Analyzing a Malicious File


Time
4 hours
Difficulty
Beginner
CEU/CPE
4
Video Transcription
00:00
Hi, and welcome to Everyday Digital Forensics. I'm your hostess, singing said.
00:04
And in today's module, Image Analysis, we're gonna be analyzing a malicious file,
00:10
so in this video we're gonna use the EICAR site to acquire a malicious file and then, using that file, analyze it using three separate tools. We have VirusTotal, which is a UI tool. There's also an API available for this if you want to automate this process,
00:26
you have Autopsy and FTK Imager, which we're familiar with.
00:30
So here we are on the EICAR site. For testing reasons, your antivirus software should be disabled or paused when you're downloading this file. The EICAR site provides four different types of files. You have your .com, your .com.txt,
00:46
and two separate .zip files. You can read more on the differences between all those files. We're gonna be examining your .com.txt and your .zip.
00:58
So there's just a little overview of the site
01:00
where you can download the file.
01:03
So the first one is gonna be the .com.txt,
01:07
and we're gonna save this file.
01:23
And as you can see, we have a file in our Downloads folder.
01:26
So at this point, we're gonna use the VirusTotal site. You can search for a file based on IP, domain, and so on, but we're just gonna
01:33
go ahead and upload
01:36
our eicar.com file.
01:42
It checks the hash. And once you're on its page, you can see that 65 different engines have detected it.
01:49
On the left, you have the name of the engine.
01:52
You also have your community score, where
01:53
3343 people have said it's OK, while others have said it's not.
01:59
You see that you have your detection system,
02:02
either antivirus or anti-malware, and then kind of the value that it gives. A lot of these say test file, not a virus,
02:09
undetected.
02:12
So just from this, you can kind of tell that this isn't that malicious a file. They may trigger it and mark it as detected for testing purposes. Malicious file. You can go into a little bit more details of the file.
02:23
Some of your history as far as submission, the last person to submit the file, when the file was created,
02:30
some of the different names.
02:34
These are some of the relations, and it may have different connections to these IP addresses or to these systems,
02:39
some of the execution parents. So some of the processes or information,
02:45
processes or files that you may find on your machine that may have them related.
02:51
You can go to your behavior tab and it'll tell you kind of network traffic, any files, some actions that it may take, any processes that it may create.
02:59
And then you have your community section, where you're able to post comments or read comments from previous members that have written about their analysis of this file.
03:08
So that was VirusTotal. Now, moving over to Autopsy, we're gonna see what this malicious file looks like.
03:14
So you're gonna add a data source, so we're gonna add it as a logical file.
03:19
Now we're going to search for the file itself in the Downloads folder.
03:23
So we're gonna select the eicar.com.txt file, and on that file only
03:30
we'll allow Autopsy to perform any analysis that it wants,
03:35
and we're finished. Now Autopsy will go ahead and perform its analysis.
03:38
So this is just an overview of what the file metadata is, any annotations, other occurrences of this file,
03:46
some of the text values they can get, and the hex view for those files. You can see there's not much in it as far as analyzing it. From up top, we see we have a definition file, the name of the file, and that's about it.
03:58
So now we're gonna go over to FTK Imager.
04:00
We're gonna open the contents of that folder, and we'll just open everything within the Downloads folder.
04:16
So as we see in the Downloads folder, we have multiple directories or zip files, but here we're only interested in the eicar.com.txt file.
04:26
So selecting this file,
04:28
you see that FTK gives you the same strings that you were getting in Autopsy when you looked at the hex, but these are the string data that you see in the ASCII value.
04:39
There's not much more that FTK can give you about this file.
04:43
So I hope you enjoyed today's video, where we used the EICAR site to acquire a malicious file called eicar.com.txt
04:50
and, using three separate tools, we reviewed that file to see what kind of data and information it can provide, and see the difference between the separate tools. VirusTotal provided the most information about the malicious file itself; Autopsy and FTK just kind of gave us a view of what was contained in the file.
05:09
So I hope you enjoyed today's video. If you have any recommendations or any feedback on this course, please feel free to reach out.
05:16
If you'd like to see additional information or topics discussed in a possible part two, also feel free to reach out. I really hope you enjoyed and got a lot from this course. I've enjoyed making it and being part of your growth, so I'll see you in the next one.