1
00:00:08,000 --> 00:00:09,679
my name is filipi pires and today

2
00:00:09,679 --> 00:00:11,519
we're gonna talk about malware hunting

3
00:00:11,519 --> 00:00:14,080
discovering techniques in malware no

4
00:00:14,080 --> 00:00:16,640
more malicious pdf right so this is my

5
00:00:16,640 --> 00:00:19,760
contact on twitter @filipipires

6
00:00:19,760 --> 00:00:22,400
my contacts and social media so you can

7
00:00:22,400 --> 00:00:24,960
find here some and in my webpage you can find

8
00:00:24,960 --> 00:00:27,199
there some talks that are made in some

9
00:00:27,199 --> 00:00:29,679
events uh in english spanish and

10
00:00:29,679 --> 00:00:32,238
portuguese language my github here

11
00:00:32,238 --> 00:00:35,120
filipi86 and my linkedin so if you'd

12
00:00:35,120 --> 00:00:37,120
like to exchange something with me or

13
00:00:37,120 --> 00:00:38,719
send some questions i'm totally

14
00:00:38,719 --> 00:00:40,320
available right so let me introduce

15
00:00:40,320 --> 00:00:41,520
myself

16
00:00:41,520 --> 00:00:43,840
so i'm a security researcher at saporo

17
00:00:43,840 --> 00:00:46,160
saporo is a company

18
00:00:46,160 --> 00:00:47,600
from switzerland

19
00:00:47,600 --> 00:00:50,160
and i'm responsible for creating

20
00:00:50,160 --> 00:00:52,480
attacking modules for this company

21
00:00:52,480 --> 00:00:55,360
actually for the product of this

22
00:00:55,360 --> 00:00:58,800
company and i create this i just

23
00:00:58,800 --> 00:01:01,039
create the design of the attack and send it

24
00:01:01,039 --> 00:01:02,800
to the developer team and this team

25
00:01:02,800 --> 00:01:06,159
puts this in our product right i'm

26
00:01:06,159 --> 00:01:08,560
the founder of the black and white

27
00:01:08,560 --> 00:01:12,000
technology it's my own company i'm an

28
00:01:12,000 --> 00:01:14,479
advisor and ceo of this company it's a

29
00:01:14,479 --> 00:01:16,400
consulting company responsible for

30
00:01:16,400 --> 00:01:18,720
providing services consulting services

31
00:01:18,720 --> 00:01:21,520
actually and for pam privileged access

32
00:01:21,520 --> 00:01:22,720
management

33
00:01:22,720 --> 00:01:25,360
talk security security operations center

34
00:01:25,360 --> 00:01:27,439
forensics pentest and so on and so

35
00:01:27,439 --> 00:01:29,759
on i'm a developer advocate in

36
00:01:29,759 --> 00:01:30,880
different

37
00:01:30,880 --> 00:01:32,479
uh projects

38
00:01:32,479 --> 00:01:34,400
first is hacking is not a crime very

39
00:01:34,400 --> 00:01:36,320
known in the us

40
00:01:36,320 --> 00:01:38,720
and not only us but in europe and i'm

41
00:01:38,720 --> 00:01:40,799
advocate of this project the idea behind

42
00:01:40,799 --> 00:01:42,479
of this project is to talk more about

43
00:01:42,479 --> 00:01:44,720
this concept called hacking and how

44
00:01:44,720 --> 00:01:47,680
important it is to spread the message

45
00:01:47,680 --> 00:01:49,200
for

46
00:01:49,200 --> 00:01:51,119
many people because

47
00:01:51,119 --> 00:01:53,680
the idea is the hacking is how you can

48
00:01:53,680 --> 00:01:55,920
use your creative mind to help

49
00:01:55,920 --> 00:01:58,240
organization to helping companies

50
00:01:58,240 --> 00:02:00,640
protect their solutions their

51
00:02:00,640 --> 00:02:02,560
organization the product and not only

52
00:02:02,560 --> 00:02:05,280
that but using your creative mind

53
00:02:05,280 --> 00:02:07,920
uh to be a hacker is a

54
00:02:07,920 --> 00:02:10,878
lifestyle right so how you can use

55
00:02:10,878 --> 00:02:13,280
your creative mind in your life

56
00:02:13,280 --> 00:02:15,440
okay not how the

57
00:02:15,440 --> 00:02:19,120
the tvs or the newspapers use this

58
00:02:19,120 --> 00:02:22,239
word about a bad guy right so

59
00:02:22,239 --> 00:02:24,000
that's the idea behind of this project

60
00:02:24,000 --> 00:02:26,400
and i'm an advocate of senhasegura

61
00:02:26,400 --> 00:02:28,640
senhasegura it's a global company from

62
00:02:28,640 --> 00:02:31,200
brazil by the way um responsible for

63
00:02:31,200 --> 00:02:33,680
providing different solutions

64
00:02:33,680 --> 00:02:35,760
for pam privileged access management

65
00:02:35,760 --> 00:02:37,040
and different

66
00:02:37,040 --> 00:02:39,440
authentication processes actually i'm

67
00:02:39,440 --> 00:02:42,400
ambassador of the snyk open source

68
00:02:42,400 --> 00:02:45,440
project right so this is the solution to

69
00:02:45,440 --> 00:02:48,160
protect the company actually providing

70
00:02:48,160 --> 00:02:50,640
a sast solution a static analysis

71
00:02:50,640 --> 00:02:52,720
of the code from the developer process

72
00:02:52,720 --> 00:02:55,360
actually and not only that but sca

73
00:02:55,360 --> 00:02:57,680
composition analysis sca

74
00:02:57,680 --> 00:02:59,680
actually looking at the

75
00:02:59,680 --> 00:03:01,680
libraries inside of the code and i'm

76
00:03:01,680 --> 00:03:03,760
ambassador of this project right and i'm

77
00:03:03,760 --> 00:03:06,239
a writer and reviewer at

78
00:03:06,239 --> 00:03:08,000
three magazines in europe pentest

79
00:03:08,000 --> 00:03:10,640
magazine hakin9 and eforensics and

80
00:03:10,640 --> 00:03:13,680
by the way i am an instructor of a

81
00:03:13,680 --> 00:03:15,760
specific course about the

82
00:03:15,760 --> 00:03:18,239
malware attack with the kill chain in the

83
00:03:18,239 --> 00:03:19,680
hakin9 magazine so if you would like to

84
00:03:19,680 --> 00:03:21,519
know more about that so you

85
00:03:21,519 --> 00:03:23,840
can send them a message right so this is

86
00:03:23,840 --> 00:03:27,840
some information about me and before we

87
00:03:27,840 --> 00:03:29,920
talk more about technical stuff so it's

88
00:03:29,920 --> 00:03:31,680
important to put all those people on

89
00:03:31,680 --> 00:03:33,360
the same equation first of all i would

90
00:03:33,360 --> 00:03:35,680
like to give just a simple explanation what

91
00:03:35,680 --> 00:03:40,480
is a threat according to this iso it is uh

92
00:03:40,480 --> 00:03:42,640
is defined as a potential cause of an

93
00:03:42,640 --> 00:03:43,680
incident

94
00:03:43,680 --> 00:03:45,599
that may cause harm to the system or

95
00:03:45,599 --> 00:03:47,519
organization but what does that mean

96
00:03:47,519 --> 00:03:50,239
filipi basically maybe it is a software

97
00:03:50,239 --> 00:03:53,040
attack or a specific exploitation

98
00:03:53,040 --> 00:03:56,400
or an attack on software it's a kind of

99
00:03:56,400 --> 00:03:58,640
theft of intellectual property so if you

100
00:03:58,640 --> 00:04:01,519
are if you produce some code or some

101
00:04:01,519 --> 00:04:03,439
product or if you have some intellectual

102
00:04:03,439 --> 00:04:06,080
property or some attacker or a threat

103
00:04:06,080 --> 00:04:07,680
actor try to

104
00:04:07,680 --> 00:04:09,920
to test this

105
00:04:09,920 --> 00:04:12,239
intellectual property so it's

106
00:04:12,239 --> 00:04:15,680
it is a threat another is identity theft

107
00:04:15,680 --> 00:04:17,839
so for example if you have an

108
00:04:17,839 --> 00:04:20,560
organization and some user has a

109
00:04:20,560 --> 00:04:21,759
specifically

110
00:04:21,759 --> 00:04:24,320
uh authentication proc process or

111
00:04:24,320 --> 00:04:27,120
identity to authenticate something so

112
00:04:27,120 --> 00:04:28,639
it's something about the theft of this

113
00:04:28,639 --> 00:04:31,040
specific identity it's a kind of threat

114
00:04:31,040 --> 00:04:34,880
sabotage is another part of this um

115
00:04:34,880 --> 00:04:36,639
the threat because

116
00:04:36,639 --> 00:04:39,199
if someone talk about your organization

117
00:04:39,199 --> 00:04:41,440
on twitter or other social media for

118
00:04:41,440 --> 00:04:43,120
example to try

119
00:04:43,120 --> 00:04:44,639
uh you know

120
00:04:44,639 --> 00:04:46,800
pose some damage in the image of your

121
00:04:46,800 --> 00:04:49,120
company it's a kind of sabotage it

122
00:04:49,120 --> 00:04:51,600
is a threat okay and information

123
00:04:51,600 --> 00:04:54,320
distortion are example of information

124
00:04:54,320 --> 00:04:57,280
security threat just a simple definition

125
00:04:57,280 --> 00:04:59,040
why it's important to understand that

126
00:04:59,040 --> 00:05:01,840
because we are talking today about

127
00:05:01,840 --> 00:05:03,280
the

128
00:05:03,280 --> 00:05:06,320
malware and how you need to look at

129
00:05:06,320 --> 00:05:07,919
this and how you can look more

130
00:05:07,919 --> 00:05:09,919
deeply about that so malware is

131
00:05:09,919 --> 00:05:12,400
basically it's an acronym of malicious

132
00:05:12,400 --> 00:05:15,840
software so it's a potential threat so

133
00:05:15,840 --> 00:05:17,039
because of that it's important to

134
00:05:17,039 --> 00:05:18,880
clarify what is a threat not a definition

135
00:05:18,880 --> 00:05:21,440
from filipi it's a definition from the iso

136
00:05:21,440 --> 00:05:22,560
okay

137
00:05:22,560 --> 00:05:26,160
so let's talk about this simple uh flow

138
00:05:26,160 --> 00:05:28,800
about the malware analysis okay so first

139
00:05:28,800 --> 00:05:31,919
of all we have a possible threat or

140
00:05:31,919 --> 00:05:34,320
artifact or a sample so this is the

141
00:05:34,320 --> 00:05:37,039
first step the identification step right

142
00:05:37,039 --> 00:05:39,680
so as you can see here we have a malware

143
00:05:39,680 --> 00:05:42,720
it's an acronym of malicious software

144
00:05:42,720 --> 00:05:46,000
or maldoc malicious document right so

145
00:05:46,000 --> 00:05:48,240
remember you receive to analyze a

146
00:05:48,240 --> 00:05:50,720
specific artifact or sample so you

147
00:05:50,720 --> 00:05:52,880
need to understand if it is a malware or

148
00:05:52,880 --> 00:05:55,199
is a maldoc depends on the binary or

149
00:05:55,199 --> 00:05:58,240
the extension not only that but many other

150
00:05:58,240 --> 00:05:59,840
factors not factors but points that you

151
00:05:59,840 --> 00:06:01,919
need to analyze after that you need to

152
00:06:01,919 --> 00:06:04,800
choose the best methodology to use

153
00:06:04,800 --> 00:06:06,639
when you analyze something like you can

154
00:06:06,639 --> 00:06:08,639
use static analysis and dynamic

155
00:06:08,639 --> 00:06:11,360
analysis two different approaches okay

156
00:06:11,360 --> 00:06:13,520
so my recommendations to you when you

157
00:06:13,520 --> 00:06:15,440
perform something like this it's

158
00:06:15,440 --> 00:06:16,880
important you

159
00:06:16,880 --> 00:06:20,720
write down like you know um all

160
00:06:20,720 --> 00:06:22,639
those steps that you are analyzing when

161
00:06:22,639 --> 00:06:24,560
you make something for example you have

162
00:06:24,560 --> 00:06:26,479
received this artifact you need to

163
00:06:26,479 --> 00:06:28,160
register all those steps because when

164
00:06:28,160 --> 00:06:29,520
you do that

165
00:06:29,520 --> 00:06:32,160
you can understand the steps that

166
00:06:32,160 --> 00:06:34,560
a possible attacker is using in this attack and

