All language subtitles for Malware Analysis - Unpacking njRAT Protected by Confuser v.1.9 and others [English (auto-generated)] [DownloadYoutubeSubtitles.com]
1
00:00:00,030 --> 00:00:04,560
hello and welcome to malware analysis
2
00:00:02,010 --> 00:00:07,560
for hedgehogs I'm finally back from
3
00:00:04,560 --> 00:00:10,820
vacation and MalwareHunterTeam has pointed
4
00:00:07,560 --> 00:00:15,240
me to an interesting sample that I
5
00:00:10,820 --> 00:00:17,880
indeed think is worth making a video
6
00:00:15,240 --> 00:00:21,810
although it's another .NET unpacking
7
00:00:17,880 --> 00:00:23,670
tutorial there are some new
8
00:00:21,810 --> 00:00:27,119
techniques involved which I didn't show
9
00:00:23,670 --> 00:00:36,180
in my other videos yet alright let's take a
10
00:00:27,119 --> 00:00:38,969
look at the sample first there's a debug
11
00:00:36,180 --> 00:00:40,710
path in the sample and it's indeed
12
00:00:38,969 --> 00:00:43,700
a .NET file you can see this here
13
00:00:40,710 --> 00:00:47,780
and debug path is interesting because
14
00:00:43,700 --> 00:00:52,199
Visual Studio will put this path there
15
00:00:47,780 --> 00:00:56,489
by default so if a developer doesn't
16
00:00:52,199 --> 00:00:59,600
change it it will expose the user name
17
00:00:56,489 --> 00:01:04,610
for instance that's been used on the
18
00:00:59,600 --> 00:01:08,760
development computer and
19
00:01:04,610 --> 00:01:10,770
also the name of the project that has
20
00:01:08,760 --> 00:01:12,840
been used in this case it's a standard
21
00:01:10,770 --> 00:01:17,729
name that's WindowsApplication and the
22
00:01:12,840 --> 00:01:20,340
number so that's if you click on visual
23
00:01:17,729 --> 00:01:22,830
studio on the new project button this
24
00:01:20,340 --> 00:01:25,080
will be created with the number behind
25
00:01:22,830 --> 00:01:31,229
it so it's the fourth standard project
26
00:01:25,080 --> 00:01:34,950
that this developer did to me it's an
27
00:01:31,229 --> 00:01:37,409
indication that the project wasn't very
28
00:01:34,950 --> 00:01:40,619
important to the developer because
29
00:01:37,409 --> 00:01:48,740
otherwise they would have given it the
30
00:01:40,619 --> 00:01:54,259
proper name and not that all right
31
00:01:48,740 --> 00:01:58,079
checking the strings will also show the
32
00:01:54,259 --> 00:02:01,750
path again and there is a method X in
33
00:01:58,079 --> 00:02:07,020
which i think is worth
34
00:02:01,750 --> 00:02:13,120
to look at later and lots of lots of
35
00:02:07,020 --> 00:02:15,910
base64 strings now I assumed that PEStudio
36
00:02:13,120 --> 00:02:20,440
has an upper limit for the size of
37
00:02:15,910 --> 00:02:26,340
the strings because that's actually just
38
00:02:20,440 --> 00:02:35,190
one string as you will see later okay
39
00:02:26,340 --> 00:02:35,190
let's check the code in a decompiler and
40
00:02:36,060 --> 00:02:42,610
now as usual I clicked on the
41
00:02:40,720 --> 00:02:46,030
main because that's where code execution
42
00:02:42,610 --> 00:02:48,340
starts but as soon as you see a set of
43
00:02:46,030 --> 00:02:54,040
things like my computer my project my
44
00:02:48,340 --> 00:02:56,350
settings and so on you may want to check
45
00:02:54,040 --> 00:03:00,250
the form one first
46
00:02:56,350 --> 00:03:03,160
that's a forms application that means a
47
00:03:00,250 --> 00:03:05,890
lot of the code that's here has been
48
00:03:03,160 --> 00:03:08,620
generated by Visual Studio and that's
49
00:03:05,890 --> 00:03:11,320
