1 00:00:01,020 --> 00:00:09,540 Hello and welcome to another practical. In this practical, we are going to take a look at a simulated
2 00:00:09,660 --> 00:00:17,790 malware written in Java, and the file is here, both Java demo, which you download, and
3 00:00:17,790 --> 00:00:25,110 unzip it and put it on your desktop. Inside this folder, you will find a jar file. The jar file, as I
4 00:00:25,110 --> 00:00:30,480 mentioned before, is a Java archive consisting of multiple class files.
5 00:00:31,380 --> 00:00:32,390 I got on my bike.
6 00:00:32,600 --> 00:00:33,420 He was open.
7 00:00:33,930 --> 00:00:38,780 So I'm going to open this jar file using my computer.
8 00:00:39,420 --> 00:00:40,830 So click on File and
9 00:00:43,000 --> 00:00:46,120 and then open this one here.
10 00:00:49,180 --> 00:00:55,010 Double-click on it and then click on the plus symbol here and
11 00:00:55,940 --> 00:01:01,520 inside this jar file, you can see there are multiple files, including one for the
12 00:01:03,150 --> 00:01:13,980 META-INF folder containing some information, and also the class files, and the main class. The
13 00:01:13,980 --> 00:01:23,100 first thing you want to do is to detect where the main method is. The main method is where the program
14 00:01:23,100 --> 00:01:24,210 execution starts.
15 00:01:24,990 --> 00:01:33,360 So looking for the class, looking at the class name, this could be the class which might contain the
16 00:01:33,360 --> 00:01:34,000 main method.
17 00:01:34,440 --> 00:01:40,610 So you click on it and here you scroll down and you can see this is where the main method is found.
18 00:01:42,000 --> 00:01:45,090 The main method always has the same signature:
19 00:01:45,450 --> 00:01:56,820 public static void main. Together, you see here this is a String array of elements containing the parameters
20 00:01:57,180 --> 00:02:01,080 for the whole program.
21 00:02:01,920 --> 00:02:05,730 So inside here you see that there are also some obfuscations,
22 00:02:07,500 --> 00:02:10,230 trying to make it difficult for the analyst.
23 00:02:13,080 --> 00:02:22,760 So now you can see these strings: a, https, and string b, string c and string UEA, and strings that
24 00:02:23,550 --> 00:02:26,610 and here the first function is.
25 00:02:27,460 --> 00:02:34,590 So if you scroll down to VB, you can see it is creating an object by concatenating
26 00:02:36,210 --> 00:02:39,390 three strings, a, b and c.
27 00:02:40,290 --> 00:02:43,350 ABC, these three: one, two, three.
28 00:02:44,400 --> 00:02:51,810 So what it is trying to do is trying to create a URL, so we can defeat this anti-analysis obfuscation
29 00:02:52,620 --> 00:02:54,330 by trying to decode this.
30 00:02:54,960 --> 00:03:02,970 You can see it ends with an equal sign, indicating that this is actually base64, so we can
31 00:03:02,970 --> 00:03:06,240 use any online base64 decoder for this.
32 00:03:06,720 --> 00:03:09,570 So just directly on this, double click,
33 00:03:13,200 --> 00:03:20,760 double click and select the Cosini to copy this, and open a browser.
34 00:03:25,180 --> 00:03:28,570 And then use Google to search for base64 to string.
35 00:03:32,320 --> 00:03:37,130 Click on the first one, base64 decode, or Haiji.
36 00:03:38,220 --> 00:03:42,750 And the base64 encoded string here, and the
37 00:03:48,500 --> 00:03:50,390 And we have discovered the URL.
38 00:03:51,440 --> 00:03:55,220 So just copy this and put it in there.
39 00:04:04,790 --> 00:04:07,250 Next, you go back and look at the next string,
40 00:04:08,530 --> 00:04:13,490 b string, on this one over here, this is
41 00:04:13,510 --> 00:04:16,000 So now we're looking at c, c, so here.
42 00:04:18,310 --> 00:04:31,490 So we also copy this, including the equals, copy this, and we will remove this and paste the new string here and
43 00:04:31,510 --> 00:04:31,810 click.
44 00:04:34,220 --> 00:04:41,570 And now you're getting the name of the string that has been decoded; you copy the name and put it here.
45 00:04:46,730 --> 00:04:57,650 Now we go back to the code again and we have decoded ABC, and you know that string a is https, so we
46 00:04:57,650 --> 00:04:58,610 can copy this
47 00:05:01,440 --> 00:05:02,360 and paste it now
48 00:05:04,490 --> 00:05:05,150 in front.
49 00:05:14,780 --> 00:05:17,060 So now if you combine three things together.
50 00:05:19,820 --> 00:05:26,650 And these folks, they're here. If you look back at the code here, there's a forward slash; we just
51 00:05:26,660 --> 00:05:28,490 can't get any to anybody out of trees.
