Dissecting & Comparing Different Binaries to Malware Analysis

BSides Budapest · 2020 · 55:36 · Published 2021-01 · Watch on YouTube

Category: Technical
Style: Talk

About this talk
This presentation was streamed at #BSidesBUD2020 Online IT Security Conference. All rights reserved. https://bsidesbud.com

Transcript [en]

Hi everyone, I'm so glad to be here. My name is Filipi Pires. I think many people maybe know me, and other people maybe don't know me, but no worries. Today we are talking about this topic that I like a lot, malware analysis, and specifically about dissecting and comparing different binaries for malware analysis. But first of all, talking about who I am: I think many people use this kind of slide, but usually I like to put it because, you know, it doesn't matter who I am. At the end of this

presentation I put my LinkedIn contact and my email, so if you would like to know me you can follow me on LinkedIn or another social media. But first of all, the one thing more important to me is my family. I am talking from Poland now, because I am living here in Poland, in Kraków, but maybe in June I will return to live in Brazil. So this is my big family; this is the first thing in my life, the most important for me. I have four children, as you can see in this picture, so yes, it's a big, big, big family. But, as I mentioned before, that's

the most important to me. About my work: today I work as a Global Research Manager at Hacker Security, a company in Brazil, where I basically work as a researcher, and I am starting a new challenge, a new job in Brazil at this company, Zoop Innovation, where I have been working as a security and research manager. This company is a development company that builds new software, new projects; its focus is basically on open source code, so you can follow its components, many different approaches and code you can use. Okay, and the most important thing for me, as I mentioned, is my family. Okay.

So today we are talking about some steps that we can use when we talk about malware. First of all, you need to understand what kind of sample this is, because, you know, I don't know if it's malicious or not, but I need to understand it; we need to identify this artifact. So first of all we need to understand: is it a malware or a maldoc? The names are obvious: malware is malicious software and maldoc is a malicious document. When I identify this sample I can pass to the next step, which is to choose what strategy I can use to analyze the sample. I can use, for example, static

analysis or maybe dynamic analysis. These are the two forms, or two ways, that I can use in my approach; usually many different malware analysts use them, okay. So after that I can create, or I can prepare, the report. Many times the coordinator or manager or tech lead likes this report, because when you make different studies or you propose to prepare some analysis, you need to write this in some report and present it to your boss, your coordinator. After that you can improve your defense mechanisms, because

if you're working in any company in a security team, you can improve your tools that can be used; for example, you can change different settings in your tools and your environment, you change different configurations or settings, you know, using different business practices. Okay, after that you can create this beautiful name that many people like, you know, threat intelligence. I am joking with this topic, because it's very important, I know, but it's a big challenge to build this in many different companies, because when you talk about cyber

threats it's a beautiful name, but when you talk about APT, advanced persistent threat, it's so different, it's so difficult to understand how this works, for example. So this is important when you talk about malware analysis and you understand the behavior of these different samples, for example, and you can create this intelligence. So you need to have, for example, many different approaches, different steps, or maybe a different server, or you can create a honeypot, or create for example MISP, some inspection, or anyway you can create a repository, you know, for the many different samples, to create

basically the threat intelligence. After that you can use this word, it's very interesting, resilience, because, you know, the threats are changing. Yes, so when you talk now about malware analysis we have many other guys creating new malware or new different strategies to exploit different customers or people, you know. So this is the picture that we can use in malware analysis. The first step is static analysis; usually this is the exploration used by many, many malware analysts. This is the first step the analyst usually uses, because when you talk about

static analysis, it describes the process of analyzing, describing how the code works, or what the structure of the functions is: if you found, for example, different DLLs or libs in the file, and what the functions are that this DLL maybe can call, for example. So this is the first step. Usually when you talk about this kind of analysis, static analysis, the program itself doesn't run. I put here "depending", of course, on the program, because usually this process is maybe safer, because usually you are not executing the code of your sample at run time. Because

with the other approach, when you run or perform on this sample, you can use a controlled environment, like a sandbox; this is another analysis. But in static analysis usually you can use many different commands to understand this behavior, okay. So the second step is dynamic analysis. As I mentioned, it's based solely on behavior; that is, basically you can execute the sample in a lab, in the laboratory. You can use it in runtime analysis, you can use this concept called sandbox, you can prepare a virtual machine, run this sample inside this virtual machine, and understand what

behavior this sample has, okay. So these are the different approaches: when you talk about static analysis you can use many different commands, because you understand the inside of the code, and when you talk about dynamic analysis you can run the sample in your own environment, in your virtual machine, okay. So this is the first step I would like to show you. I prepared a video, but I would like to use it in the demo. Lucky for you, I will present on my machine, okay. So here we have my virtual machine; I prepared here for you

one thing very interesting, because the first command that I can use, that I like to use, to identify the sample, for example... let me check here. I use some simple malware and suspicious files, okay. This is the first machine; when you see this kind of folder, or folder of samples, sorry, when you can see different samples, how does the sample show you, or how can you see that it's maybe suspicious for you? So first of all, when you use this, for me, for my side, when you talk about Brazilian guys, usually we use this term, 171; it's usually like a joke. When you talk about a person, the

people in Brazil, this person is like a "171", it's like people who don't pay their bills or something like that. So in Brazil, using this kind of file name, this kind of file is suspicious; it's like a joke, you know. But if I use, for example, the file command to understand what this means, for example this 171, we can see here it's not an executable file. We can see here the 171 is a text file; it's totally different, not exactly what it seems, because, you know, the file command is very interesting. I will explain more about this file command, because for me it's very

interesting to understand these bases, you know. So for example another file that I can see is malware.dll; it's another file that I can read. For example, when you see malware.doc.dll here, oh my god, it's not an executable file, it's the same case, it's a text file, oh my god. So if you have the text, today we can read, for example, the first file here: you can read 171, and when you read here, you can read "you lose", oh my god. When you read another file, for example, let me check here, malware.dll.com: "www never believe in extension.com". Yes, I know that is a joke; this is the

purpose of this, because first of all we need to understand, when you talk about malware, we need to understand what this file maybe is. For example, here we can read that it's an image document file, okay. Another file, 171 here, you can read it's a text file, okay. So here it's maybe an executable file, right? So 10199 is an executable file. So okay, here we can read, for example, this is an executable file, PE, yes, portable executable file, 32-bit; this is the architecture for Windows, of course, because it's PE, yes, portable executable, and here we

have the interesting information, because here the sample is using UPX compression; that is, we have a packer used when the attacker compiled this kind of sample, right. And here we have another different sample; maybe we can analyze both. I would like to read this file, for example, the text. Let me check here: cat 110.rtf. Let me read. So, very interesting text: if you see here, we can see the information "this file can be decrypted using the program dirtydecrypt.exe". So maybe you can suppose here this is the communication from the attacker to the victim, right? So "press Ctrl+D to run the decrypter".

Maybe this file is responsible for decrypting the malware, right? So the decrypter, is it good? It's not open here. We can read the path, it's very interesting: here we can read, for example, C:\Users, and "All Users" of the victim, and AppData\Roaming\dirty. So when you look in all the files here, you can look at this other one; maybe we are talking about this file, right, dirtydecrypt, it's a similar name. If you use the file command for this file, the sample, for example, when you execute it you can read here it's a PE executable but not compressed,

you know, this file doesn't use UPX, for example. So maybe you can access this information, basically, or maybe this file can be used to decrypt this encryption that the attacker or the victim can suffer in the environment, right. So this is a very, very, very interesting sample to analyze. But the important thing to understand, guys, is here: for example, the file command, it's a very useful command. I know it's a simple command, for me it's totally clear, but you need to understand these basics, because many people, I can see in different conferences when I talk about this topic, mainly the people don't

understand how this works: why, what can I use this file command for, why is this important. If you read the man page, because, you know, I understand people don't like to read a lot of information, I know, but here we have the gold point, right. For example, here we can read how this command works; for example, here is this explanation: "the magic tests are used to check for files with data in particular fixed formats", right. So when you talk about the file command, let me check here: these files have a magic number; that is the key,

because all files have a magic number to identify the file, right. So the magic number is stored in a particular place near the beginning of the file that tells the Unix operating system, right. So here we have much information. Another point here: "the canonical example of this is a binary executable (compiled program)", as I mentioned, "whose format is defined in elf.h". So here the other information is very interesting, because when you talk about the structure of the ELF, the Unix format, you can read here exactly the format in the Linux file. So I proposed here to download the source code of file, the file source code here from Debian,

for example. I would like to understand how this database works, because my proposal now is to understand this code, how this works, because, you know, you need to understand this, all days. So let me check here: cd file, okay, let's see the magic, and magic/Magdir, okay. So here, guys, we have the database of all magic numbers that we have in the Linux machine. For example, when you see here in javascript, okay, let me check here, cat javascript, you have the script here, you can read the information of the magic number that usually the command reads in the beginning of the file, in the

magic number. For example, if at the beginning of the file we have this information, maybe this command will identify it like a "Node.js script text executable", you know. Of course, when you talk about the portable executable, the PE, or the ELF, we have a different approach, or we have a different regex that can be used to identify this kind of file, right. So for example, let me open another terminal here; I use Terminator, it's no problem here. So let me, I'd like to work like that. Okay, that works, okay. Now, cd malware, sample... malware, not sample, okay, let me check it here in suspicious,

suspicious, cgr and rtf... I'd like not suspicious.

Okay, so I think it's here, it's okay, yes, perfect. Here we have a difference; let me open this better, to read better, I think. So I can create here, I will use nano, okay; yeah, if you don't like nano you can use vi, no worries. So I'm using here "bsides", okay. So here, for the test, I can create here "malware is dangerous", okay, so I will save here, okay. If I use the file command on bsides, it's a text, right, okay. So now it's very interesting, so for example, let me change here to compare both of these

approaches with you, okay. Here is the same case, perfect. So we have here the javascript entry, for example, that I mentioned to you: at the beginning of the file the regex is the shebang line with node, so I will change this file, for example, I will put that here, and I save. If I use file, oops, oh my god, it's not just text, here we have a "Node.js script executable" file, you know. That's very interesting when you manipulate the magic number of the file. I will change again; no, I will take this and I will put, for example, %PDF-1.9, and save. So we can use file bsides, and when you talk

about, oops, no, um,

here, yes, right. So you can see here I manipulated again the same file; it's a PDF document, but, you know, the document file is basically a text file, but I used the file command to identify this magic number, you know. I changed it with different approaches three times: the first, I created the text file, the simple text; after that I changed it to a Node.js script executable, but not executable, right. So because of this I need to understand how this command works, because I know it's a simple command, but you need to understand how this command works, you know. This is the database; I can change again, for example, I can look at another different approach here. Maybe I don't

know, let me check here another one; you can use another regex, maybe it's PDF that I can use, I can use another, for example, let me check here YARA, what's this, the beginning regex... it's maybe difficult to put here now, different, but anyway. Now the important thing here is you understand, you need to understand how this works very well, okay. So let's come back to the presentation.
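The magic-number test the man page describes, as an added example in Python (not code from the talk or from the file project): a few hand-written rules modelled on the ideas in file's magic database, plus a function that repeats the demo above in memory by prepending a node shebang and then a %PDF-1.9 header to the same text. The rules, the sample text and the fake PE skeleton are constructed here; the real database has thousands of entries and a richer test language.

```python
"""Tiny magic-number identifier modelled on file(1).

Added example, not code from the talk: a handful of rules written by hand
after the entries in file's magic database (the real database has
thousands and a richer test language). Only the first bytes of the content
decide the label, which is exactly what the demo above manipulated.
"""
import struct


def identify(data: bytes) -> str:
    """Return a file(1)-style description for the start of a file's content."""
    head = data[:64]

    # ELF: 0x7f 'E' 'L' 'F', then EI_CLASS at offset 4 (1 = 32-bit, 2 = 64-bit)
    if head.startswith(b"\x7fELF"):
        bits = {1: "32-bit", 2: "64-bit"}.get(head[4], "unknown-class")
        return f"ELF {bits}"

    # PE: 'MZ' DOS header; e_lfanew at offset 0x3c points at the 'PE\0\0' signature
    if head.startswith(b"MZ"):
        if len(data) >= 0x40:
            pe_off = struct.unpack_from("<I", data, 0x3C)[0]
            if data[pe_off:pe_off + 4] == b"PE\x00\x00":
                desc = "PE32 executable"
                # simplistic stand-in for file's UPX test: look for the packer's markers
                if b"UPX!" in data or b"UPX0" in data:
                    desc += ", UPX compressed"
                return desc
        return "MS-DOS executable"

    # PDF: the header line carries the version number
    if head.startswith(b"%PDF-"):
        version = head[5:].split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
        return f"PDF document, version {version}"

    # Shebang lines: the interpreter named on the first line decides the label
    if head.startswith(b"#!"):
        first_line = head.split(b"\n", 1)[0]
        if b"node" in first_line:
            return "Node.js script text executable"
        return "script text executable"

    if head and all(32 <= b < 127 or b in (9, 10, 13) for b in head):
        return "ASCII text"
    return "data"


def identify_file(path: str) -> str:
    """Read only the first bytes of a file on disk, like file(1) does."""
    with open(path, "rb") as fh:
        return identify(fh.read(4096))


def demo_manipulation() -> list:
    """Repeat the talk's three edits of one text file, in memory."""
    body = b"malware is dangerous\n"  # constructed sample text
    return [
        identify(body),
        identify(b"#!/usr/bin/env node\n" + body),
        identify(b"%PDF-1.9\n" + body),
    ]


def build_fake_pe(packed: bool) -> bytes:
    """Constructed MZ/PE skeleton, just large enough for the checks above."""
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)
    pe = b"PE\x00\x00" + (b"UPX0" if packed else b".text")
    return dos + pe


if __name__ == "__main__":
    for label in demo_manipulation():
        print(label)
    print(identify(build_fake_pe(packed=True)))
```

The PE rule follows e_lfanew at offset 0x3c to the PE signature before it calls the file a PE, and the UPX check is only a marker search; the point is that nothing past the first bytes is consulted, which is why a text file whose first line is %PDF-1.9 is reported as a PDF document.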

So this part is very interesting; I talk about the structure of the ELF, as I mentioned before in the file command, you know. I talk about the structure; it's basically the same: for example, when you talk about ELF you have the ELF header, you have the program header table, you have the sections, the .text, the .data and .rodata (read-only data), and you have the section header table and other parts. In the same case, when you talk about the PE, the portable executable, we have the same, or not the same, but almost the same structure, because you have the DOS MZ header; usually the

analyst runs a different command and you can identify, for example, the MZ structure, right. And you have the same; of course, we would need another talk to explain about the PE, because it's very, very comprehensive, or complicated, to talk about the PE, because you have different optional headers, the PE header, there's a need for it in the file, you have the section table, you can read the code, here we have different sections. Oh, I think it's in front of the section, but okay, anyway, you have a different structure; it's very comprehensive, but okay. I will return to my

machine to show you some information that is very interesting for you. So here, let me exit here, okay. I was in Terminator because I think it's better to manipulate the file here. I will show you what I showed before, about the structure, right. When you read the file command, we read here about the ELF structure, right. So here we have the information about the structure; I would like to copy and I will check here, locate here, okay. Here is the sample I would like to read; I would like to nano here, yes, very interesting: /usr/include/elf.h, this is what we talk about, the structure

of the ELF, right. So here let me change here; I would like to compare both of these for you. No, no, here, no, no, sorry.

Oh yes, okay. So here, let me check here, cd malware, sample, and Linux malware, and Linux, okay, we have different Linux here, okay. So here, let me clarify some information: here we have the structure of the ELF. For example, here is the file header; this appears at the start of every ELF file. We have the first step that we identify to define the ELF file: we find, for example, the e_ident; these are the first 16 bytes that you can look at, and you can find the magic number and other information. If you use, for example, let me check here, we have different binaries; we have, for example, Erebus,

this is a ransomware malware for Linux, let me confirm, Erebus, yes, Erebus. This here is an ELF file, 64-bit, this is executable, this is the version, it's dynamically linked, and that is okay. Let me check another; I think it's here, linux anki, it's the same, 64. Let me check another file, Linux, I think, check here.

Yes, right. So I've used these two here because I will compare both of the samples, ELF 32-bit here and 64-bit here, right. So when you come back to the structure of the ELF, when you read the 16 bytes at the beginning, we have the information of the magic number and the other information. So let's explain, to understand these steps, the structure. So the fields in the e_ident array, because you have the array of 16 bytes here: in the first position we have the zero, in the second position

we have the E, in the third position we have the L, and in the fourth position you have the F. If you use, for example, xxd, you can use xxd with 32 bytes, and you check the first Linux malware: you can read here the first four positions that I mentioned in the ELF file, you know. This is the first position to the fourth position, right: the first is zero, the second is E, the third is L, the fourth is F, you can read here. So it's the same case here, you can read. So let me compare this for the Erebus file; let me check here, it's the same case, yes,

that is, we have the structure in the file, the structure here in the file. That's very important to understand, because many people talk about malware analysis, reverse engineering, it's very, very interesting, but guys, we need to understand these first steps. This is my idea here with you in this presentation, because you need to understand these basics. For example, the next steps: when you look at, for example, the fifth position, this is the fifth position, right, one, two, three, four, five; here 01. What explains this in the structure of the ELF? The position of class: 01 means 32-bit object. When you have 01, you can read here it's 01,

because the Linux malware is 32-bit, but the other file, Erebus, is not 32, it's 64, as you can read here. So in this case it's not 01; you can see here 02, and of course here it's 02, it's perfect. Another position is position six; let's talk about little-endian and big-endian. If you read here, it's 01 or 02; the same case, both files are 01, that means it's little-endian, you can read. And, you know, it's different in the other position that I like to show; for example, let me check

here, it's about the structure, for example, of the machine. You can read here ELF is created for, using, for example, Linux or Unix systems, or HP, or NetBSD, or IBM, or another structure. If you can see here the eighth position, so one, two, three, four, five, six, seven, eight, the position is 00; here you talk about Unix systems, or 03, you talk about the, you know, Linux one, right. So maybe you can read here both of them exactly in the explanation; after that you can read more and more and more. So another thing that is very interesting is the next step; it's e_type, the object file type. When you

talk about the 16-byte array, you know, the 16 bytes in the first array, the name is e_ident; the first array is e_ident, and the second is e_type, it's the 17th position, right. So here we have 16 positions and here we have the 17th position. What does this mean here? When you read the other position, let me check here, "legal values for e_type (object file type)", here we read the information, for example, if this file is executable, relocatable, or a shared object file, right. So here we have both files executable. Let me confirm here with another binary; it's in /usr/bin, I think ls, no, yes, that's here.

So here we have a different format. I can show you here ls, it's this command, right, so this is a binary. Using file /usr/bin/ls, this is an ELF, right. So here in the 17th position we can look at what we can see: a shared object, you know, because this is created in the C language program, right. So here we can read this information; it's the same case because it's not executable... yes, it's executable, because, you know, we have different builds, different structuring in the Linux or Unix operating system, but that's another talk, right. So here we can read the difference: here the shared object, different from when you talk about the

first files, which are executable, you know. So this is very important, to understand the structure, right. So I can talk about the portable executable, but my focus here is to show how important it is to understand the basics of the structure, right. So let's come back to the presentation. So here we talk now about some physical and logical structure of the files, PDF files, okay, because we understood first about the structure, how one strategy can be used, for example static analysis or dynamic analysis, and after that we read about the file command, how this works, how this database that the file command has, and understood more about the structure of the ELF files.
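The e_ident walk above (offsets 0 to 3 the magic, 4 EI_CLASS, 5 EI_DATA, 7 EI_OSABI, then e_type at offset 16), as an added Python example that is not part of the talk. It builds constructed headers, a 32-bit executable, a 64-bit executable and a 64-bit shared object like /usr/bin/ls, reads the fields using the names from elf.h, and prints an xxd-style view of the first 16 bytes. The value tables are only the subset of elf.h values the talk mentions.

```python
"""Reading the first bytes of an ELF header by hand.

Added example, not code from the talk. The names follow /usr/include/elf.h;
the value tables below are the subset discussed in the talk.
"""
import struct

EI_CLASS = {1: "ELF32", 2: "ELF64"}
EI_DATA = {1: "little-endian", 2: "big-endian"}
EI_OSABI = {0: "UNIX - System V", 3: "UNIX - GNU/Linux"}
E_TYPE = {1: "REL (relocatable)", 2: "EXEC (executable)", 3: "DYN (shared object)", 4: "CORE"}


def parse_elf_ident(data: bytes) -> dict:
    """Decode e_ident[0..15] and the e_type field that follows it at offset 16."""
    if len(data) < 18:
        raise ValueError("too short for an ELF header")
    if data[:4] != b"\x7fELF":  # EI_MAG0..EI_MAG3: 7f 45 4c 46 in xxd
        raise ValueError("bad magic: %r" % data[:4])
    # e_type is stored in the byte order announced by EI_DATA, so read that first
    endian = "<" if data[5] == 1 else ">"
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    return {
        "class": EI_CLASS.get(data[4], "invalid (%d)" % data[4]),   # EI_CLASS, offset 4
        "data": EI_DATA.get(data[5], "invalid (%d)" % data[5]),     # EI_DATA, offset 5
        "version": data[6],                                          # EI_VERSION, offset 6
        "osabi": EI_OSABI.get(data[7], "other (%d)" % data[7]),     # EI_OSABI, offset 7
        "type": E_TYPE.get(e_type, "other (%d)" % e_type),           # e_type, offset 16
    }


def build_elf_header(bits: int, e_type: int, osabi: int = 0, little: bool = True) -> bytes:
    """Constructed header: e_ident, e_type, e_machine, e_version, then zero padding."""
    ident = b"\x7fELF" + bytes([1 if bits == 32 else 2, 1 if little else 2, 1, osabi]) + bytes(8)
    endian = "<" if little else ">"
    rest = struct.pack(endian + "HHI", e_type, 0x3E if bits == 64 else 0x03, 1)
    return (ident + rest).ljust(64 if bits == 64 else 52, b"\x00")


def hexdump_head(data: bytes, n: int = 16) -> str:
    """xxd-style view of the first n bytes, the view used in the talk."""
    chunk = data[:n]
    hexpart = " ".join("%02x" % b for b in chunk)
    ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return f"{hexpart}  {ascii_part}"


if __name__ == "__main__":
    samples = {
        "linux_malware_32 (constructed)": build_elf_header(32, e_type=2),
        "erebus_like_64 (constructed)": build_elf_header(64, e_type=2, osabi=3),
        "ls_like_dyn (constructed)": build_elf_header(64, e_type=3, osabi=3),
    }
    for name, blob in samples.items():
        print(name, hexdump_head(blob), parse_elf_ident(blob), sep="\n  ")
```

Because EI_DATA is read before e_type, the same function handles a big-endian header correctly; that ordering is the one thing a hand-written parser gets wrong most often.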

The PE files, sorry, the ELF files, right. So now I look into the PDF files, right. So basically general PDF documents have four main parts: the first part is the header, the second part is the body, it's very common, the third part is the cross-reference table, or xref table, and the trailer, which is basically the end of the document, right. So basically it divides in this form: header, body, cross-reference table and trailer. So here I would like to show the very interesting information: in the header we can read the version number. Do you remember when I created the text file and then manipulated the magic number and we looked in the PDF file? Do you remember it,

to change it to the PDF file? Yes, you can read this information here; it's very important. So inside the body we have the pages, objects, images and fonts, bookmarks and many different things. In the cross-reference table, here it's very interesting, because we have the locations of the objects linked into the file. So basically all the parts of the structure are linkable into the body, in the cross-reference table, to reference many parts; I will show you. And the trailer is the same case, the location of certain... basically, you need the presentation. I am in front of the presentation, but that's not a problem, I will show you in my

videos, okay. So I will use basically pdfid; it's a very interesting command, used on the Unix platform; you can use it on the Windows platform. It's part of the tools created by Didier Stevens, a very well-known guy who created and built many different tools, so I recommend, by the way, reading more about this information. The point here, guys, is not to talk about the tools but to understand how these tools work. Do you remember, before, we talked about the file command, the ELF structure; that's the very, very important point, you know. So pdfid will scan a PDF document to give a string list; you remember we talked about strings, and

this is very interesting, I can show you. If we come back to strings: "ah, okay, Filipi, I know how strings works, ah, you know, blah blah blah". Okay, so I will show one thing very interesting; maybe you know it but maybe you don't know. So, the same case, I would like to show you here. So let me change to the Windows folder, Windows files; we have different files here: Jigsaw, Mamba, Petya, WannaCry, and so on; it's many different ransomware. So here we have the strings command. So first of all we need to understand how this... I'm talking about, but no, it's not correct, but okay, I will talk about how the strings

command works. So strings is basically a command to understand, to compare... what's the explanation of strings? Let me check here, man strings, yes: "strings prints the sequences of printable characters in files", right. So I can understand basically that strings prints the sequence of printable characters. So here we have an accredited, right. So if I use, for example, strings... not right, okay, with less, because, you know, I am in Terminator, I can change, I don't change the buffer of this, but when I use it here, it appears for us just "This program cannot be run in DOS mode", Rich, the .text section

is the first section, the second section, another section and another section. So I have a question for you, it's very interesting. So let me, okay, here I would like to check another file, for example Petya; it's another ransomware, it's the same case: "This program cannot be run", we have here, you look here, .text or .data, .data and section or .rsrc, okay. So, very interesting. So I will come back, I will go to the Linux, okay. So let me check here: strings erebus | less, my friend. So there we have an interesting question for you, for everyone that can listen to this presentation: why doesn't it show, for example, the MZ in the case of Windows, why doesn't it

show the ELF structure, as you could see before when I was using the xxd command, right. It doesn't appear for us. It's a simple answer, maybe you know, but maybe you don't know why it doesn't appear. But basically here we have the explanation: "for each file given, GNU strings prints the printable character sequences that are at least four characters long". Because of this it doesn't show you the MZ, you know, because if you come back here to the Windows, xxd, xxd with 32 bytes for WannaCry, next,

right, you know, here this is the string; these strings should appear in the strings command output, right, but that doesn't appear because of this explanation: it just starts to show at four characters, you know. So that point is very important, to understand how this command works; it's not just a tool, you know. I think I know that it is a tool, but you need to understand how these tools work, because you need to understand how these tools work, for example. I don't know if you know this kind of tool, okay. Now, yeah, it's readpe wannacry | less.
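The four-character rule from the strings man page, as an added Python example (not the talk's code): a small re-implementation of strings with an adjustable minimum length, run over a constructed MZ/PE fragment and a constructed ELF fragment, so you can see "MZ" and "ELF" drop out at the default of 4 and reappear when the minimum is lowered (with the real tool: strings -n 2).

```python
"""A minimal strings(1) with a visible minimum length.

Added example, not from the talk. GNU strings defaults to runs of at least
4 printable characters (strings -n N changes it); 'MZ' and 'ELF' are shorter
than that, which is why they never show up in the output seen in the demo.
"""
import re


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return every run of at least min_len printable ASCII bytes, in file order."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def marker_visible(data: bytes, marker: str, min_len: int = 4) -> bool:
    """Would this header marker appear as its own line of strings output?"""
    return marker in extract_strings(data, min_len)


# Constructed fragments (not real samples): the start of a PE file and of an ELF file.
FAKE_PE = (
    b"MZ\x90\x00\x03\x00\x00\x00"                                   # DOS header
    + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"    # DOS stub code
    + b"This program cannot be run in DOS mode.\r\n$"
    + b"\x00" * 8 + b"PE\x00\x00" + b"\x00" * 4                      # PE signature
    + b".text\x00\x00\x00" + b".rsrc\x00\x00\x00"                    # section names
)
FAKE_ELF = (
    b"\x7fELF\x02\x01\x01\x00" + bytes(8) + b"\x02\x00"               # e_ident + e_type
    + b"/lib64/ld-linux-x86-64.so.2\x00"                             # interpreter path
)


if __name__ == "__main__":
    for n in (4, 2):
        print(f"strings -n {n} on the PE fragment:", extract_strings(FAKE_PE, n))
    print("MZ visible at default length:", marker_visible(FAKE_PE, "MZ"))
    print("ELF visible at -n 3:", marker_visible(FAKE_ELF, "ELF", 3))
```

Note the leading "!" on the DOS-mode message: the last byte of the stub code (0x21) is itself printable, so it is glued to the message, which is also why real strings output on a PE usually shows "!This program cannot be run in DOS mode." rather than the bare sentence.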

cry less right so here we can read for example the simple structure of the the the pi structure you know so we have here you read we read the magic number you can read the the paragraphs you can read the machine the structure of the machine you know it's x86 you can read another different uh you know here you can read the optional header the the signing of the pa structure you can read many information here we can read the all interesting information for example kanye 32dll they all functions that these dll defendings of the get directory create files they let critical sessions you you receive many information you know i don't know if you

if you look if you know this this tools it's a part of the the pavi project you know created by uh friendly mercedes it's a brazilian guy to create and another guy's running road to today's it's part of the debian i think uh association but it's this tools is created based in these another tools that maybe you can you you you know they read else for example it's the same

oops

okay setting yes here it's the same you know so but this tools it's for elf not be that's that's the the important point you know because this is the first two uh are be created was be created um but the another tool in the the project they read pa it's the same it's them that they almost too created inspired you know in these tools but when the guy created these tools this guy need to understand how this tools works that's the my you know my objective here in this talk you know so let's come back to presentation so pdf id have many structure here the first of the structure you talk about the we talking

which explain about the object end of the object streaming and of streaming that is open the object close the object and cross reference table cross ref and trailer and start the ref here we have the slash pages live encrypt we have the many slashes in front of the word so basically this latch is it means uh all these slashes are information inside it is the melee structure right so again we have the we have the structure there is a structure and here there are many slashes but all these lessons are inside into this object this principle information right so here i explain i will show you a video uh explain about the pdf structure so you can read this video i i prepare

i can i could use but basically i will looking first the sample here we can read for example this object this file has a 15 object that you can read here and we have a very interesting information we have a two extremes so if you have extreme maybe maybe you can you can have here you can have here the the obscated because you know inside this pdf we have a five javascript you know we have a java two javascripts so now i will use another tools pdf parses and other tools uh inside this uh this package from dj stevens i executed this file this comment inside this this this structure here we can read for example the pdf

version, object one; inside object one it is referring to another. Let me pause the video here to explain better. Yes, so here we have object one, and this object one is referencing object two, object three, four, five, six and seven, you know. So do you remember when I showed this video, we have 15 objects inside the PDF; inside this PDF we have two ObjStm and five JavaScript, right? So let me look in this file. So here we have object one and it references another object. So following the file, you have here the object inside, and you reference, and here you have another one, OpenAction. What is the meaning of OpenAction?

OpenAction means, when the user clicks, basically, the PDF, this action executes, basically, the script inside the PDF file, right? So basically you can understand here, if the user clicks, the OpenAction starts the JavaScript, you know. So basically, when you're looking here at the sample PDF, you can understand it's suspicious, right? Because when you have a PDF with JavaScript it's a red flag, and after that you can look at the OpenAction: you have the action to automatically run the script. It's totally suspicious, right? So let's come back to the file here, objects three, four, five, six. So here, let me pause another, let me

pause the video again. Here we have another interesting piece of information, object four here, you know; we have a reference to object eight and nine. So here we have another object, object nine. So let me explain another here, and object seven, the file is referencing another object, object 10; inside object 10 we have a JavaScript reference, you know. So you can note this very interesting information, because we have object one referencing two, for example, and six and seven; you can see many different references in this file, right? So here you have another amazing piece of information: object nine referencing four, which we saw before, but here we have another

object, object 11, right? So let's continue, and object 10 references object 11, and here in object 11, sorry, yes, 11, you can read that it contains a stream. This is the first interesting piece of information: we have a stream inside object 11, but here we have the length, it's the size of the file; it's not big, it's small. But when you read object 12 referencing object 13, we have another JavaScript, and another JavaScript; we have a stream in object 13, and here the size is much bigger than the first, you know. So here we can stop and you can be looking at this file, because here it contains some important information for

us, for our analysis, right? So here we can look inside this object; it works basically like this. So here is another piece of information, but not important information for our analysis. So here I will use another tool; of course, as I mentioned to you, I need to understand how these tools work. So pdftk, on the sample file, I will use output to put the output information in this text, but I will request uncompress, because the information that I can find in the stream, I need to uncompress this information, right? So I will read this information, and wow, what information can we read here? This is the information I can read inside this stream. Look, it's very, very

interesting here, because, you know, here we have a JavaScript. Do you remember, it's JavaScript 13, the 13 JavaScript? So here we have a JavaScript, but we have a technique that the attacker can use; you can see this obfuscated JavaScript, right? So now I need to deobfuscate this string, basically. So I copied this information, I used my friend nano; I know you don't like nano, but I like it, but anyway you can use another text editor. So what I will do here: I will change some parameters, because I can read this information; I generate payload.html because I would like to open this

information in the web browser, right? So I will change here, and I will change the eval, because I saw the eval parameter. If you work with JavaScript you can understand this information very well, but if you don't understand, I know, because in the past I didn't understand, but now I understand the same; but I'm studying, it's very important, you know. So here I open the information and I will save, and I would like to open it in the web browser to try to see what information is inside this obscured code. So I am putting the privileged access to this file, right? So now it's okay, so I will open this information in a web browser.

So I will scroll, basically; you know, it's the same machine that I will use for you, and wow, what information, perfect, that we can read: it's the payload, guys. We have a payload. Do you know what the payload is? When you talk about malware, the payload is the package responsible to put in the victim machine, and this payload, it's the callback to me, if I were the attacker, you know. But basically this payload is responsible to call back the information, or to open the way to the attacker, right? So after that, another video explaining this analysis. So we have the payload, so we

need to understand more; I need to find more information here. I can, if I would like to stop my analysis, I can: I have the payload, right? So this is a malicious file; we have a PDF file, we have a malicious file. So, when I made this analysis, I tried to look for other information, right? So here I will try to decode this information, because I read here another encoding. So we have the obfuscated code, and after that I saw the encoded information, because this file uses an encoding like a Unicode format. So I will try to look inside this

information, what this information is; I can read, for example, because this payload is responsible to attack the victim, but this callback, you know, so this is the callback from the victim to the attacker; maybe you can go to see a C2, you know, a command and control, to the attacker. So that's what I was thinking, you know, so I will try. So let me check here. Okay, so here we will see this; let me come back here to the video to explain. So here I use this command here to take the many different characters to have only the code, the raw Unicode information, right? So

I use here the Linux machine, and here I am using Mozilla in the Windows machine. So after that I found the Unicode information; I generate, with this tool's module, the exe file binary. Why do you do this? Because when I generate this exe file, I use another tool from Didier Stevens, XORSearch, to find in this file if I can find any HTTP or any URL, because my idea here is to find the C2, the command and control, from the attacker. And when I use this tool, look what I found: HTTP or IP from the attacker. When you're looking inside this information, obviously this attacker

can be using Tor, but the last hop is in Estonia, Europe, and I found the IP from the command and control. Look, it's very interesting: when you start this analysis in the PDF file, you look in the obfuscated code, you decode the information, after that you look in the payload file, the payload code; inside this payload we have other information, like encoded information in Unicode characters; I generate the exe binary, and after this exe binary I found the IP from the attacker. At this time I finally end my analysis, right? So, questions: if you have many questions, I am open for them. So I would like to

thank everyone for watching me. Yes, it's an honor for me to talk in the BSides conference; you know, for me it's very, very, very important, I am excited to be here. So again, if you can follow me on LinkedIn, you know, thank you so much, and again thank you for your time. Have a wonderful day.
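The PDF triage workflow the talk walks through (pdfid-style keyword counts, following the `N 0 R` references from object to object, decoding the `%u`-escaped string inside the JavaScript, and searching the decoded bytes for a URL or IP) as an added Python example. This is not the speaker's code and not Didier Stevens' pdfid or pdf-parser; the `SAMPLE_PDF` bytes and the `%u` string are constructed for the demo, and `c2.example.invalid` is a placeholder, not a real indicator.

```python
"""Minimal PDF triage in the spirit of pdfid / pdf-parser (added example; not the
speaker's code and not Didier Stevens' tools). SAMPLE_PDF is constructed for the
demo and the decoded URL is a placeholder, not a real indicator."""
import re
import struct

# Keywords pdfid counts: structural tokens and PDF names. The names in SUSPICIOUS
# are the ones the talk treats as red flags (script content, auto-run actions).
STRUCTURE_KEYWORDS = [b"obj", b"endobj", b"stream", b"endstream",
                      b"xref", b"trailer", b"startxref"]
NAME_KEYWORDS = [b"/Page", b"/Encrypt", b"/ObjStm", b"/JS", b"/JavaScript",
                 b"/AA", b"/OpenAction", b"/Launch", b"/EmbeddedFile"]
SUSPICIOUS = {b"/JS", b"/JavaScript", b"/AA", b"/OpenAction", b"/Launch",
              b"/EmbeddedFile"}

def normalize_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes inside PDF names (/J#53 is /JS) so an escaped keyword
    still counts; only name tokens starting with '/' are rewritten."""
    def fix(m):
        return re.sub(rb"#([0-9A-Fa-f]{2})",
                      lambda h: bytes.fromhex(h.group(1).decode()), m.group(0))
    return re.sub(rb"/[^\s/<>\[\]()]*", fix, data)

def count_keywords(data: bytes) -> dict:
    """pdfid-style counts on the raw bytes. Word boundaries keep 'endobj' from also
    counting as 'obj' and '/JS' from matching inside '/JavaScript'."""
    data = normalize_names(data)
    counts = {}
    for kw in STRUCTURE_KEYWORDS:
        pat = rb"(?<![A-Za-z])" + re.escape(kw) + rb"(?![A-Za-z])"
        counts[kw.decode()] = len(re.findall(pat, data))
    for kw in NAME_KEYWORDS:
        counts[kw.decode()] = len(re.findall(re.escape(kw) + rb"(?![A-Za-z0-9])", data))
    return counts

def triage(data: bytes):
    """Return (counts, list of suspicious keywords that occur at least once)."""
    counts = count_keywords(data)
    flags = [k for k, n in counts.items() if k.encode() in SUSPICIOUS and n > 0]
    return counts, flags

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
REF_RE = re.compile(rb"(\d+)\s+\d+\s+R\b")

def object_references(data: bytes) -> dict:
    """Map each object number to the objects it references: the 'N 0 R' chain the
    talk follows by hand (object 1 -> 2, 3, ...). Objects packed inside a compressed
    /ObjStm are not expanded here; that needs the stream decompressed first."""
    return {int(m.group(1)): sorted({int(r) for r in REF_RE.findall(m.group(2))})
            for m in OBJ_RE.finditer(data)}

def decode_percent_u(text: str) -> bytes:
    """Turn a JavaScript-escaped string into bytes: each %uXXXX is one little-endian
    16-bit unit (the unescape() convention), each %XX is a single byte."""
    out = bytearray()
    for m in re.finditer(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})", text):
        if m.group(1):
            out += struct.pack("<H", int(m.group(1), 16))
        else:
            out.append(int(m.group(2), 16))
    return bytes(out)

URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s\"'<>]*)?"
                    rb"|\b(?:\d{1,3}\.){3}\d{1,3}\b")
ESC_RUN = re.compile(r"(?:%u[0-9A-Fa-f]{4}|%[0-9A-Fa-f]{2})+")

def extract_payload_strings(data: bytes) -> list:
    """Decode every run of %u/%XX escapes in the file and list the URL or IPv4
    indicators found in the decoded bytes (the string-search step of the talk)."""
    found = []
    for run in ESC_RUN.finditer(data.decode("latin-1")):
        blob = decode_percent_u(run.group(0))
        found += [m.group(0).decode("ascii", "replace") for m in URL_RE.finditer(blob)]
    return found

# Constructed sample: a catalog whose /OpenAction points at a JavaScript action whose
# script holds a %u-encoded placeholder URL (c2.example.invalid is not a real host).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
3 0 obj
<< /S /JavaScript /JS 4 0 R >>
endobj
4 0 obj
<< /Length 100 >>
stream
var s = unescape("%u7468%u7074%u2f3a%u632f%u2e32%u7865%u6d61%u6c70%u2e65%u6e69%u6176%u696c%u2f64");
endstream
endobj
xref
0 5
trailer
<< /Root 1 0 R /Size 5 >>
startxref
0
%%EOF
"""

if __name__ == "__main__":
    counts, flags = triage(SAMPLE_PDF)
    for k, n in counts.items():
        print(f"{k:<14}{n}")
    print("red flags:", flags)          # ['/JS', '/JavaScript', '/OpenAction']
    print("references:", object_references(SAMPLE_PDF))
    print("indicators:", extract_payload_strings(SAMPLE_PDF))
```

Like pdfid, `count_keywords` looks only at the raw bytes, so anything hidden in a FlateDecode stream or an /ObjStm is invisible to it until the stream is uncompressed (the step the speaker does with pdftk before reading the JavaScript); the `#xx` name normalization is there because a keyword written as `/Open#41ction` is the same name to a PDF reader but would otherwise be missed by a plain grep.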