167
00:06:34,560 --> 00:06:35,919
not only that but you can produce

168
00:06:35,919 --> 00:06:38,160
something like a report in this report

169
00:06:38,160 --> 00:06:40,000
you can present for example your manager

170
00:06:40,000 --> 00:06:42,319
your coordinator your tech lead or you

171
00:06:42,319 --> 00:06:44,080
can produce some article for example

172
00:06:44,080 --> 00:06:46,160
about your studies for example it's

173
00:06:46,160 --> 00:06:48,160
another interesting point and not only

174
00:06:48,160 --> 00:06:49,599
that but

175
00:06:49,599 --> 00:06:51,360
you can create a specifically

176
00:06:51,360 --> 00:06:53,520
improvement not create but you can help

177
00:06:53,520 --> 00:06:55,360
your organization your company to

178
00:06:55,360 --> 00:06:58,000
improve defense mechanisms because when

179
00:06:58,000 --> 00:07:00,800
you understand what kind of technique

180
00:07:00,800 --> 00:07:03,039
used by the attacker you can understand

181
00:07:03,039 --> 00:07:05,680
what kind of technique this threat actor

182
00:07:05,680 --> 00:07:08,319
or this attacker is using to bypass the

183
00:07:08,319 --> 00:07:09,919
security sensor in your organization

184
00:07:09,919 --> 00:07:13,120
like a firewall like ips like ids like a

185
00:07:13,120 --> 00:07:15,440
possible sandbox or other tools that you

186
00:07:15,440 --> 00:07:17,360
have in your environment or antivirus

187
00:07:17,360 --> 00:07:20,479
edr so you can understand the technique

188
00:07:20,479 --> 00:07:22,160
used by the attacker to bypass those

189
00:07:22,160 --> 00:07:24,160
solutions and not only that but you can

190
00:07:24,160 --> 00:07:26,800
suggest it as improvement for your

191
00:07:26,800 --> 00:07:28,479
defense mechanisms

192
00:07:28,479 --> 00:07:31,440
and you can um

193
00:07:31,440 --> 00:07:34,639
create this good word called cti or

194
00:07:34,639 --> 00:07:36,319
cyber threat intelligence you can build

195
00:07:36,319 --> 00:07:38,639
it in your organization i know that it's

196
00:07:38,639 --> 00:07:40,160
not too easy to create this if you're a

197
00:07:40,160 --> 00:07:43,199
small company but nowadays we have many

198
00:07:43,199 --> 00:07:44,800
tools to help you to give this

199
00:07:44,800 --> 00:07:46,639
information um

200
00:07:46,639 --> 00:07:47,520
like

201
00:07:47,520 --> 00:07:50,160
for example misp it's a malware sharing

202
00:07:50,160 --> 00:07:51,840
platform that you can use in an open

203
00:07:51,840 --> 00:07:53,919
source project by the way using for

204
00:07:53,919 --> 00:07:56,319
example elasticsearch to

205
00:07:56,319 --> 00:07:58,319
correlating the logs or other things

206
00:07:58,319 --> 00:08:00,240
like these so you can create these

207
00:08:00,240 --> 00:08:02,639
intelligence in your organization and you

208
00:08:02,639 --> 00:08:04,479
need to have cyber resilience you

209
00:08:04,479 --> 00:08:06,319
need to have this resilience because the

210
00:08:06,319 --> 00:08:09,840
threats are changing all the time so so

211
00:08:09,840 --> 00:08:10,879
we need to

212
00:08:10,879 --> 00:08:13,360
calculate of course it's difficult

213
00:08:13,360 --> 00:08:15,440
probably you can use some tools to

214
00:08:15,440 --> 00:08:17,680
help you to calculate the resistance

215
00:08:17,680 --> 00:08:19,599
against the threat in your environment

216
00:08:19,599 --> 00:08:21,440
but remember

217
00:08:21,440 --> 00:08:23,759
this is a defensive approach to

218
00:08:23,759 --> 00:08:25,199
understand how you can use in the

219
00:08:25,199 --> 00:08:27,599
offensive mindset okay so this is the

220
00:08:27,599 --> 00:08:30,560
simple flow used in our analysis in our

221
00:08:30,560 --> 00:08:32,559
studies so remember this is the first

222
00:08:32,559 --> 00:08:33,839
step the static analysis and

223
00:08:33,839 --> 00:08:35,360
dynamic analysis probably you already

224
00:08:35,360 --> 00:08:37,440
heard about that but if you are new here

225
00:08:37,440 --> 00:08:38,880
it's important you understand those

226
00:08:38,880 --> 00:08:40,880
differences so simple like this what is

227
00:08:40,880 --> 00:08:43,519
a static analysis when you talk about

228
00:08:43,519 --> 00:08:46,240
the malware analysis uh it usually is the

229
00:08:46,240 --> 00:08:48,640
first step used in malware

230
00:08:48,640 --> 00:08:51,760
studies why because static analysis

231
00:08:51,760 --> 00:08:54,240
describes the process of analyzing the

232
00:08:54,240 --> 00:08:57,120
program code it means that you will

233
00:08:57,120 --> 00:08:59,440
look more deeply at the structure

234
00:08:59,440 --> 00:09:01,839
of the specific code when you receive

235
00:09:01,839 --> 00:09:03,600
the binary we need to look more deeply

236
00:09:03,600 --> 00:09:04,560
about that

237
00:09:04,560 --> 00:09:07,360
or you can find a specific

238
00:09:07,360 --> 00:09:10,880
function imported by the dll used by this

239
00:09:10,880 --> 00:09:14,240
attack or what kind of dll this

240
00:09:14,240 --> 00:09:16,160
specific binary is using in your

241
00:09:16,160 --> 00:09:18,640
operating system to execute this

242
00:09:18,640 --> 00:09:20,480
attack in this specific environment

243
00:09:20,480 --> 00:09:23,839
right so the program itself doesn't run

244
00:09:23,839 --> 00:09:26,480
in this time so because of that it's

245
00:09:26,480 --> 00:09:29,200
safer when you analyze because we're

246
00:09:29,200 --> 00:09:30,720
looking at the

247
00:09:30,720 --> 00:09:33,040
behavior no not the behavior but you're looking at

