WEBVTT

00:00.590 --> 00:02.990
Hello and welcome to a new section.

00:03.170 --> 00:07.550
This time we are going to unpack Trickbot Trojan.

00:07.550 --> 00:14.660
So go and download the Trickbot Trojan, unzip it and put it in a folder on your desktop called Trickbot

00:14.690 --> 00:15.410
Trojan.

00:16.360 --> 00:16.870
After that.

00:17.260 --> 00:19.000
Open up the FLARE folder.

00:19.030 --> 00:20.410
Go to Utilities.

00:21.480 --> 00:24.660
We are going to use Detect It Easy

00:24.690 --> 00:27.450
to check to see if it is packed.

00:28.390 --> 00:30.260
So launch Detect It

00:30.310 --> 00:30.600
Easy.

00:32.940 --> 00:40.440
And then click on the three dots here to navigate to the folder for the Trojan, which is on the desktop.

00:43.590 --> 00:46.080
Open the trickbot binary.

00:49.030 --> 00:49.840
Over here.

00:49.840 --> 00:53.650
It doesn't show whether there is any packer or any protection.

00:54.100 --> 00:55.390
Click on Entropy.

00:56.790 --> 01:01.350
And you will see here the status says it is packed 85%.

01:01.680 --> 01:03.240
So we know it is packed.

01:03.240 --> 01:13.740
But let us now go and try to unpack it using x32dbg via x64dbg.

01:14.190 --> 01:17.640
In the Options menu, click on Preferences.

01:17.670 --> 01:22.320
Uncheck System Breakpoint and uncheck TLS Callback.

01:22.890 --> 01:33.600
And then under Exceptions, click on Ignore Range, and for the start range key in eight zeros and for the end range

01:33.600 --> 01:34.920
key in eight Fs.

01:36.570 --> 01:38.580
Hit the OK button and click Save.

01:39.390 --> 01:42.630
Now open the Trojan.

01:46.400 --> 01:50.810
Click on the drop down list, select all files, and click on the Trickbot.

01:53.080 --> 01:55.900
Now you will see it has hit our entry point.

01:58.550 --> 02:01.520
Next we are going to put some breakpoints.

02:01.610 --> 02:05.090
So the first breakpoint we put is VirtualAlloc.

02:10.160 --> 02:11.000
Hit enter.

02:12.050 --> 02:14.150
Second breakpoint is.

02:14.850 --> 02:17.360
CreateProcessInternalW.

02:23.570 --> 02:31.490
CreateProcessInternalW is where the malware tries to attach to a newly created process.

02:31.490 --> 02:37.850
Or it can also create a new process by itself to run certain functions.

02:37.880 --> 02:38.840
Hit enter.

02:39.710 --> 02:43.910
Third one is a breakpoint on WriteProcessMemory.

02:44.510 --> 02:47.540
WriteProcessMemory.

02:47.690 --> 02:56.060
WriteProcessMemory is the API whereby the malware tries to hijack an existing process by copying parts

02:56.060 --> 03:00.710
of its code into that process memory in order to be stealthy.

03:01.340 --> 03:02.030
Hit Enter.

03:02.930 --> 03:10.940
After that, click on breakpoints to confirm that you have the three breakpoints as stated.

03:11.270 --> 03:17.120
VirtualAlloc, CreateProcessInternalW and WriteProcessMemory.

03:18.380 --> 03:31.850
After that, just hit F9. It hits VirtualAlloc. Press F8 or this button here to step over, then jump to

03:31.850 --> 03:32.390
VirtualAlloc.

03:36.150 --> 03:36.500
Okay.

03:36.510 --> 03:44.640
After this call, the allocated address in memory would be returned in the register.

03:44.970 --> 03:50.460
Kindly refer back to the previous lessons' documentation as well on this,

03:50.490 --> 03:52.040
if you have already forgotten.

03:52.050 --> 03:54.960
So let's step over it now and see.

03:54.960 --> 04:01.680
The return address is three two followed by four zeros, so you can follow it by right clicking and Follow

04:01.680 --> 04:02.310
in Dump.

04:03.670 --> 04:07.420
So now in dump one. Click run again.

04:08.480 --> 04:09.290
And now it hits

04:09.290 --> 04:09.680
VirtualAlloc

04:09.680 --> 04:10.550
one more time.

04:11.000 --> 04:16.130
Step over it and jump to VirtualAlloc, and jump again to VirtualAlloc.

04:17.630 --> 04:21.300
And now it's going to call VirtualAlloc for the second time.

04:21.320 --> 04:25.190
Let's step over and see what address is being allocated.

04:25.610 --> 04:30.500
This time it allocates this region of memory three, three, followed by four zeros.

04:30.530 --> 04:35.150
Before we follow this in the memory, let's take a look at the first dump.

04:35.630 --> 04:39.800
The first dump has been populated with some shellcode, as you can see.

04:40.130 --> 04:47.430
So it has unpacked certain shellcode in order to help it with the further unpacking of the main exe

04:47.510 --> 04:48.200
later on.

04:48.920 --> 04:51.200
So let's follow this in dump number two.

