WEBVTT

00:01.030 --> 00:02.270
Hello and welcome back.

00:02.290 --> 00:11.740
In the previous video, we stopped here where we found that the Trojan was making a copy of itself into

00:11.740 --> 00:13.020
a stealthy location.

00:13.030 --> 00:19.720
So in future, the Trojan will run from here for sure, because this is a stealthy location, and before

00:19.720 --> 00:25.590
it will unleash its full powers, it will make sure that it checks its path.

00:25.600 --> 00:30.520
So we might as well analyze it from here instead of from the original one.

00:30.700 --> 00:40.060
So now we will stop this original analysis in x64dbg and open the other location instead.

00:40.690 --> 00:44.530
That means we will use x64dbg to analyze this.

00:44.530 --> 00:55.720
So we select the path, copy, and then we go to x64dbg, then Open, paste the path here, and then hit Enter

00:55.720 --> 00:58.420
and then open this new file.

01:01.530 --> 01:07.200
Now, we are also going to put the same breakpoints as we did in the first session.

01:07.770 --> 01:18.030
So let's put the breakpoint on VirtualAlloc, hit Enter, and the breakpoint on CreateProcessInternal

01:18.030 --> 01:18.720
W

01:22.350 --> 01:26.850
hit Enter, and then a breakpoint on WriteProcessMemory,

01:29.850 --> 01:40.380
hit Enter, and one more additional breakpoint called NtWriteVirtualMemory: breakpoint on NtWrite

01:40.980 --> 01:43.710
VirtualMemory.

01:44.100 --> 01:50.070
Now this NtWriteVirtualMemory is the same as WriteProcessMemory, but is lower level.

01:50.070 --> 01:54.390
And normally we use this as well in order to make sure we don't miss anything.

01:54.780 --> 02:01.600
So hit Enter and then click on the Breakpoints tab to confirm that we have all four breakpoints.

02:02.380 --> 02:06.790
So now we can go back and continue with the analysis.

02:06.910 --> 02:15.730
So press F9 or this Run button and let it hit the first breakpoint, VirtualAlloc.

02:16.240 --> 02:22.390
So now we press F8 or Step Over, we jump to VirtualAlloc

02:27.250 --> 02:28.810
and then step over this.

02:30.060 --> 02:36.650
And look at EAX, select dump number one, and then follow this in dump one.

02:36.660 --> 02:38.010
Right click, Follow in Dump, and done.

02:38.700 --> 02:39.810
Now it's empty.

02:40.380 --> 02:45.000
Click F9 or the Run button; it hits VirtualAlloc again.

02:45.040 --> 02:46.050
Step over again.

02:46.980 --> 02:51.120
So it's behaving the same as in the first session.

02:54.840 --> 02:55.140
Okay.

02:55.170 --> 02:59.720
Step over this VirtualAlloc and then look at this EAX.

02:59.730 --> 03:04.470
So now click on number two and notice that number one has been populated with shellcode.

03:06.180 --> 03:09.720
Click on dump number two and then right click on this, Follow in Dump.

03:10.410 --> 03:13.350
So we are following number two, which at the moment is empty.

03:13.380 --> 03:14.550
So click run.

03:15.500 --> 03:18.530
And now number two has been populated with shellcode.

03:19.460 --> 03:24.410
So this shellcode in here, this location in memory, as well as this location in

03:24.410 --> 03:28.600
memory, is the same: C 32 and then 33.

03:28.610 --> 03:36.470
So they are continuous, like one big shellcode that is going to be used by the Trojan in order

03:36.470 --> 03:39.320
to help it unpack the final executable.

03:40.250 --> 03:42.620
So now we hit VirtualAlloc again.

03:42.620 --> 03:43.880
So we step over it.

03:46.880 --> 03:55.190
Jump to VirtualAlloc and then step over this VirtualAlloc and look at the allocation, this time at this

03:55.190 --> 03:55.810
address.

03:55.820 --> 04:03.110
So now select this third dump and then right click on this address, Follow in Dump number three.

04:03.470 --> 04:05.300
So at the moment dump three is empty.

04:05.330 --> 04:06.110
So run.

04:09.210 --> 04:14.400
It is now freely running and now it is at VirtualAlloc again.

04:15.580 --> 04:15.850
Away.

04:19.070 --> 04:19.620
Summary.

04:20.930 --> 04:29.900
And now step over this call to VirtualAlloc and look: this is a new address, air followed by four

04:29.900 --> 04:30.440
zero.