248
00:09:33,040 --> 00:09:35,519
the code the program code so maybe you

249
00:09:35,519 --> 00:09:36,880
are thinking about reverse

250
00:09:36,880 --> 00:09:39,600
engineering and where is the reverse

251
00:09:39,600 --> 00:09:42,000
engineering here filipi basically

252
00:09:42,000 --> 00:09:43,920
reverse engineering if you are new here

253
00:09:43,920 --> 00:09:47,680
again is a technique that you can use in

254
00:09:47,680 --> 00:09:50,000
inside of the static analysis not

255
00:09:50,000 --> 00:09:52,240
only that but you can use it in dynamic

256
00:09:52,240 --> 00:09:53,680
analysis and we explained what the

257
00:09:53,680 --> 00:09:55,360
difference between static and

258
00:09:55,360 --> 00:09:59,120
dynamic but it's important to understand

259
00:09:59,120 --> 00:10:00,720
before looking deeply at the

260
00:10:00,720 --> 00:10:02,959
reverse engineering you need to understand

261
00:10:02,959 --> 00:10:05,440
those bases right so what is static

262
00:10:05,440 --> 00:10:07,279
analysis what is dynamic analysis how

263
00:10:07,279 --> 00:10:10,160
the tools can help you how the structure

264
00:10:10,160 --> 00:10:12,240
of the binary works and after that you

265
00:10:12,240 --> 00:10:14,399
can look in more about the reverse

266
00:10:14,399 --> 00:10:16,000
engineering through looking for

267
00:10:16,000 --> 00:10:19,600
debuggers looking for uh um assembly

268
00:10:19,600 --> 00:10:22,480
code and so on and so on okay

269
00:10:22,480 --> 00:10:24,560
so let's talk about the dynamic analysis

270
00:10:24,560 --> 00:10:26,000
this is the second

271
00:10:26,000 --> 00:10:28,480
methodology that you can use in our

272
00:10:28,480 --> 00:10:31,360
studies right so dynamic analysis is based

273
00:10:31,360 --> 00:10:34,560
on behavior in this case basically is

274
00:10:34,560 --> 00:10:37,040
the interactions that the malware or

275
00:10:37,040 --> 00:10:40,240
maldoc has when it is executed in this

276
00:10:40,240 --> 00:10:42,640
environment basically is the runtime

277
00:10:42,640 --> 00:10:45,200
analysis remember so you have two

278
00:10:45,200 --> 00:10:46,399
approaches

279
00:10:46,399 --> 00:10:49,040
non-runtime and runtime analysis one

280
00:10:49,040 --> 00:10:50,480
is static analysis where you can

281
00:10:50,480 --> 00:10:51,920
look at the

282
00:10:51,920 --> 00:10:55,120
structure of the code the functions the

283
00:10:55,120 --> 00:10:57,519
dlls libraries and the other is

284
00:10:57,519 --> 00:10:59,600
runtime so you pick up the malware you

285
00:10:59,600 --> 00:11:01,680
put it in a specific environment control

286
00:11:01,680 --> 00:11:03,680
that environment remember that and you

287
00:11:03,680 --> 00:11:06,000
execute it inside of this controlled

288
00:11:06,000 --> 00:11:08,480
environment you will see the behavior

289
00:11:08,480 --> 00:11:10,560
and after that you check

290
00:11:10,560 --> 00:11:13,120
if it is malicious or not

291
00:11:13,120 --> 00:11:14,640
and by the way

292
00:11:14,640 --> 00:11:15,760
it can be

293
00:11:15,760 --> 00:11:18,399
easily automated and basically we have a

294
00:11:18,399 --> 00:11:20,880
specific concept called sandbox

295
00:11:20,880 --> 00:11:22,880
that is called sandbox actually

296
00:11:22,880 --> 00:11:25,200
maybe you have already heard about

297
00:11:25,200 --> 00:11:27,600
what exactly a sandbox is it's a

298
00:11:27,600 --> 00:11:29,760
specific environment basically it's a

299
00:11:29,760 --> 00:11:31,440
virtual machine

300
00:11:31,440 --> 00:11:33,519
when you talk about malware analysis or

301
00:11:33,519 --> 00:11:36,160
you know to analyze or investigate

302
00:11:36,160 --> 00:11:38,240
threat hunting and so on and so on basically

303
00:11:38,240 --> 00:11:40,000
you have the malware here which is put

304
00:11:40,000 --> 00:11:42,240
inside of this specific environment and

305
00:11:42,240 --> 00:11:44,320
you see the behavior but it's not only

306
00:11:44,320 --> 00:11:45,680
virtual machine

307
00:11:45,680 --> 00:11:48,480
to see if this binary is

308
00:11:48,480 --> 00:11:51,040
malicious or not we need to

309
00:11:51,040 --> 00:11:53,200
have inside of the sandbox

310
00:11:53,200 --> 00:11:54,639
engines

311
00:11:54,639 --> 00:11:57,760
to see the behavior basically it means

312
00:11:57,760 --> 00:12:00,320
you probably already heard about what is

313
00:12:00,320 --> 00:12:02,800
virustotal it's antivirus scanning you

314
00:12:02,800 --> 00:12:04,480
have the binary you're

315
00:12:04,480 --> 00:12:07,120
putting this inside of this

316
00:12:07,120 --> 00:12:10,240
antivirus scanning and based on

317
00:12:10,240 --> 00:12:12,320
many engines inside of this antivirus

318
00:12:12,320 --> 00:12:15,120
scanning you can see if this malware is

319
00:12:15,120 --> 00:12:16,959
malicious or this is the sample actually

320
00:12:16,959 --> 00:12:19,360
it's malicious or not so based on this

321
00:12:19,360 --> 00:12:22,480
engine inside of that right so sandbox

322
00:12:22,480 --> 00:12:24,959
you need to have the same concept

323
00:12:24,959 --> 00:12:27,200
same concept you need to have this engine

324
00:12:27,200 --> 00:12:29,360
inside of that for example you have many

325
00:12:29,360 --> 00:12:32,240
different open source projects like cuckoo

326
00:12:32,240 --> 00:12:34,320
and like others that i will show you

327
00:12:34,320 --> 00:12:36,079
during these presentations right so

328
00:12:36,079 --> 00:12:38,480
remember sandbox is not only a virtual

329
00:12:38,480 --> 00:12:40,240
machine you need to have this engine

330
00:12:40,240 --> 00:12:42,720
inside of that right so okay before we

331
00:12:42,720 --> 00:12:44,560
talk about the structure of the pdf

332
00:12:44,560 --> 00:12:46,720
files we need to see more about the

333
00:12:46,720 --> 00:12:48,480
structure of the binary it's important

334
00:12:48,480 --> 00:12:50,839
to clarify those differences

335
00:12:50,839 --> 00:12:54,800
okay so let's talk about that now in my

336
00:12:54,800 --> 00:12:58,320
virtual machine live coding here for you

337
00:12:58,320 --> 00:12:59,519
okay

338
00:12:59,519 --> 00:13:01,839
so

339
00:13:03,360 --> 00:13:06,560
sorry for that so i have here many

340
00:13:06,560 --> 00:13:08,959
different samples

341
00:13:08,959 --> 00:13:11,519
and some some examples of this probably

342
00:13:11,519 --> 00:13:13,920
is malicious and other non-malicious so

343
00:13:13,920 --> 00:13:16,000
we need to check this and to see the

344
00:13:16,000 --> 00:13:18,240
difference between one file or

345
00:13:18,240 --> 00:13:20,720
another so let's check first of all

346
00:13:20,720 --> 00:13:22,800
remember the flow identification step

347
00:13:22,800 --> 00:13:24,880
you receive this binary you need to

348
00:13:24,880 --> 00:13:27,440
analyze that so i have here the amazon

349
00:13:27,440 --> 00:13:30,959
file so i'm using the file command to see

350
00:13:30,959 --> 00:13:33,360
what kind of type of

351
00:13:33,360 --> 00:13:36,240
this file is right

352
00:13:36,240 --> 00:13:37,920
the second file that we're using i would

353
00:13:37,920 --> 00:13:41,959
check is amazon.docx

354
00:13:42,560 --> 00:13:45,199
sorry it is a microsoft word it's almost

355
00:13:45,199 --> 00:13:47,440
the same let me check my friend bill

356
00:13:47,440 --> 00:13:50,240
here i have enough file view is a pdf

357
00:13:50,240 --> 00:13:53,760
file let me check here malware python

358
00:13:53,760 --> 00:13:55,760
maybe it's a python script

359
00:13:55,760 --> 00:13:59,120
yes it's a python script let me check the

360
00:13:59,120 --> 00:14:04,480
simple pdf is a simple and top text

361
00:14:04,480 --> 00:14:06,399
it's not it's a text but it's a python

362
00:14:06,399 --> 00:14:08,639
script but with a difference

363
00:14:08,639 --> 00:14:11,600
and another is a tar pdf is a pdf file

364
00:14:11,600 --> 00:14:13,760
okay so take a look at this we have a

365
00:14:13,760 --> 00:14:16,880
