for the quick demo. Today I will be looking at the Dyre malware family. It's a little bit old, but I think it's pretty good for our purposes.
Here is another malware sample repository on GitHub. It's called theZoo, a.k.a. the Malware DB. So if you go to this URL, like I'll do here, you can download this binary. Be careful: this is live malware.
Let's go ahead and do that. We'll also look over some of these tools, like CaptureBAT, Regshot and Autoruns. I mentioned them last time, when we built our VM.
So here we go to GitHub, to a particular gentleman's repository, and we go under theZoo: github.com/.../theZoo, then under malwares.
Here we have Binaries, and also source code for many malware families that has been leaked over the years.
I'm going to click down here to Dyre. And then we click here on the Dyre zip, and it prompts us to download the file.
So I'm going to go over here and drag and drop it into my virtual machine.
I'm going to do the same for another set of tools that I'm not sure I mentioned last time, which you may already be familiar with: the Sysinternals Suite, made by Mark Russinovich. He's a smart guy, very, very popular, very knowledgeable, and he makes a lot of tools. Drag and drop that into our VM.
This is the way we left it before. We're going to install some of these tools. Now, before we install them, we actually need to run the Visual C++ runtime redistributable packages.
I don't know exactly which package it relies on, but I know 2005 works well. Let's execute it. Now that the runtime libraries have been installed, we'll install CaptureBAT.
Then it needs a reboot, so we're going to do that. It does its work by installing a driver. This does not work with Windows 7, but I usually use an XP machine to do my analysis anyway. Most malware is backwards compatible.
A number of tools. I'm just going to go ahead and get rid of the installers. For Regshot, I'm just going to extract it out here, so it's on the desktop. Extract this one here onto the desktop too, and organize things a little bit.
Now, CaptureBAT is what we're going to be using, so I'm going to do something here that'll make things easier for us in the future. I'm going to go to C:\Program Files\Capture; here's Capture, and here's CaptureBAT. I'm going to save us some time by going to CaptureBAT right here, which is the program, and saying Send To Desktop, which will create a shortcut on the desktop.
So the shortcut is actually configurable. I want to run it with the arguments -c, for capturing deleted files, and -l, for storing the output of CaptureBAT somewhere. I copied this from over here. I'm going to say log.txt.
Now we're ready to start executing our malware. Right before we do, I'd like to take a snapshot. Now we're going to extract it. Most malware is zipped with the password "infected". We just downloaded this from the website here, and we can see it.
Now, if you look at this, you will notice that it is an .scr file. Not everyone knows that that is an actual executable: it has the same file format as an .exe, and it can be just as dangerous. We can double-click on it, and it would execute.
A good verification for this would be to open up a hex editor; 010 is my favorite. We can see that it does indeed have the MZ file header, which means it's a DOS executable. There's the classic string, and then down here we see the PE header, but we will get more into this when we do some more static analysis.
So we're going to go ahead and execute this .scr. But first, we're going to run CaptureBAT. Well, first, I always like to check to make sure that it's not connected to the Internet. I'm going to check that the network adapter is how we left it last time: connected to our own virtual network, VMnet2. The only other thing on VMnet2 is our Kali Linux box, which we have suspended. So no network traffic can get out. So let's execute CaptureBAT. There's log.txt. Now we're going to execute the Dyre sample.
We'll see what it leaves. So there's the little icon for loading, waiting. You might want to wait a few minutes, but I think we'll wait just 10 seconds. Press Control-C to exit CaptureBAT. Now look at the log.
We can see here that another of the programs I installed was Notepad++, which is helpful for looking at what the malware has done. We can see that explorer.exe, which we used to execute the sample by double-clicking on it, created the process. We see that that program read HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData. That's pretty common, just programs executing; that's not suspicious. Then we see that it created a file, wrote a file to C:\Documents and Settings\Administrator\Application Data\GoogleUpdater.exe. So I'm going to copy that, because I think that is a good indicator of compromise. I usually keep a little Notepad open on the side, just to throw that kind of data into.
Now, if you go on down the list, you'll notice right here that .70 is followed by .52; these did not happen in that order. They were timed sequentially, but they were not written to the file sequentially. So we're going to sort the lines in the file so that they are in order: Line Operations, Sort Ascending. So now they're in order, .23 and then .54, and so on. Down at the bottom here I'm going to keep some little notes, saying that this is an indicator of compromise.
Reading here: set value key, AppData. Now, that's pretty common, Shell Folders. Then it writes the file and executes it: process created. So here we can see GoogleUpdater.exe create this registry key. Yeah, that's pretty normal. We see it create another registry key down here, under HKEY_CURRENT_USER, somewhere under Microsoft. So that is another indicator of compromise right there.
We can see there's a file write, and then we can see there's another file write down here. Okay, so this is also important: now it's System, not GoogleUpdater anymore, and we see C:\Program Files\Capture\logs. This is CaptureBAT saving the deleted file, because the malware deleted its original file. So here, I'll make another shortcut to open the logs. It doesn't matter now; we've infected this machine, and we're going to revert it.
If we follow the log here, you see it makes a whole tree, and this is the file that it tried to delete. So another one of those tools I installed last time was a hashing tool. Get the MD5 and copy that hash. And now I'm going to go find this program, GoogleUpdater. Copy, paste, go to that GoogleUpdater. I'm going to grab that file's MD5 hash. What do you know? It's the same. Compare them, look right at them side by side: yep, they're the same. So that means it copied itself from whatever folder it was in to this folder, the Application Data folder. And then it added a registry value to run as soon as the current user logs on.
Running under the current user's Run key is interesting. Most computers are single-user computers, and only one user uses them at a time. But this is Administrator on an XP machine. That means if they had put the registry value under HKEY_LOCAL_MACHINE, it would have executed whenever anyone logged in. But instead it did it only for this user. That's kind of interesting to me, because maybe the malware author didn't know that, or maybe this sample was doing something very specific. It's also interesting that it's the same hash, i.e. a copy of itself. We did confirm that, because it is the same hash. Some malware will actually drop something else: it has another executable within it, and it will decrypt that and then drop it somewhere on the system, so the hashes don't always match. So I like to confirm that anything it drops is something that we are aware of. So these right here are our first indicators of compromise; they're local host indicators of compromise.
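As an added example, not from the video or its tools: a small Python script that does the log walk-through above by machine, on a constructed CaptureBAT-style log (the CSV layout, file names and timestamps are assumed). It sorts the out-of-order lines by timestamp, flags a file written under Application Data and a value set under the HKCU Run key, and compares the MD5 of an original and a dropped copy.

```python
import csv
import hashlib
import io
import re
from datetime import datetime

# Constructed sample in a CaptureBAT-like CSV layout: time, type, event, process, object.
# Lines are deliberately out of order, as in the video's log.
SAMPLE_LOG = """\
"15/09/2014 10:21:05.70","registry","SetValueKey","C:\\Documents and Settings\\Administrator\\Application Data\\GoogleUpdater.exe","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\GoogleUpdate"
"15/09/2014 10:21:05.52","file","Write","C:\\Documents and Settings\\Administrator\\Desktop\\sample.scr","C:\\Documents and Settings\\Administrator\\Application Data\\GoogleUpdater.exe"
"15/09/2014 10:21:04.23","process","created","C:\\WINDOWS\\explorer.exe","C:\\Documents and Settings\\Administrator\\Desktop\\sample.scr"
"15/09/2014 10:21:06.54","file","Delete","System","C:\\Documents and Settings\\Administrator\\Desktop\\sample.scr"
"15/09/2014 10:21:04.90","registry","QueryValueKey","C:\\Documents and Settings\\Administrator\\Desktop\\sample.scr","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\AppData"
"""

# The two host indicators flagged above: an executable dropped under Application Data,
# and a value set under the current user's Run key (per-user persistence).
DROP_RE = re.compile(r"\\Application Data\\[^\\]+\.(exe|scr|dll)$", re.I)
RUN_RE = re.compile(r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)


def parse_log(text):
    """Parse the CSV records and return them sorted by timestamp."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != 5:
            continue  # skip blank or truncated lines
        ts = datetime.strptime(rec[0], "%d/%m/%Y %H:%M:%S.%f")
        rows.append({"time": ts, "type": rec[1], "event": rec[2],
                     "process": rec[3], "object": rec[4]})
    # CaptureBAT writes lines out of order; sort them as the Notepad++ sort did.
    return sorted(rows, key=lambda r: r["time"])


def find_indicators(rows):
    """Return (kind, object) pairs for dropped files and HKCU Run values, in time order."""
    iocs = []
    for r in rows:
        if r["type"] == "file" and r["event"].lower() == "write" and DROP_RE.search(r["object"]):
            iocs.append(("dropped_file", r["object"]))
        elif r["type"] == "registry" and r["event"] == "SetValueKey" and RUN_RE.match(r["object"]):
            iocs.append(("hkcu_run_value", r["object"]))
    return iocs


def same_md5(original_bytes, dropped_bytes):
    """True when the dropped file is a byte-for-byte copy of the original (same MD5)."""
    return hashlib.md5(original_bytes).hexdigest() == hashlib.md5(dropped_bytes).hexdigest()
```

A mismatch from same_md5 is not proof of a different family: as noted above, a dropper may decrypt and write a second embedded executable, so the dropped file then needs its own analysis.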
And that's important, because next time we're going to look at other indicators of compromise, such as network indicators of compromise, and those are very important because you can find those much more easily across hundreds of thousands of machines if you have a large enterprise. Network indicators are harder to find unless you have some agent, or you have some Group Policy wizard, or someone who has set up some kind of SIEM, some kind of security event log aggregation thing, and you've configured all your hosts on the network to send their logs.
I want to show you some other tools now, because you just shouldn't rely on one or two tools for findings like this. So let's go back and reset.
It is also good to run a sample multiple times, because many pieces of malware out there will use not just one or two names; they'll have multiple names. Sometimes they'll name the file they've dropped or copied windows.exe, or some other .exe, or whatever, and switch between them randomly, depending on the time of day or whatever the malware author has decided. We should also use other tools to confirm what we just saw.
So another good one is Regshot. It does what you would imagine. So we're going to launch it. Unicode or ANSI, not really important for what you're doing, that's international stuff. Standard password-protected zip, "infected". Oh, and it doesn't encrypt the file names. So if you send something with a sensitive file name over the Internet and you think it's password protected, the file names are not protected, and the CRCs of the files inside aren't encrypted either. So you can positively identify something inside of a zip file by CRC values. So someone could have identified that this is a bunch of Dyre samples inside it, just by the CRC codes. CRCs aren't as good as hashes, like legit hashes such as MD5, SHA-1, SHA-256, but they can be used to confirm things. So we have our second tool, Regshot. It does what you think it would: take a snapshot of the registry, and then another snapshot of the registry after you execute our sample.
Now we're ready to execute the sample. Check the network settings, then execute the sample and take the second shot. Some stuff, like UserAssist: these things are normal. Any executable will produce changes like these on a system, and you will realize, doing this, that malware analysis is just a subset of software analysis. So you can use these tools for all sorts of things, like an installer: if you want to see exactly what changes some program is making to your registry, you can use these tools to figure that out, or what files it's leaving, or whatever else.
So here we see that same value in the registry that we saw before: Microsoft\Windows\CurrentVersion\Run. The file is there that it will execute. And you see here two values modified: Cryptography, RNG Seed. These things change very frequently, and if you just run Regshot for a while and then stop it, having not done anything, you will see a bunch of these values have been modified. It's just the way that Windows executes, the natural way it does things. So we can also scan directories and see what files have changed within those, and that could be useful too.
But for now, we're just going to reset. Before, we didn't have to reset, but I like to be scientific about things. A really useful Sysinternals tool is Autoruns; it's fantastic. There are two Autoruns: one that ends in C, autorunsc, which is command line, which is great if you just want to do a lot of automated stuff. Make a script to execute this, then execute the malware, then execute this again. And basically what it would give you in command-line format is what this nice graphical form shows: all the locations where programs are set to execute as soon as your computer boots, or as soon as a user logs on to the computer, and it breaks these up into some pretty well-organized categories over on the left. The Everything tab is where we see everything, but we can break that out and say, okay, this is what runs at user logon, and this is what runs like Explorer helper programs. This looks pretty normal; this is a fresh install, the VM tools, we knew about that, and we could go through all of these and really take apart what's running on our system, or at least what starts on our system. We have a bunch of things that are made by Microsoft, and that's pretty common. So a good option is Hide Microsoft Entries. So anything that's signed by Microsoft we can just automatically discount, like, okay, these are signed things, and their stuff we can trust. We have a lot: we could probably trust VMware, just all these other things. And we trust these drivers because this is a fresh install of the OS.
So here we're going to infect it, as we did before. Execute the same malware and see what pops up here. These colors indicate different levels of trust: like that one, it doesn't trust so much. There's our GoogleUpdater. It didn't trust it very well, what we call low integrity. We can see the time it was added: 1983? I don't think so. So it was timestomped; that's what we would say. Whereas some of these other ones have more legitimate-looking times, here you know it's wrong. We can jump to the entry, and we can see where it is. If we wanted to disable this malware, we can simply delete this key and then restart the machine, and it would not start up again. That's one way of stopping this malware.