04:30.650 --> 04:35.750
Click dump number four, and then right click on this, Follow in Dump.

04:36.650 --> 04:38.750
So now dump number four is empty.

04:39.110 --> 04:39.980
Click Run.

04:42.090 --> 04:42.810
Step over.

04:42.810 --> 04:48.090
So part of malware analysis unpacking is just to keep on following the VirtualAllocs

04:50.150 --> 04:55.130
And see what is being unpacked, if any, in any of those locations.

04:55.280 --> 05:01.580
So we hit VirtualAlloc again, but this time we saw that dump four has been populated with some executable.

05:01.610 --> 05:04.910
We see that this is a 64 bit executable.

05:06.690 --> 05:08.520
And dump three is still blank.

05:09.090 --> 05:11.070
So now we hit VirtualAlloc again.

05:11.100 --> 05:12.210
Let's step over.

05:15.210 --> 05:17.220
We are looking for the final executable.

05:18.180 --> 05:19.350
So let's step over.

05:21.780 --> 05:22.260
All right.

05:22.260 --> 05:29.360
And then this time it has allocated this region of memory six D, followed by four zeros.

05:29.370 --> 05:36.210
So we go to dump number five and then right click on this and then Follow in Dump, dump number five.

05:36.570 --> 05:37.710
Now we hit run.

05:38.550 --> 05:39.690
It hits VirtualAlloc.

05:39.690 --> 05:43.050
This time dump number five has got some executable.

05:43.170 --> 05:48.720
You can see the magic header, magic bytes, and the string

05:48.720 --> 05:50.700
"This program cannot be run in DOS mode."

05:50.850 --> 05:59.820
So if you wanted to, you can dump this now by right clicking this and then Follow in Memory Map and

05:59.820 --> 06:05.490
then go here and then right click and then click on Dump Memory to File.

06:05.640 --> 06:13.500
And then once you dump memory to file, you can fix the unmapping using PE-bear and then analyze it with

06:13.500 --> 06:14.340
your IDA.

06:15.000 --> 06:16.880
All right, so this is one.

06:16.990 --> 06:18.670
One is that you can dump.

06:19.210 --> 06:19.510
All right.

06:19.510 --> 06:22.090
I'll leave that to you if you wanted to do that.

06:22.180 --> 06:27.910
But for this video, I will proceed to see what other executables are being done.

06:28.240 --> 06:29.890
So now we click.

06:30.220 --> 06:31.990
Now we have a VirtualAlloc again.

06:32.200 --> 06:34.780
So we step over.

06:45.120 --> 06:48.450
And now we are going to go to VirtualAlloc again.

06:48.450 --> 06:53.610
So now we step over and this time it allocates this region of memory.

06:54.480 --> 07:01.890
So right click. Right, this region of memory is not allocated yet, so that's why you can't follow it.

07:02.670 --> 07:04.020
So we run again.

07:05.730 --> 07:07.710
Again, we step over.

07:12.460 --> 07:12.720
Right?

07:12.720 --> 07:14.190
We are going to call VirtualAlloc again.

07:15.630 --> 07:15.960
All right.

07:15.960 --> 07:20.010
This time it allocates this region of memory.

07:20.040 --> 07:20.910
Right click.

07:21.090 --> 07:22.620
This time you can Follow in Dump.

07:22.830 --> 07:28.770
So since we have used all the five dumps, we go back to dump number one.

07:29.340 --> 07:35.040
And then over here we are going to follow in number one: right click, Follow in Dump.

07:35.880 --> 07:40.890
So this dump, number one, is now at this address, one followed by seven zeros.

07:40.920 --> 07:42.940
It is empty at the moment.

07:43.090 --> 07:45.310
So let us run and see what happens.

07:45.430 --> 07:47.980
And this time it has populated it.

07:47.980 --> 07:49.720
With all this code.

07:51.190 --> 07:52.310
This is an exe.

07:52.360 --> 07:56.110
You can see the magic bytes MZ followed by this string:

07:56.110 --> 07:58.960
"This program cannot be run in DOS mode."

07:59.530 --> 08:01.060
I'm not going to dump this now.

08:01.390 --> 08:03.970
We are not sure if it has fully unpacked it.

08:04.000 --> 08:10.390
We only can see the header, so to be sure that it is fully unpacked, we will continue to run until

08:10.390 --> 08:12.610
it is about to execute this code.

08:12.610 --> 08:20.080
So now we will open Process Hacker to see whether it will execute this code in other processes.

