Time
3 hours 1 minute
Difficulty
Advanced
CEU/CPE
3

Video Description

Analyzing WannaCry with Maltego

This lesson offers a brief overview of how to analyze the WannaCry ransomware using Maltego. WannaCry is destructive ransomware that gains access to enterprise servers by exploiting a critical Windows SMB vulnerability. Maltego shows whether this malware is detected by various vendors and surfaces a series of related hashes that offer additional valuable information.

Video Transcription

00:04
Okay, so let's do something interesting with Maltego. Since the WannaCry ransomware is
00:13
really popular, recently in the news, we could do a little bit of analysis,
00:19
see what's out there.
00:21
I've chosen us-cert.gov as a good
00:24
choice for, uh,
00:27
getting some information
00:30
and you can see that they have a fact sheet.
00:36
And this is what we're really interested in: the actual technical
00:40
alert.
00:42
This will give us some of the indicators like a hash, for instance,
00:45
And then we can use that in Maltego to see what kind of information we can dig up.
00:51
So tens of thousands of systems are affected in 150 countries.
00:55
It's a really big deal. This malware is pretty
00:59
pretty nasty.
01:00
Microsoft has released a patch,
01:06
and, uh, we have some IOC information here, indicators of compromise.
01:12
We can see that the exploit was related to Server Message Block.
01:19
So EternalBlue is the code name for this particular exploit.
01:23
A bit of the information
01:26
we're gonna skip over; the signatures information we'll come back to later.
01:30
I want to focus on.
01:32
There's a couple of things. We see that there's
01:34
an artifact here
01:38
a copy that says this is the executable that will
01:44
act as the dropper for the WannaCry ransomware
01:48
and it even gives a domain name that will be connected to if the
01:53
dropper is successful,
01:57
we're gonna go back to
02:00
we're gonna take this, uh, hash and go back to Maltego.
02:07
You know what
02:07
click a little button here to create a new graph,
02:10
and what I want to do first is
02:15
underneath the malware category,
02:16
I can drag a hash
02:21
entity or object out to the, uh, to the graph,
02:24
double-click this and paste in the value that I just got from the web page.
02:32
Now, if I select this, you'll notice on the left side it will automatically expand some areas where I have some transforms that are relevant to a particular hash.
02:46
So I can try the first one. This one uses the ThreatCrowd
02:51
transform,
02:53
and
02:54
you can
02:57
expand this just a little bit.
03:00
Just over here. It's kind of hard to see, the interface is very small, but there's a little button
03:06
that says Run, so I can click that.
03:09
And it just gave me a domain name, and most likely this is the same one
03:15
that we just saw on
03:19
us-cert.gov. And it looks like it's a big, long,
03:23
big, long name there.
03:27
Yep, that's the whole thing.
03:30
So now I know that this hash is associated with the domain.
03:36
If I right click on the hash, I can
03:38
see all the other choices. I've got another
03:40
transform called ThreatMiner that gives me a lot of other options.
03:47
For instance, if I ran Malware to Domains, I probably would get the same domain that I just
03:53
saw there.
03:54
I can also do something like this and
03:58
see if the malware
04:01
is detectable by various different vendors, and we see that it is. These are all the ones that Maltego knows about
04:09
that already have detection or signatures in place
04:13
looking for this particular dropper.
04:18
I can also select the domain, and we'll see that we've got a bunch of different things that expanded over here.
04:25
Um,
04:26
I could enrich the domain using ThreatCrowd's transform.
04:31
Go ahead and run that
04:34
and this has given me a lot more information.
04:40
It looks like this domain is associated with several other hashes. Each of these could be
04:46
anything that, you know, was related to this ransomware, and we even got an email address.
04:53
So if I select the email address,
04:56
now I can take this a little bit further. Using ThreatCrowd, I can return domains registered to this email address.
05:02
I could also look to see if it's in the PwnedList. But this one looks to be more interesting, so I'm gonna go ahead and run that,
05:10
and we see that
05:14
there are several more domains
05:17
associated with this particular email address.
05:23
Any one of these could be involved in other kinds of malware,
05:28
and
05:29
therefore you could see how
05:30
Just getting one little piece of information can rapidly build
05:34
a pretty, pretty detailed diagram.
05:39
And as your diagram gets larger, you may change the way that you look at it. This is the hierarchical layout
05:46
that might be better for certain things.
05:50
Visually, you might like it a little bit better. There's also this circular mode;
05:56
again, depending on your preferences, this may be more suitable,
06:01
and we have the
06:03
organic mode
06:08
and you get the idea. There are some fantastic
06:13
videos on YouTube from Paterva
06:15
explaining in more detail how to get more out of a tool like Maltego.
06:21
But here I just wanted to give a quick overview
06:25
and show some more capabilities, especially the integration with
06:29
with PassiveTotal and ThreatConnect.
06:33
And you'll see that all of my,
06:36
uh,
06:39
transforms that have been integrated are available here in this list.
06:44
I've got quite a few tools at my disposal to get more information if I was researching this
06:49
or any other hash that I discovered as part of the
06:54
forensics investigation.
06:57
All right, so I hope you enjoyed the Maltego overview.
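The walkthrough above pivots from one hash to a domain, from the domain to more hashes and a registrant email, and from the email to further domains, with each Maltego transform adding nodes and links to the graph. The script below is an added example, not code from the video, from Cybrary or from Maltego/Paterva: it reproduces that pivoting as a breadth-first walk over a transform registry, with every entity expanded once so cycles (the domain pointing back at the seed hash) terminate, and a depth cap so a widely shared registrant address does not pull the whole internet into the graph. The lookup tables are constructed stand-ins for what the ThreatCrowd and ThreatMiner transforms return; every hash, domain, email and vendor name is a placeholder, not a real indicator.

```python
"""Pivoting from a single IOC into a link graph, mimicking Maltego transforms.

Added example; this is not code from the video, from Cybrary or from
Maltego/Paterva. The lookup tables are constructed sample data standing in
for what the ThreatCrowd and ThreatMiner transforms return, and every hash,
domain, email and vendor name below is a placeholder, not a real indicator.
"""
from collections import deque

# Constructed transform results, keyed by input value. A real transform
# would query an API; here each table is a static stand-in.
HASH_TO_DOMAINS = {
    "sha256-dropper-PLACEHOLDER": ["killswitch-PLACEHOLDER.example"],
}
DOMAIN_TO_HASHES = {
    "killswitch-PLACEHOLDER.example": [
        "sha256-dropper-PLACEHOLDER",
        "sha256-variant-a-PLACEHOLDER",
        "sha256-variant-b-PLACEHOLDER",
    ],
}
DOMAIN_TO_EMAILS = {
    "killswitch-PLACEHOLDER.example": ["registrant-PLACEHOLDER@example.net"],
}
EMAIL_TO_DOMAINS = {
    "registrant-PLACEHOLDER@example.net": [
        "killswitch-PLACEHOLDER.example",
        "second-PLACEHOLDER.example",
        "third-PLACEHOLDER.example",
    ],
}
HASH_TO_DETECTIONS = {
    "sha256-dropper-PLACEHOLDER": ["av-vendor-1", "av-vendor-2", "av-vendor-3"],
}

# Transform registry: entity type -> list of (transform name, table, output type).
TRANSFORMS = {
    "hash": [("hash-to-domains", HASH_TO_DOMAINS, "domain")],
    "domain": [
        ("domain-to-hashes", DOMAIN_TO_HASHES, "hash"),
        ("domain-to-emails", DOMAIN_TO_EMAILS, "email"),
    ],
    "email": [("email-to-domains", EMAIL_TO_DOMAINS, "domain")],
}


def run_transform(table, value):
    """Look up one entity in a transform table; unknown values return nothing."""
    return list(table.get(value, []))


def expand(seed_type, seed_value, max_depth=3):
    """Breadth-first pivot from the seed entity.

    Every entity is expanded at most once, so the walk terminates even though
    the tables contain cycles (the domain points back at the seed hash).
    Returns (nodes, edges): nodes is a set of (type, value) pairs, edges a
    list of (src_type, src, transform, dst_type, dst) tuples.
    """
    nodes = {(seed_type, seed_value)}
    edges = []
    queue = deque([(seed_type, seed_value, 0)])
    while queue:
        etype, value, depth = queue.popleft()
        if depth >= max_depth:
            continue  # depth cap: a shared registrant must not pull in the world
        for name, table, out_type in TRANSFORMS.get(etype, []):
            for out in run_transform(table, value):
                edges.append((etype, value, name, out_type, out))
                if (out_type, out) not in nodes:
                    nodes.add((out_type, out))
                    queue.append((out_type, out, depth + 1))
    return nodes, edges


def summarize(nodes):
    """Group graph nodes by entity type, sorted for stable output."""
    summary = {}
    for etype, value in nodes:
        summary.setdefault(etype, []).append(value)
    return {etype: sorted(values) for etype, values in summary.items()}


def detections(hash_value):
    """Vendors with a signature for the hash, from the constructed table."""
    return run_transform(HASH_TO_DETECTIONS, hash_value)


if __name__ == "__main__":
    graph_nodes, graph_edges = expand("hash", "sha256-dropper-PLACEHOLDER")
    for etype, values in summarize(graph_nodes).items():
        print(f"{etype}: {', '.join(values)}")
    for src_type, src, name, dst_type, dst in graph_edges:
        print(f"  {src_type}:{src} --{name}--> {dst_type}:{dst}")
    print("detected by:", ", ".join(detections("sha256-dropper-PLACEHOLDER")))
```

Run with the default depth, the seed hash grows into seven entities and eight links; with `max_depth=1` the walk stops at the first domain, which is the knob to reach for when a registrant email turns out to be shared by hundreds of unrelated domains and the graph stops telling you anything about this sample.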

Up Next

Advanced Cyber Threat Intelligence

The Cyber Threat Intelligence (CTI) course is taught by Cybrary SME, Dean Pompilio. It consists of 12 modules and provides a comprehensive introduction to CTI. The subject is an important one, and in addition to discussing tactics and methods, quite a bit of focus is placed on operational matters including the various CTI analyst roles.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor