1
00:00:00,000 --> 00:00:04,000
hello and welcome to this new lesson
2
00:00:07,533 --> 00:00:14,466
fingerprinting means generating a cryptographic hash value based on the malware content.
3
00:00:14,466 --> 00:00:19,632
hashing is meant to verify that a file or piece of data hasn't been altered.
4
00:00:20,633 --> 00:00:24,499
fingerprinting uniquely identifies a malware sample
5
00:00:26,200 --> 00:00:31,200
we'll perform fuzzy hashing to compare files for similarity
6
00:00:37,433 --> 00:00:44,466
So, first let's start our Windows virtual machine
7
00:00:55,933 --> 00:00:59,933
Here we go, the first thing I wanna do is visit this site,
8
00:01:01,833 --> 00:01:05,833
get the link in web resources
9
00:01:05,833 --> 00:01:22,999
on this web page we'll be uploading our binary, or malware sample, named Rams1, then we'll get its hash value or fingerprint
10
00:01:23,000 --> 00:01:34,333
a hash value could be generated by different algorithms like md5, sha1, or sha256.
11
00:01:34,333 --> 00:01:45,466
so on this site we can get the fingerprint of our Rams1 binary with any of these three algorithms
12
00:01:45,466 --> 00:01:55,132
And of course you can get the fingerprint from tools like PE Studio, so now we're gonna see the hash generated by this tool.
13
00:01:55,133 --> 00:02:01,199
don't forget to run it as administrator
14
00:02:04,400 --> 00:02:09,900
now this time I'm gonna use the project Rams1, which is a ransomware compiled in C# with Visual Studio
15
00:02:09,900 --> 00:02:13,666
so let's get the project folder
16
00:02:13,666 --> 00:02:20,599
by the way, we have an entire section dedicated to the Rams1 ransomware later, and you have full access to the source code.
17
00:02:23,100 --> 00:02:25,366
here it is, our Rams1 project
18
00:02:28,400 --> 00:02:38,066
Visual Studio creates this directory structure, and we are looking for our executable in the bin folder
19
00:02:41,000 --> 00:02:48,900
we see PE Studio has generated the same three hashes we saw before
20
00:02:48,900 --> 00:02:55,466
if you compare these with our online tool, they must be the same.
21
00:03:00,933 --> 00:03:15,699
same content, same hash values or fingerprints.
22
00:03:16,400 --> 00:03:22,766
finally let's see the hash generated by CFF Explorer
23
00:03:22,766 --> 00:03:27,832
you'd rather have several tools at hand, although it seems redundant
25
00:03:28,666 --> 00:03:35,232
your analysis will be enriched by combining this info; there we see the hashes.
26
00:03:35,733 --> 00:03:41,799
now I'm going to do a demonstration to prove how hashes are unique
27
00:03:41,800 --> 00:03:45,500
and they are attached to the content
28
00:03:45,500 --> 00:03:52,633
I'll be using Visual Studio; you don't need to do this, you'd better just watch.
29
00:03:52,633 --> 00:03:58,533
What we have here is the Rams1 project, I am gonna copy this executable to the desktop
30
00:03:58,533 --> 00:04:03,533
and open it in PE Studio to expose the hashes
31
00:04:31,566 --> 00:04:40,366
What I am gonna do is a small change in the Rams1 code and see what happens with the hashes
32
00:04:40,366 --> 00:04:46,332
so let's open the code, and I'm going to add a class
33
00:04:56,833 --> 00:05:00,833
I named the class delete3
34
00:05:03,733 --> 00:05:08,833
and now I'll build the executable again
35
00:05:11,000 --> 00:05:15,000
there we go
36
00:05:15,000 --> 00:05:19,000
and it's ready
37
00:05:23,533 --> 00:05:29,533
now I'm gonna open the executable I just built in PE Studio
38
00:05:36,900 --> 00:05:40,900
and now I can compare hashes
39
00:05:44,300 --> 00:05:52,566
remember, on the left we have the hashes of the binary from before, and on the right side, the binary we just modified.
40
00:05:52,566 --> 00:05:58,566
they are different because even a small modification causes the hashes to change
41
00:05:58,566 --> 00:06:05,566
and that's what the fingerprinting technique is for, to identify your binary.
42
00:06:06,066 --> 00:06:09,766
Now I'm gonna talk to you about fuzzy hashes
43
00:06:09,766 --> 00:06:14,132
imagine you have a Rams1 binary and you already got the hash
44
00:06:14,133 --> 00:06:20,899
Remember, the tiniest change in the input will output a completely different hash value
45
00:06:20,900 --> 00:06:26,266
now the attackers add a new functionality to Rams1 and release the malware.
46
00:06:26,266 --> 00:06:30,332
now let's say you managed to get infected again
47
00:06:30,333 --> 00:06:34,333
so the question is: are you infected with a new malware?
48
00:06:34,333 --> 00:06:38,366
If you compare hashes, they seem to be two different binaries, right?
49
00:06:38,366 --> 00:06:44,366
but that doesn't make much sense, because it is the same malware with a slight improvement
50
00:06:44,366 --> 00:06:45,632
So what you must do is compare these binaries to see how much they are alike
52
00:06:50,333 --> 00:06:57,433
this is a fuzzy comparison, and we have a tool for that, named ssdeep
53
00:06:57,933 --> 00:07:04,833
so I'm gonna compile two binaries; in one I'll make a small source code change
54
00:07:04,833 --> 00:07:08,799
and then we'll use ssdeep to compare them
55
00:07:12,966 --> 00:07:16,966
ok this binary is ready, let's save it
56
00:07:26,466 --> 00:07:33,366
ok, now I'm going to add some random class to our project just to change the binary a little
57
00:07:52,266 --> 00:07:58,232
we modified this just a little; now compile it and build our new binary
58
00:08:07,833 --> 00:08:11,833
now we've got two binaries, let's change the name of this first one
59
00:08:26,333 --> 00:08:33,199
now I'm gonna copy our two binaries into the same directory our ssdeep tool is in
60
00:08:51,066 --> 00:08:56,866
ssdeep is a console application, I have it ready
61
00:09:00,133 --> 00:09:05,066
you'll find these instructions in the tool documentation
62
00:09:05,066 --> 00:09:10,232
and as you can see these two binaries are 55% alike
63
00:09:10,233 --> 00:09:16,566
so even though we changed it, this tool is telling us it is the same malware
64
00:09:16,566 --> 00:09:21,932
or at least it belongs to the same malware family
65
00:09:21,933 --> 00:09:27,099
please join me in the next lesson to look for strings in our malware sample