nothing you're interested in so you look
50
00:03:08,620 --> 00:03:16,269
at the form first that's the user code
51
00:03:11,320 --> 00:03:21,190
the code of the developer and here's a
52
00:03:16,269 --> 00:03:26,769
lot of junk right there so the more
53
00:03:21,190 --> 00:03:29,110
interesting methods to look at are the
54
00:03:26,769 --> 00:03:32,829
Form Load and InitializeComponent
55
00:03:29,110 --> 00:03:36,940
methods so I will just scroll through
56
00:03:32,829 --> 00:03:38,650
you see that's nothing nothing
57
00:03:36,940 --> 00:03:44,350
interesting here and here's the form
58
00:03:38,650 --> 00:03:47,500
load and that's interesting code there
59
00:03:44,350 --> 00:03:52,360
is our emitted eggs a it's a file in the
60
00:03:47,500 --> 00:03:56,530
temp directory and what's written to is
61
00:03:52,360 --> 00:03:58,810
it is base64 string so there we have the
62
00:03:56,530 --> 00:04:02,549
base64 string now we just need to find
63
00:03:58,810 --> 00:04:07,250
the string so we can decode it ourselves
64
00:04:02,549 --> 00:04:10,140
in this case that's the easiest way
65
00:04:07,250 --> 00:04:14,370
okay of course you can also execute the
66
00:04:10,140 --> 00:04:17,940
file and then get the are murdered eggsy
67
00:04:14,370 --> 00:04:20,580
and then you also have the dropped file
68
00:04:17,940 --> 00:04:27,450
and obviously it's a dropper it writes it
69
00:04:20,580 --> 00:04:29,250
to disk and so it's a dropper what did
70
00:04:27,450 --> 00:04:37,880
I want to do I wanted to check the
71
00:04:29,250 --> 00:04:41,580
resources these buttons are t-money
72
00:04:37,880 --> 00:04:44,790
all right here's the text for one
73
00:04:41,580 --> 00:04:50,310
resource and now we can save this with
74
00:04:44,790 --> 00:04:54,270
the button here save and here we have it
75
00:04:50,310 --> 00:04:56,790
open it with notepad and then you might
76
00:04:54,270 --> 00:04:58,830
want to remove the header of the
77
00:04:56,790 --> 00:05:05,180
resource we don't need it anymore and
78
00:04:58,830 --> 00:05:09,060
just decode the base64 string save it to
79
00:05:05,180 --> 00:05:15,330
the file and then you might want to
80
00:05:09,060 --> 00:05:18,420
recheck what you've got here okay again
81
00:05:15,330 --> 00:05:21,240
it's a .NET file nice and it has
82
00:05:18,420 --> 00:05:24,810
internal name and original name server dot
83
00:05:21,240 --> 00:05:29,910
exe that's a huge sign to me that this
84
00:05:24,810 --> 00:05:33,540
is a remote access trojan because they
85
00:05:29,910 --> 00:05:36,720
call the part that's on the victim's
86
00:05:33,540 --> 00:05:42,560
computer server and the client is the
87
00:05:36,720 --> 00:05:42,560
part that's on the attacker's computer so
88
00:05:43,190 --> 00:05:50,300
it
89
00:05:45,790 --> 00:05:55,610
all right it uses reflection and
90
00:05:50,300 --> 00:05:59,510
LoadModule so it seems it's loading
91
00:05:55,610 --> 00:06:02,200
something an assembly and we need to
92
00:05:59,510 --> 00:06:02,200
check that
93
00:06:11,020 --> 00:06:17,710
all right at this point you can see that
94
00:06:14,229 --> 00:06:20,849
this is obfuscated by Confuser and
95
00:06:17,710 --> 00:06:27,039
Confuser is one of the more difficult
96
00:06:20,849 --> 00:06:30,099
obfuscators but we will be able to
97
00:06:27,039 --> 00:06:34,300
tackle that nevertheless and here you
98
00:06:30,099 --> 00:06:36,940
can see the LoadModule call which is
99
00:06:34,300 --> 00:06:39,970
interesting for us and also an invoke
100