08:20.650 --> 08:30.340
So we open Process Hacker over here: go to Utilities, click on Process Hacker.

08:35.670 --> 08:39.130
And then we see if it has spawned any additional processes.

08:39.150 --> 08:47.700
So at the moment our Trojan has not spawned any additional processes, and Trickbot is known for spawning

08:48.030 --> 08:52.650
a process called svchost and then injecting part of its code,

08:52.680 --> 08:54.210
its code, inside svc

08:54.240 --> 08:54.750
host.

08:55.020 --> 08:58.370
So that's why we will continue to run.

08:58.390 --> 09:05.610
It's probably going to inject this code here inside the svchost, which we'll see later.

09:05.880 --> 09:07.600
So that's why we are not dumping now.

09:07.620 --> 09:11.130
We wait for it to finish unpacking first.

09:11.130 --> 09:17.670
And how will we know when it has finished unpacking? When it is about to write to virtual memory

09:17.670 --> 09:18.870
inside svc

09:18.870 --> 09:20.740
host. That's how we know.

09:20.760 --> 09:23.640
So at the moment we still continue to run.

09:24.910 --> 09:27.400
So this VirtualAlloc we can step over.

09:34.200 --> 09:40.590
Okay, now we come to this step again, and this time it is continuing to unpack itself to the same

09:40.590 --> 09:41.700
region of memory.

09:42.240 --> 09:45.720
One followed by seven zeros, but at a lower address.

09:46.690 --> 09:51.610
Okay, so it continues to unpack itself here, so we don't have to follow this in dump because we know

09:51.610 --> 09:52.120
what it's doing.

09:52.120 --> 09:58.280
But if you want, you can follow; you can select dump two, right click, and then Follow in Dump number

09:58.310 --> 09:58.690
two.

09:58.720 --> 09:59.410
Which one?

09:59.800 --> 10:00.850
Now we run.

10:01.300 --> 10:07.870
And true enough, it has unpacked additional code in this region of memory, starting from here, going

10:07.870 --> 10:09.640
down and continuing here.

10:09.640 --> 10:10.990
Same region of memory.

10:11.470 --> 10:13.420
And if we hit VirtualAlloc again.

10:17.050 --> 10:18.040
So let's jump.

10:18.430 --> 10:19.450
Continue.

10:20.800 --> 10:22.300
Okay, let's step over this call.

10:24.130 --> 10:31.120
And it's still unpacking itself to the same region of memory, this time at this address.

10:31.120 --> 10:33.250
So follow this in

10:33.250 --> 10:38.380
dump number three: select dump number three, right click, and then Follow in Dump number three.

10:38.980 --> 10:40.630
So we are now following here.

10:41.290 --> 10:42.220
Let's run.

10:42.850 --> 10:45.100
And this time it has unpacked.

10:45.840 --> 10:52.020
Continuing to unpack additional code to the same region of memory, starting from here.

10:52.260 --> 10:53.820
Continuing here.

10:54.180 --> 10:55.650
Continuing here.

10:55.740 --> 11:03.390
And you can see this is the library which it is trying to load: load, load, kernel32 and so on.

11:03.990 --> 11:07.420
So this seems like almost the end of the unpacking already.

11:07.440 --> 11:08.400
Once you see this.

11:08.400 --> 11:10.500
But anyway, let's continue.

11:11.290 --> 11:12.430
Step over the VirtualAlloc.

11:19.610 --> 11:22.310
Okay, let's call this and see what it does now.

11:23.150 --> 11:30.680
Okay, so now it still continues to unpack, so we follow it in dump four and then right click.

11:31.490 --> 11:36.440
Now this same region of memory, starting with one, following in dump number four.

11:36.830 --> 11:38.750
And then let's run and see what happens.

11:39.650 --> 11:40.050
All right.

11:40.100 --> 11:40.610
Still watching.

11:42.500 --> 11:43.370
Step over.

11:44.510 --> 11:44.960
Jump.

11:48.850 --> 11:50.110
Step over the VirtualAlloc.

11:50.860 --> 11:53.890
Still unpacking this time to this region of memory.

11:54.220 --> 11:57.430
So click on this dump five.

11:57.460 --> 11:58.060
Right click.

11:58.390 --> 11:59.590
Follow in Dump.

12:01.180 --> 12:02.890
Still nothing here, so just run.

12:03.370 --> 12:03.670
Ah.

12:03.910 --> 12:04.810
This time it is.

12:04.810 --> 12:05.480
Dump something.

12:05.560 --> 12:08.830
Five four is still empty, right?

