00:04
Okay, so let's do something interesting with Maltego. Since the WannaCry ransomware is
00:13
really popular recently in the news, we could do a little bit of analysis,
00:19
see what's out there.
00:21
I've chosen US-CERT.gov as a good source for
00:27
getting some information,
00:30
and you can see that they have a fact sheet.
00:36
And this is what we're really interested in: the actual technical
00:42
This will give us some of the indicators like a hash, for instance,
00:45
and then we can use that in Maltego to see what kind of information we can dig up.
00:51
So tens of thousands of systems are affected in 150 countries.
00:55
It's a really big deal. This malware is pretty
01:00
Microsoft has released a patch,
01:06
and we have some IOC information here: indicators of compromise.
01:12
We can see that the exploit was related to Server Message Block.
01:19
So EternalBlue is the code name for this particular
01:23
a bit of the information
01:26
We're gonna skip over the signatures information; we'll come back to that later.
01:32
There are a couple of things we see. There's a
01:38
copy that says this is the executable that will
01:44
act as the dropper for the WannaCry ransomware,
01:48
and even gives a domain name that will be connected to if the
01:53
dropper is successful,
01:57
We're gonna take this hash
02:00
and go back to Maltego.
02:07
I clicked a little button here to create a new graph,
02:10
and what I want to do first is,
02:15
underneath the Malware category,
02:21
drag a hash object out onto the graph.
02:24
I double-click this and paste in the value that I just got from the web page.
02:32
Now, if I select this, you'll notice on the left side it will automatically expand some areas where I have some transforms that are relevant to a particular hash.
02:46
So I can try the first one. This one uses ThreatCrowd.
02:57
I'll expand it just a little bit.
03:00
Just over here. It's kind of hard to see, it's very small, but there's a little button
03:06
that says Run so I can click that.
03:09
And it just gave me a domain name, and most likely this is the same one as on
03:19
US-CERT.gov. And it looks like it's a big, long,
03:23
big, long name there.
03:27
Yep, that's the whole thing.
03:30
So now I know that this hash is associated with the domain.
03:36
If I right-click on the hash, I can
03:38
see all the other choices. I've got another
03:40
transform called ThreatMiner that gives me a lot of other options.
03:47
For instance, if I ran Malware To Domains, I probably would get the same domain that I just got.
03:54
I can also do something like this and see whether it
04:01
is detectable by various different vendors, and we see that it is. These are all the ones that Maltego knows about
04:09
that already have detection or signatures in place
04:13
looking for this particular dropper.
04:18
I can also select the domain, and we'll see that we've got a bunch of different things that expanded over here.
04:26
I could enrich the domain using ThreatCrowd's transform.
04:31
I'll go ahead and run that,
04:34
and this has given me a lot more information.
04:40
It looks like this domain is associated with several other hashes. Each of these could be
04:46
anything that, you know, was related to this ransomware, and we even got an email address.
04:53
So if I select the email address,
04:56
now I can take this a little bit further. Using ThreatCrowd, I can return domains registered to this email address.
05:02
I could also look to see if it's in the pwned list, but this one looks to be more interesting, so I'm gonna go ahead and run that.
05:14
There are several more domains
05:17
associated with this particular email address.
05:23
Any one of these could be involved in other kinds of malware,
05:29
Therefore you can see how
05:30
just getting one little piece of information can rapidly build
05:34
a pretty detailed diagram.
05:39
And as your diagram gets larger, you may change the way that you look at it. This is the hierarchical layout,
05:46
which might be better for certain things.
05:50
Visually, you might like it a little bit better. There's also this circular mode;
05:56
again, depending on your preference, this may be more suitable,
06:08
and you get the idea. There are some fantastic
06:13
videos on YouTube from Paterva
06:15
explaining in more detail how to get more out of a tool like Maltego.
06:21
But here I just wanted to give a quick overview
06:25
and show some more capabilities, especially the integration with
06:29
PassiveTotal and ThreatConnect.
06:33
And you'll see that all of my
06:39
transforms that have been integrated are available here in this list.
06:44
I've got quite a few tools at my disposal to get more information if I were researching this
06:49
or any other hash that I discovered as part of
06:54
a forensics investigation.
06:57
All right, so I hope you enjoyed the Maltego overview.