00:06:36,940 --> 00:06:45,220
but at this point you should be able
101
00:06:39,970 --> 00:06:47,050
to dump this array here and that's what
102
00:06:45,220 --> 00:06:49,870
we want to do it gets something from the
103
00:06:47,050 --> 00:06:56,830
resources and then reads it and into
104
00:06:49,870 --> 00:07:03,370
this array and then loads it here here's
105
00:06:56,830 --> 00:07:07,800
the array so the best way to get this is
106
00:07:03,370 --> 00:07:07,800
using dnSpy and
107
00:07:10,330 --> 00:07:14,669
we will just do that
108
00:07:15,750 --> 00:07:21,310
all right
109
00:07:18,280 --> 00:07:26,350
you need to take the right version for
110
00:07:21,310 --> 00:07:29,350
debugging if it's a 64-bit application you
111
00:07:26,350 --> 00:07:36,120
need dnSpy.exe otherwise you need
112
00:07:29,350 --> 00:07:36,120
the x86 one run it as administrator
113
00:07:37,920 --> 00:07:51,040
all right
114
00:07:40,910 --> 00:07:51,040
and we okay we open up the debugger
115
00:07:55,540 --> 00:07:58,560
that is
116
00:08:00,380 --> 00:08:05,270
now you might ask why I do not
117
00:08:03,230 --> 00:08:07,880
deobfuscate the Confuser right here because
118
00:08:05,270 --> 00:08:12,320
it's not necessary the important parts
119
00:08:07,880 --> 00:08:15,040
are readable right here so that's what I
120
00:08:12,320 --> 00:08:15,040
will do
121
00:08:16,750 --> 00:08:22,610
okay I quit and here that was the
122
00:08:19,760 --> 00:08:25,870
interesting part we want to dump this
123
00:08:22,610 --> 00:08:29,780
array I would set a breakpoint here and
124
00:08:25,870 --> 00:08:33,770
press Continue and there we have our
125
00:08:29,780 --> 00:08:42,229
array let's see what's in there yeah
126
00:08:33,770 --> 00:08:44,990
nothing useful yet and we will step once
127
00:08:42,229 --> 00:08:49,700
and then yes please
128
00:08:44,990 --> 00:08:52,420
and here it's been decoded or decrypted
129
00:08:49,700 --> 00:08:56,840
or whatever I guess this function is
130
00:08:52,420 --> 00:09:01,130
decrypting the array and that's here the
131
00:08:56,840 --> 00:09:04,400
MZ so we have probably an executable
132
00:09:01,130 --> 00:09:08,540
or well a part of an executable at least
133
00:09:04,400 --> 00:09:10,010
so take a look in the memory when
134
00:09:08,540 --> 00:09:13,760
they're all right now you can
135
00:09:10,010 --> 00:09:14,570
right-click and say save selection to
136
00:09:13,760 --> 00:09:18,970
the desktop
137
00:09:14,570 --> 00:09:26,770
that's our first dump and save that okay
138
00:09:18,970 --> 00:09:26,770
no need to check this here this
139
00:09:31,580 --> 00:09:35,780
okay the first dump
140
00:09:42,329 --> 00:09:50,290
now that's interesting right here that's
141
00:09:45,129 --> 00:09:54,459
a .NET module and it's interesting
142
00:09:50,290 --> 00:09:57,970
insofar as if you want to debug this
143
00:09:54,459 --> 00:09:59,829
dump you need to make it runnable first
144
00:09:57,970 --> 00:10:05,079
and that module is not runnable on its
145
00:09:59,829 --> 00:10:08,639
own the smallest runnable thing and
146
00:10:05,079 --> 00:10:13,929
in .NET executables is the assembly and
147
00:10:08,639 --> 00:10:16,299
the assembly has a manifest that it's
148
00:10:13,929 --> 00:10:18,369
necessary to make it run the .NET module
149
00:10:16,299 --> 00:10:21,009
does not have this manifest and it's
150
00:10:18,369 --> 00:10:25,269
only meant to be used in context of an
151
00:10:21,009 --> 00:10:29,109
assembly so but dnSpy is able to
152
00:10:25,269 --> 00:10:34,869