different binaries here different files

366
00:14:16,880 --> 00:14:20,560
so remember you receive this in your

367
00:14:20,560 --> 00:14:21,920
position

368
00:14:21,920 --> 00:14:24,000
let's suppose that you are an analyst

369
00:14:24,000 --> 00:14:27,279
some researcher malware analyst or whatever

370
00:14:27,279 --> 00:14:28,959
so you need to look more deeply at

371
00:14:28,959 --> 00:14:30,399
that so

372
00:14:30,399 --> 00:14:32,560
sorry this is my point here so what is

373
00:14:32,560 --> 00:14:34,800
important to see here in this

374
00:14:34,800 --> 00:14:37,680
conversation right so first we need to

375
00:14:37,680 --> 00:14:41,920
understand if this file is really

376
00:14:41,920 --> 00:14:44,000
a malware or not let me check here the

377
00:14:44,000 --> 00:14:46,880
file malware doc python here for example

378
00:14:46,880 --> 00:14:49,040
okay let me read

379
00:14:49,040 --> 00:14:52,000
first no i will not execute it myself

380
00:14:52,000 --> 00:14:54,000
but it's not a malware actually let's

381
00:14:54,000 --> 00:14:55,680
check here so let me try to execute

382
00:14:55,680 --> 00:14:57,519
it here like python

383
00:14:57,519 --> 00:14:58,480
3.9

384
00:14:58,480 --> 00:15:01,440
in malware let's see here okay so it's a

385
00:15:01,440 --> 00:15:04,000
simple code in python take a look this

386
00:15:04,000 --> 00:15:07,440
it's a python script and if you see here

387
00:15:07,440 --> 00:15:09,519
basically this is some information

388
00:15:09,519 --> 00:15:12,079
that we have in the beginning in here we

389
00:15:12,079 --> 00:15:14,399
have another file and by the way if i

390
00:15:14,399 --> 00:15:16,560
change here let's let me manipulate

391
00:15:16,560 --> 00:15:17,839
something here

392
00:15:17,839 --> 00:15:19,760
in this file

393
00:15:19,760 --> 00:15:22,800
okay let me cut here and i will save

394
00:15:22,800 --> 00:15:24,000
once again

395
00:15:24,000 --> 00:15:26,800
and i will try to execute again

396
00:15:26,800 --> 00:15:29,040
the same

397
00:15:29,040 --> 00:15:31,600
python3.9

398
00:15:31,600 --> 00:15:34,399
python3.9 actually

399
00:15:34,399 --> 00:15:36,880
malware python and take a look this is the

400
00:15:36,880 --> 00:15:39,600
same you see so if you're using once

401
00:15:39,600 --> 00:15:42,000
again file take a look the difference so

402
00:15:42,000 --> 00:15:45,440
here we have a malware we have this python

403
00:15:45,440 --> 00:15:46,639
script

404
00:15:46,639 --> 00:15:50,240
and we have here ascii text executable

405
00:15:50,240 --> 00:15:52,160
but here i changed something in the

406
00:15:52,160 --> 00:15:54,959
beginning i cut this part as you can see

407
00:15:54,959 --> 00:15:56,079
here

408
00:15:56,079 --> 00:16:00,399
and we changed this information so file

409
00:16:00,399 --> 00:16:02,399
identified the type of the file in a

410
00:16:02,399 --> 00:16:05,279
different way if you see here so let me

411
00:16:05,279 --> 00:16:08,240
change the other thing here in this file

412
00:16:08,240 --> 00:16:09,040
if

413
00:16:09,040 --> 00:16:10,399
i try

414
00:16:10,399 --> 00:16:11,759
to

415
00:16:11,759 --> 00:16:14,160
let me manipulate once again

416
00:16:14,160 --> 00:16:17,920
okay let me put here put here pdf or

417
00:16:17,920 --> 00:16:20,639
actually not pdf percent pdf i think is

418
00:16:20,639 --> 00:16:22,040
better

419
00:16:22,040 --> 00:16:25,600
1.7 maybe or i can use dash here i think

420
00:16:25,600 --> 00:16:28,399
it's more and then you save

421
00:16:28,399 --> 00:16:30,720
yes and let's check what happened

422
00:16:30,720 --> 00:16:31,680
here

423
00:16:31,680 --> 00:16:34,160
wow take a look at this so now we have a

424
00:16:34,160 --> 00:16:38,079
pdf document and if i try to execute

425
00:16:38,079 --> 00:16:39,680
once again

426
00:16:39,680 --> 00:16:42,240
in python

427
00:16:42,240 --> 00:16:44,639
we have a problem here because i have

428
00:16:44,639 --> 00:16:47,920
this syntax problem okay because now the

429
00:16:47,920 --> 00:16:52,160
file type is different it's pdf

430
00:16:52,160 --> 00:16:56,160
so take a look this i have here pdfid

431
00:16:56,160 --> 00:16:59,120
it's a tool from didier stevens and i have a

432
00:16:59,120 --> 00:17:02,720
view here and i will perform this

433
00:17:02,720 --> 00:17:05,679
sorry perform this tool executing here

434
00:17:05,679 --> 00:17:08,400
to analyze a specific

435
00:17:08,400 --> 00:17:09,280
to

436
00:17:09,280 --> 00:17:11,359
search for some sample or some

437
00:17:11,359 --> 00:17:13,760
information inside of this pdf okay

438
00:14:13,760 --> 00:14:14,720
pdfid

439
00:17:14,720 --> 00:17:16,880
so if you see here i have a different

440
00:17:16,880 --> 00:17:18,720
objects i will explain the difference

441
00:17:18,720 --> 00:17:21,039
between this uh during this conversation

442
00:17:21,039 --> 00:17:23,199
but just to show you something let me

443
00:17:23,199 --> 00:17:26,079
use the same pdfid

444
00:17:26,079 --> 00:17:28,960
for malware.doc, Python, but Filipe, it's

445
00:17:28,960 --> 00:17:30,720
not Python, it has a

446
00:17:30,720 --> 00:17:32,400
different extension

447
00:17:32,400 --> 00:17:34,799
and I am isolating

448
00:17:34,799 --> 00:17:37,039
something, but take a look at this,

449
00:17:37,039 --> 00:17:40,720
now this tool, pdfid,

450
00:17:40,720 --> 00:17:43,280
identified

451
00:17:43,280 --> 00:17:45,039
this

452
00:17:45,039 --> 00:17:47,919
sample as a PDF,

453
00:17:47,919 --> 00:17:49,520
even this

454
00:17:49,520 --> 00:17:50,960
binary

455
00:17:50,960 --> 00:17:53,919
having another extension, you see,

456
00:17:53,919 --> 00:17:55,760
and take a look at this

457
00:17:55,760 --> 00:17:58,559
and let me check another, let me change

458
00:17:58,559 --> 00:18:00,960
something, move malware

459
00:18:00,960 --> 00:18:01,840
.doc

460
00:18:01,840 --> 00:18:03,120
to malware

461
00:18:03,120 --> 00:18:05,360
.doc.pdf

462
00:18:05,360 --> 00:18:09,039
I will change the extension, pdfid,

463
00:18:09,039 --> 00:18:12,000
and I will try to see, it is the same, but

464
00:18:12,000 --> 00:18:13,360
if you see

465
00:18:13,360 --> 00:18:14,640
I

466
00:18:14,640 --> 00:18:18,080
run it in Python once again,

467
00:18:18,080 --> 00:18:20,320
once again I will show you the content

468
00:18:20,320 --> 00:18:21,360
of this

469
00:18:21,360 --> 00:18:22,320
it

470
00:18:22,320 --> 00:18:24,559
continues to be the same, it is the same

471
00:18:24,559 --> 00:18:27,520
content, right, but when I try using

472
00:18:27,520 --> 00:18:30,240
pdfid,

473
00:18:30,240 --> 00:18:32,799
this tool identifies it as

474
00:18:32,799 --> 00:18:35,360
really a PDF file, you see,

475
00:18:35,360 --> 00:18:37,280
and file,

476
00:18:37,280 --> 00:18:40,400
the same case, it's a PDF document,

477
00:18:40,400 --> 00:18:42,320
I manipulated something inside of the

478
00:18:42,320 --> 00:18:44,960
binary, so my question to you is:

479
00:18:44,960 --> 00:18:47,120
what exactly is the information I'm

480
00:18:47,120 --> 00:18:50,799
manipulating inside of this binary, so

481
00:18:50,799 --> 00:18:54,000
think about that, okay, so let me change

482
00:18:54,000 --> 00:18:56,799
other things here, so nano malware.pdf

483
00:18:56,799 --> 00:18:59,600
again, and I will cut here, and I will

484
00:18:59,600 --> 00:19:01,520
save once again

485
00:19:01,520 --> 00:19:03,520
and now I have

486
00:19:03,520 --> 00:19:07,120
the same content, I just cut the very

487
00:19:07,120 --> 00:19:09,520
beginning of the information, let me try

488
00:19:09,520 --> 00:19:12,400
to execute it in Python once again, probably

489
00:19:12,400 --> 00:19:14,640
we will have some problem

490
00:19:14,640 --> 00:19:18,240
but I will try malware.pdf, let me try

491
00:19:18,240 --> 00:19:20,240
to, as I could probably receive some

492
00:19:20,240 --> 00:19:24,160
error, no, we don't have any, we have it here, why?

