WEBVTT 00:00.510 --> 00:01.120 Welcome back. 00:01.140 --> 00:04.530 In this video, we are going to start unpacking radicals. 00:04.650 --> 00:10.590 So fire up your x32 debug since we know it is a 32 bit program. 00:13.000 --> 00:19.510 And then go to the options preferences and uncheck system breakpoints and uncheck callbacks. 00:19.630 --> 00:20.770 Click on Save. 00:22.120 --> 00:24.790 And then open the Trojan. 00:30.600 --> 00:34.170 He will hit your entry point, as you can see. 00:34.320 --> 00:38.580 So now we are going to put three breakpoints. 00:39.240 --> 00:41.310 The first breakpoint is virtual. 00:46.690 --> 00:49.180 The second breakpoint is Virtualprotect. 00:52.390 --> 00:55.990 And the third breakpoint is optional. 00:56.020 --> 00:58.600 It is actually create process internal. 00:59.200 --> 01:06.580 Normally we will put that if we suspect it's going to be a self injecting Trojan. 01:11.490 --> 01:19.440 Or if we suspect that it is going to call some other APIs and execute them by creating a new process. 01:19.800 --> 01:22.800 So we just press enter now. 01:23.160 --> 01:30.570 And then if we click on the breakpoint, we will see that confirm the three breakpoints being set, 01:30.690 --> 01:34.870 which are lock, which are protect and create process internal w. 01:37.630 --> 01:44.680 Now, if you didn't know what breakpoints you are supposed to set, set as many as you can, but if 01:44.710 --> 01:54.340 you have already tried this a few rounds, you can start to narrow it down to only those which it actually 01:54.340 --> 01:58.810 hits, or only those which are relevant to what you observe. 01:59.740 --> 02:02.530 So macro analysis is a lot of trial and error. 02:02.920 --> 02:07.960 Normally, the first analysis will not succeed, so it's a very time consuming process. 02:08.470 --> 02:12.130 So a lot of trial and error and guesswork as well. 02:12.550 --> 02:16.990 So now we are going to run now this Trojan. 02:17.410 --> 02:26.140 Trojans can either create an external process or it can create an internal process by overwriting part 02:26.170 --> 02:28.600 of its own memory and running from there. 02:28.780 --> 02:34.840 Now it so happens that Dridex is the Trojan, which overwrites its own process. 02:35.680 --> 02:37.130 His own process memory. 02:37.130 --> 02:41.660 So that is called Self-injecting self injecting Trojan. 02:42.380 --> 02:45.120 Okay, so now it has hit the virtual lock. 02:45.170 --> 02:49.160 And if we step over virtual A. 02:52.240 --> 02:52.630 Come. 02:54.270 --> 03:02.790 And now if we step over this call, we look at the return allocated address in X, we can follow this 03:02.820 --> 03:04.500 in the dump one. 03:04.980 --> 03:07.350 So right click on this following dump. 03:08.340 --> 03:09.380 Now it's empty. 03:09.390 --> 03:11.040 So let's run now. 03:13.350 --> 03:18.720 His virtual analog again f8 to step over or click on this one. 03:18.720 --> 03:19.350 To step over 03:22.770 --> 03:26.130 and step over this virtual lock. 03:26.310 --> 03:29.730 And now it allocates three seven followed by four zeros. 03:30.060 --> 03:32.040 So click on Done Tool. 03:32.070 --> 03:34.110 We are going to follow this in down to. 03:36.080 --> 03:39.140 Now we are falling down to that one is still blank. 03:39.620 --> 03:50.990 Now we run F9 and this time we see it has unpacked some B header B file in dump to dump one is still 03:50.990 --> 03:51.260 blank. 03:52.220 --> 03:56.840 So you can dump this now and analyze it if you wanted to. 03:56.960 --> 04:05.090 But we are going to proceed further because this is probably not the main exe, but you won't know that 04:05.120 --> 04:06.140 until you have dumped it. 04:06.320 --> 04:11.570 So that's why there's a lot of trial and error in malware analysis because you don't know which one 04:11.570 --> 04:14.720 is the main B, so you may need to dump all of them. 04:15.050 --> 04:18.380 But since I've done this already, I know that this is not the main path. 04:18.770 --> 04:22.970 But if you are facing this for the first time, this Trojan, you wouldn't know that. 04:22.970 --> 04:24.830 So you will dump this. 04:25.190 --> 04:29.120 So now you will go ahead and. 04:30.860 --> 04:32.260 Step over the water. 04:32.720 --> 04:34.070 So let's see. 04:41.430 --> 04:47.520 Get established again and now it is allocated this regional memory. 04:48.030 --> 04:50.900 So now we go here, click on Done Tree. 04:50.910 --> 04:55.350 We're going to follow this in Dump tree by right clicking it and clicking follow in dump. 04:56.340 --> 05:00.870 Okay, so now we see dump tree is blank empty. 05:01.890 --> 05:05.130 And then now we keep on running. 