create an assembly out of the .NET module
153
00:10:29,109 --> 00:10:40,689
so in case you want to use debugging to
154
00:10:34,869 --> 00:10:43,600
unpack this open up dnSpy and
155
00:10:40,689 --> 00:10:46,919
that's our new thing that we do right we
156
00:10:43,600 --> 00:10:46,919
learn how to write here
157
00:10:53,200 --> 00:11:04,120
so we open the dump where is it there
158
00:11:01,260 --> 00:11:08,139
now you can also see it's named .NET
159
00:11:04,120 --> 00:11:10,720
module and you can right click on it
160
00:11:08,139 --> 00:11:15,100
then you can say convert to assembly did
161
00:11:10,720 --> 00:11:19,269
that and then say save all and I would
162
00:11:15,100 --> 00:11:26,620
save it to you like modified that's the
163
00:11:19,269 --> 00:11:31,839
modified dump right and if you do not do
164
00:11:26,620 --> 00:11:35,399
that well let me just open up Process
165
00:11:31,839 --> 00:11:39,269
Explorer to check if that's all right
166
00:11:35,399 --> 00:11:39,269
just that half
167
00:11:41,640 --> 00:11:47,360
okay that's the unmodified file
168
00:11:48,529 --> 00:11:57,199
and this shouldn't work it's not a valid
169
00:11:52,969 --> 00:12:00,429
Win32 application and I will show you
170
00:11:57,199 --> 00:12:00,429
soon the reason
171
00:12:07,380 --> 00:12:12,350
I think the same should happen here the
172
00:12:12,950 --> 00:12:18,870
this one still should not run and I'm
173
00:12:16,650 --> 00:12:21,390
just verifying this by looking at
174
00:12:18,870 --> 00:12:24,060
Process Explorer and again it does not
175
00:12:21,390 --> 00:12:25,110
run although we added or we made an
176
00:12:24,060 --> 00:12:28,470
assembly out of it
177
00:12:25,110 --> 00:12:31,710
so what's the problem now you need to
178
00:12:28,470 --> 00:12:36,360
open this with CFF Explorer that's also
179
00:12:31,710 --> 00:12:41,030
a viewer for PE-related
180
00:12:36,360 --> 00:12:45,300
metadata but you can also edit the
181
00:12:41,030 --> 00:12:48,120
metadata and there's one thing here
182
00:12:45,300 --> 00:12:50,790
that's wrong that's this the file is a
183
00:12:48,120 --> 00:12:53,610
DLL just uncheck this it's not a DLL
184
00:12:50,790 --> 00:12:57,990
you want an executable and not a
185
00:12:53,610 --> 00:13:00,690
dynamic link library and the other thing
186
00:12:57,990 --> 00:13:04,670
is if it's a forms application like
187
00:13:00,690 --> 00:13:12,180
our first file we had you might want to
188
00:13:04,670 --> 00:13:15,300
change this to Windows graphical
189
00:13:12,180 --> 00:13:19,500
user interface instead of this so but we
190
00:13:15,300 --> 00:13:24,720
don't need that here for alpha yes save
191
00:13:19,500 --> 00:13:27,780
the changes yes that's okay and now we
192
00:13:24,720 --> 00:13:34,040
need to be a bit careful it's now able
193
00:13:27,780 --> 00:13:34,040
to run and infect our machine alright
194
00:13:37,270 --> 00:13:50,540
so but let's take a look at it again
195
00:13:41,060 --> 00:13:54,140
with dnSpy now in this case that
196
00:13:50,540 --> 00:13:58,130
was the file yeah it's the old one but
197
00:13:54,140 --> 00:13:59,870
doesn't matter you can already see if I
198
00:13:58,130 --> 00:14:02,810
click on the entry point that this is
199
00:13:59,870 --> 00:14:09,140
really a mess you don't want to analyze
200
00:14:02,810 --> 00:14:13,130
this code right well if you if there's
201
00:14:09,140 --> 00:14:16,730
no possibility to deobfuscate that's one
202
00:14:13,130 --> 00:14:19,459
you can use this to make it
203
