WEBVTT

00:00.500 --> 00:02.990
Hello and welcome to a new section.

00:03.770 --> 00:11.810
In this new session, we are going to unpack the Zloader Trojan, and here is some write-up on the Zloader

00:11.810 --> 00:12.470
Trojan.

00:12.710 --> 00:20.660
The Zloader Trojan is a variant of the Zeus malware Trojan that hit the banking industry beginning

00:20.660 --> 00:28.040
in 2006 and recently has been used in over 100 attack campaigns since that date.

00:28.490 --> 00:35.390
Zloader relies on emails containing Covid-19 lures that recent incarnations of Zeus have also been

00:35.810 --> 00:36.620
using.

00:36.740 --> 00:44.540
Taking a step further, Zloader also uses other lures such as malicious resumes, invoices and

00:44.810 --> 00:46.040
Excel attachments.

00:46.990 --> 00:53.430
As of May 20th, 2020, researchers were discovering one new campaign of Zloader each day.

00:53.440 --> 00:55.000
How Zloader works.

00:55.030 --> 01:01.240
Zloader is spread through aggressive email campaigns, where the email contains a malicious attachment

01:01.240 --> 01:09.430
with a provocative title referring to either Covid-19 or seeking a job, and invoices with links to infected

01:09.430 --> 01:10.750
Microsoft Word files.

01:10.930 --> 01:17.200
In the case of the invoice email, users will download the malware installer when they click the

01:17.200 --> 01:19.810
enable content button on the document.

01:19.930 --> 01:22.240
So that's some background on Zloader.

01:23.390 --> 01:27.950
Go and download Zloader from the resource section and unzip it.

01:27.980 --> 01:35.570
Put it in the folder on the desktop called Zloader, and you will notice Zloader is a dynamic link

01:35.660 --> 01:36.350
library file.

01:37.070 --> 01:40.300
So we will now take a look at pestudio.

01:41.660 --> 01:45.770
So open up pestudio from FLARE utilities.

01:49.320 --> 01:52.020
And drag Zloader into pestudio.

01:52.920 --> 01:56.610
And you see here the entropy is 6.432.

01:57.690 --> 01:59.190
But that is quite misleading.

01:59.760 --> 02:02.970
Even though it's less than seven, meaning it is unpacked.

02:03.000 --> 02:05.070
In actuality, it is packed.

02:05.100 --> 02:06.840
It's a 32 bit program.

02:07.410 --> 02:19.200
And then over here in the file header, the compiler stamp is April 24th, 2020. Sections: four. .text,

02:19.200 --> 02:21.800
.data, .rsrc, .reloc.

02:24.110 --> 02:24.850
Libraries.

02:25.010 --> 02:25.980
Three libraries.

02:26.000 --> 02:32.270
kernel32, user32, advapi32, and contains about 100 imports.

02:34.020 --> 02:36.070
Here are some of the imports.

02:36.090 --> 02:36.990
Quite a lot of them.

02:36.990 --> 02:38.250
100 imports.

02:42.430 --> 02:45.700
And you can see IsDebuggerPresent is there as well.

02:46.600 --> 02:55.540
Under resources, you can see string tables, version and manifest. Under strings, mostly encrypted.

03:00.030 --> 03:09.130
This lends credence to the fact that it is a packed executable. Version is double double band.

03:09.150 --> 03:15.870
The company name is the movie SIM SIM must as a file description.

03:16.890 --> 03:20.820
So let us now try to unpack this with x32dbg.

03:21.780 --> 03:24.300
So fire up your x32dbg.

03:27.510 --> 03:32.820
Under Options, Preferences, uncheck System Breakpoint and Callbacks.

03:33.840 --> 03:37.080
Click save and then open the Trojan.

03:43.320 --> 03:50.190
Immediately the DLL loader is fired up in order to load your DLL.

03:50.220 --> 03:52.050
So that is quite normal.

03:52.050 --> 03:52.950
Just leave it alone.

03:55.470 --> 03:57.750
Now we shall set some breakpoints.

03:58.860 --> 04:01.490
First breakpoint is VirtualAlloc.

04:04.830 --> 04:05.190
Hit.

04:05.190 --> 04:05.730
Enter.

04:07.960 --> 04:09.130
Click on the breakpoints tab.

04:09.520 --> 04:11.590
Keep an eye on the breakpoints.

04:11.920 --> 04:14.830
Second breakpoint is VirtualProtect.

04:18.970 --> 04:19.660
Hit Enter.

04:23.200 --> 04:27.130
Third breakpoint is CreateProcessInternalW.

04:32.200 --> 04:36.430
Hit Enter. Fourth breakpoint is

04:38.770 --> 04:43.690
IsDebuggerPresent.

04:44.470 --> 04:45.310
Next.

04:46.920 --> 04:54.030
Go up to the breakpoints tab and confirm that all the breakpoints are set.

04:56.080 --> 05:00.100
Then go to the CPU and hit Run or F9.

05:04.850 --> 05:06.320
And now it is running.

05:06.350 --> 05:09.770
It will take some time to unpack the code.

05:10.830 --> 05:12.180
So just let it run.

05:14.100 --> 05:16.500
Finally, it has hit a breakpoint.

05:16.530 --> 05:17.820
VirtualAlloc.

05:18.480 --> 05:20.610
So we can step over this,

05:23.610 --> 05:29.040
jump to VirtualAlloc and then come to the call here.

05:29.100 --> 05:33.510
At the VirtualAlloc call, step over and look at EAX.

05:34.530 --> 05:36.030
We are going to follow this in dump.

05:36.070 --> 05:44.940
So right click, follow in dump, which is currently dump number one over here, then F9 to run again.

05:46.680 --> 05:48.630
It hits VirtualAlloc a second time.

05:49.140 --> 05:50.310
Again we step over it.

05:52.560 --> 05:59.220
Come to the VirtualAlloc call, this one, step over and look at EAX.

05:59.880 --> 06:02.040
This time we are going to follow in dump number two.

06:02.070 --> 06:03.690
So select dump number two.

06:04.110 --> 06:06.810
Right click on EAX and follow in dump.

06:07.470 --> 06:10.380
And it is now being followed in dump number two.

06:10.530 --> 06:15.570
Meanwhile, dump number one, you will see that it has populated it with some shell code.

06:17.470 --> 06:18.240
Dump number two

06:18.280 --> 06:19.270
is still empty.

06:20.170 --> 06:22.300
Now we hit F9 again.

06:22.450 --> 06:23.980
Or this icon here.

06:26.110 --> 06:31.270
It hits VirtualAlloc for the third time and we shall step over it again.

06:33.400 --> 06:46.060
Jump, jump, step over until we come to this VirtualAlloc call, where we step over it again and look at EAX.

06:46.390 --> 06:51.190
This time we click on Dump number three because we want to follow it in

06:51.190 --> 06:52.120
Dump number three.

06:52.690 --> 06:56.740
So we right click on the EAX register and select follow in dump.

06:57.790 --> 06:59.980
And now we are following dump number three.

07:00.010 --> 07:04.600
Meanwhile, dump number two has been populated with some shell code.

07:05.350 --> 07:06.490
So presently, in dump

07:06.490 --> 07:10.420
one and two, we can find some unpacked code.

07:12.550 --> 07:17.620
So we now have dump number three, and then we click on F9 to run again.

07:18.970 --> 07:22.360
And this time it hits VirtualProtect.

07:22.780 --> 07:30.220
So at this point in time, we will pause here and we will continue in the next video.

07:31.150 --> 07:32.390
Thank you for watching.
