Why did we do this? Why go into static analysis mode instead of just executing it in a VM?
Well, we were able to understand the malware a lot better, and relatively quickly too. It didn't take us a few hours to get this done, it took us a few minutes. We were able to discover some indicators of compromise. So if someone was doing dynamic analysis and another person was doing static analysis, they could both produce indicators of compromise. But you'll notice we didn't really watch for any mutexes created, or anything like that, when we were analyzing the malware dynamically. That's something we could go and plant a tool in our environment to do, but it's not something I usually do.
So we could confirm the dynamic analysis with a lot of our static analysis. We could say, "Oh, yes, I saw it manipulating the registry to open up or disable the firewall. I saw that it had some code to create a service, and I saw anti-debugging code." So if the dynamic person was trying to execute it in a debugger and it failed, you could say, "Oh, I think I know why." And you could go follow those functions and say, "Okay, there is something I could do about that," and actually modify the malware to handle that. And in the future, we can see that there are some plugins for Olly that will defend against a lot of that anti-debugging code. So it would be anti-anti-debugging code.
And we also saw some tricks used by malware, such as stack corruption, to try to fool our disassembler.
We also saw import hiding through dynamic function resolving. It was trying to dynamically resolve all the functions it needed from the libraries it needed, rather than list them in its import address table. So if we only ever looked at the imports by themselves in the PE header with PE Explorer, we could only find a few function calls. We wouldn't really know what it's trying to do, such as messing with the registry, or accessing the Internet, or accessing certain files.
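As an added example (not code from the video), here is a small triage heuristic for the import-hiding behaviour just described: it takes the DLL-to-function table that a PE's import address table declares and flags a binary whose static imports are thin but still include the run-time resolvers (LoadLibrary/GetProcAddress) and nothing that reveals a capability. The thresholds, the capability name lists and the two sample tables are assumptions constructed for the example; `imports_from_pe` assumes the third-party `pefile` module is installed.

```python
"""Triage heuristic for import hiding via dynamic function resolution.
Added example: flags a PE whose declared imports are suspiciously thin
while still pulling in the APIs that let code resolve everything else
at run time (LoadLibrary / GetProcAddress)."""
from dataclasses import dataclass

# APIs a program uses to look up other functions at run time.
DYNAMIC_RESOLVERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA",
                     "LoadLibraryExW", "GetProcAddress",
                     "GetModuleHandleA", "GetModuleHandleW"}

# Capabilities that would normally show up in a static import table.
# Short illustrative lists (assumption), not an exhaustive catalogue.
CAPABILITY_HINTS = {
    "registry": {"RegOpenKeyExA", "RegSetValueExA", "RegCreateKeyExA"},
    "network": {"WSAStartup", "connect", "InternetOpenA", "InternetOpenUrlA"},
    "file": {"CreateFileA", "WriteFile", "DeleteFileA"},
    "service": {"OpenSCManagerA", "CreateServiceA", "StartServiceA"},
}

@dataclass
class ImportVerdict:
    total_imports: int
    resolvers: set          # resolver APIs found in the table
    visible_capabilities: set
    suspicious: bool        # True when imports look deliberately hidden

def assess_imports(imports: dict, thin_threshold: int = 15) -> ImportVerdict:
    """imports maps DLL name -> list of imported function names."""
    names = {n for funcs in imports.values() for n in funcs}
    resolvers = names & DYNAMIC_RESOLVERS
    caps = {cap for cap, fns in CAPABILITY_HINTS.items() if names & fns}
    # Thin table + GetProcAddress present + no visible capability:
    # the real API usage is probably resolved at run time instead.
    suspicious = (len(names) <= thin_threshold
                  and "GetProcAddress" in resolvers and not caps)
    return ImportVerdict(len(names), resolvers, caps, suspicious)

def imports_from_pe(path: str) -> dict:
    """Build the DLL -> functions table from a real file (needs pefile)."""
    import pefile
    pe = pefile.PE(path)
    table = {}
    for entry in getattr(pe, "DIRECTORY_ENTRY_IMPORT", []):
        dll = entry.dll.decode(errors="replace")
        table[dll] = [i.name.decode() for i in entry.imports if i.name]
    return table

# Constructed sample: what an import-hiding sample might declare.
HIDING_SAMPLE = {"KERNEL32.dll": ["LoadLibraryA", "GetProcAddress",
                                  "VirtualAlloc", "ExitProcess"]}
# Constructed sample: a program that declares what it actually uses.
OPEN_SAMPLE = {"KERNEL32.dll": ["CreateFileA", "WriteFile", "CloseHandle",
                                "GetLastError", "LoadLibraryA", "GetProcAddress"],
               "ADVAPI32.dll": ["RegOpenKeyExA", "RegSetValueExA"]}
```

A hit from this check is a reason to look for the resolver loop in the disassembly, not proof of malice; packers and some legitimate loaders produce the same thin table.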
And we also saw it was using some string obfuscation. And while we didn't fully reverse engineer how the strings were being obfuscated, there's a little trick I'll show you in the next video.
Thanks for watching this video.