00:14:16,730 --> 00:14:24,589
runnable run it and then use MegaDumper to
204
00:14:19,459 --> 00:14:29,029
dump what's inside but in this case it's
205
00:14:24,589 --> 00:14:32,240
not necessary we can deobfuscate it with
206
00:14:29,029 --> 00:14:38,320
NoFuser but it doesn't work every time
207
00:14:32,240 --> 00:14:41,330
so you might you might want you always
208
00:14:38,320 --> 00:14:44,500
have to keep in mind several ways of
209
00:14:41,330 --> 00:14:48,940
achieving what you want to achieve and
210
00:14:44,500 --> 00:14:48,940
in this case I think it's
211
00:14:49,640 --> 00:14:58,820
it's quite good to check this and then I
212
00:14:55,180 --> 00:15:08,420
would just name it clean
213
00:14:58,820 --> 00:15:14,120
clean dump one yes please change it we
214
00:15:08,420 --> 00:15:19,000
have it all here and we will open the
215
00:15:14,120 --> 00:15:19,000
clean dump
216
00:15:24,450 --> 00:15:32,550
the deobfuscated one and that looks
217
00:15:27,899 --> 00:15:36,089
much better already and now if you
218
00:15:32,550 --> 00:15:42,180
analyze the code now you can see that
219
00:15:36,089 --> 00:15:47,149
this is opening a zip file an archive
220
00:15:42,180 --> 00:15:50,820
and this archive is loaded into memory
221
00:15:47,149 --> 00:15:57,269
so we want what's inside this archive
222
00:15:50,820 --> 00:16:02,240
and let's check the method that's using
223
00:15:57,269 --> 00:16:02,240
it think it's this one so it's
224
00:16:03,650 --> 00:16:09,610
well oh it's doing some stuff here
225
00:16:15,240 --> 00:16:22,380
here okay this method gets the archive
226
00:16:19,560 --> 00:16:25,860
from the resource stream so again it's
227
00:16:22,380 --> 00:16:30,149
in the resources and that's where you
228
00:16:25,860 --> 00:16:31,310
will find the archive you can just save
229
00:16:30,149 --> 00:16:40,170
it from here
230
00:16:31,310 --> 00:16:44,029
there's no need to debug this code now
231
00:16:40,170 --> 00:16:44,029
just extract this
232
00:16:44,920 --> 00:16:55,410
okay that's not important here can check
233
00:16:51,040 --> 00:16:59,139
this nevertheless but no not important
234
00:16:55,410 --> 00:17:07,559
but this one is it's again called Servidor
235
00:16:59,139 --> 00:17:11,189
dot exe I would say it's dump two dump -
236
00:17:07,559 --> 00:17:11,189
yes and
237
00:17:13,260 --> 00:17:18,589
all right
238
00:17:15,390 --> 00:17:18,589
take a look at it
239
00:17:20,500 --> 00:17:29,460
so the entry point is Jay a main
240
00:17:24,039 --> 00:17:32,980
interesting and now it has some ugly
241
00:17:29,460 --> 00:17:40,059
method name so that's that's really not
242
00:17:32,980 --> 00:17:42,760
so nice if you do not want to hurt your
243
00:17:40,059 --> 00:17:46,750
eyes with ugly method names use de4dot
244
00:17:42,760 --> 00:17:51,370
de4dot has a list of several obfuscators
245
00:17:46,750 --> 00:17:53,260
it can deobfuscate successfully but even if
246
00:17:51,370 --> 00:17:57,669
it doesn't know the obfuscator it will
247
00:17:53,260 --> 00:18:02,830
at least rename the method names so just
248
00:17:57,669 --> 00:18:08,230
try it if it looks ugly here's our clean
249
00:18:02,830 --> 00:18:10,590
dump and now we may analyze this instead
250
00:18:08,230 --> 00:18:10,590
so
251
00:18:15,460 --> 00:18:19,950
okay yeah that's better
252
00:18:21,420 --> 00:18:24,049
we
253
00:18:25,809 --> 00:18:34,970
Wow and we are at the end that's the
254
00:18:30,380 --> 00:18:35,120
actual megaphone and I just clicked you
255
00:18:34,970 --> 00:18:37,400
