Crack The BAT - Identifying Compression, Packers & Googling for IOCs
In this video I show you an interesting sample sent to me via Twitter: a password-protected malware sample. Our goal is to obtain the true malware indicators, which means first of all cracking the password. It turns out this wasn't hard at all; some simple initial assessment of the malware (using PEStudio) enabled me to find a ZLIB-compressed resource. Inflating that yielded what looked to be an MD5 hash, and simply Googling for that hash yields the password.
Then, using the password we can run the malware, obtain additional indicators and identify the tool the adversary used to create their malware. We then turn the same tool back on the malware to decompile it into its true source. RESULT!
The aim of this video is to showcase that you don't have to understand every single line of assembly code to understand what malware is doing and to bypass security-evasion techniques that adversaries often use.
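The compressed-resource step described above, as an added example that is not code from the video: a small triage script that scans raw bytes (a file, or a resource dumped with PEStudio) for zlib stream headers, inflates each candidate, and reports any 32-hex-character, MD5-shaped tokens in the inflated data. The sample blob and the hash-like token in it are constructed for the demonstration.

```python
import re
import zlib

# CMF byte 0x78 (deflate, 32K window) followed by the FLG values whose
# FCHECK passes, i.e. the headers real-world zlib streams actually start with.
ZLIB_HEADER = re.compile(rb"\x78[\x01\x5e\x9c\xda]")
# 32 hex digits on word boundaries: the shape of an MD5 digest.
MD5_SHAPED = re.compile(rb"\b[0-9a-fA-F]{32}\b")


def find_zlib_streams(blob: bytes):
    """Yield (offset, inflated_bytes) for every complete zlib stream in blob."""
    for match in ZLIB_HEADER.finditer(blob):
        offset = match.start()
        inflater = zlib.decompressobj()
        try:
            out = inflater.decompress(blob[offset:])
        except zlib.error:
            continue  # header bytes by coincidence, not a real stream
        if inflater.eof and out:  # require a properly terminated stream
            yield offset, out


def hash_like_strings(data: bytes):
    """Return MD5-shaped tokens found in data, as text."""
    return [h.decode("ascii") for h in MD5_SHAPED.findall(data)]


def triage(blob: bytes):
    """Summarise each embedded zlib stream: where it is, how big, any hash-like tokens."""
    return [
        {"offset": off, "size": len(inflated), "hashes": hash_like_strings(inflated)}
        for off, inflated in find_zlib_streams(blob)
    ]


# Constructed sample: an MZ-like prefix, padding, a zlib-compressed string holding a
# made-up 32-hex token, then trailing junk. Not taken from the analysed sample.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 40
    + zlib.compress(b"pwd=0123456789abcdef0123456789abcdef")
    + b"\xff" * 16
)

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```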
Peace,
@cybercdh
SAMPLE
=======
You can get the sample and follow along here:
https://app.any.run/tasks/d2547910-3a16-467c-9251-63cb60a7a6c7/
TOOLS
=====
Here are the key tools I used:
PeStudio - https://www.winitor.com
x64dbg - https://x64dbg.com/#start
UPX - https://upx.github.io
BAT2EXE - https://documentation.help/BAT2EXE/en.html
THANKS
=======
I had a lot of fun making this video and I really enjoy this community. If you enjoyed watching please LIKE and SUBSCRIBE for more content.
FOLLOW
=======
You can also find me on https://twitter.com/cybercdh
Video "Crack The BAT - Identifying Compression, Packers & Googling for IOCs" from the channel cybercdh