
Hello guys, I'm so glad to be here, and today we're going to talk about dissecting and comparing binaries for analysis, when we talk about malware analysis. My name is Filipi Pires, and this is my contact on Twitter, GitHub and Medium; I use LinkedIn a lot, not this profile actually, on social media. If you have any doubts or any questions, this is my contact and I am available to talk to you. So, some information about me: I have been working at Hacker Security as Global Research Manager. This is a Brazilian company, I am a founder, and this course is about malware analysis fundamentals. And now, actually not now, I started
to work in this company, Zoop, and I am responsible for Zoop Security Labs. I am a research and security manager as well; I'm responsible for providing a lot of research on antivirus and many different sensors of security products. This is a Brazilian company as well, and it is like a software house responsible for creating software, apps and applications, and, as you can imagine, the kind of software and apps. So here are some papers, or not papers, in this case articles that I wrote; I published them in eForensics Magazine and the Cyber Security Hub as well. My idea here is not to hack
the NSA or FBI or, you know, Microsoft. My idea when I publish this kind of article is to provide some basics, you know. So my idea is to talk about the basics, what the fundamentals are that are important when you talk about security products, or malware analysis, or maybe threat hunting, or maybe pentesting. We need to know about the basics; during our conversation now I will explain more about this. So here are other papers that I wrote, and you can read them on my social media or in this magazine as well. So the first step that we need to do when you talk about
malware analysis is to identify. This is called identification, because we have the artifact and we don't know if the artifact is malicious or not. We need to understand if this artifact actually is malware, malicious software, or a maldoc, a malicious document. This is the first and very important part. After that you can choose what kind of analysis you do: static analysis or dynamic analysis. After you have done it, you can prepare a report. Actually this step is very important, because you need to present it to your manager, your tech lead, your
coordinator maybe, and you can prepare a lot of this information that you analyzed before. After that you can improve your security defense mechanisms. This is the main point here, because, for example, if you try to exploit any antivirus in your environment, you can try many things: DLL injections, you can try using different malware, or maybe using some exploits to try to exploit your antivirus solutions. This is a very interesting point; you can present this to your manager or your tech lead, and when you find, for example, any vulnerability, maybe bugs, maybe, I don't know, failures in your software, in your
security software for example, you can improve, you can adjust many settings inside your platform. After that you can prepare the beautiful world known as cyber threat intelligence, or CTI. You can build this kind of intelligence in your company. I know maybe you don't have a big company, you have a small company, but you can work, for example, with IOCs, indicators of compromise, or maybe you can work with IOAs, indicators of attack, and you can build it. This is the main point when we talk about malware analysis, because when you mention malware analysis,
maybe the people who are watching me now are thinking, for example: okay, if I have this kind of knowledge maybe I can work in a SOC or maybe in support. But you can receive this kind of knowledge and you can improve it: you can work, for example, in threat hunting, as a threat hunter, the person who performs this kind of work, or you can maybe do research as I do, for example, because I am creating this in my company now, at Hacker Security and at Zoop as well. My idea is to put this kind of professional, the malware hunter, at the top of the tower.
The idea is to put the research guy at the top of the tower; this is my idea, because when you talk, for example, with many companies in the world, for this kind of person, this kind of skill, it's not clear if this guy is working in a SOC, in a CSIRT, or maybe in a support team, or maybe in a red team or blue team. It's a confusion in many companies. So this is my idea, to put them at the top of the tower, because this guy has a defensive mission essentially, but they
think with a mind that is totally offensive. That's my idea. After that you can create the strengthening, so that you have cyber resilience, because the threats are changing all the time. This is maybe not a life cycle of malware analysis, but it's a suggestion, one idea; that's my suggestion for you.

So the first step is static analysis. It's very simple; usually this is the first step used by malware analysts, because it usually describes the process of the program, maybe the structure, or maybe what functions are called by any DLL, or
maybe called by any library, for example if you are analyzing a Unix platform. Usually the program itself doesn't run at this time, because of course it's the picture of the program that you are using for your analysis, but usually it's safer. It's not 100% safe, but usually it's safer because you are not putting it in real time; the analysis is not in real time. That's a simple point here when you talk about static analysis. The second step is dynamic analysis, just to explain to everyone who is watching now. Dynamic analysis is based just on behavior;
basically it's the interactions that the malware has with the files inside the operating system, or maybe what the document, this file, can call. Usually you put the sample inside a virtual machine, a controlled environment, you run this sample inside this environment, and you can analyze its behavior. Usually you can automate a lot of this kind of analysis, because today you have many websites with antivirus engines to try to execute your suspicious files, or you can use as well another concept called a sandbox. This is
basically a controlled environment where you can put your sample inside this product, for example; you can run it and you can look at all the logs and a lot of information that is called. But the big point, the very important thing here, is: okay, I put my sample inside the sandbox, but what is the response, what is the answer I am receiving in the report? I can understand what DLLs are called, because I understand very well the low level, the kernel level or the user level. I can understand this because I have the automation tool, but I need to interpret; I need to, like, translate, not translate, but you
need to understand what this report is talking about. That's a very important thing, and because of this, that's my mission here now: to try to explain some basics for you.

Okay, so here I have a demo. Are you showing my machine? By the way, okay, so I will try to put it here. I will pray to the lords of demo. Let me check here: I have some samples. I have here, by the way, a file, linux32; this is a simple executable file. So if I check here another one, on a Windows machine, let me check here what I have here: a
simple file. Okay, let me check here: if I use the file command I can find here that, in this case, it's a portable executable from Windows, from Microsoft. So you have different files here to understand if they are malicious or not. Let me check here, I have another different one here; let me check here, a bill file. This is a PDF file. Okay, but here I would like to try to explain the basics, because we're going to talk about the file command. I don't know if you have read something about this, but what does file mean in this case?
file determines the file type. I know, Filipi, but how does this kind of tool, this tool in this case, work? That's a simple and very important point, because when you put this command inside your machine, this file tool actually will run in your environment and show some answer on the screen. But how does this tool work? That's important, because if you read here, you can read here: the magic tests are used to check for files with data in particular fixed formats. Maybe you are thinking now: I know,
Filipi, you showed me the man page of file, but here you can understand something, because here you can understand that this format is defined in elf.h. So maybe here we have interesting information. Let me, for example, check here; let me open it, okay. So here you can see this information that I was receiving here in the demo from file; you can read here: this file defines standard ELF types, structures and macros. And below you can read other information about the structure, because here in the beginning you can read the ELF file header:
this appears at the start of every ELF file. You have here 16 bytes, the first array, named e_ident, and you have the magic number and other information. So we have here, for example, the magic number. So what does this mean in this case, magic number? Here you have the key: these files have a magic number stored in a particular place near the beginning of the file that tells the Unix operating system. So what does this mean in this case? It's very simple: the file command has a database responsible for providing all this information, to find all those magic numbers in the beginning of the
file. So here I will show you now: I downloaded this file, this file's code, to look inside it and show you this information. So here we can read a lot of information from this kind of database. For example, if you read the information for JavaScript in this case here, okay, so JavaScript, let me show it to you here. JavaScript: we have here a lot of information at the beginning of the file; in this case it is the magic number of the file, and there are many rules here that basically this file command
uses to identify the file. They are defined in this case, if it is executable or not. So let me show you some example now: here I create this file with the name malware.txt, that's a simple text file. Is it malicious? Let me write here, okay, this is a simple question. Have you read this information? Perfect. Let me use the file command here: it's really a text file, perfect. So, for example, if I manipulate the magic number information here, let me manipulate it here: I will put some string here, and I know what this information means; I will change it here, and I use file again on malware.txt, and let me check
here. Look at this incredible information: now we have a Python script, in this case it is an executable file. So if it is executable I can call it, I can call Python after that, so I can call python malware.txt, in this case .txt because it's Python. Let me read this file again. Yes, but we have a problem, maybe you can think about it: the extension here is different. Let me, because I have another Python here in another representation, I will, okay, so I have a key. I have here, yes, okay, so let me change now here:
let me move malware.txt to malware.py. So here we're going to run it; in this case we can run it now with just Python. Maybe you need to have authorization, the privilege to execute this kind of file; let me change it here. Okay, so now let's run Python again, and let's check: it's the same error. Why did this happen? Because it's not a Python script. If you, for example, manipulate this information again, it's a very interesting point. Again, let me move it again and set %PDF-1.9, and I will save here, clean, and let me check here:
malware.py is a PDF document. Take a look at that, very interesting, you know, that's a big point here. Maybe you can ask: so Filipi, now the file command is not trustworthy, it's not a trustworthy command, I can't use this kind of command? No, you need to use it, but you need to understand all these basics. This is the very important thing: you never can believe in the extension. It's the same case when you talk about strings, for example. If you see here the strings man page, for example, the strings command, so let me
check here: strings prints the sequences of printable characters in files. So here's the simple key that many, many people never think about, because in the beginning of the description it says, for example: for each file given, strings prints the printable character sequences that are at least four characters long. Because of this, when you execute strings here, for example, and you put the beginning of the file in many commands, you don't find, for example, the ELF information or the MZ information of the PE. For example, here, if you read here with hexdump, let me check
here, the linux32 file with less, okay, in the beginning you can read here the ELF. But here we have just three characters, not four in this case. So if you try here, for example, let me change here: if you try, for example, to run strings -a on the linux32 file, let me put a pipe here, with less, and if you try, oops, maybe yes, I receive some errors here, oh of course I need to put the file correctly, yes. So here, if you look here
at the beginning, take a look here: you don't find here, at the beginning, the ELF information, because ELF is just three characters, not four characters. That is the important thing. These are all the basics, and that's very important when you mention this.

So we explain more about ELF now. Basically when you talk about the structure of ELF, or maybe PE, portable executable, you can see in the pictures it's a similar form, not exactly the same but very, very similar, because you have the same header, you have the sections here, the .text, or .data, or, oh my goodness, you have the .text, you have .data,
you have the data, and you have many section headers. In the PE, portable executable, we have, for example, two main parts first: the header and the sections; of course they are divided into other parts. Inside the header you have the DOS header, where you can see the MZ information, the MZ signature, which basically refers to the creator of this kind of binary, and you have here the PE header, where you can find the PE signature. And below you can see the sections; this is where usually the attacker can put malicious code, usually inside this section, .text.
When you try to analyze any artifact, for example, you can find UPX compression or maybe packer tools. This is a technique that many times the attackers are using, many different attackers. Usually the packer can hide all these sections inside one of those packer sections, basically, and when you use some tools to try to find information, you find, for example, the packer information; you can't see this information in the sections. So, okay, we talked about the PE and ELF structure; of course it's very, very simple. I don't have time, actually, to explain all these
binaries, because if you talk about, for example, just the PE, portable executable, from Microsoft, man, we need many, many hours to try to explain and go inside all this information. So we try to explain more about the PDF structure, because basically it's in four main parts. The header, basically, is the same as when you talk about other binaries: you always have the header. You have the body, you have the cross-reference table, and you have the trailer. So here we have all this structure: at the beginning of the file you have the version number; it's the same information
collected by the file command. Do you remember, when you execute the file command you can actually read the magic number of this information. You have the body, and inside this body you have many references. You have the cross-reference table here, and you can read here: it's the location of objects in the file, for random access. What do these things mean in this case? Basically one structure referring to another structure or another object inside this body. The trailer is the same thing: you have here the location of certain objects inside the body,
that is, you have many connections between these parts of this structure. So here I will show you one of my analyses of a PDF file, to try to understand it. I will use basically here pdfid; it's a very well-known tool, provided by Didier Stevens. I think it's installed on many Unix platforms, but you can download it from the blog website of Didier Stevens, and you can use this on Windows machines. Sorry, we have a problem here with my demo; let me try here. Okay, I will pause this demo actually, because here we have all this information: you have the header,
you have 15 objects here, you have two streams, you have one cross-reference table here and you have one trailer. So below, with this tool, we can find this information, the information written with slashes; all these slashes are inside of these objects. That's a very interesting point, because if you look at the man page of pdfid you can see this information: basically this tool is responsible for printing many strings inside of the PDF. So here we have another interesting point: we have the encrypt information, and you have here five JavaScript inside this PDF, so you
can think about it: what do you think, you have JavaScript inside a PDF file, maybe it's safe or malicious, you know. I don't talk about reverse engineering here, just try to interpret or try to understand this file. And here you can see another piece of information, open action. What does this mean in this case? Open action refers basically to when the user receives the file and the user clicks on the file, in this case the PDF file, and after that the file can execute something. In this case we can see here we have five JavaScript; we just need to understand what this command represents in
this case. So I will put the malware here, let me check here, okay. So here I will use another platform, in this case it's pdf-parser, another tool created by Didier Stevens, pdf-parser. Oh my goodness, I have many problems here with, in this case, my finger, because I am clicking on the mouse, but now I will try to show you all this information in this case. I will pause the video to explain. As you can see here, this information in the beginning, we can see the header, and here you can read object
one. If you remember when I explained about the body, about the cross-reference table, all these parts of this PDF are connected one to another. So here, for example, you have object one referring to object 2, objects 3, 4, 5, 6 and 7, but you know and I know that we have 15 objects inside this file. So let's continue to try to understand. Here we can see, my goodness, here we can see the JavaScript, but here we can't understand what this information means. So we need to try to understand more. Here, as you can see, we have the option open action, as I explained before to you. The
open action, when the user clicks on this file, this file will run some JavaScript, but we don't know what this JavaScript may call. So let's continue to understand: we have object one, and here I will put, okay, above here, object four, we have another reference here, we have a reference to eight and a reference to nine, and we have two more references. So you can see here more connectivity among the many objects inside the PDF. So here is another interesting thing: we have object 7 connected to, or referenced by, object 10. We are growing up this PDF file.
Here, object nine, we have the same case: we have the references, because four connects to nine and eight, and eleven. So we can see many connections of the objects inside this body. So here we have object 10 connected to 12, and here we have the first interesting piece of information: object 11 contains a stream. In this case, when this object has some strings, maybe you have JavaScript inside this, or maybe you can have some exploit inside this, and you have this information, FlateDecode. It means this stream is obfuscated, it is enclosed inside this FlateDecode; you need to decode this
information, by the way. So here is another piece of information: you have object 12, it's connected to 13, and if you compare here, this stream is much bigger than the others that we saw earlier. If you compare, this stream is very, very big; the size is very big when you compare here. So maybe the idea is to try to look at all this information inside this object. You have here object 14 and here 15, and the file finishes. So the next step is to try to look inside object 13. So in this case I will use another tool, pdftk;
in this case this tool is not from Didier Stevens, by the way. So I will run the dump of this information, and uncompress it, because it uncompresses all the information inside these PDFs. Because, if you remember, I ran pdf-parser and I could read all this information; here I can uncompress because I know that inside this stream we have FlateDecode information. So now I am seeing here the JavaScript, obfuscated. In this case the attacker used the first technique, the obfuscation technique, because I can see the eval parameters and I can try to find any information inside this obfuscated code.
So here I will use, you know, I can use vi maybe, or other tools, to edit all this information, and I will just change some information here. You can see a lot of information in JavaScript, so here we can find, or you can try to read, any information, because if you imagine, for example, we're going to talk about JavaScript; JavaScript usually, you know, follows an application, your web application page maybe. So because of this I will try to deobfuscate this kind of code. Because I have here the parameter, I use it in a script tag in HTML; I will use document.write to try to
read any information inside this code. So I generate payload.html and I will try to read if I find, for example, any information inside this obfuscated JavaScript. So basically I will run this code now in an HTML page and I'll take a look at all of it. What's the interesting information that we find here? The variable payload. Do you know what this means? It's basically the packer, or not the packer, the package responsible for downloading onto the victim machine, and this package is responsible for responding with this information to the attacker server; it's known by the name C&C, or command and control.
So take a look: in the first step we found the PDF file, and in this PDF file we have five JavaScript, but one of these is the bigger JavaScript, and this JavaScript received the obfuscation technique. After that I needed to change all this information, I needed to deobfuscate this code, and when I executed the information in an HTML page I could find the payload responsible for downloading onto the victim machine. So if you remember, in the beginning of this analysis, when the user, the victim in this case, clicks on the file, do you remember the open action? The next action of this file is to
execute this JavaScript; in this case it's obfuscated. So when the user or the victim clicks on this file, this script, the JavaScript, will run on the victim and will download this payload that you can see on the screen inside the victim machine. So in this case I was thinking, when I was doing this analysis: if I have the payload, maybe I can try to find the C&C of the attacker. So I will continue to do my analysis in this case. I have here some information inside this payload. So here I have used again my big friend nano; maybe many people don't like this
friend, but, you know, in my case it's simple. I could use again vi or another editor. So if you see here, we have a lot of percent signs inside this information. When I look at all those percents, all this information, I can see here the interesting information: in this case here we have %u, based on Unicode information. It's a bit different when you talk about ASCII: ASCII means one byte, and when you talk about Unicode you use two bytes. So here I have the pure,
not pure, but the raw data of this Unicode. So now I need to translate all this information. So I had the payload package, but when I see it I see another technique, the encoding technique. So this payload is used with a Unicode, sorry, it uses Unicode encoding. I know it's maybe confusing, but take a look at this: I have a payload package, I have information, all this information received an encoding technique, and this encoding technique is based on Unicode. So basically, as you can see here, I am just using the Unix platform, but maybe you can ask, Filipi, but I use just Windows;
that's not a problem, you don't need to have a concern in this case. So here I use another platform, Malzilla by bobby. It's a similar platform; I have here the same code. I need to cut, you remember, I need to cut these percents because I need to have the raw Unicode information, the Unicode code. So here I have the Unicode information and I can generate here the hex file, the binary; this tool is responsible for generating this kind of information. After that I used another tool, created by Didier Stevens, XORSearch, an executable, to try to find any HTTP information, because remember, if I
have the payload package, probably this package, after it is downloaded onto the victim machine, will make some requests to the command and control of the attacker. So that's my idea when I continue to do this investigation. So, as you can see here, I found the IP of the attacker; in this case the IP is based in Estonia, Europe. All this information is from the C&C of the attacker. I didn't use reverse engineering here, basically, but we found the obfuscated JavaScript, we found the encoding technique based on Unicode, we could learn about, for example, open action inside PDF files; so we could learn about a lot of information.
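The PDF walk-through from the talk, as an added Python example that is neither the speaker's code nor Didier Stevens' tools: it builds a constructed PDF whose /OpenAction points at JavaScript kept in a /FlateDecode stream, counts pdfid-style keywords, maps object references the way pdf-parser shows them, inflates the stream, decodes a constructed %u-encoded string the way Malzilla does, and searches the result for URLs as XORSearch's plain-text pass would. Object numbers, the JavaScript body and the c2.invalid URL are all constructed for the example.

```python
import re
import zlib

# Constructed sample data (not the PDF from the talk): a tiny PDF whose
# /OpenAction points at JavaScript held in a /FlateDecode stream, and a
# %u-encoded string of the kind the talk pasted into Malzilla. The URL uses
# the reserved .invalid domain, so it never resolves.
JS_BODY = b"var payload = 'http://c2.invalid/drop';"
PERCENT_U_SAMPLE = "%u9090%u7468%u7074%u2f3a%u632f%u2e32%u6e69%u6176%u696c%u2f64"

def build_sample_pdf() -> bytes:
    comp = zlib.compress(JS_BODY)
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [4 0 R] /Count 1 >> endobj",
        b"3 0 obj << /S /JavaScript /JS 5 0 R >> endobj",
        b"4 0 obj << /Type /Page /Parent 2 0 R >> endobj",
        b"5 0 obj << /Length %d /Filter /FlateDecode >> stream\n" % len(comp)
        + comp + b"\nendstream endobj",
    ]
    return b"%PDF-1.7\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"

# Keywords pdfid reports. They are counted with letter boundaries so that
# "obj" does not also count "endobj". Real pdfid also matches hex-escaped
# names such as /J#61vaScript; this toy counter does not.
KEYWORDS = [b"obj", b"endobj", b"stream", b"endstream", b"xref", b"trailer",
            b"/Encrypt", b"/OpenAction", b"/AA", b"/JavaScript", b"/JS",
            b"/Launch", b"/FlateDecode"]
OBJ_RE = re.compile(rb"(\d+) 0 obj(.*?)endobj", re.S)
REF_RE = re.compile(rb"(\d+) 0 R(?![A-Za-z])")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)

def pdfid_like(data: bytes) -> dict:
    """Count triage keywords the way pdfid's summary does."""
    counts = {}
    for kw in KEYWORDS:
        pat = rb"(?<![A-Za-z])" + re.escape(kw) + rb"(?![A-Za-z])"
        counts[kw.decode()] = len(re.findall(pat, data))
    return counts

def object_references(data: bytes) -> dict:
    """Map object number -> objects it references ("N 0 R"), like pdf-parser's walk."""
    refs = {}
    for num, body in OBJ_RE.findall(data):
        dict_part = body.split(b"stream", 1)[0]   # ignore binary stream contents
        refs[int(num)] = [int(r) for r in REF_RE.findall(dict_part)]
    return refs

def decoded_streams(data: bytes) -> dict:
    """Return each object's stream contents, inflating /FlateDecode streams."""
    out = {}
    for num, body in OBJ_RE.findall(data):
        m = STREAM_RE.search(body)
        if not m:
            continue
        raw = m.group(1)
        if b"/FlateDecode" in body[:m.start()]:
            try:
                raw = zlib.decompress(raw)
            except zlib.error:
                pass        # corrupt or not really deflate: keep the raw bytes
        out[int(num)] = raw
    return out

def decode_percent_u(text: str) -> bytes:
    """Turn %uXXXX escapes into bytes; each unit is a little-endian 16-bit value."""
    out = bytearray()
    for unit in re.findall(r"%u([0-9A-Fa-f]{4})", text):
        out += bytes.fromhex(unit)[::-1]
    return bytes(out)

def find_urls(data: bytes) -> list:
    """Plain-text URL search, the step XORSearch does (minus its XOR/ROL scans)."""
    return re.findall(rb"https?://[A-Za-z0-9./:_?=&%-]+", data)

if __name__ == "__main__":
    pdf = build_sample_pdf()
    print(pdfid_like(pdf))                 # /OpenAction 1, /JavaScript 1, /JS 1 ...
    print(object_references(pdf))          # {1: [2, 3], 2: [4], 3: [5], 4: [2], 5: []}
    streams = decoded_streams(pdf)
    print(streams[5], find_urls(streams[5]))
    shellcode = decode_percent_u(PERCENT_U_SAMPLE)
    print(shellcode, find_urls(shellcode))
```

The chain mirrors the talk: the keyword counts flag /OpenAction and /JavaScript, the reference map leads from the catalog to the stream object, and only after inflating and decoding does the URL become searchable.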
So if you have any questions, I am available to you. This is my contact again, and one more time, thank you, thank you for this opportunity. If you have any questions, please let me know.
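The file and strings demo from earlier in the talk, as an added Python example that is not the speaker's code: a small magic-number classifier in the spirit of file(1) that never looks at the file name, run over constructed samples (a .txt that is really a Python script, a .py that is really a PDF, a minimal ELF header, a minimal MZ/PE header), plus a strings-style extractor showing why the default minimum of four characters never reports the three-letter ELF marker. The file names and bytes are constructed for the example, not the demo's files.

```python
import re
import struct

def identify(data: bytes) -> str:
    """Classify by leading bytes only, as file(1)'s magic tests do; the
    file name and its extension are never consulted."""
    if data.startswith(b"\x7fELF") and len(data) > 4:
        bits = {1: "32-bit", 2: "64-bit"}.get(data[4], "unknown class")
        return "ELF %s executable" % bits
    if data.startswith(b"MZ") and len(data) >= 0x40:
        # e_lfanew at offset 0x3C points at the "PE\0\0" signature
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "PE32 executable (Windows)"
        return "MS-DOS executable"
    if data.startswith(b"%PDF-"):
        return "PDF document, version %s" % data[5:8].decode("ascii", "replace")
    if data.startswith(b"#!"):
        first_line = data.split(b"\n", 1)[0]
        if b"python" in first_line:
            return "Python script text executable"
        return "script text executable"
    if data and all(b in b"\t\n\r" or 0x20 <= b < 0x7f for b in data):
        return "ASCII text"
    return "data"

def strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII at least min_len long (strings' default is 4)."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return re.findall(pat, data)

# Constructed samples standing in for the files from the demo.
SAMPLES = {
    "notes.txt":   b"just a text file\n",
    "malware.txt": b"#!/usr/bin/env python3\nprint('hi')\n",      # .txt, but a script
    "malware.py":  b"%PDF-1.9\n1 0 obj << >> endobj\n",           # .py, but a PDF
    "linux32":     b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + b"\x02\x00\x03\x00",
    "win.exe":     b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00",
}

def classify_samples(samples=SAMPLES) -> dict:
    return {name: identify(blob) for name, blob in samples.items()}

if __name__ == "__main__":
    for name, kind in classify_samples().items():
        print("%-12s %s" % (name, kind))
    elf = SAMPLES["linux32"]
    print("strings (min 4):", strings(elf))      # "ELF" is only 3 chars: missing
    print("strings (min 3):", strings(elf, 3))   # now it appears
```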