know
256
00:18:35,120 --> 00:18:40,100
I got into the method that was called
257
00:18:37,400 --> 00:18:42,620
from the main and I usually then click
258
00:18:40,100 --> 00:18:46,730
on the class to see the other method and
259
00:18:42,620 --> 00:18:50,150
methods in the in that class mostly to
260
00:18:46,730 --> 00:18:53,120
get an overview like and here we have
261
00:18:50,150 --> 00:18:57,320
what's the most interesting part usually
262
00:18:53,120 --> 00:19:00,790
if you have a remote access trojan
263
00:18:57,320 --> 00:19:06,980
that's the configuration file and
264
00:19:00,790 --> 00:19:10,640
because there you can see what where
265
00:19:06,980 --> 00:19:17,090
where it's connecting to which port and
266
00:19:10,640 --> 00:19:19,910
and so on and where it also saves or copies
267
00:19:17,090 --> 00:19:22,610
the executable to you and into which
268
00:19:19,910 --> 00:19:26,059
locations and here's a version number
269
00:19:22,610 --> 00:19:32,960
that's the version number of njRAT and
270
00:19:26,059 --> 00:19:36,650
njRAT is a well-known malware if you upload
271
00:19:32,960 --> 00:19:39,230
this to virustotal
272
00:19:36,650 --> 00:19:41,840
you will probably get the malware name
273
00:19:39,230 --> 00:19:45,830
Bladabindi I believe that's the name for
274
00:19:41,840 --> 00:19:48,410
njRAT it's bad practice to use the name
275
00:19:45,830 --> 00:19:51,710
that it that the author intended to have
276
00:19:48,410 --> 00:19:54,799
so if they named it Bladabindi and also
277
00:19:51,710 --> 00:19:57,860
other files that copied source code from
278
00:19:54,799 --> 00:20:01,100
njRAT might be detected as
279
00:19:57,860 --> 00:20:03,830
Bladabindi because detection might be based
280
00:20:01,100 --> 00:20:08,150
on that source piece that they have
281
00:20:03,830 --> 00:20:13,179
copied so nowadays Bladabindi is
282
00:20:08,150 --> 00:20:14,480
basically a detection name for lots of
283
00:20:13,179 --> 00:20:18,530
Wow
284
00:20:14,480 --> 00:20:22,190
remote access tools and
285
00:20:18,530 --> 00:20:25,100
yeah again you might now want to check
286
00:20:22,190 --> 00:20:27,800
the source what it can do there's some
287
00:20:25,100 --> 00:20:31,390
keyboard logging right here you see
288
00:20:27,800 --> 00:20:34,460
the GetKeyState and so on
289
00:20:31,390 --> 00:20:39,020
KL probably also stands for keyboard
290
00:20:34,460 --> 00:20:45,370
logging there that's how it indicates
291
00:20:39,020 --> 00:20:49,550
the certain keys in the log file and
292
00:20:45,370 --> 00:20:51,410
here are the keys oh yeah that's quite
293
00:20:49,550 --> 00:20:54,070
interesting I will leave it to you to
294
00:20:51,410 --> 00:21:00,350
analyze this and unpack it yourself
295
00:20:54,070 --> 00:21:06,200
yeah many thanks to MalwareHunterTeam
296
00:21:00,350 --> 00:21:08,390
because they explain to me how to tackle
297
00:21:06,200 --> 00:21:13,000
this with the .NET module basically how
298
00:21:08,390 --> 00:21:15,440
to make the .NET module executable and I
299
00:21:13,000 --> 00:21:19,430
yeah I'll and I learned something new
300
00:21:15,440 --> 00:21:22,760
today and I love to share this with you
301
00:21:19,430 --> 00:21:26,000
so thank you MalwareHunterTeam if you want
302
00:21:22,760 --> 00:21:28,850
something here I will link MalwareHunterTeam's
303
00:21:26,000 --> 00:21:31,670
Twitter profile also in the description
304
00:21:28,850 --> 00:21:34,090
below and thanks for watching see you
305
00:21:31,670 --> 00:21:34,090
next time