493
00:19:24,160 --> 00:19:25,840
because the extension is different, so

494
00:19:25,840 --> 00:19:28,720
what happened here, so if I try once

495
00:19:28,720 --> 00:19:30,240
again

496
00:19:30,240 --> 00:19:33,840
oh Jesus, now we have ASCII text,

497
00:19:33,840 --> 00:19:36,960
and let me manipulate another thing here

498
00:19:36,960 --> 00:19:38,799
in the beginning of this

499
00:19:38,799 --> 00:19:42,799
file, let me return here once again, sorry,

500
00:19:42,799 --> 00:19:45,039
and this is specifically

501
00:19:45,039 --> 00:19:49,039
bin/python, I will copy here, let's check

502
00:19:49,039 --> 00:19:50,240
here

503
00:19:50,240 --> 00:19:52,880
I will copy this, as you can see,

504
00:19:52,880 --> 00:19:54,880
okay

505
00:19:54,880 --> 00:19:58,480
and I will manipulate once again this

506
00:19:58,480 --> 00:20:00,400
file

507
00:20:00,400 --> 00:20:03,039
enter, I will paste here, as you can see, I

508
00:20:03,039 --> 00:20:05,360
will save once again

509
00:20:05,360 --> 00:20:08,880
file malware, take a look at this, wow, it's a

510
00:20:08,880 --> 00:20:09,840
Python script

511
00:20:09,840 --> 00:20:12,320
binary, let me

512
00:20:12,320 --> 00:20:14,400
try using Python once again, so probably

513
00:20:14,400 --> 00:20:18,159
it works now, it continues to work because

514
00:20:18,159 --> 00:20:20,480
I need to write it the correct way, so it

515
00:20:20,480 --> 00:20:23,440
works here, so I'm changing something here

516
00:20:23,440 --> 00:20:25,120
and I will try again,

517
00:20:25,120 --> 00:20:27,679
it works again, so let me use pdfid,

518
00:20:27,679 --> 00:20:29,840
because it's malware, it's a PDF once

519
00:20:29,840 --> 00:20:32,080
again, and take a look at this,

520
00:20:32,080 --> 00:20:35,520
wow, it's not a PDF document,

521
00:20:35,520 --> 00:20:37,600
take a look at this, so

522
00:20:37,600 --> 00:20:40,639
something happened here

523
00:20:41,039 --> 00:20:42,880
that's the point here, the objective of

524
00:20:42,880 --> 00:20:45,200
this conversation today

525
00:20:45,200 --> 00:20:48,400
so I am using different tools to

526
00:20:48,400 --> 00:20:51,200
investigate and to see, remember, I

527
00:20:51,200 --> 00:20:53,200
received this

528
00:20:53,200 --> 00:20:55,840
remember, in your situation, so you work

529
00:20:55,840 --> 00:20:58,159
in your company, you receive this file

530
00:20:58,159 --> 00:21:00,240
and you need to analyze that, you

531
00:21:00,240 --> 00:21:03,120
you need to use, I'm sure, I suggest

532
00:21:03,120 --> 00:21:05,840
it, you need to use, you should use

533
00:21:05,840 --> 00:21:08,559
these tools in your analysis, but you need

534
00:21:08,559 --> 00:21:11,840
to understand how each tool works

535
00:21:11,840 --> 00:21:13,919
so here, let me explain about the file

536
00:21:13,919 --> 00:21:14,960
command

537
00:21:14,960 --> 00:21:16,640
what kind of information, remember my

538
00:21:16,640 --> 00:21:19,679
question, what information does file

539
00:21:19,679 --> 00:21:21,760
use

540
00:21:21,760 --> 00:21:24,080
to collect the information inside

541
00:21:24,080 --> 00:21:27,360
of the binary, here is the information

542
00:21:27,360 --> 00:21:31,360
collected by file, okay, so

543
00:21:31,360 --> 00:21:34,400
this file has a magic number, probably,

544
00:21:34,400 --> 00:21:35,760
if you are

545
00:21:35,760 --> 00:21:38,480
you know, if not a beginner, if you are

546
00:21:38,480 --> 00:21:42,400
a senior, a mid-level guy, a mid-level

547
00:21:42,400 --> 00:21:44,159
analyst, or if you are a senior, a

548
00:21:44,159 --> 00:21:47,120
specialist, or, you know, I don't know,

549
00:21:47,120 --> 00:21:49,440
principal, obviously you

550
00:21:49,440 --> 00:21:51,120
know about that, about what exactly a

551
00:21:51,120 --> 00:21:53,919
magic number is, and each binary has a

552
00:21:53,919 --> 00:21:56,159
specific magic number, and some

553
00:21:56,159 --> 00:21:58,080
binaries are difficult to manipulate, I made

554
00:21:58,080 --> 00:22:01,200
some manipulations, actually, in Python

555
00:22:01,200 --> 00:22:04,240
code and PDF, it's easier in this case,

556
00:22:04,240 --> 00:22:06,400
but file

557
00:22:06,400 --> 00:22:07,280
sees

558
00:22:07,280 --> 00:22:10,159
in each binary the magic number,

559
00:22:10,159 --> 00:22:12,480
basically this is important information,

560
00:22:12,480 --> 00:22:15,679
it looks for this, and basically the

561
00:22:15,679 --> 00:22:18,960
magic, the file tool, actually this

562
00:22:18,960 --> 00:22:21,280
binary, this is compiled inside of the

563
00:22:21,280 --> 00:22:22,720
operating system,

564
00:22:22,720 --> 00:22:23,679
the

565
00:22:23,679 --> 00:22:26,400
file uses specific databases to

566
00:22:26,400 --> 00:22:28,559
find that information, and those

567
00:22:28,559 --> 00:22:31,360
databases are here inside of this

568
00:22:31,360 --> 00:22:32,640
specific

569
00:22:32,640 --> 00:22:34,159
um

570
00:22:34,159 --> 00:22:36,080
path inside of this directory, but of

571
00:22:36,080 --> 00:22:37,840
course it's compiled, because of that

572
00:22:37,840 --> 00:22:39,840
you cannot see this information

573
00:22:39,840 --> 00:22:42,080
inside of that, but I downloaded this

574
00:22:42,080 --> 00:22:46,080
information, this explanation I'm using is by

575
00:22:46,080 --> 00:22:49,120
another researcher, my friend Fernando

576
00:22:49,120 --> 00:22:51,679
Mercês, he has a specific video

577
00:22:51,679 --> 00:22:54,400
explaining many details about file,

578
00:22:54,400 --> 00:22:56,320
but in Portuguese language, unfortunately,

579
00:22:56,320 --> 00:22:58,080
but probably you can use the subtitles

580
00:22:58,080 --> 00:23:00,960
to see it, but I collected

581
00:23:00,960 --> 00:23:03,120
the idea behind this from this video,

582
00:23:03,120 --> 00:23:05,760
basically, Fernando Mercês, okay, and I

583
00:23:05,760 --> 00:23:09,520
downloaded the file database to share with

584
00:23:09,520 --> 00:23:13,840
you how this works, okay,

585
00:23:13,840 --> 00:23:17,919
so if you see here, I have many different

586
00:23:17,919 --> 00:23:19,280
databases

587
00:23:19,280 --> 00:23:23,360
used by the Unix platform, right, so if I cat

588
00:23:23,360 --> 00:23:27,440
here PDF, for example, you can see here

589
00:23:27,440 --> 00:23:29,760
how many

590
00:23:29,760 --> 00:23:32,000
sorry, how many

591
00:23:32,000 --> 00:23:34,960
pieces of information, rules and strings,

592
00:23:34,960 --> 00:23:37,520
the file command uses

593
