1
00:00:00,000 --> 00:00:07,700
Welcome and thanks for watching. In this lesson we'll keep looking for malware functionalities in strings.
2
00:00:09,166 --> 00:00:13,999
Strings are sequences of characters embedded within our malware sample.
3
00:00:14,000 --> 00:00:18,366
These characters contain clues about malware functionality.
4
00:00:20,566 --> 00:00:30,466
You could find Command and Control domain names, URLs, file names the malware is creating, APIs the malware is using, and so on.
5
00:00:34,566 --> 00:00:38,566
Let's start our Windows virtual machine.
6
00:00:47,466 --> 00:00:54,532
OK then, we are going to extract strings from our binary Rams1.
7
00:00:54,533 --> 00:00:58,699
The first tool we'll try is FLOSS.
8
00:00:58,700 --> 00:01:04,900
It's easier if you just copy Rams1 into the FLOSS folder.
9
00:01:04,900 --> 00:01:10,900
FLOSS is a console application; I have it ready here.
10
00:01:10,900 --> 00:01:26,766
In my case I downloaded FLOSS to my C drive, folder floss, so I just type floss64 Rams1.exe.
11
00:01:29,200 --> 00:01:38,200
What we're seeing here is FLOSS getting all the strings it can from our Rams1 binary.
12
00:01:38,833 --> 00:01:44,833
You will always get this "cannot run in DOS" string; just ignore it.
13
00:01:47,366 --> 00:01:54,366
So we start inspecting this, and we'll find some interesting strings.
14
00:02:01,500 --> 00:02:11,500
And look what we have here: this link could be a Command and Control center this malware is connecting to.
15
00:02:11,500 --> 00:02:18,500
Here we see something else: it's the ransom note this ransomware is dropping.
16
00:02:27,000 --> 00:02:34,133
If you keep digging you'll probably find functions, APIs, and so on.
17
00:02:44,166 --> 00:02:50,166
OK, now we'll see this in the BinText tool. As I told you before, you should try more than one,
18
00:02:50,166 --> 00:02:55,166
because one tool could extract strings that another can't.
19
00:02:55,333 --> 00:02:59,333
So let's open this and load our binary.
20
00:03:10,200 --> 00:03:14,200
And there we go.
21
00:03:21,366 --> 00:03:26,399
That's it; for starters these tools are enough.
22
00:03:28,900 --> 00:03:33,966
Thanks for watching, and please join me in the next static analysis lesson.