05:09.770 --> 05:10.190 All right. 05:10.610 --> 05:12.410 And now we hit Roger Protect. 05:13.070 --> 05:16.250 So now it is already. 05:16.460 --> 05:21.320 If you click on the breakpoint, you can see how many times which lock has been hit. 05:21.710 --> 05:22.790 Three times. 05:22.910 --> 05:23.350 All right. 05:23.360 --> 05:30.560 So at this point in time, we do not know when is the proper time to dump and we do not know where is 05:30.560 --> 05:33.500 the main memory which we are supposed to dump from. 05:33.770 --> 05:39.110 So that's why the first round we are doing this or the first few rounds that we do this. 05:39.380 --> 05:40.940 We don't dump anything yet. 05:41.360 --> 05:47.360 We just count how many times which lock has been hit, how many times which protect has been hit. 05:48.080 --> 05:53.720 Okay, so now we just go through the motions to get the the count, the enumeration. 05:54.680 --> 05:56.810 So now it's hit virtualprotect. 05:56.960 --> 06:07.670 And so we are going to step over, jump to Virtualprotect, jump to watch protect again and let it push 06:07.670 --> 06:09.240 the parameters to the stack. 06:10.260 --> 06:12.720 And now we look at the second parameter. 06:12.870 --> 06:20.340 Second parameter is the location in memory where it would change the permission. 06:20.340 --> 06:23.670 So in this case it is three five followed by three zeros. 06:24.330 --> 06:26.100 So if we go to. 06:27.800 --> 06:29.930 And we continue to run. 06:31.480 --> 06:34.210 So now we can step over. 06:34.390 --> 06:36.670 Since I've done this, I'll save you some time. 06:38.740 --> 06:40.510 But initially you will know. 06:41.230 --> 06:46.080 So you need to do everything but try to cut this short. 06:46.090 --> 06:49.450 So now it's going to go with your product again. 06:49.450 --> 06:53.020 And look at the second parameter this time is this region of memory. 06:53.470 --> 06:56.350 Now this one has got one followed by seven zeros. 06:56.560 --> 07:01.810 Look it up in the memory map because you cannot right click this and follow in memory map. 07:02.860 --> 07:03.300 Right here. 07:03.310 --> 07:03.930 He followed me. 07:03.960 --> 07:07.390 You might be following this address rather than the D-word. 07:07.540 --> 07:09.040 But we want to look at the D-word. 07:09.310 --> 07:13.240 So we follow in memory map. 07:14.820 --> 07:17.880 One followed by seven zeros is here. 07:18.240 --> 07:18.870 Over here. 07:19.200 --> 07:21.840 That means it is already written. 07:21.870 --> 07:23.700 Is about to write something. 07:24.460 --> 07:25.560 Okay, so let's see. 07:25.560 --> 07:26.760 What does this do? 07:27.360 --> 07:30.060 Let's step over this and take a look again. 07:31.880 --> 07:34.920 And so it has removed the W flag. 07:34.970 --> 07:37.190 That means previously it was writable. 07:37.220 --> 07:39.590 Now it's no more writable. 07:40.150 --> 07:40.460 Go. 07:40.470 --> 07:43.460 That means that it has finished unpacking code. 07:43.790 --> 07:46.020 Normally that would be the case. 07:46.040 --> 07:49.100 That's why it removes the writable flag. 07:49.520 --> 07:53.360 So at this point in time we may 07:55.730 --> 07:58.250 conclude that it has finished unpacking. 07:58.460 --> 07:59.300 But. 08:00.730 --> 08:04.510 At this region of memory one followed by seven zeros. 08:04.900 --> 08:09.720 So one followed by seven zero seems to be an important location. 08:09.730 --> 08:12.130 So we can follow that. 08:13.100 --> 08:14.870 One followed by seven zeros. 08:16.190 --> 08:19.010 We can follow that in the right click. 08:19.010 --> 08:20.900 Follow dealer in Kaandam. 08:22.650 --> 08:24.780 Curing them, maybe. 08:24.810 --> 08:25.830 Yeah, we can use them. 08:25.830 --> 08:26.880 Number three if we want. 08:27.240 --> 08:29.190 Follow the one in calendar. 08:29.910 --> 08:34.800 As you can see, this region of memory has got an MC header and a string. 08:34.800 --> 08:41.670 This program cannot be run in dark mode, so obviously it has unpacked something into this region of 08:41.670 --> 08:43.140 memory over here. 08:43.410 --> 08:46.020 So now it's already only readable. 08:46.620 --> 08:53.280 No more writable, but we don't want to dump now because we're not sure whether or not it has finished 08:53.280 --> 08:54.000 unpacking. 08:54.570 --> 09:04.050 So we will continue to execute this until something happens, for example, until it stops executing 09:04.350 --> 09:10.260 or it stops breaking in all the breakpoints or it has entered into an exception. 09:10.740 --> 09:16.140 So if you take a look at the breakpoints we see now, the virtual lock has been hit three times and 09:16.140 --> 09:17.640 virtualprotect two times. 