WEBVTT

00:00.620 --> 00:02.900
Hello and welcome to a new section.

00:03.230 --> 00:08.000
In this new section, we are going to unpack the Ramnit Trojan.

00:08.690 --> 00:15.230
So on this website here, you can read about the Ramnit Trojan.

00:16.130 --> 00:20.750
It is not a new Trojan and it has been around for some time now.

00:20.750 --> 00:22.970
First detected in 2010.

00:25.030 --> 00:32.500
It was originally designed to attack bank accounts by infecting PCs and using them as proxy servers

00:32.500 --> 00:34.030
for malicious activity.

00:35.480 --> 00:37.640
And since then it has evolved.

00:38.740 --> 00:45.730
So previously Ramnit operated as a botnet, infecting computers, turning them into bots.

00:47.690 --> 00:56.210
And recently the current objective is to steal credentials via web injects that trick people into providing

00:56.210 --> 00:57.650
confidential information.

00:58.160 --> 01:02.720
And Ramnit is best known for focusing on the banking industry.

01:04.370 --> 01:05.420
How it spreads.

01:05.640 --> 01:13.370
Ramnit was originally distributed using worm capabilities, but is now distributed via executable files

01:13.400 --> 01:18.080
that are downloaded and executed by an unwitting user.

01:18.680 --> 01:28.280
And also there have been cases of Ramnit being distributed via email spam, that is, malware spamming

01:28.280 --> 01:29.210
via email.

01:29.630 --> 01:35.570
When victims download it by clicking on an ad or on an insecure website.

01:36.560 --> 01:43.310
So go and download this Ramnit file, unzip it and put it on the desktop folder called Ramnit.

01:44.660 --> 01:51.620
So the first thing we do is to do a preliminary scan to see whether it is packed.

01:52.010 --> 01:58.790
So we can fire up our detector by going to FLARE utilities.

02:00.210 --> 02:02.460
And open Detect It Easy.

02:06.470 --> 02:07.760
Click on the three dots here.

02:11.320 --> 02:12.940
Navigate to the desktop.

02:15.910 --> 02:16.660
Open Ramnit.

02:19.810 --> 02:23.340
And you see here it is actually packed with it.

02:23.890 --> 02:25.390
But later on, we'll see.

02:25.390 --> 02:27.490
There is also speckle inside.

02:28.090 --> 02:31.150
And then now we take a look at the entropy.

02:34.270 --> 02:34.750
Very high.

02:34.780 --> 02:37.300
95% of the file is packed.

02:38.100 --> 02:39.600
As you can see, packed.

02:41.160 --> 02:47.660
The other tool we can use to do a preliminary analysis is PEStudio.

02:47.670 --> 02:55.500
So let's go to the utilities folder and fire up PEStudio and then drag it into PEStudio.

02:58.020 --> 03:01.110
And from here you can see it is a 32-bit executable.

03:01.990 --> 03:03.550
And entropy is also high.

03:03.970 --> 03:05.020
Above seven.

03:05.320 --> 03:07.840
More than seven normally indicates it is packed.

03:08.470 --> 03:10.900
And if you look at the sections.

03:12.820 --> 03:22.780
You can see there, there's an additional text section which is irregular, and this text section has

03:22.780 --> 03:25.210
quite high entropy, which means it is packed.

03:25.780 --> 03:27.130
Same with the resource here.

03:28.090 --> 03:28.870
7.8.

03:28.870 --> 03:29.680
7.9.

03:31.380 --> 03:35.570
And now we are going to unpack it with x64dbg.

03:36.240 --> 03:39.180
So fire up the 32-bit version of x64dbg.

03:43.690 --> 03:50.320
And then in the options preferences, uncheck system breakpoints and callbacks.

03:50.350 --> 03:55.300
Click on Save and then open the Ramnit Trojan.

03:58.590 --> 04:01.890
Click on the dropdown, select all files select on.

04:04.590 --> 04:07.710
And now we are going to put certain breakpoints.

04:10.260 --> 04:12.810
First one is VirtualAlloc.

04:18.580 --> 04:21.430
Next one is VirtualProtect.

04:26.650 --> 04:31.470
And then CreateProcessInternalW.

04:41.790 --> 04:46.290
Followed by WriteProcessMemory.

04:51.360 --> 04:55.380
And then a breakpoint on IsDebuggerPresent.

05:00.550 --> 05:05.290
And one more breakpoint on NtResumeThread.

05:08.400 --> 05:15.570
Now we go to the breakpoints tab and confirm that we have those breakpoints, which we have set.

05:16.530 --> 05:24.630
And as I mentioned before, if it is the first time you are encountering this malware, you do not

05:24.630 --> 05:27.410
know which breakpoint is set.

05:27.420 --> 05:29.480
So you should set on all of them.

05:29.490 --> 05:34.950
Those that I mentioned earlier in the start of this course, as many as you can.

05:35.310 --> 05:41.700
But after a few rounds you will narrow down to just a few to those which are more likely to get hit.

05:43.020 --> 05:45.330
So now you can run it.

05:47.860 --> 05:50.890
F9, Click on this to run.

05:53.760 --> 06:03.480
And straight away it hits this CreateProcessInternalW and this process is going to run this file.

06:03.660 --> 06:08.490
And it appears that this file has just been dropped into this location.

06:08.490 --> 06:10.320
So let's go there and see.

06:11.220 --> 06:17.940
That location is actually the same folder where we started the original Trojan.

06:18.150 --> 06:20.010
So you can see from here.

06:21.620 --> 06:26.540
So this is a new file which has been dropped and it is about to execute this.

06:26.870 --> 06:31.170
So now, before we can attach to this, we must let it execute this.

06:31.190 --> 06:34.080
That means we have to let it run this API.

06:34.220 --> 06:38.420
So to let it run this API, we can click this one run to user code.

06:39.920 --> 06:40.370
Right?

06:40.370 --> 06:46.800
So the API has been run and probably this process has already been started.

06:46.820 --> 06:51.980
So you can confirm that by going to Process Hacker and taking a look.

06:52.010 --> 06:55.250
Click on FLARE Utilities.

06:55.940 --> 06:59.630
Go to Process Hacker and fire up Process Hacker.

07:03.350 --> 07:05.090
And then scroll down and look for it.

07:05.120 --> 07:05.990
There you go.

07:07.160 --> 07:14.030
Ramnit is the parent process, and it has spawned this new process called Ramnit Manager through this

07:14.030 --> 07:19.970
API CreateProcessInternalW, which we saw just now, just before we stepped over it.

07:20.600 --> 07:27.950
So now, since we know that it is running, we can attach to it by opening a new instance of x32dbg

07:28.250 --> 07:32.300
without closing the old instance of x32dbg.

07:32.660 --> 07:39.920
So to open a new instance of x32dbg, we will come down here, right click on this and then select

07:39.950 --> 07:41.030
x32dbg.

07:42.750 --> 07:42.880
Click.

07:42.990 --> 07:43.590
Yes.

07:45.020 --> 07:53.420
And now, since this second process, Ramnit Manager, is already running in memory, we can attach by

07:53.420 --> 08:02.130
clicking File and then here click on Attach and then you can see here it is already in memory, Ramnit

08:02.150 --> 08:02.780
Manager.

08:03.200 --> 08:05.600
So we can click on this and click Attach.

08:07.430 --> 08:12.230
We will continue with the analysis from where we left off in the next video.

08:12.260 --> 08:13.760
Thank you for watching.