04:51.230 --> 04:57.560
So let's click on dump number two in memory and then right click on this address and Follow in Dump.

04:57.560 --> 04:59.750
So now we are following this in dump number two.

04:59.900 --> 05:01.490
At the moment it is empty.

05:01.520 --> 05:03.650
So let's run to VirtualAlloc again.

05:04.320 --> 05:07.410
And it hits VirtualAlloc again.

05:07.410 --> 05:15.690
And this time you see dump two has been unpacked with further code for the shellcode. Again, this will

05:15.690 --> 05:21.000
be used by the malware in order to help it unpack the final exe file.

05:22.380 --> 05:24.930
So now let's step over this VirtualAlloc.

05:26.550 --> 05:34.410
Keep on stepping over, jump, and then come to the call here, and then step over this call and look

05:34.410 --> 05:35.220
at EAX.

05:35.310 --> 05:40.260
It has allocated some more memory in the region four eight followed by four zeros.

05:40.260 --> 05:46.050
So let's follow this in dump number three, and then right click on this one and Follow in Dump.

05:47.040 --> 05:52.320
So now if you look at dump two, it has populated dump two and dump three is now empty.

05:53.100 --> 05:56.100
So let us now hit one more time

05:56.100 --> 05:56.700
run.

06:00.410 --> 06:09.380
It has stopped at our breakpoint for CreateProcessInternalW, so it is using this API to run a cmd

06:09.380 --> 06:13.550
command in order to stop Windows Defender.

06:14.540 --> 06:17.570
So we now need to step through this.

06:18.770 --> 06:22.430
At least now we know that it is trying to stop the antivirus.

06:22.760 --> 06:24.050
So run again.

06:25.950 --> 06:29.100
This time it hits the same breakpoint,

06:29.130 --> 06:35.070
CreateProcessInternalW, and it is now trying to delete the Windows Defender service.

06:36.590 --> 06:37.430
Click run again.

06:38.510 --> 06:44.960
Same thing, it hits the CreateProcessInternalW and this time it is trying to disable real-time monitoring

06:44.960 --> 06:47.210
using the PowerShell command.

06:48.410 --> 06:49.550
Hit run again.

06:50.930 --> 06:51.620
This time,

06:51.620 --> 06:55.430
it is now trying to drop a file into this location.

06:56.080 --> 07:02.920
So the name of the file is this one you JKL, Vtt dot FC in this location.

07:02.950 --> 07:06.740
This location is the AppData Roaming folder.

07:06.760 --> 07:10.510
We can go there now and try to see what file this is.

07:10.810 --> 07:15.550
So click on the Windows icon in the bottom left corner.

07:16.300 --> 07:21.940
And then here type Run and click on Run.

07:22.090 --> 07:30.490
And then here type in the environment variable %APPDATA%.

07:30.730 --> 07:36.580
So this environment variable, the shell variable, is referring to this location,

07:37.560 --> 07:38.730
AppData Roaming.

07:38.910 --> 07:41.640
So when you click OK, it will open that folder.

07:42.900 --> 07:48.390
And now once you're in this roaming folder, open the W network.

07:49.230 --> 07:50.820
W network is this one.

07:51.870 --> 07:54.810
And this is the file that the Trojan has dropped.

07:55.320 --> 08:02.850
So let us find out if this file is the same file as the Trickbot itself. To find out whether or not

08:02.850 --> 08:03.810
it is the same file.

08:04.260 --> 08:06.480
we will use HashMyFiles.

08:06.510 --> 08:12.480
So you click on Start here and look for HashMyFiles.

08:12.960 --> 08:14.010
This is the one.

08:14.860 --> 08:24.970
And then click on this, and we will now use the MD5 utility to generate the MD5 for this file.

08:26.900 --> 08:29.000
And now we have the MD5 for this file.

08:29.330 --> 08:32.750
And we also do the same thing for the Trickbot.

08:35.670 --> 08:43.620
Drag this into here and it will generate the MD5 for Trickbot, and you see the MD5 is the same hash.

08:43.620 --> 08:47.160
That means this file is the same as the Trickbot.

08:47.490 --> 08:49.110
So why does it do this?

08:49.560 --> 08:52.290
It does this in order to be more stealthy.

08:53.040 --> 08:57.150
This is part of the behavior of most Trojans.

08:57.900 --> 09:03.500
When it first runs, it will copy itself from wherever it was first loaded.

09:03.510 --> 09:06.840
For example, it was loaded from the downloads folder.

09:06.870 --> 09:14.220
Then it will copy itself to a location which is hidden, a stealthy location, so that in future it

09:14.220 --> 09:19.890
will run from this location instead of from the original place where it was first downloaded.

09:20.370 --> 09:26.220
So now we know that this is the same file as the Trickbot program itself, the original file.

09:26.460 --> 09:33.390
So before the Trojan will run, it will first probably check to make sure that it is in this

09:33.390 --> 09:37.920
stealthy location before it will proceed or continue running.

09:38.190 --> 09:44.140
We will pause here just for this video and continue the analysis in the next video.

09:44.160 --> 09:45.540
Thank you for watching.