09:17.640 --> 09:23.520 So let's see how many times you hit continue to run. 09:23.520 --> 09:25.050 It hits virtualprotect again. 09:25.470 --> 09:32.580 So we step over, jump to Virtualprotect, jump to Virtualprotect. 09:35.190 --> 09:41.490 Okay, now we see it is continuing to unpack something in this region of memory. 09:41.760 --> 09:42.690 Same region. 09:42.690 --> 09:48.960 We started from one followed by seven zeros and then now it's unpacking at one, followed by ending 09:48.960 --> 09:50.340 with one three zeros. 09:50.370 --> 09:52.620 Same region of memory, just a continuation. 09:52.650 --> 09:54.630 That means it hasn't finished unpacking yet. 09:54.660 --> 09:55.830 It's still continuing. 09:56.490 --> 09:59.640 So we can follow this one in. 09:59.880 --> 10:03.930 Probably we put this pull it to the left. 10:04.740 --> 10:07.260 Now we follow in dump number three. 10:09.330 --> 10:09.660 But. 10:11.700 --> 10:13.610 If you want to, but I think it's not necessary. 10:13.620 --> 10:17.670 We know that it hasn't finished unpacking, so let's continue to run. 10:20.670 --> 10:21.900 So let's step over. 10:25.440 --> 10:26.700 Which you protect again. 10:27.570 --> 10:27.930 Again. 10:27.930 --> 10:28.590 Will you protect? 10:30.570 --> 10:30.900 Okay. 10:30.900 --> 10:32.760 This time look at the second parameter. 10:32.760 --> 10:34.470 Still haven't finished unpacking. 10:34.830 --> 10:36.240 Same region of memory. 10:36.240 --> 10:38.910 We started from one followed by seven zero. 10:39.240 --> 10:40.920 So we need to do anything. 10:40.920 --> 10:41.910 Just let it finish. 10:41.910 --> 10:42.600 Unpacking. 10:44.070 --> 10:45.000 Step over. 10:47.370 --> 10:51.480 And then run still hit virtue protect. 10:52.230 --> 10:53.220 Step over. 10:54.300 --> 10:55.020 Jump to virtue. 10:55.020 --> 10:55.470 Protect. 10:56.310 --> 10:57.000 Jump to virtue. 10:57.000 --> 10:57.450 Protect. 11:01.340 --> 11:07.970 See that still same region of memory, but at a at a higher address range, 283330. 11:08.360 --> 11:10.490 So it still hasn't finished unpacking. 11:10.490 --> 11:14.810 So you let it unpack, continue running still virtualprotect. 11:15.800 --> 11:18.890 So it seems like this region of memory is super important here. 11:18.920 --> 11:26.510 One followed by seven zeros as it keeps unpacking itself into the original memory which commences from 11:26.510 --> 11:26.960 here. 11:28.040 --> 11:30.230 So we continue to step over. 11:34.760 --> 11:36.230 Now take a look at this. 11:36.240 --> 11:40.200 Still same one, starting with one. 11:40.200 --> 11:42.780 And then this time, 29000. 11:43.110 --> 11:45.450 That means it still hasn't finished unpacking. 11:45.450 --> 11:53.100 So we continue to do this F9, F9, and keep on looking and see how many times it is going to hit Virtualprotect. 11:55.190 --> 11:58.040 Okay, so now step over. 11:59.930 --> 12:00.860 Run all the way. 12:02.600 --> 12:07.040 And now you see there's a first chance exception. 12:07.280 --> 12:07.760 See that? 12:08.330 --> 12:11.480 That means it's probably finish unpacking. 12:11.750 --> 12:13.640 So now we have a count. 12:13.730 --> 12:15.020 Take a look at the breakpoint. 12:16.580 --> 12:21.170 Waterboarding has been hit six times, which are allowed three times. 12:21.170 --> 12:22.400 So take note of this. 12:22.550 --> 12:25.670 Open a notepad and write that down. 12:27.710 --> 12:28.640 Open notepad. 12:31.220 --> 12:32.480 And write it down. 12:35.600 --> 12:39.530 Virtual has been hit three times. 12:41.180 --> 12:45.530 Virtual protect has been hit six times. 12:46.520 --> 12:50.510 And the last API that was hit was virtual lock. 12:53.060 --> 12:54.650 So this is a clue. 12:54.680 --> 13:00.800 Once we see virtual lock has been hit six times, we know that unpacking has finished and we can dump 13:01.040 --> 13:04.900 from this region of memory one followed by seven zero. 13:04.910 --> 13:08.390 So this is a simple trick to know when to dump. 13:09.140 --> 13:13.340 Okay, so now the next thing for us to do is to shut everything down. 13:13.880 --> 13:23.390 And then for this one, you need to copy out to a external file outside the virtual machine or just 13:23.540 --> 13:30.320 copy this down in the paper using pen and paper, because we are going to reset the virtual machine 13:31.070 --> 13:38.060 because by now the malware must have made some infection, might have infected the virtual machine. 13:38.540 --> 13:42.890 So let us go and reset the virtual machine. 13:43.550 --> 13:48.650 So let's shut everything down and I will see you in the next video.