Malware Analysis Part #1: Basic Static Analysis

Captions
I have a lot of certification primarily coming from networking and security occasion development and also fancy part of course I have a hacking forensic investigation incident responding this is my shortened a shorter email address John down at gmail duck normal back I'm sorry and this is my twitter handler okay let's go so today I will cover basic analysis basic static analysis and also basic automated analysis and those are basic dynamic Alice's so these three things that we are going to cover today I'm going to share the slides with you guys so you can download the tools if you want and not all of them have to be in your system but you may at least be aware of those there are some products that help you to do some analysis on that so primarily when we started to analyze a malware work we don't use you submitted two wives total directly it's us and you know people usually think that if we stop me the malware to go right up so that it's a good idea for incident response it depends actually if it is something that you think that the malware submitting the virus Adele is not a big problem is that you can submit it but if you are faced with an apt and if you submit your malware to write asoto you're letting your attacker that you already catch kids malware okay so it depends sometimes you may start from automated analysis or maybe start with the basic analysis okay so that's why i usually prefer basic analysis first if i wanted to submit something i submit the hash first and then if i figure out that the malware is exists before then i may consider to submit the whole and malware so just keep in mind that starting point is usually the basic analysis a lot you know it's not there you know the automatic and automatic analysis okay so in baby guy knows what kind of things that we need to take a look at that so first of all in order to analyze that piece of artifacts or piece of you know potential malware we need to know that it is really malware or not so and also we 
need to identify them what kind of malware my kind of programming language it contains and then we can use the some of these tools to analyze and figure it out what is going to do this piece of malware okay so we're going to take a look at the for example some c sharp tools which will help us you know reverse engineering on that soon and also we will take a look at the some Android malware and we will use JD grief with the x2 jar effort and also we will take a look at the defendants to work on in order to figure out that whether there is any you know executable file but what kind of executable we need to identify whether it's a you know C C++ family executable or it's a c-sharp you know if it is c-sharp it's helped a lot okay so how many people know that c-sharp codes are actually can be easily return to the source code interesting you didn't know that if a code is written if they're male way is written in C sharp we can go back to the source code easily okay I'm going to show that thank you gotta love that that's that that's a big big clock but if it's read them in C C++ it's not that easy actually it's almost impossible okay and then we will use some tools to analyze the arm you know basic part and then we will go to the automated analysis and at this point we think that hey I think we're in a position that we need to run this malware in an environment that we can get to some extra help for mother - first of all why so dull malware analysis and there's another one hybrid analysis third expert of course kouko-san back and you can use your own cookus and backs of course so things like that and then after we get enough results with static and you know automatic analysis we will consider to do some dynamic analysis as well in the dynamic analysis we're going to run the malware in a sandbox in a controlled environment and we will figure it out what this Mao is trying to do okay what kind of DNS queries what kind of IP connections what kind of activity is happening on 
the file system is it trying to lock something is just trying to write something so two things behavior of the malware we need to identify and so in this dynamic analysis section we're not going to just topically go to malware and just run it of course we would like to keep the malware you know as as protected as possible first so for example we will lock the DNS queries with a better DNS and also we will simulate some internet like a your honor I netsim and then we will understand that hey this malware is trying to connect with that server with the IP addresses I'm trying to get this thing so you can you know create a copy of that thing to your simulated internet environment and then treat the malware to do something ok and then we will approach you some of the system internal tools to analyze the what's happening on the file system in terms of which processes are running and you know what kind of registries are running what kind of files you know created or deleted things like that first process hacker or if you're a process Explorer event that's also fine we will take a look at the process hacker to analyze malware and what kind of communication it is trying to do and by the way you may need everything search because it's everything search actually indexing the all files names on there on an operating system it's easy small tool indexing the whole file names and putting in as searchable you know list so you can quickly search for the file name ok because in this environment you may need to find a file somewhere and this really helps you to find that very quick ok because we know search you know that it's not indexers right if you use Windows it's trying to fly look at every single files one by one but instead this thing is just searching for the list of file ment already compiled and Wireshark we already covered that before and we will take a look at the traffic of that piece of malware and at the end of this dynamic analysis I'm going to show ya it's not a 
malware but malware developers use a lot of techniques that is exists on that executable so these techniques are known by the malware creators as also they know that they're going to use this so if they know that you're going to use these tools to analyze their malware's okay so that's why they are using some anty anty let's say anti-malware and also Cigna success so those kind of techniques can be you know forced you to do through some advanced and a static analysis by using the Ida and also only debugger unless you're not for me course and others it is actually two of them are identical and then we will do some advanced dynamic analysis with the same tools but it's how we're going to run the mail with okay we then in and you know again and at sandbox environment we will know that the bow is trying to do something in our system and there is a really important rule that you have to have a snapshot on that Bart's virtual machine because you will eventually infect your machine while you are doing that dynamic analysis okay because it's the malware if it is do they think that it is planning to do then you're going to run it's going to infect your machine itself it doesn't matter where you are doing for training purposes or not it is a ransomware it's going to lock your file okay so that's that's an important rule and in this case we are going to take a look at the some of the anti anti analysis techniques which means malware and malware creatives know that our analyzers technique and they create some anti analyzer techniques and we are going to use some of the anti internal Isis techniques to analyze their you know advantages so that's it curious now but let's start with the basic static analysis so the basic analysis are going to be this meetup and this advanced analysis are going to be in the next Meetup okay so I wanted to start with a couple of you know P and P analysis so I have a I have two editions in my environment so one is this Windows box the Windows boxes 
actually include a lot of static analysis tools and actually I've shared the pretty majority of and pretty much of them with you guys but if you wanted to ask for these what is this and what is I'm going to explain that since doing meeting Samhita and another one is actually a small test environment so this is the bottom of that I never run a malware just for set again else is nothing else okay but I have a separate Edition which is this one windows 7 malware tests this environment I'm running the malware is actually and trying to figure out what is this thing is trying to do okay so let me run this and let me say don't upgrade and as you can see guys here I have a I have a virtual machine and it's not well virtual machines and snapshots let's say that shots here so I have a snapshot here I can easily come back to this point so let's say it's a snapshot this is the thing that we have to do multiple times during the malware analysis okay all right yeah yes exactly by the way if you are dealing with a malware it has it potentially it has a potential to escape from sandbox environments let's say somebody found them zero day exploit on VMware fusion that allow them malware to escape from virtual machine to a host machine that might be the first scenario that happened to you but I don't know that never happened to me yet but yeah that's they argue later progressed I don't know so um let me quickly fix something here display all right so let's start with some of the malware that we can do for this static analysis so let's start with let's start with a funny thing okay so let's start with this one okay let me copy this and put it in my mouth we're setting analysis machine and now let me create a temporary folder here I already have one but when you create an algorithm if it is here okay the first thing we need to do is what kind of malware is this okay so the here is the problem if you see an extension that says that Exe doesn't mean that it's an executable okay there are 
there might be multiple reasons first of all in Windows by default the extension is hidden okay remember that if you're using mint windows you need to disable the hiding the extension okay and it is under this menu for this um two stronger options leave and yeah what is it yes hi the extension of a known file size so it is known by you but it's not known by me so if I see something like this it doesn't mean anything for me even if I see it still doesn't mean anything but at least we have an idea that it has an executable and the default handler for executable is bit slower okay so when you click on that the Explorer is going to run this executable okay so we know that but we need to prove that this is really executable how do I know that in Linux environment you are using a ram Knox or Kali Linux or any other so you can use file command ok file and just give the file name okay when I say that it says it's a p32 executable and it's also giving a lot of information and saying that it is model slash dotnet assembly which means it's a dotnet code and dotnet executable which is brilliant you know luckily there are a lot of malware developers they don't know how to write in C C++ that's a big plus for us they are using C sharp and there they don't know of code obfuscation that's good good thing for us so if we're in that position we are actually have a big class so let's let's understand it without even running that ok so what I'm going to do is first I'm going to put it in my c FF explorer so try to figure it out whether what kind of sections it has it will give me a lot of idea as well so tff explore I already mentioned that in my slide and also I shared the link so you guys download that from that URL so if I move that again I see a lot of information here and also it is saying that this is Windows 32 much you know windows we just studio.net assembly which is perfect and as you can see guys it's version number is not illegitimate so if you see something like this it 
means they develop at home ok this is something that you can't see in a real Windows applications right so it is obviously a non professional ok so this is something and also you see that it is modified as also puts when if you've seen so it is another idea that gives us and of course you can take a look at the headers but I'm gonna I'm not going to dig into the details of this header but some of the important ones that I wanted to show you guys that net directory they decided to gives you a lot of information and let me show you the tables ok ok let me actually show this table ok so here it says methods and also there are a lot of methods here there are a lot of parameters here so and also memory references although they are a little bit complicated but I certain on the center right so some select character mags resource so these are the function names but it's little bit obfuscated it's not a professional application but at least it's that there is an obfuscation in there in here so there are something going on here so first of all we have an idea in a normal dotnet application you don't see something like start functioning like this so let's find a legitimate dotnet applications first and let me see what we can find it ah let me show you this everything so fiddler okay fiddler is right here oh yeah maybe foreign language as well but I believe that if they are using a kind of you know garbage letters it's trying to you know trick the aniline analyzer so I usually don't trust them so for example this is fit look assembly code I mean the method is it reinforced pressure as reported session sidestream session late so I see a really human readable function names in fiddler by the way fiddler is written in that map you know that before that's why I quickly jumped that but I can easily take a look at here how many people use the syllabus works great fiddler is a really good proxy web proxy local proxy and running on Windows and Vitamix so you guys can use that and it's 
also written in dotnet and again I see a good function names here but my singing my executable somehow have any interesting you know functioning so we signed a bunch of names it doesn't mean anything for me so that is something that I need to worry about so how can I get the source code of this thing because it doesn't mean anything right so this is the tool that you can use for that I also mentioned that in my presentation as well IL fi' actually how many people have heard red gate reflected before red plate reflected this is actually the very first version and eye-fi is also another version of that so let me get rid of this and get rid of this as well no I don't want to download it right now so this helps you to reverse engineer the dotnet application switch sources so here's the magic exam if I drag and drop my executable file here here I've given the commands here Sam malware c-sharp meta prater natural something and using something so here is the mask or lip and there's call it functions as well so this is a function should be a plot or function but it's a it has a - name and also this is this is the main function that the application when it's run it is running this program and then it runs this one so this is the source code of this pizza executable this is fabulous right when I see the first time I really surprised us so let's analyze this this is a t-shirt code obviously and we see the function here private study group and interesting file name is an accessor function here so those functions are all produced by as a you know overloaded method here is just this class as a functionally it's a two parameter this one in this one so this is not a legitimate application so let's compare it with fiddler as well again let me drag and drop here fiddler so as you can see guys fiddler autoresponder autoconfig and now it's again function by the way it was very very strange and unexpected to handle anyway let me click on any any of these things okay if you see you can 
see that signal application right say event argument and you know get them set function it's really readable and it's nice-looking right human readable and it was also you can see there you know commands or physics acute about which is perfect and also if you wanted to develop this code by yourself if you wanted to have the executable codes you cannot you cannot sort of copy and paste to a file create the source file but I outside has a fabulous features if you click on the executable and then file and then save course it's going to create your teacher project that is citizen desi Idol like that see here so you can get to see shortcodes as a project and you begin to develop that and you begin to you know modify that called and compiler that's that easy so let's come back and as you can see normal executable they usually don't hide their function name hiding function name is something unusual I'm nothing that means that it's malware but it's unusual okay and malware's are usually unusual sir yeah I mean you can come up with some meaningful names and you know try to figure out what this function name is kind of look like for example Oh business is taking a stream and returning at charlie or fishing with something websphere 256 I think it's a kind of a shifting over three and you know checking for a 92 we cool and so it's a kind of encoding obviously this is also another way to obfuscate the code so probably there are something here and they are not human readable and I he doesn't want to easily code by the source code analysis then he just wanted to hide this thing and this thing's probably speed decoded with this piece of you know code segments and then it will be there they're functioning that we are looking for so as you can see guys then it is certificate here so 15 here at the cell policy peers which means either there's a as a cell communication or there is a public infrastructure is going to be lamented so that is another thing that we understand here let's 
scroll down here and let's see what else we have here and as you guys say the best line it's a dotnet class library it's a web client it's going to create a web application or a piece of every quest with these headers user agent la jolla something except any language and any kind of things and some or some data and the length is similar smooth and this one is going to do the rest okay so that is interesting obviously it's gonna download something from somewhere you don't know but we know that it's going to download from somewhere and here's the thing finally we see something main function main function has to be named with me no way tend not be renamed so if you change the name function so let's say another garbage thing here it's not going to work because whenever an application runs it runs with manufacturing first and it has to have a main name that's why domain is obviously me and I see some of the states random SiC here getting some random and here's another local dot 4:43 and getting some you know URL so obviously this is going to connect to my local machine which is up top down on my local and port 443 it's going to be yes connection and it's going to get some URL in order to download something and it's probably it's going to be run in the memory so as you can see guys if it is a c-sharp code super easy it will help you a lot you can easily understand of course you can analyze this encoding thing and reverted encoding thing and you sense you know open that URL segment as well so you can easily understand so this is one thing that you can do in a static analysis okay and let's find another malware which is not c-sharp code okay so in this case this is going to be our thing we wanted to analyze this let's copy this and actually before that let me copy this thing first by the way if you are working with real malware it's a good idea to change the extensions to something that is not executable okay so for example I usually put series hash at the end of the file 
so I can understand that this is something with this hash whenever it's changed something whenever it's modified I can easily understand that it's not matching with its name so it is something modified okay so this is something I already tell you the password how can I know that it's pack and how can I know that it's an executable again let's use the same technique let's move drag and drop this to my command line and figure it out whether this is an executable or not obviously it's an executable it doesn't matter if you change the extension as you can see the best engine is something really doesn't mean anything but it's so obvious that if it's an executable the file type is defined by this very first four bytes of a file okay it is not defined by the expansion expansion is actually related with the operating system but the first full byte is related with the file itself so you can change the extension of a file but the file itself doesn't change you're changing something on your operating system okay so that piece of the vital air byte array let's say this is something a lot of bytes right this thing is not changing whenever you change the file name okay because firelamb long so operating system permissions along to operating system but five belong to the file cell okay so that is why you never change the file name it's not going to change anything so and the zip file command in that you're checking the very first provide of else--if executable and then telling you that hey guys this is something executable okay so obviously it's executable and let's analyze with our PFF Explorer again so let's get rid of this we already take a look at that and I'm going to move it here okay so it's done when I look at it it's a portable executable but firing points upx verjus 3.0 that's interesting what is this what does it mean so let's find some regular application whenever you confuse something just find the regular application just compare it okay so it gives you a lot of 
ideas well while you're starting to learn something so I usually you know use the system internals to compare the things let's say control and and computer system in Sona was it okay yeah let's use let's use one of this and let's use ultra okay when I click on that it says much of a visual C++ portable executable but it's something meaningful so we usually expect in the file in protection what kind of programming language is being used remember in the c-sharp code we see something we just see do that that executable right but this time in this file we're looking at something Yuki X version 2.0 how many people know you px by the rejecting okay new px is actually Universal packager which means it's packed okay what is the difference between packed and unpacked file so now I know a free agent they already know what you're going to do okay they know that you're going to use some of the static analysis techniques they're going to know they know that you're going to use some of the drink analysis things like that so that is why they are hiding this feeling tense unless you run that executable okay so for example let me show you something in a bin text with it so these eggs there we go so bin text is actually a small executable which helps me to analyze to find all the strings in a executable file okay and I'm gonna use my executable to analyze its string okay and before doing that actually let me use an regular normal executable so for example fintechs itself have these strings okay see that the file is when you're 32 feeling files that are seeing as resource microsoft rate so so they were really human readable X right so you can easily understand the safe-sex file PHP file for my line things like that so this is a normal executable file looks like okay we usually see something in an executable if it is not obligated if it's not taxed we said something like this let me draw a drag and drop my potentially malware file okay so if I'd rather drop it here in this string 
making sense no and this is something if you see something there is a 90% chance that this is something malware okay you can easily identify this you are really facing with and let's say pact malware so you see this is a really good example of pack malware and this is a really good sector for fire and other malware so for example let's take a look at our C sharp example here and so here for example if I scroll down here I see these routes to exe remember and also I see the command and control center right so it's been closed in the static analysis so the malware author of this malware let's prove that right because we couldn't pass the first level further than others in this code it's not so even the aesthetic and viruses can catch this malware so it's not good that's why they are packing their executables what if that means let me quickly show you an example so in normal executable here's this code section let's say it is a CSV section and also rest of the file okay so this this part if it is open you know it's not packed you can easily read that and the malware author is appreciating this let's say a kind of encryption here okay and the encryption code the cripton code is embedded in the code section okay so in the very first segment of the executables there is this a piece of code that decrypt the rest of the file and use it for the purpose that's why we can't see the rest because when you run this in style it is going to be decrypted it is going to be plain text format and then you can catch it but unfortunately I see stage and the sarig analysis you can see there any chance that we can decode this since it's a UTI cubic the very well-known packager and there is an defectors available and cff can do that let's do that and see FF let's go back and let's you know if they you see AK file and here we have a UPS facility and I'm going to lick unpack here just say it is unpacked you get something TMP and it's embedded and you know created another version of these 
pack file so what I'm going to do is it's creating the file directly or dire needs to save it ok let's I'll save as let's say unpack so we save that file I think and let me drag and drop this files to here and let's see ok so in this case we're looking exactly the same file but this time it is a fact and we see that it's my source of visual C++ and let's analyze that in our bin texture saying because because you know a few seconds ago we see that it was a lot of there was a lot of garbage text but this time when I drag and drop I see again a little bit garbage but I will see something something meaningful if I scroll down like it is more there we go ok so Spanish China South Korea obviously there are you know name of fun that we didn't see before and also comes country names some language things and also you know some description here relating you and you know creating something downloading and this HTML is gonna do something you know download something and it's going to be an HTML thing and we see some HTML here here I seven piece of code and there we go cinco's download dot mega gasps calm so this is actually a piece of malware this when you we saw that it's change your you know before search engine and those of your homepage and also download some Edward things like that this is one of them okay I hate they don't do anything other than you know annoying you and it's not a serious malware is also I don't want to be standard stuff okay so installing some Edwards and things like that we can check out for this say they are also you know trying to increase the heat overhead their YouTube channel page things like that there are a lot actually we can you know what sorts get a lot of information when we see their stream text so it's obviously going to do some ad very related things and it's going to download something from media gets comm site and this is how you can get around and pack malware okay this is the second stage that you can actively use vintage and EFS and 
also those are unpacking UPA unpacking okay is that clear exactly how we can identify a pack file and also unpack that so there is a question maybe actually a lot of people are asking that what is this packing thing okay are this is okay is a file I think let's assume that this file this file was packed with some of the packages that we have never heard before let's say we see something said upx but it's not actually UPA something up in total resistance of the middle s whereas if I mean analysis advanced I am Galarraga so we know that in order to run this executable it hasn't cigrip the rest of the file right it's sub useful it doesn't leak rip that right you have to decrypt in somewhere and we can attach a debugger to this executable run step by step whenever this piece is decrypted we can pause this execution flow and then copy that content put it in the ball and put there you know hybrids and we can compile exactly the same executable which is in fact whether it's a custom package or or not doesn't matter we still done factors but this is the easy way to find anise and a lot of people in malware there was actually 75% of them are using ups because they don't know they write a custom package okay so this is a good thing let me give you a secret malware developers are not that professional as well so there are some professionals but majority of them are mid-level violence emergency work actually sits text embedded and also this tool is an annoyed with it's consistent with that things if it's not consistent with that algorithm it's just say that it's a custom ups but it's still relying on that text but this doesn't give up anything and unless it's what doesn't work it doesn't mean anything so it's made I can write my name over there so but I can't give you an idea at least okay so that is another thing and let me see what else to get a better cover ok so by the way there is a string executable available on the command line you can use it and I send the Linux and 
also Mac OS it has a string on but since usually we deal with a malware rather than a Windows environment you may want to use a pin tags as well so sunless is here I think but I'm gonna forget from ok let's let's take a look at some Android file and by the way what damages okay what do you see sighs people fans out there a lot people okay okay all right great so I have an apk file it's better happy a DJ and and I see a lot of applications on the private market that say download the apk file of this thing which is a cracked version which is a candy crush crack version or let's say at free version of this particular application not a lot of markets actually let me show you something except again but it's called shameless advertisement pretty nice browser yes for example here it's a ACMA free android app games download somewhere and it says free download it says you know exactly this is legitimate application you can find in a lot of ways we gotta hide the name but it says wealth management mobile application of something as you can see right here shutdown all is yes people are creating a lot of applications and they are putting in an apk format it doesn't mean that somebody is doing a favor for you and I'm going to show you something in the in the dynamic analysis correcting an application is extremely difficult practice really difficult and even in a super expert first people they spent a couple of days to crack an application and can you guys tell me a good reason why should I spend my two or three days to provide you a free application so the only idea I can provide your free application you can provide here free Android device okay so here's the deal if we like you on that we can do that so this is the thing that works so now it says in a cracked version of Office application we know that Windows or any kind of application if I don't if I'm if I were in their shoes if I don't embed a Trojan in that executable I'm not going to create that because I'm not a charged 
organization, I'm a hacker. I don't have any exit back steps watch, because I'm a hacker, and I'm not going to create your free application for just a donation to you guys, because your inside is also that you wanted to use an application in an illegal way, and that's a good deal. So you're on my side, you are all on the side of that person just like me, and let's do some bad things together, you know. You can... you get the idea. That's why if you see an APK file that says a free version, an ad-free version, a better version of that application, it puts... too difficult to create at 14 and buy this version. No, not only, I mean it depends. Some of the applications are actually just downloading the legitimate versions and making the... an application, sort of; if they got the same version, it's not ad-free, it's just a new... this text says ad-free or unlimited, you know, Infinity Blade applications so you can play forever, okay? But it's not the case. So let's assume that we have an APK file. How can we analyze it? So first of all, APK files are Java files, but they are Dex formatted Java files. We need to come up with a jar file from this APK file, so there is a way to do that, okay. So here's the thing: an Android application, when you are compiling, your code is converted into Dex. Let's say... not that first; first it's converted into a .jar library, and then it's converted into Dex formatted bytecode, okay? This is something like an executable, and you can come back to the jar file if you use the proper tool. So we can come back to the jar, and of course we can come back to the Java file; it is also perfectly valid. So there is a way to come back to the source code of an APK file by using the proper tools. Let's see them in action. So this time I'm not going to use Windows, because the Java Runtime Environment, if you... costs a lot of space. I have only Java Runtime in my host machine, but you can easily set up the Java Runtime Environment and Java in your host system, and then, you know,
because of things... oh, let me see, where am I now? All right, right here. So the tool actually should be in the list. Okay, yeah, there we go. So this is the dex2jar open-source project; there are Windows, Linux and macOS versions. It converts Dex code to the jar file, okay? So if you download and extract it, you will get a folder something like this, okay. It includes some licensing and also various versions of the tool set, but the one that I am really interested in is dex2jar, and it is... outdated... that's what you need... you need d2j... that's terrific, this is the latest version, we're going to use that. So the idea is simple. So if I run this one, d2j-dex2jar.sh, it just shows me the help file and says that hey guys, this is the working style: if you give me some options and also some file and also the output, I'm going to do whatever you want to do, okay? So all I need to do is I'm going to use the same code with this APK file. This is going to be my file zero, and then I'm going to put -o as an output. Of course I can use some of the details here, but I don't need that. So the output is going to be the jar file, and instead of .apk I'm going to put .jar, okay, and hit Enter. Cross fingers... there we go, we have the jar file of this particular application, okay? So how can we get the source code? There is an application which is also open source which is called JD-GUI, okay. This is the application that I'm going to use... exactly... and convert the file back to a container file. Here's my JD-GUI; by the way, if you guys see JD-GUI, please let me know, because this search is not working here... right, okay, yeah, thank you. So this helps you to convert your files to Java code, okay? So this is the second stage, and I'm gonna drag and drop my jar file to here, okay. There we go. So first of all it says com.metasploit.stage; you get the idea that it's something created with Metasploit, but we need to identify the, you know, command and control center and things like that. So this is a build
configuration. How many people are developers here, I mean, let's say Android developers? A few, okay. So you guys know that this is the build configuration, and that is our... they don't include any executable code. Usually what you're looking for is either in MainActivity or in the Payload, okay? This Payload is actually imported in the MainActivity, probably, so you can see that in here... yeah, expand Payload... yeah, there it is. So MainActivity is in front of the Payload, and also certain tasks, so obviously I need to analyze this thing. So again, it's the same ideology: whenever an Android application starts, it runs MainActivity... all the way... our MainActivity... when I define MainActivity, so you can focus on what kinds of things are going to run on this list. So ever engine sputters one, the potatoes are cut in half. So let's take a look at the Payload class, okay, it's right here. So when I look at it, I see a lot of things here, and interesting things, by the way. So here's a string full of numbers and letters, and also here I see you have an IP address, once over to 16 16 144, and another port here, LPORT, and also a URL up here. So that's interesting. First of all, it's going to use some port that is really uncommon; secondly, the LHOST/LPORT parameters are really similar, here for us it is coming from Metasploit; if it's Metasploit, the default settings are coming from... register. So obviously this is something created with Metasploit, okay? So it's going to connect to this IP address on this port, on this URL, probably to save you that kind of a... because it also has a URL section. And here we have, let's see... not a problem, random here, okay, load safe, there we go. So freaking long page; for example, this is the stage. So let me give you a secret about malware: usually malware creators want to hide their stage on their server unless you run the application, okay? Because if they embedded the stage in the executable, it
can be easily identified with antivirus. So the usual is to hide their stage on the server side; whenever this piece of executable runs on a PC, it's going to connect to this URL and it's going to download the stage, so it's going to do the bad thing. So for example, you can't see any keylogger code here, you can't see any, you know, screen capturing or contact lists and things like that, you can't see anything here, but it says that I'm going to download something from this URL, so it is going to download while it is running and then it's going to run that, okay? This is usually what we see. If you don't see anything, if you see something like this, that means that you need to contact the command center, and of course I'm going to do that as well: we're going to contact the command and control center for some files to see what kind of things they're going to download and how we can figure it out, okay? And let me see... so again, I see a connection obviously here, and it's a GET connection, and it is going to... so here is an interesting thing: you see this first four X, what is that going to sample? So this is not a legitimate URL, right? It said before that anything that some stream... takes from the fourth string and then continues it and swims all the right places, okay? So finally you're going to get the actual IP address. It is a very simple version of, you know, decoding, but malware creators usually tend to hide command and control centers from static code analysis, and these are the same kind of tricks that you can see, so you need to understand what kind of encoding is running here. So we identified that it's actually 14 months for the water people to see sixteen point four one four four, and it's gonna RTA figured with, okay? So it's trying to parse an integer like that format; it's not parsing only the numbers, and then it's going to, of course, our multiple circuits on a corn egg, and it's going to download the thing that it is planning to
download, okay? So that is how we can analyze an Android malware as well. So this is the end of our static analysis. So do you guys have any questions? Yes... yes. So this is what... first of all, we bothered with this because it says com.metasploit.stage; we have, you know, identified that it could be a malware. Secondly, this is an APK file we downloaded from a private market; why would they offer this? Yes. Oh, okay, okay. So here's the thing, yeah, but this is a, you know, stupid example, but if you put only the IP address in a plain text format, you can mess with an IP address and I can easily block that IP address. Let's say I embedded a bad-reputation IP in my executable; your IPS device will probably block it, or your content filtering device, or a web proxy will block that while we are downloading, okay? So those kinds of things may affect... that's why they usually encode, you know, encrypt their, you know, IP address. So obviously it's not a good example of encoding, but they usually try to hide their URL, so...
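A worked example added here, not code from the talk: a small Python triage script that does the first-pass static checks described above (hash the sample first, treat the APK as a zip, pull printable strings out of classes.dex, and flag IP addresses, URLs and the Metasploit stager package name). The APK it builds, its fake classes.dex and the IP/URL values are constructed for the demo; the com.metasploit.stage marker is taken from the talk.

```python
"""Offline first-pass triage of an APK: hash, inventory, strings from classes.dex, indicators."""
import hashlib
import io
import re
import zipfile

IPV4 = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(rb"https?://[\w.\-]+(?::\d+)?(?:/[\w./\-]*)?")
# Package name used by Metasploit's Android payload, in Java and in Dex descriptor form.
STAGER_MARKERS = (b"com.metasploit.stage", b"com/metasploit/stage")

def printable_strings(blob: bytes, min_len: int = 6) -> list:
    """Runs of printable ASCII, like the strings/BinText tools; Dex keeps identifiers as MUTF-8."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)

def triage_apk(apk_bytes: bytes) -> dict:
    """Hash first (submit the hash, not the sample), then look for obvious indicators."""
    sha256 = hashlib.sha256(apk_bytes).hexdigest()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        # An APK is a zip; the bytecode lives in classes.dex (classes2.dex, ... if multidex).
        dex = b"".join(z.read(n) for n in names if n.startswith("classes") and n.endswith(".dex"))
    found = printable_strings(dex)
    ips = sorted({m.decode() for s in found for m in IPV4.findall(s)})
    urls = sorted({m.decode() for s in found for m in URL.findall(s)})
    markers = sorted(m.decode() for m in STAGER_MARKERS if any(m in s for s in found))
    # Caveat: an address the code rebuilds from string fragments at runtime, as in the talk,
    # will not match here; that still needs the decompiled source (dex2jar + JD-GUI).
    return {"sha256": sha256, "entries": names, "ips": ips, "urls": urls, "markers": markers}

def build_sample_apk() -> bytes:
    """Constructed stand-in for a real sample: a zip whose classes.dex is fake (not valid
    Dex bytecode), seeded with the kinds of strings a stager leaves behind."""
    fake_dex = (b"dex\n035\x00" + b"\x00" * 8
                + b"Lcom/metasploit/stage/Payload;\x00"
                + b"http://10.0.0.5:4444/4sF2a\x00"      # constructed URL
                + b"192.0.2.44\x00"                      # constructed IP (TEST-NET-1 range)
                + b"Landroid/app/Activity;\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in (("AndroidManifest.xml", b"<manifest/>"), ("classes.dex", fake_dex)):
            z.writestr(zipfile.ZipInfo(name, date_time=(2017, 6, 7, 0, 0, 0)), data)
    return buf.getvalue()

if __name__ == "__main__":
    for key, value in triage_apk(build_sample_apk()).items():
        print(f"{key}: {value}")
```

Point `triage_apk` at the bytes of a real APK to get the same report; a hit on the stager marker or an uncommon port in a URL is the cue to decompile and read the Payload class.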
Info
Channel: Candan BOLUKBAS
Views: 45,853
Rating: 4.8907437 out of 5
Keywords: peview, cff explorer, peinsider, bintext, ilspy, jd-gui, dex2jar
Id: SIem8ZIe1xk
Length: 50min 49sec (3049 seconds)
Published: Wed Jun 07 2017