Okay, so let's do something interesting with Maltego. Since the WannaCry ransomware is
really popular in the recent news, we could do a little bit of analysis,
see what's out there.
I've chosen us-cert.gov as a good place for
getting some information,
and you can see that they have a fact sheet.
And this is what we're really interested in is the actual technical
This will give us some of the indicators, like a hash, for instance,
and then we can use that in Maltego to see what kind of information we can dig up.
So tens of thousands of systems are affected in 150 countries.
It's a really big deal. This malware is pretty
Microsoft has released a patch,
and we have some IOC information here, indicators of compromise.
We can see that the exploit was related to Server Message Block.
So EternalBlue is the code name for this particular
a bit of the information
We're going to skip over the signatures information; we'll come back to that later.
There are a couple of things we see. There's a
copy that says this is the executable that will
act as the dropper for the WannaCry ransomware,
and even gives a domain name that will be connected to if the
dropper is successful,
We're going to take this hash and go back to Maltego.
I clicked a little button here to create a new graph,
and what I want to do first is,
underneath the Malware category,
drag an object out to the graph,
double click this and paste in the value that I just got from the web page.
Now, if I select this, you'll notice on the left side it will automatically expand some areas where I have some transforms that are relevant to a particular hash.
So I can try the first one; this one uses ThreatCrowd.
Expand it just a little bit.
Just over here, it's kind of hard to see, the interface is very small, but there's a little button
that says Run, so I can click that.
And it just gave me a domain name, and most likely this is the same one from
us-cert.gov. And it looks like it's a big, long name there.
Yep, that's the whole thing.
So now I know that this hash is associated with the domain.
If I right click on the hash, I can
see all the other choices. I've got another
transform called ThreatMiner that gives me a lot of other options.
For instance, if I ran "malware to domains", I probably would get the same domain that I just did.
I can also do something like this, "is detectable by" various different vendors, and we see that these are all the ones that Maltego knows about
that already have detection or signatures in place
looking for this particular dropper.
I can also select the domain, and we'll see that we've got a bunch of different things that expanded over here.
I could enrich the domain using ThreatCrowd's transform.
Go ahead and run that
and this has given me a lot more information.
It looks like this domain is associated with several other hashes each of these could be
anything that you know was related to this Ransomware and we even got an email address.
So if I select the email address,
now I can take this a little bit further. Using ThreatCrowd, I can return domains registered to this email address.
I could also look to see if it's in the pwned list, but this one looks to be more interesting, so I'm going to go ahead and run that.
there are several more domains
associated with this particular email address.
Any one of these could be involved in other kinds of malware,
therefore you could see how
Just getting one little piece of information can rapidly build
a pretty, pretty detailed diagram.
And as your diagram gets larger, you may change the way that you look at it. This is the hierarchical layout;
that might be better for certain things.
Visually, you might like it a little bit better. There's also this circular mode;
again, depending on your preferences, this may be more suitable.
And you get the idea. There are some fantastic
videos on YouTube from Paterva
explaining in more detail how to get more out of a tool like Maltego.
But here I just wanted to give a quick overview
and show some more capabilities, especially the integration with
PassiveTotal and ThreatConnect.
And you'll see that all of my
transforms that have been integrated are available here in this list.
I've got quite a few tools at my disposal to get more information if I were researching this
or any other hash that I discovered as part of
a forensics investigation.
All right, so I hope you enjoyed the Maltego overview.
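The pivot chain in the walkthrough (hash to domain, domain to related hashes and a registrant email, email to more domains) is what a Maltego transform does one hop at a time. Here is an added example, written for this page and not code from Maltego, ThreatCrowd, ThreatMiner or the video's author, that automates the same breadth-first expansion in Python against a constructed, offline lookup table of made-up indicators. The `lookup` callable, the fixture, and the entity names in it are assumptions for illustration; a real run would swap in a client for a threat-intel API. The depth and node caps are the check a practitioner wants here, because real enrichment fans out quickly and a few hops can pull in infrastructure that has nothing to do with the original sample.

```python
"""Breadth-first indicator pivoting, modelled on the Maltego walkthrough.

Added example, not Maltego, ThreatCrowd or ThreatMiner code. The lookup
layer is a stub fed with a constructed fixture; every hash, domain and
address below is made up for illustration.
"""
from collections import deque
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

Node = Tuple[str, str]            # (entity_type, value), e.g. ("hash", "...")
Lookup = Callable[[str, str], List[Node]]

# Constructed fixture: (entity_type, value) -> related entities.
# Mirrors the hops in the walkthrough: hash -> domain -> {hashes, email} -> domains.
FIXTURE: Dict[Node, List[Node]] = {
    ("hash", "aaaa1111"): [("domain", "example-c2.test")],
    ("domain", "example-c2.test"): [
        ("hash", "aaaa1111"),           # the seed, must be deduplicated
        ("hash", "bbbb2222"),
        ("hash", "cccc3333"),
        ("email", "registrant@example.test"),
    ],
    ("email", "registrant@example.test"): [
        ("domain", "example-c2.test"),  # already on the graph
        ("domain", "second.test"),
        ("domain", "third.test"),
    ],
    ("hash", "bbbb2222"): [("domain", "example-c2.test")],
}


def fixture_lookup(entity_type: str, value: str) -> List[Node]:
    """Stand-in for a transform call; returns related entities or nothing."""
    return FIXTURE.get((entity_type, value), [])


def pivot(seed_type: str, seed_value: str, lookup: Lookup,
          max_depth: int = 3, max_nodes: int = 200
          ) -> Tuple[Set[FrozenSet[Node]], Dict[Node, int]]:
    """Expand outward from one seed indicator.

    Returns (edges, depths): undirected edges as frozensets of two nodes,
    and each node's hop distance from the seed. Nodes at max_depth are
    recorded but not expanded; once max_nodes nodes exist, edges to
    already-known nodes are still kept but no new nodes are added.
    """
    seed: Node = (seed_type, seed_value)
    depths: Dict[Node, int] = {seed: 0}
    edges: Set[FrozenSet[Node]] = set()
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if depths[node] >= max_depth:
            continue
        for related in lookup(*node):
            if related == node:
                continue
            if related not in depths:
                if len(depths) >= max_nodes:
                    continue            # cap reached: do not grow the graph
                depths[related] = depths[node] + 1
                queue.append(related)
            edges.add(frozenset((node, related)))
    return edges, depths


def by_depth(depths: Dict[Node, int]) -> Dict[int, List[Node]]:
    """Group nodes by hop distance, the shape a hierarchical layout draws."""
    levels: Dict[int, List[Node]] = {}
    for node, d in depths.items():
        levels.setdefault(d, []).append(node)
    for nodes in levels.values():
        nodes.sort()
    return levels


if __name__ == "__main__":
    edges, depths = pivot("hash", "aaaa1111", fixture_lookup)
    for d, nodes in sorted(by_depth(depths).items()):
        print(f"hop {d}: " + ", ".join(f"{t}:{v}" for t, v in nodes))
    print(f"{len(depths)} nodes, {len(edges)} edges")
```

With the fixture above the seed hash reaches seven nodes in three hops; lowering `max_depth` to 1 stops at the single domain, which is the point where, in the walkthrough, you would look at the result before deciding whether the next hop is worth the noise it brings.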