1
00:00:00,540 --> 00:01:51,810
Hello and welcome to this walkthrough for the exercise, which I've already given you to do in the previous video. So this is the file which you have downloaded in a zip; inside you find the crossrat jar. So let's open it in Bytecode Viewer. So click on File here, and then select the crossrat jar file, and you can expand the contents of the jar file to see what is contained in it, and you find one, two, three, four packages, such as package b, crossrat and org.jnativehook. One of the first things we normally do is to look for the main, the entry point, because that is the main function which is started whenever the jar is run. So to help us look for the main, we can use a plugin. So click on Plugins here and select Show Main Methods, and it will tell you that main methods are found in two packages: the crossrat package and the org.jnativehook example package. And of these two, jnativehook is something similar to what we did in the previous video, which was a keylogger. So this probably is not the main. This is the main. So let's open crossrat and look for the client class. Click on it for the decompiled code.
2
00:01:52,770 --> 00:03:30,690
One of the important skills of a malware analyst is to look at the high-level picture: no need to go into every single line of code, but try to look at a high-level view of what the malware is trying to do. So, for example, over here we can see that there's a string here. It is trying to look for the temporary directory inside the operating system. And then if you look at the next line, you will see it is trying to get a location: getProtectionDomain().getCodeSource().getLocation() is actually trying to get the string path for the location of the current jar file. Now, one of the common things that every malware will try to do is to relocate to a new directory or new path after it has infected the system. And this is what it may be trying to do: look for the temporary directory and then look for the current directory, and probably copy itself out to the temp directory or maybe some other path. All of this is part of its trying to get persistence on the operating system. Persistence means that it is trying to survive a reboot or a logout and login, so that whenever the operating system is rebooted or logged in, the malware can be sure of being able to restart again. That is the meaning of persistence. For all of these, enumeration is merely part of the effort to gain persistence.
3
00:03:31,110 --> 00:05:16,470
Coming down to line 39, you will find if-else statements, and you can see here it is trying to create a path to the user's home directory. And in here, this appears to be a Windows path because of the two backslashes. And this one appears to be a macOS path, and this one a possible Linux path. So what the malware is trying to do is trying to persist itself by first determining which path is suitable based on the operating system. And then further down it is concatenating the chosen path with a file name, which is probably the relocated file for the malware itself. So this gives us a very good, clear indicator of compromise. If you can find this file in any of these locations, depending on your operating system, then it is a clear case of an indicator of compromise. Now, if you scroll down further to line 77, you will find getProperty("os.name"), getProperty("os.version") and "user.name", as well as the InetAddress, the IP address. So it appears that the malware is trying to fingerprint the victim's machine, probably sending this data down here to the command and control server. And then if you go down to this line over here, a socket is being created to connect to the Internet with the parameters k.b and k.c. So let us take a look at this class k to see what's inside here. So if you click on class k and scroll down, you will see.
4
00:05:17,720 --> 00:07:01,250
k.b is a domain name ending in dot com, and k.c is a port, 2223. So now we know that this malware is trying to connect to a command and control node, and the URL is that dot com domain with port 2223. So let's get back to our main here, and you can see that is happening down here. At line 89, it's opening a data stream to that dot com domain and sending some data. And what is it sending? It is sending var1, var2, var3, along with some other data. So var1, var2 and so on are coming from here, with the OS name and user name as well as the IP address and hostname. So this will allow you to use this information, this indicator of compromise, to update your organization's network intrusion detection or firewall system to detect or block this URL, and also to locate which machines in your organization have already been compromised. And if you go further, you will see that it is reading something returned from the command and control server, and then whatever it gets back here, it is going to parse it and see what it is supposed to do. So as you can see here, based on the response it gets, it carries out various other commands. So now we know this is a remote access tool being used by the command and control for some kind of remote access control.
5
00:07:01,790 --> 00:07:27,800
And if you want, you can go on further to explore the entire functionality of this remote access tool. And there are other things as well; you can go ahead and look. But suffice it to say that we've already found the malware artifacts as well as the indicators of compromise for our purpose for this video. So go ahead and explore further if you will. Thank you for watching.