52 00:05:29,330 --> 00:05:36,080 So we insert our forward slash here, and immediately we get our indicator of compromise.
53 00:05:36,590 --> 00:05:38,950 So this is the file it is trying to download.
54 00:05:39,710 --> 00:05:48,050 So we go back to the code here and we can see that it's creating this URL object, and then, which
55 00:05:48,050 --> 00:05:50,840 is, this is the HTTP.
56 00:05:51,560 --> 00:05:53,000 And then it is going to
57 00:05:54,560 --> 00:05:57,470 an HttpURLConnection object.
58 00:05:58,410 --> 00:06:00,420 And after that, it's going to open a connection.
59 00:06:06,160 --> 00:06:16,030 And then it's going to set a connection request again, using these; this is also, and this is base64.
60 00:06:16,480 --> 00:06:19,720 You can confirm this if we click on this.
61 00:06:22,490 --> 00:06:23,270 See, the
62 00:06:24,400 --> 00:06:32,770 Yes, it's coming from here, and see, you click on this a; from here, you can see the function inside
63 00:06:33,010 --> 00:06:40,060 is base64 decoder. Now, this is a confirmation that it is using base64 encoding,
64 00:06:41,350 --> 00:06:43,590 something here in C deck.
65 00:06:43,600 --> 00:06:47,450 The deck is the same function here.
66 00:06:47,470 --> 00:06:50,260 So this is also base64 for this.
67 00:06:52,510 --> 00:06:54,910 So if you want, you can do the same thing.
68 00:06:55,210 --> 00:07:04,300 You can copy the existing easy variable over here and then go to decode it, but I leave it to you as
69 00:07:04,300 --> 00:07:04,990 an exercise.
70 00:07:05,560 --> 00:07:08,050 So now we know enough about what it's trying to do.
71 00:07:08,650 --> 00:07:15,400 It is trying to reach out to the command and control server and download the file.
72 00:07:15,910 --> 00:07:24,140 And then if the connection response is 200, that means the file managed to download, it is going to do this.
73 00:07:24,710 --> 00:07:25,050 If
74 00:07:25,390 --> 00:07:26,750 the connection fails,
75 00:07:27,130 --> 00:07:29,090 it is going to return from the program.
76 00:07:30,280 --> 00:07:38,290 So after downloading the file, you open a BufferedReader to read the input stream and then create a
77 00:07:38,470 --> 00:07:40,630 string out of it.
78 00:07:41,290 --> 00:07:46,930 And then here you assemble the string that you've read, the string.
79 00:07:47,350 --> 00:07:48,730 So the string is read
80 00:07:50,510 --> 00:08:00,520 over here and saved as the variable eighty nine zero Z, and in the next line it will split that string
81 00:08:00,940 --> 00:08:08,170 based on the separator, the colon separator, and then it will check the first part and the second.
82 00:08:08,180 --> 00:08:13,690 If the first part of the string is C, and the second part is one,
83 00:08:14,080 --> 00:08:19,370 then it executes the function; the called function is down here.
84 00:08:21,460 --> 00:08:23,920 So in the function, you scroll down.
85 00:08:24,100 --> 00:08:28,540 It is trying to create a screen capture
86 00:08:30,010 --> 00:08:37,010 over here, and then after creating the screen capture, it is saving this locally.
87 00:08:38,410 --> 00:08:44,860 And over here it is trying to create a random name, a random integer.
88 00:08:45,840 --> 00:08:47,640 And here it is going to create a local file
89 00:08:49,560 --> 00:08:50,280 to store,
90 00:08:53,360 --> 00:08:57,440 to store a file with extension JPG.
91 00:08:58,970 --> 00:09:01,070 And this is updated from the
92 00:09:02,500 --> 00:09:11,610 integer i here, which is a random number, and over here it is going to write the desktop to the local
93 00:09:11,620 --> 00:09:12,030 file.
94 00:09:13,030 --> 00:09:18,790 The local object, one means, is going to store the captured desktop image,
95 00:09:19,770 --> 00:09:24,460 the screen capture, into a local file, which is the name dot JPG.
96 00:09:25,200 --> 00:09:26,770 So this is your malware artifact.
97 00:09:26,790 --> 00:09:31,540 You can actually trace this file; it is in the temp directory for your operating system.
98 00:09:32,370 --> 00:09:39,540 So from this analysis, we already know so much about what this simulated malware is trying
99 00:09:39,540 --> 00:09:39,920 to do.
100 00:09:40,410 --> 00:09:46,860 We were able to defeat its anti-analysis obfuscation.
101 00:09:47,430 --> 00:09:56,150 We managed to also find the indicator of compromise and also the malware artifact.
102 00:09:57,000 --> 00:10:03,820 So this is how you can use reverse engineering to help us do malware analysis on Java binaries.
103 00:10:04,230 --> 00:10:05,280 Thank you for watching.
104 00:10:05,640 --> 00:10:06,900 I'll see you in the next one.