12:08.860 --> 12:11.200
So it is still continuing to unpack.

12:11.350 --> 12:16.540
The unpacking process has started from dump one at this address and continues here.

12:16.540 --> 12:18.190
Same address, same range.

12:18.310 --> 12:19.510
But lower down.

12:19.690 --> 12:20.890
Continue here.

12:20.920 --> 12:21.970
Even lower down.

12:21.970 --> 12:22.800
Same range.

12:22.810 --> 12:24.010
Continue here.

12:25.000 --> 12:26.530
Continue here.

12:27.500 --> 12:32.120
Same region of memory, starting with one followed by seven zeros here.

12:32.300 --> 12:32.690
All right.

12:32.690 --> 12:33.980
So this is interesting.

12:34.100 --> 12:35.420
Let's follow this.

12:35.450 --> 12:39.680
See what else it is going to unpack in that region of memory.

12:39.980 --> 12:44.090
So let's step over, go to the call here.

12:44.540 --> 12:45.980
Step over this VirtualAlloc.

12:46.370 --> 12:52.280
This time I think it has finished unpacking because now it is a totally different area of memory.

12:52.460 --> 12:54.770
Six E. So we can ignore that.

12:55.130 --> 12:56.990
We are now continuing to run.

12:56.990 --> 13:00.680
Just click on F9 until we see this.

13:01.370 --> 13:03.330
So this is what we are looking for.

13:03.350 --> 13:07.730
Once you see this, that means it has finished unpacking.

13:07.910 --> 13:15.110
So the unpack code is in this region of memory one followed by seven zeros and all the way to this,

13:15.530 --> 13:19.980
this, this, and finally this.

13:20.000 --> 13:24.500
So this is the last region of memory we started from here.

13:24.530 --> 13:25.810
Same region.

13:25.820 --> 13:27.360
So it has finished unpacking.

13:27.670 --> 13:29.610
That's why it is calling this.

13:29.640 --> 13:40.980
It is using this API to create this svchost and then it is going to write this, this unpacked code into

13:40.980 --> 13:45.840
this svchost. That is the intention of this malware.

13:47.040 --> 13:51.240
Now we are ready to dump because we know it has fully unpacked.

13:51.420 --> 14:00.270
We can now safely right click on this and then Follow in Memory Map and then go down to this location

14:00.270 --> 14:02.340
here, right click,

14:02.340 --> 14:03.390
and then

14:04.770 --> 14:05.970
Dump Memory to File.

14:07.430 --> 14:16.850
So now we can dump it to the desktop, go to the Trickbot Trojan folder and then just save it

14:16.850 --> 14:17.390
here.

14:18.750 --> 14:27.750
Okay, so now we have successfully unpacked one of the main Trickbot executable files, which has unpacked

14:27.750 --> 14:30.080
itself and is about to inject into svc

14:30.120 --> 14:30.630
host.

14:30.660 --> 14:36.490
So if you go to this Process Hacker, you see it is going to start svc

14:36.540 --> 14:41.280
host and then move this, copy this file into that process memory.

14:41.790 --> 14:43.740
So let's run and see that happen.

14:46.060 --> 14:46.450
Okay.

14:46.470 --> 14:47.860
You can see here NtWrite, right?

14:47.860 --> 14:48.880
VirtualMemory.

14:49.330 --> 14:54.370
It is going to write this into virtual memory.

14:54.850 --> 14:56.170
Come back here and see.

14:56.560 --> 15:00.140
svchost has been started by Trickbot.

15:00.850 --> 15:01.170
See that?

15:01.730 --> 15:05.970
So it's now going to write this into svc

15:05.980 --> 15:08.140
host. Let's run.

15:09.550 --> 15:10.150
Same thing.

15:10.150 --> 15:11.590
It is continuing to write.

15:11.620 --> 15:12.940
Go back here and see.

15:13.870 --> 15:14.650
Run again.

15:18.190 --> 15:18.970
Run again.

15:20.170 --> 15:20.660
All right.

15:20.680 --> 15:26.890
This additional one has now terminated, so if you come and see Process Hacker,

15:29.970 --> 15:31.950
it has terminated, right?

15:31.950 --> 15:41.070
So now we can just close everything and then continue with the next video where we will take a look

15:41.070 --> 15:47.370
at the dump file which we saved in our folder here.

15:47.370 --> 15:48.090
This one.

15:48.330 --> 15:49.530
So thank you.

15:49.530 --> 15:50.760
I will see you in the next one.
