58.130
So we change this to 1000.

02:58.160 --> 02:59.870
This one to 4000.

02:59.900 --> 03:01.490
This one to 5000.

03:01.520 --> 03:03.140
This one to 8000.

03:03.230 --> 03:04.640
So let's do it now.

03:11.170 --> 03:12.040
1000.

03:13.330 --> 03:14.590
5000.

03:14.980 --> 03:17.260
So this process is called Unmapping.

03:19.840 --> 03:21.250
So make sure it's correct.

03:21.280 --> 03:23.650
14581458.

03:23.800 --> 03:29.680
Next, we need to fix the raw size by calculating based on the raw address.

03:29.770 --> 03:35.470
So the first raw size here is calculated by taking 4000 - 1000.

03:35.500 --> 03:37.420
So we should get 3000.

03:39.610 --> 03:44.380
The second raw size is calculated by taking 5000 - 4000.

03:44.410 --> 03:46.570
So this should be 1000.

03:49.390 --> 03:53.960
This raw size is now calculated by taking 8000 - 5000.

03:53.980 --> 03:56.110
So this should be 3000.

03:58.060 --> 04:00.640
And the last one, we can leave it.

04:00.760 --> 04:03.220
The section.

04:03.220 --> 04:04.690
We can just ignore it.

04:05.020 --> 04:07.720
So confirm this is correct.

04:08.940 --> 04:09.750
Next.

04:09.810 --> 04:14.670
Now that we have fixed the raw size with unmap, the raw address.

04:14.760 --> 04:18.660
Next, we have to fix the virtual size.

04:18.660 --> 04:22.680
So the virtual size here column must be the same as the raw size.

04:22.680 --> 04:30.390
So we're going to change this one to 3000, this one to 1000, this one to 3000 and this one to 200.

04:33.210 --> 04:34.080
3000.

04:37.330 --> 04:38.350
1000.

04:40.840 --> 04:44.680
3000, 200.

04:45.280 --> 04:46.390
So make sure it's correct.

04:46.420 --> 04:47.680
Three one, three, two.

04:47.710 --> 04:50.530
So now let's check our imports, whether it has been fixed.

04:50.560 --> 04:51.130
Yes.

04:51.130 --> 04:53.170
So we have fixed the import address table.

04:53.170 --> 04:57.070
You can see all the APIs that this malware is using.

04:58.660 --> 05:01.990
The next thing you want to do is fix the image base.

05:01.990 --> 05:04.090
So let's go to optional headers.

05:04.270 --> 05:07.330
So this process is called rebasing.

05:07.570 --> 05:13.780
So let's check the image base here and we find that image base is already correct.

05:13.810 --> 05:20.220
One C followed by four zeros, which is what we saw here.

05:20.230 --> 05:21.690
One C, 440.

05:21.700 --> 05:23.420
This is the very dumb it forms.

05:23.470 --> 05:26.530
So since it's already correct, there is no need to change it.

05:26.770 --> 05:29.050
So we can now dump the file.

05:29.710 --> 05:36.970
So right click on here and click Save the executable as, and then give it a name.

05:37.360 --> 05:40.190
Maybe we can call it.

05:42.850 --> 05:47.590
Underscore unmap, and click Save.

05:50.360 --> 05:56.180
Now click OK, and we can now close this, and we have this unmapped file here.

05:56.180 --> 06:00.290
We can now go and open it in IDA to see whether IDA can read it.

06:01.730 --> 06:03.050
So let's open IDA.

06:09.760 --> 06:16.060
Click New and open our unmapped file over here.

06:18.160 --> 06:18.370
Okay.

06:18.370 --> 06:19.030
Okay.

06:24.410 --> 06:25.700
Just ignore this, click

06:25.700 --> 06:26.300
Okay.

06:28.850 --> 06:29.980
Let it analyze.

06:31.530 --> 06:33.360
And look at the function here.

06:34.200 --> 06:41.220
Now, you have so many functions compared to our first analysis where there's only one start function.

06:41.250 --> 06:48.750
So that means we have successfully unpacked Hancitor, and you can see the function names as well.

06:49.350 --> 06:55.500
And then here you can look at the imports that are there as well, and then you can also

06:55.500 --> 07:05.130
look at the Strings view: open up Views and then click on Strings, and you can see the strings here

07:05.940 --> 07:07.530
and you can look in this.

07:07.560 --> 07:09.270
We also have a URL here.

07:11.400 --> 07:14.910
The SBC host and so on.

07:15.060 --> 07:16.220
So that's it.

07:16.230 --> 07:19.740
So we have successfully unpacked this malware.

07:20.370 --> 07:26.900
Some consider using the API hooking method and unmapping it using PE-bear.

07:27.270 --> 07:29.750
So that's all for this session.

07:29.760 --> 07:31.710
Thank you for watching.