00:23:37,520 --> 00:23:40,159
for a magic number, okay, that's an

594
00:23:40,159 --> 00:23:41,520
important thing

595
00:23:41,520 --> 00:23:43,600
here, okay, as you can see here in the

596
00:23:43,600 --> 00:23:45,760
beginning, if you see here %PDF

597
00:23:45,760 --> 00:23:48,240
dash, this is the string that you can see

598
00:23:48,240 --> 00:23:50,720
in the beginning, so if you read for

599
00:23:50,720 --> 00:23:52,640
Python, for example,

600
00:23:52,640 --> 00:23:54,880
take a look at this,

601
00:23:54,880 --> 00:23:58,240
we can see here the beginning of the

602
00:23:58,240 --> 00:24:01,200
information, you see,

603
00:24:01,200 --> 00:24:02,640
some information you can see in the

604
00:24:02,640 --> 00:24:05,039
beginning of the code, strings and other

605
00:24:05,039 --> 00:24:07,600
things like this, for example like

606
00:24:07,600 --> 00:24:10,320
/usr/bin/python and others and others,

607
00:24:10,320 --> 00:24:12,960
of course not only one, but more than one

608
00:24:12,960 --> 00:24:14,880
that you can find

609
00:24:14,880 --> 00:24:16,559
in the specific database that you

610
00:24:16,559 --> 00:24:18,640
can see here, so that's very interesting,

611
00:24:18,640 --> 00:24:21,120
so let me see, for example, a JavaScript

612
00:24:21,120 --> 00:24:23,840
one, a very interesting thing, so if you

613
00:24:23,840 --> 00:24:26,240
see here in the beginning

614
00:24:26,240 --> 00:24:28,000
dash bin/node,

615
00:24:28,000 --> 00:24:31,039
let me copy here and manipulate one last

616
00:24:31,039 --> 00:24:34,640
time our document here, so let me

617
00:24:34,640 --> 00:24:36,880
return here to the malware folder, nano

618
00:24:36,880 --> 00:24:40,240
malware.pdf, and now I cut here and I

619
00:24:40,240 --> 00:24:41,520
will paste

620
00:24:41,520 --> 00:24:44,159
and let's see what happens if I can do

621
00:24:44,159 --> 00:24:47,520
this, the last one, file malware,

622
00:24:47,520 --> 00:24:50,880
take a look at this, and pow, we have an

623
00:24:50,880 --> 00:24:53,760
executable, in this case they use it in a

624
00:24:53,760 --> 00:24:55,840
different way but

625
00:24:55,840 --> 00:24:59,279
if you see, now we have a JavaScript,

626
00:24:59,279 --> 00:25:01,520
in a different way, because a script is

627
00:25:01,520 --> 00:25:02,559
equal

628
00:25:02,559 --> 00:25:05,279
means, very very interesting, so if you

629
00:25:05,279 --> 00:25:07,840
see here another, it's a root

630
00:25:07,840 --> 00:25:09,440
malware

631
00:25:09,440 --> 00:25:10,720
file

632
00:25:10,720 --> 00:25:12,000
magic

633
00:25:12,000 --> 00:25:13,120
and

634
00:25:13,120 --> 00:25:16,480
what is another magic

635
00:25:16,480 --> 00:25:18,799
dir

636
00:25:18,960 --> 00:25:22,720
back, dir and JavaScript,

637
00:25:23,600 --> 00:25:25,360
JavaScript, and

638
00:25:25,360 --> 00:25:28,480
you can see here Node.js, for example,

639
00:25:28,480 --> 00:25:30,799
let me copy

640
00:25:30,799 --> 00:25:34,240
manipulate once again

641
00:25:34,240 --> 00:25:37,440
paste here, and now I cut, oh, just to

642
00:25:37,440 --> 00:25:40,000
put the .js at the end, actually, file

643
00:25:40,000 --> 00:25:43,000
malware,

644
00:25:43,600 --> 00:25:44,640
you see

645
00:25:44,640 --> 00:25:46,400
it's a

646
00:25:46,400 --> 00:25:48,960
Node.js

647
00:25:48,960 --> 00:25:51,760
script, so it's a very important thing,

648
00:25:51,760 --> 00:25:54,559
another interesting thing here is about

649
00:25:54,559 --> 00:25:57,520
this information about the structure of

650
00:25:57,520 --> 00:25:58,880
the binary, of course I will talk more

651
00:25:58,880 --> 00:26:01,679
about the PDF, but I will explain more

652
00:26:01,679 --> 00:26:03,120
about that, about this structure, if you

653
00:26:03,120 --> 00:26:05,279
see here in the manual, take a look at this

654
00:26:05,279 --> 00:26:07,440
information, it's interesting here about

655
00:26:07,440 --> 00:26:08,720
the ELF,

656
00:26:08,720 --> 00:26:10,159
we don't have time to talk about the

657
00:26:10,159 --> 00:26:12,159
ELF structure or PE, Portable

658
00:26:12,159 --> 00:26:14,640
Executable, but here we have specific

659
00:26:14,640 --> 00:26:17,039
information about the format

660
00:26:17,039 --> 00:26:20,720
of the ELF structure, actually, so how,

661
00:26:20,720 --> 00:26:22,720
what is the difference, or how you can

662
00:26:22,720 --> 00:26:25,360
find the array inside of these, how the

663
00:26:25,360 --> 00:26:26,799
information, you can find this, for

664
00:26:26,799 --> 00:26:29,279
example, let me copy here just to show

665
00:26:29,279 --> 00:26:31,679
you here in this presentation, so let me

666
00:26:31,679 --> 00:26:33,120
locate here

667
00:26:33,120 --> 00:26:33,919
um

668
00:26:33,919 --> 00:26:37,640
now I paste here,

669
00:26:38,559 --> 00:26:42,400
let me find here, it's

670
00:26:42,400 --> 00:26:45,600
headers, is what is located here, is it okay,

671
00:26:45,600 --> 00:26:47,440
it's here, usr,

672
00:26:47,440 --> 00:26:48,880
it's here

673
00:26:48,880 --> 00:26:50,799
so I will copy here,

674
00:26:50,799 --> 00:26:52,159
and, are you sure, it's simple, this is

675
00:26:52,159 --> 00:26:52,960
not

676
00:26:52,960 --> 00:26:54,080
better

677
00:26:54,080 --> 00:26:55,120
no

678
00:26:55,120 --> 00:26:56,799
best

679
00:26:56,799 --> 00:26:59,679
and take a look at this, this file defines

680
00:26:59,679 --> 00:27:02,080
standard ELF types, structures and

681
00:27:02,080 --> 00:27:03,120
macros

682
00:27:03,120 --> 00:27:05,120
you see, very very interesting,

683
00:27:05,120 --> 00:27:06,400
interesting

684
00:27:06,400 --> 00:27:09,039
and useful information

685
00:27:09,039 --> 00:27:11,039
sorry, and here you can see how many

686
00:27:11,039 --> 00:27:12,799
bytes you have,

687
00:27:12,799 --> 00:27:15,200
you know, divided in a specific

688
00:27:15,200 --> 00:27:17,840
structure of the ELF, this is the first

689
00:27:17,840 --> 00:27:21,120
one, the first array called, for example, e_

690
00:27:21,120 --> 00:27:24,720
ident, it's the first array that you have,

691
00:27:24,720 --> 00:27:28,320
the 16 bytes, and in this specific array

692
00:27:28,320 --> 00:27:30,880
you can find the magic number and other

693
00:27:30,880 --> 00:27:32,480
information, again we don't have time

694
00:27:32,480 --> 00:27:34,399
to explain many things here, but it's a

695
00:27:34,399 --> 00:27:37,520
topic for another talk, okay, just to

696
00:27:37,520 --> 00:27:39,520
show you, so

697
00:27:39,520 --> 00:27:40,559
