One of the most important parts of the cat and mouse game that malware developers play with defenders, network defenders, threat intelligence folks, is creating malware that is very difficult to detect. Today we're going to talk about one of the ways that malware developers use to make malware that's more difficult to detect. It doesn't make it impossible; there are still ways that you can detect malware that uses cryptors, which is what we're going to be talking about today, but it does add an extra layer of complexity. I actually found a really good open-source cryptor that we're going to be going through today. It is created by this person named Daniel Bard, ma a o p on GitHub. I'm going to leave a link down in the description. I actually contributed a little bit, a very very tiny piece of code, to this project, and I plan on doing a little bit more with the project as well, but they've got a really great GitHub that has some resources on how to use the cryptor. This is a fairly typical type of cryptor that you might see actually out in the quote unquote wild, so it's actually a fairly good example of one that we can kind of go through. Now it's unfinished; he's got a couple of things in the to-do list to go through, but it actually is unfinished in a way that is kind of beneficial. We're going to talk about that here in a second, but yeah, let's just dive into the code. I'm going to do a full kind of code walkthrough and kind of a process walkthrough from a high level.

But let's start with what cryptors are. So cryptors: you've got your piece of malware, right? So you've got malware, and that malware is made up of bytes. This is not anything revolutionary, nothing super surprising. Your malware is, you know, created from a series of bytes, so zeros and ones and zeros and ones, repeated until the end of your malware. What defenders are going to do is they are going to build what are called signatures based on these bytes. So they are going to find places within the malware that are indicative of what the malware is or what the malware does. You've got different AV, EDR things that can do this in different ways, but in general the way most signatures work is they will find a byte string, so let's just say this string right here, and they are going to yank that out and say this string means this is malware. That's ugly. So they're going to write a signature, and they're going to say this indicates that we are talking about this malware. Okay, so this is kind of like the basics of network defense, or, you know, kind of like cyber security, at least against malware: you're finding these signatures within files that indicate that this is a piece of malware, a specific piece of malware, or at least something that's malicious. So I might look into the code and I find a place where it loads DLLs in a very specific way, and I say okay, anything that loads DLLs in this specific way is malware.

Well, another part of the cat and mouse game is, okay, well there are also perfectly benign programs that use that specific byte string or use that specific way of loading DLLs, so you can't just say that everything that does it this way is malware, otherwise you're going to be blocking a bunch of perfectly legitimate software. This is something that I have had to deal with constantly in the cyber security space with my day job and with other research that I've done. So this signature building is actually very difficult: you're trying to find specific areas within malware that indicate maliciousness, but it only indicates maliciousness, it doesn't indicate anything else. It's incredibly difficult. I'm not going to get too far into the weeds in this video because we're talking about cryptors.

So the reason why cryptors make it more difficult for people who create malware is that it takes the malware, and instead of it just being that malware, we're going to run it through another layer and we are going to create a second piece of code, okay, or not a second piece of code but kind of like a second executable. This is going to be, let's just call it crypted, because cryptors can work in several different ways. You can literally just base64 encode a piece of malware and create a stub or some kind of program that deobfuscates it, or takes it from a base64 piece of code to its raw binary form, and that will actually trick a lot of AVs, because a lot of AVs are very very stupid. So I'm going to call it crypted because it technically sometimes can just be being encoded, and that's going to take these bytes and transform them into something different. We're going to call this piece of code red. So this piece of code is changed in, you know, different ways: it can be encrypted, it can be obfuscated, it can be just different. Okay, so we're changing the entirety of this code. I'm not going to spend all of that time writing it out in zeros and ones, you kind of get the picture, and it creates an encrypted version.

The reason why this is more difficult to detect is that now all of a sudden this piece of code might mean we're going to load this specific DLL, or we're going to make a call out to this, you know, C2. So that may be what's represented by this piece of code, and in this encrypted piece of code that's not present anymore. You don't see the same strings, you don't see the same, you know, raw binary format; you're going to have the encrypted version. Now here's the difficult part, and crypted, at least this right here, is not runnable by the machine because it's encrypted. This is no longer raw binary format. So what will end up happening is you will have the real code here and you will have a stub. So this is going to be the stub, so this right here is the encrypted binary, let's just call it the obfuscated binary. Okay, so what the stub's job is, its job is to take all of this right here and turn it back into the original malware form while it's running. So the stub is actually executable code that will then decrypt or deobfuscate the code that is bundled with it, that is the encrypted code here or the obfuscated code, and turn it back into the original malware code, but it usually does it in memory. So it's not just going to decrypt it and drop it to disk, though it can do that; that's actually going to be the example that we see here in a second. So it makes it a little bit more difficult to create a signature, because this stub isn't inherently malicious, it's just doing normal deobfuscation stuff. So you can't necessarily call deobfuscation malicious in the same easy way that you can call calling out to a C2 malicious. So it's much more difficult to create a signature based on the stub, and it's very very difficult to create a signature based on the obfuscated binary, but there are still ways that, you know, network defenders can do it. We're not going to talk about that as much as we are going to talk about cryptors.

So this cryptor right here, fairly simple. At a high level what this cryptor is essentially doing is it is creating an obfuscated binary using AES encryption, and then it appends the key at the very end along with some padding, and then it creates a stub that is going to take that encrypted binary that is bundled with the stub, it is going to decrypt it, and then it's going to drop it into memory. And it's also got a couple of pretty cool add-ons we'll talk about here in a second. It's got, you know, the ability to run it quote unquote fileless, so it's basically going to load that binary into memory and run it, you know, basically like that instead of, you know, dropping it to disk, and it's got some anti-VM stuff as well.

So let's walk through the code. So this is a Rust project, because that's all I do anymore is just malware Rust stuff. We've got two different parts: we've got the encryption part and we've got the stub part. I'm not going to show an actual walkthrough of the code because I'm actually in the middle of kind of pseudo rewriting this, not fully rewriting it, but basically rewriting it in such a way that it's a little bit easier to use, so I'm not going to show a full demo of this, but you can also access it on GitHub pretty easily. So this Crypt part is the first part that we're going to talk about. Let's look over here at the source and look at main. So here's the part that I actually contributed. It's very very minimal; basically all it's doing is, instead of requiring a specific file name to encrypt, you are able to pass that as an input argument, which, you know, again, it was a matter of like a couple lines of code, like five lines of code. But essentially what it does is it takes an input file name and it is going to encrypt that using AES encryption and it will output a key. So here is the encrypted: this is going to be the file that ends up holding the encrypted bytes, and it's going to create this key.

Now AES encryption depends on a set block size, usually of size 16 I believe. Yeah, so AES-128 requires a block size of 16. In order to ensure that you've got block alignment there, you add padding to the blocks, or at least to one of the blocks. So that padding size will basically be the difference between the block size and the required block size. So if you've got a block of size 12, you basically add six bytes of padding to that and you will have a block of 16. That padding is usually just null bytes, so yeah, that's where you set the nulls there. You create a random string using the StdRng from_entropy function here, you're going to fill those bytes, so basically that's what's actually creating that padding there, and you are generating your key from a slice, you know, so fairly simple stuff there. So that's actually creating the key; that's not doing the padding. The padding is done down here I believe. So for every single block within your padded plaintext bytes (so that padded plaintext byte is being created right here, so we're extending that array by that padding size, that's where that's actually happening; if I were paying attention to the code I would have known that already), we're going through each individual block and we are encrypting it. So that's using that key, right, let's see, so that's that cipher which is being created with the key right here, and then you're encrypting it and writing it out to disk. So that's that encrypted_file.write_all, and you're writing out those encrypted bytes, and that is writing out the key as well. So what you'll end up getting is you'll have an encrypted block of bytes and you will have the key that is output. So that is part one: you are encrypting the file.

Now the second part: basically if you drop that encrypted file and the key down to, you know, a victim, you wouldn't really be able to do much with it without, like, directly AES decrypting it with that key. So that's what the stub is doing. So that second part of code back here, which he has basically broken out into two different Rust code bases; what I'm planning on doing is just kind of combining those, and that's going to be my next contribution in this open source project. So if we look over here at the stub, this is what is actually doing this stuff. So you've got an inside VM function here, but you are creating the infected directory. So this is what is actually running on the victim, by the way; this stub is actually going to be running on the victim. So when you see this: is in a VM, create the infected directory, establish persistence, things like that. It actually uses the same persistence mechanism that I use within my malware that I'm writing. So it's establishing persistence, and then it is decrypting the file into PE bytes, and it is running it in a fileless manner. So we'll walk through that here in a bit. So this decrypt file here, actually let's start, there's a better place to start, let's look down here. So you're creating the directory here; that's where you're actually just creating the file, or the folders, where you're going to, you know, do all of this stuff at. You are grabbing the name of the current executable. Let's see, let's skip down a little bit. You're basically, here, he's got a pretty interesting way, that I'm going to steal a little bit, to create a hidden file or a hidden directory, which is kind of neat. And let's see, establishing persistence like I was saying: this is basically the way that he is establishing persistence, which is similar to the way that I'm doing it within my malware. He's using the, I believe he's using a different library, he's using winreg. So he's using winreg, I'm doing the full, like, Windows API calls. winreg is probably a better way to do it, but I'm not doing it that way. So he's establishing persistence by setting up that registry key within Run, which is the way most malware does it, I would think.

And this fileless here is what is actually interesting. Fileless uses memexec, which is a way of executing memory directly in memory instead of executing a file. You have to use unsafe for that because you're accessing memory and Rust doesn't really like that very much. So let's see, PE bytes equals decrypt file: that's going to be where we're doing all of the fun stuff. So we're grabbing our encrypted bytes right here. Now this is the interesting part, and this is the part that I don't really understand that well, which, you know, kind of sucks since I'm doing a full walkthrough of it. This is going to be something that I do a little bit of research on throughout the rest of the week. Rust has a macro that's called include_bytes, and basically what include_bytes does is it runs at compile time and it allows you to include bytes from another file within the malware itself, or within the program itself, sorry, and you can refer to those bytes within the program. So what's really interesting here is that this include_bytes macro runs at compile time to append the bytes to the end, or I believe, yeah, I would think it would be to the end of your executable, and then within the executable at runtime you can refer to those bytes. So this is perfect for a cryptor, because essentially what a stub cryptor setup is, is you've got the stub and you've got the included encrypted bytes, and that's, you know, kind of how you do everything. So you're making reference to those encrypted bytes here; you are grabbing the key bytes in the key file, which uses the same include_bytes here. So I believe technically that does append it to the end, so I was actually wrong there. So you're actually referring to the included bytes within key.txt, which are included within the malware itself, and that's done at compile time like I said, and you are reading those keys into your key file reference here, and then you're doing the full decryption.

Now what this does, which is interesting, and I actually like this approach a lot, is all of this happens in memory, so you don't ever actually have the encrypted binary being written out to disk, which makes it a little bit more difficult to defend against it. Because, you know, if you've got an endpoint EDR, so something like a traditional AV that scans files that are being written out to your system, they're going to be able to catch things fairly easily that are being dropped to disk. So if I dropped a piece of malware straight to disk, that AV is probably going to catch it fairly easily. With this, the encrypted bytes are kept in memory, they're never actually written out to disk, and then they are actually run from memory as well, which is what that fileless function does there at the end. So here we're doing our decryption block by block and we are writing it out to the decrypted bytes object here. So that is, yeah, right here, so that's that vector right there, you're writing it out to that vector. So here we're doing the actual removal of the padding itself, and you are returning the decrypted bytes. So when we go up here to, let's say, decrypt file, you're getting those PE bytes and then you are passing that to the fileless function. So if we look at function fileless one more time, all you're doing there is executing that memory directly; instead of writing it out to a file, you are executing that memory directly.

So this is a really really good project to look at if you're trying to kind of learn how cryptors work from a really high level. I actually learned a ton from this, including that include macro that I'm going to use within my own cryptor that I'm writing. That might be kind of a spoiler, but probably within the next couple of days I'm going to put out a video on my own cryptor. I'm going to call it Scrambler, and I'm going to open source it as well, and that's also the subject of the research week that I'm doing within my Discord server. If you become a member of my Discord server you get access to all of the research weeks that we're doing. This week we're doing cryptors; next week we're going to hold a vote on it, but it's more than likely going to be peer-to-peer networking within malware, which is always an interesting subject. But yeah, if you're interested you can join the Discord for free, just be a normal person in the Discord. If you want to become a member, $8 a month through sub. I'll leave a link to that as well. That's about it, take it easy, peace.
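The block alignment, null padding and stub-side padding removal described in the walkthrough, as an added Rust example that is not the project's code: every function name here is an assumption, and because the real tool's AES-128 block call comes from a crate that is not available offline, each 16-byte block is put through a keyed XOR that stands in for it (same block size, same pad and unpad logic). It also shows the caveat a practitioner would check: stripping trailing nulls is lossy for a payload that itself ends in zero bytes, which PE files often do, and PKCS#7 padding avoids that ambiguity.

```rust
// Added example, not the project's code. Mirrors the pad / encrypt-per-block /
// decrypt-per-block / strip-padding flow from the walkthrough. The per-block
// keyed XOR below is a stand-in for the AES-128 block call, NOT a cipher.

const BLOCK_SIZE: usize = 16;

/// Number of null bytes the Crypt step appends so the plaintext length is a
/// multiple of the block size (0 when already aligned, e.g. 12 -> 4, 16 -> 0).
pub fn padding_size(len: usize) -> usize {
    (BLOCK_SIZE - (len % BLOCK_SIZE)) % BLOCK_SIZE
}

/// Extend the plaintext with null padding, as the walkthrough describes.
pub fn pad_with_nulls(plain: &[u8]) -> Vec<u8> {
    let mut padded = plain.to_vec();
    padded.extend(std::iter::repeat(0u8).take(padding_size(plain.len())));
    padded
}

/// Stand-in for the per-block cipher call (keyed XOR, not AES). It is its own
/// inverse, so the same function serves both directions.
fn transform_block(block: &mut [u8], key: &[u8; BLOCK_SIZE]) {
    for (b, k) in block.iter_mut().zip(key.iter()) {
        *b ^= k;
    }
}

/// Crypt side: pad, then process block by block (the encrypt loop).
pub fn encrypt(plain: &[u8], key: &[u8; BLOCK_SIZE]) -> Vec<u8> {
    let mut out = pad_with_nulls(plain);
    for block in out.chunks_mut(BLOCK_SIZE) {
        transform_block(block, key);
    }
    out
}

/// Stub side: decrypt block by block into a Vec, then strip trailing nulls.
/// Rejects input that is not block aligned, as a real decryptor would.
pub fn decrypt_strip_nulls(enc: &[u8], key: &[u8; BLOCK_SIZE]) -> Option<Vec<u8>> {
    if enc.is_empty() || enc.len() % BLOCK_SIZE != 0 {
        return None;
    }
    let mut decrypted = enc.to_vec();
    for block in decrypted.chunks_mut(BLOCK_SIZE) {
        transform_block(block, key);
    }
    while decrypted.last() == Some(&0u8) {
        decrypted.pop();
    }
    Some(decrypted)
}

/// Caveat: a trailing-null strip cannot tell padding apart from genuine
/// trailing zero bytes in the payload, so the round trip is lossy for them.
pub fn round_trips_exactly(plain: &[u8], key: &[u8; BLOCK_SIZE]) -> bool {
    decrypt_strip_nulls(&encrypt(plain, key), key).as_deref() == Some(plain)
}

/// PKCS#7 alternative: the pad byte value encodes the pad length (1..=16),
/// so the stub removes exactly the padding and nothing else.
pub fn pad_pkcs7(plain: &[u8]) -> Vec<u8> {
    let n = BLOCK_SIZE - (plain.len() % BLOCK_SIZE);
    let mut padded = plain.to_vec();
    padded.extend(std::iter::repeat(n as u8).take(n));
    padded
}

pub fn unpad_pkcs7(padded: &[u8]) -> Option<Vec<u8>> {
    let n = *padded.last()? as usize;
    if n == 0 || n > BLOCK_SIZE || n > padded.len() {
        return None;
    }
    if !padded[padded.len() - n..].iter().all(|&b| b as usize == n) {
        return None;
    }
    Some(padded[..padded.len() - n].to_vec())
}

fn main() {
    let key = [0x5au8; BLOCK_SIZE];
    // Constructed sample: a PE-like header fragment that ends in zero bytes.
    let payload = b"MZ\x90\x00\x03\x00\x00\x00";
    println!("null padding round trip exact: {}", round_trips_exactly(payload, &key));
    let p = pad_pkcs7(payload);
    println!("pkcs7 round trip exact: {}", unpad_pkcs7(&p).as_deref() == Some(&payload[..]));
}
```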
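The video only says that network defenders still have ways to catch a stub-plus-encrypted-blob layout. One such check, added here as an illustration and not taken from the project: ciphertext has a near-flat byte distribution, so a sliding-window Shannon entropy scan over the binary flags the embedded region without needing a signature on either the stub or the payload. All function names are assumptions, and the "stub" image is constructed inline, with a splitmix64 stream standing in for the AES output.

```rust
// Added example, not the project's code: a defender-side entropy scan for an
// embedded encrypted blob. Everything here is constructed for illustration.

/// Shannon entropy in bits per byte (0.0 ..= 8.0) of a byte slice.
pub fn shannon_entropy(data: &[u8]) -> f64 {
    if data.is_empty() {
        return 0.0;
    }
    let mut counts = [0usize; 256];
    for &b in data {
        counts[b as usize] += 1;
    }
    let n = data.len() as f64;
    counts
        .iter()
        .filter(|&&c| c > 0)
        .map(|&c| {
            let p = c as f64 / n;
            -p * p.log2()
        })
        .sum()
}

/// Scan `image` in fixed windows and return (offset, len) of each maximal run
/// of consecutive windows whose entropy is at least `threshold`.
pub fn high_entropy_runs(image: &[u8], window: usize, threshold: f64) -> Vec<(usize, usize)> {
    let mut runs = Vec::new();
    let mut current: Option<(usize, usize)> = None;
    for (i, chunk) in image.chunks(window).enumerate() {
        if shannon_entropy(chunk) >= threshold {
            current = Some(match current {
                Some((start, len)) => (start, len + chunk.len()),
                None => (i * window, chunk.len()),
            });
        } else if let Some(run) = current.take() {
            runs.push(run);
        }
    }
    if let Some(run) = current {
        runs.push(run);
    }
    runs
}

/// Constructed stand-in for the encrypted payload: a splitmix64 stream, which
/// has the flat byte distribution real cipher output has. Not cryptographic.
pub fn pseudo_ciphertext(len: usize, seed: u64) -> Vec<u8> {
    let mut state = seed;
    (0..len)
        .map(|_| {
            state = state.wrapping_add(0x9e37_79b9_7f4a_7c15);
            let mut z = state;
            z = (z ^ (z >> 30)).wrapping_mul(0xbf58_476d_1ce4_e5b9);
            z = (z ^ (z >> 27)).wrapping_mul(0x94d0_49bb_1331_11eb);
            (z ^ (z >> 31)) as u8
        })
        .collect()
}

/// Constructed stand-in for the stub: 4096 bytes of low-entropy text-like
/// filler on either side of the blob, mimicking code around included data.
pub fn build_sample_stub(blob: &[u8]) -> Vec<u8> {
    let filler: Vec<u8> = b"stub code stub code stub code stub code "
        .iter()
        .cycle()
        .take(4096)
        .copied()
        .collect();
    let mut image = filler.clone();
    image.extend_from_slice(blob);
    image.extend_from_slice(&filler);
    image
}

fn main() {
    let blob = pseudo_ciphertext(8192, 0x1234_5678);
    let image = build_sample_stub(&blob);
    // Expected: one run starting at offset 4096 covering the 8192-byte blob.
    for (off, len) in high_entropy_runs(&image, 512, 7.0) {
        println!("high-entropy region at 0x{off:x}, {len} bytes");
    }
}
```

A window of a few hundred bytes and a threshold around 7 bits per byte separates ciphertext from code and text well; compressed resources also score high, so the flag is a triage signal, not a verdict.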