[00:00:00] Welcome back. In the previous video we set up the tools we are going to use before we run the malware in this dynamic analysis. So in this video, we are going to continue.

[00:00:16] So now here we are ready to run. So we turn on the capture now, which is Fostoria, and then if you want, we can also go over here and look at the processes, where we can look at the details of the processes which are running in this operating system, this virtual machine. Note that under the Command column, we can also see the command line that started the process itself, as well as any parameters, if any.

[00:00:50] All right. So let's close this for now. And now we are going to detonate our malware. So go back to the folder with the malware file and click on the malware with the extension. And it immediately starts executing, as you can see. And if you look here, it doesn't show that it has created any processes as well. And if you look here, it also doesn't seem to be trying to communicate out anyway, so let us now take a look at Process Monitor and see what is happening.

[00:01:31] Yes. And this is a long list. Scroll down to see what it is currently doing, so you can scroll all the way to the bottom to see what it is currently doing.
[00:01:44] So now here you see it is trying to read your mail. You might see this thing popping up saying the application was unable to start correctly, asking you to close it. Do not close it. Just continue our analysis. You will also see this, looking for this. And then you keep scrolling upwards to look for more interesting things.

[00:02:13] And here are some more statistics, probably trying to steal some email information. And here is also some evidence of looking for messages or messaging services, as well as email identities. Looking for profiles. Username as well. It's also accounts, fishing for accounts. Computer names, and you see tons, but here is mail client, Mozilla client.

[00:02:51] OK. We do not discover much, because probably there is no email client. So anyway, if we had an email client, we could probably have discovered much more information about what it is trying to steal, for example the Firefox and Chrome passwords, as well as other passwords.

[00:03:16] So anyway, let us try to look at the strings now, to look for the strings in memory. We can go over to Process Hacker and double click on the process, hop over to the Memory tab and click on the Strings button and click OK.
[00:03:36] So here we are looking for any kind of HTTP, so just scroll down and see if we can find any, and we found quite a lot of things here. IMAP password, POP, SMTP password too. So this could be what it's trying to steal, and even looking for this Gmail and Yahoo! account passwords, login name and password for Google.

[00:04:08] And here is evidence that it is using the PK11 encryption API, and this is used by Firefox to encrypt the passwords. So it appears it may be stealing the Firefox passwords, and SQLite3 as well, probably trying to access the decrypted passwords for the Chrome passwords. There's also Thunderbird, which is the Mozilla mail client. So this might be an indication it is trying to steal the mail client's password, the email password.

[00:04:42] OK, let's try to filter for HTTP to see if we can find any command and control servers. So just type in HTTP and click OK. And it seems nothing came up, and that is because the program could be obfuscated; it could hide any HTTP service here, and you see this reference here. This could be decryption software, suggesting that there might be an embedded EXE inside this malware.

[00:05:20] So now we have a good overview of what it is trying to do, which is to steal email and browser passwords. So this is the next step.
[00:05:31] We are going to look at the static analysis. So thank you for watching. I'll see you in the next one.