oops

698
00:27:40,559 --> 00:27:42,399
let me

699
00:27:42,399 --> 00:27:43,600
oh

700
00:27:43,600 --> 00:27:46,559
here, no, okay, so

701
00:27:46,559 --> 00:27:48,720
let's talk about the PDF structure,

702
00:27:48,720 --> 00:27:50,880
because it's a very important part of our

703
00:27:50,880 --> 00:27:52,880
presentation, so we have a physical and a

704
00:27:52,880 --> 00:27:55,440
logical structure of the PDF, so usually

705
00:27:55,440 --> 00:27:56,799
you have four parts when you talk

706
00:27:56,799 --> 00:27:59,919
about the PDF, okay, so we have a header,

707
00:27:59,919 --> 00:28:01,600
it's very common in

708
00:28:01,600 --> 00:28:04,240
many different binaries, we have a body and a

709
00:28:04,240 --> 00:28:06,640
cross-reference table and a trailer, let's

710
00:28:06,640 --> 00:28:08,640
look more deeply at the four parts

711
00:28:08,640 --> 00:28:11,120
inside of the PDF, okay, so we have a

712
00:28:11,120 --> 00:28:12,880
specific

713
00:28:12,880 --> 00:28:15,279
version header here,

714
00:28:15,279 --> 00:28:16,399
we have a

715
00:28:16,399 --> 00:28:18,640
inside of the body we have pages, images

716
00:28:18,640 --> 00:28:20,480
and fonts, like the shiny things inside

717
00:28:20,480 --> 00:28:23,200
of the PDF,

718
00:28:23,840 --> 00:28:25,760
in the cross-reference table we have the

719
00:28:25,760 --> 00:28:28,320
specific locations of the objects within

720
00:28:28,320 --> 00:28:31,200
the file, for random access, okay, it

721
00:28:31,200 --> 00:28:33,360
means that we have a specific

722
00:28:33,360 --> 00:28:37,600
structure of this PDF, just let me

723
00:28:37,600 --> 00:28:39,120
share with you here

724
00:28:39,120 --> 00:28:41,279
um

725
00:28:41,279 --> 00:28:43,919
this is my GitHub basically, so let me,

726
00:28:43,919 --> 00:28:46,399
let's go to the Didier

727
00:28:46,399 --> 00:28:47,919
here

728
00:28:47,919 --> 00:28:49,120
Stevens,

729
00:28:49,120 --> 00:28:52,240
okay, this is the guy, the researcher

730
00:28:52,240 --> 00:28:56,000
Didier Stevens, sorry, here's the blog,

731
00:28:56,000 --> 00:28:58,640
his blog, we can find a lot of information

732
00:28:58,640 --> 00:28:59,520
about

733
00:28:59,520 --> 00:29:02,320
PDF and other structures, I would like

734
00:29:02,320 --> 00:29:04,799
to share this specific picture, if

735
00:29:04,799 --> 00:29:07,360
not, okay, you can find it here, but I

736
00:29:07,360 --> 00:29:09,679
think it's easier, so here you can see

737
00:29:09,679 --> 00:29:12,480
PDF tools, it's

738
00:29:12,480 --> 00:29:14,320
a small one, but

739
00:29:14,320 --> 00:29:15,919
it's very nice

740
00:29:15,919 --> 00:29:19,200
tools that I'm using here in

741
00:29:19,200 --> 00:29:21,440
our conversation, here are the

742
00:29:21,440 --> 00:29:23,440
fundamental elements

743
00:29:23,440 --> 00:29:25,039
I think we can find here the information

744
00:29:25,039 --> 00:29:27,440
that I would like to share with you,

745
00:29:27,440 --> 00:29:30,159
elements, let's see if it is here,

746
00:29:30,159 --> 00:29:31,679
and I think yes,

747
00:29:31,679 --> 00:29:34,559
yes, it's here, so it's old, but the

748
00:29:34,559 --> 00:29:36,960
structure is the same, you see, so take a

749
00:29:36,960 --> 00:29:39,120
look at this, the header, so remember the

750
00:29:39,120 --> 00:29:41,360
magic number is the header, %PDF

751
00:29:41,360 --> 00:29:43,760
dash, so here is the

752
00:29:43,760 --> 00:29:46,320
old version that you can read,

753
00:29:46,320 --> 00:29:47,679
here are the

754
00:29:47,679 --> 00:29:49,679
different objects that you have

755
00:29:49,679 --> 00:29:52,640
inside of this specific PDF, and the

756
00:29:52,640 --> 00:29:54,720
cross-reference table, okay,

757
00:29:54,720 --> 00:29:56,480
four parts, and here is the most

758
00:29:56,480 --> 00:29:58,960
important, to see how the structure works

759
00:29:58,960 --> 00:30:01,520
in the PDF, take a look at this specific

760
00:30:01,520 --> 00:30:04,080
picture because it's important, so here

761
00:30:04,080 --> 00:30:07,120
is how PDF objects work, so we have

762
00:30:07,120 --> 00:30:09,600
here the root object, it's the main object,

763
00:30:09,600 --> 00:30:12,399
and you have two child objects, right,

764
00:30:12,399 --> 00:30:14,080
object two and object

765
00:30:14,080 --> 00:30:16,080
three, so if you see this picture, for

766
00:30:16,080 --> 00:30:18,960
example, those,

767
00:30:18,960 --> 00:30:22,640
these two objects are totally linked

768
00:30:22,640 --> 00:30:24,880
or referring to this specific object one,

769
00:30:24,880 --> 00:30:27,120
you see, like a tree, okay, and this

770
00:30:27,120 --> 00:30:30,080
specific object, object four, no, it's not

771
00:30:30,080 --> 00:30:32,159
related to this object, this references

772
00:30:32,159 --> 00:30:36,320
object two, but only references three, like

773
00:30:36,320 --> 00:30:39,919
object three, again, like a, and as

774
00:30:39,919 --> 00:30:43,600
a big tree, if you think about that, okay,

775
00:30:43,600 --> 00:30:44,880
so you see

776
00:30:44,880 --> 00:30:46,240
how this

777
00:30:46,240 --> 00:30:49,520
referencing, each object in another

778
00:30:49,520 --> 00:30:51,200
object, so this is very important, you

779
00:30:51,200 --> 00:30:53,679
understand why, because, for example, let

780
00:30:53,679 --> 00:30:57,039
me explain about the pdf

781
00:30:57,039 --> 00:31:01,039
id, in this case, it is one of

782
00:31:01,039 --> 00:31:03,279
these, because take a look at this, we have

783
00:31:03,279 --> 00:31:04,840
here

784
00:31:04,840 --> 00:31:07,039
44 objects,

785
00:31:07,039 --> 00:31:10,000
so let's check pdf at thor

786
00:31:10,000 --> 00:31:11,279
it's another

787
00:31:11,279 --> 00:31:13,840
how many objects, open,

788
00:31:13,840 --> 00:31:16,159
how many objects we have here,

789
00:31:16,159 --> 00:31:19,279
so in this case we have six, no, 16, we

790
00:31:19,279 --> 00:31:20,320
have

791
00:31:20,320 --> 00:31:25,760
18 objects, so remember this picture, so

792
00:31:25,760 --> 00:31:27,200
each object

793
00:31:27,200 --> 00:31:28,240
is

794
00:31:28,240 --> 00:31:32,320
connected to the root object and other

795
00:31:32,320 --> 00:31:34,320
child objects, remember that, it's very

796
00:31:34,320 --> 00:31:37,360
important you understand that, because

797
00:31:37,360 --> 00:31:41,039
depending on the specific PDF we have more

798
00:31:41,039 --> 00:31:43,519
than one object to analyze

799
00:31:43,519 --> 00:31:46,000
okay, so that's the point here of this

800
00:31:46,000 --> 00:31:49,279
specific structure, it's the location

801
00:31:49,279 --> 00:31:52,240
of the objects within the file, not only

802
00:31:52,240 --> 00:31:54,000
that, but you have specific

803
00:31:54,000 --> 00:31:55,279
streams,

804
00:31:55,279 --> 00:31:57,679
it's an important part, as you can see here,

805
00:31:57,679 --> 00:32:01,519
so we have here 16 streams to

806
00:32:01,519 --> 00:32:05,200
analyze, so if you see, for example, pdfid

807
00:32:05,200 --> 00:32:08,399
in view, I think we don't have any,

808
00:32:08,399 --> 00:32:09,600
uh

809
00:32:09,600 --> 00:32:12,799
in this case we have 8 streams,

810
00:32:12,799 --> 00:32:14,320
usually the streams are the part

811
00:32:14,320 --> 00:32:16,320
that attackers use to put

812
00:32:16,320 --> 00:32:18,720
something malicious inside of, so

813
00:32:18,720 --> 00:32:20,399
that's, oops,

814
00:32:20,399 --> 00:32:23,760
that's an important thing, interesting, okay,

815
00:32:23,760 --> 00:32:25,440
so, and the trailer basically is the

816
00:32:25,440 --> 00:32:28,080
location of certain objects within the

817
00:32:28,080 --> 00:32:30,399
body, okay, so you have a part of this

818
00:32:30,399 --> 00:32:32,880
object within the body, that's the shiny

819
00:32:32,880 --> 00:32:36,240
things like a font, an image, but usually

820
00:32:36,240 --> 00:32:40,559
you have some links like URLs, okay, so

821
00:32:40,559 --> 00:32:42,320
when you receive some PDF you click on

822
00:32:42,320 --> 00:32:44,799
this URL, you are redirected, this access to

823
00:32:44,799 --> 00:32:47,200
a specific web page, for example, it's

824
00:32:47,200 --> 00:32:49,760
part of the trailer information, okay, so

825
00:32:49,760 --> 00:32:52,240
let's go to the specific

826
00:32:52,240 --> 00:32:54,720
investigation that I made when I received

827
00:32:54,720 --> 00:32:56,799
a specific PDF, let's go through this

828
00:32:56,799 --> 00:32:58,880
step by step, so I received a specific

829
00:32:58,880 --> 00:33:01,760
object, and I received a CV,

830
00:33:01,760 --> 00:33:04,240
it's a, it's,

831
00:33:04,240 --> 00:33:07,039
you know, a resume actually, so it's very

832
00:33:07,039 --> 00:33:09,200
common for our recruiters,

833
00:33:09,200 --> 00:33:11,679
okay, so remember this is an

834
00:33:11,679 --> 00:33:13,600
important part, to identify if this

835
00:33:13,600 --> 00:33:17,039
object is a PDF or not, of course, just

836
00:33:17,039 --> 00:33:20,000
to show you that important binary

837
00:33:20,000 --> 00:33:21,840
part, remember,

838
00:33:21,840 --> 00:33:23,200
in the beginning of this conversation

839
00:33:23,200 --> 00:33:24,880
I explained how important it is that you

840
00:33:24,880 --> 00:33:27,120
understand these basics,

841
00:33:27,120 --> 00:33:29,279
again, probably you are a senior, if

842
00:33:29,279 --> 00:33:31,120
you are a senior or a specialist, you

843
00:33:31,120 --> 00:33:32,240
know about that, but if you are a

844
00:33:32,240 --> 00:33:34,320
beginner or

845
00:33:34,320 --> 00:33:36,960
starting your studies of malware

846
00:33:36,960 --> 00:33:38,559
analysis

847
00:33:38,559 --> 00:33:40,000
you need to understand those basics, this

848
00:33:40,000 --> 00:33:42,320
is very important, okay, so

849
00:33:42,320 --> 00:33:45,679
first of all I check with pdfid

850
00:33:45,679 --> 00:33:48,080
to see how many objects I have inside of

851
00:33:48,080 --> 00:33:51,120
this PDF, how many streams I could have,

852
00:33:51,120 --> 00:33:54,240
and some possible suspicious behavior,

853
00:33:54,240 --> 00:33:56,480
okay, so I have here

854
00:33:56,480 --> 00:33:59,919
15 objects, two streams, not only that but

855
00:33:59,919 --> 00:34:02,159
take a look at this, very interesting,

856
00:34:02,159 --> 00:34:04,559
five references to JavaScript, two in

857
00:34:04,559 --> 00:34:05,760
/JS,

858
00:34:05,760 --> 00:34:07,760
three in /JavaScript, and one /OpenAction,

859
00:34:07,760 --> 00:34:09,760
but we don't know what exactly the open

860
00:34:09,760 --> 00:34:12,000
action is, right, but we need to check this,

861
00:34:12,000 --> 00:34:14,719
okay, cool, so the second tool that I'm

862
00:34:14,719 --> 00:34:17,359
using here is pdf-parser, it's another

863
00:34:17,359 --> 00:34:20,800
tool from Didier Stevens, so we can use

864
00:34:20,800 --> 00:34:22,960
here the dash s

865
00:34:22,960 --> 00:34:25,440
to see possible

866
00:34:25,440 --> 00:34:27,040
specific information that you can find

867
00:34:27,040 --> 00:34:29,839
here, so I set dash

868
00:34:29,839 --> 00:34:32,639
s javascript to check, remember we have

869
00:34:32,639 --> 00:34:34,800
three references, so first of all in

870
00:34:34,800 --> 00:34:36,239
object one,

871
00:34:36,239 --> 00:34:39,040
the second reference, object seven, and

872
00:34:39,040 --> 00:34:42,079
the third object is object 12, remember, three

873
00:34:42,079 --> 00:34:46,239
JavaScript, and JS, remember, two references,

874
00:34:46,239 --> 00:34:47,040
so

875
00:34:47,040 --> 00:34:50,879
if you see here, object 12 and object one,

876
00:34:50,879 --> 00:34:54,399
the other two, so I'm using two

877
00:34:54,399 --> 00:34:57,440
different tools to check the same

878
00:34:57,440 --> 00:35:00,320
information, you see, so my idea here is

879
00:35:00,320 --> 00:35:03,520
to show you the same

880
00:35:03,520 --> 00:35:05,440
information in two different tools, to

881
00:35:05,440 --> 00:35:07,760
show how important it is to understand

882
00:35:07,760 --> 00:35:09,680
how the tools work and what kind of

883
00:35:09,680 --> 00:35:12,000
information you can find, the second

884
00:35:12,000 --> 00:35:14,480
flag or command that I'm using here,

885
00:35:14,480 --> 00:35:18,640
using pdf-parser, is dash,

886
00:35:18,640 --> 00:35:23,440
I think it's w, or, yeah, w is to

887
00:35:23,440 --> 00:35:26,000
find the raw output data, because

888
00:35:26,000 --> 00:35:27,760
my idea here is to look more deeply

889
00:35:27,760 --> 00:35:30,720
at the data, not only, but at the

890
00:35:30,720 --> 00:35:33,839
possible streams, right, or to

891
00:35:33,839 --> 00:35:36,640
see more information about that, to read

892
00:35:36,640 --> 00:35:39,520
our raw data, okay, first of all we have

893
00:35:39,520 --> 00:35:42,079
object one, and take a look at this

894
00:35:42,079 --> 00:35:44,320
interesting information, remember that, so

895
00:35:44,320 --> 00:35:45,760
object one is

896
00:35:45,760 --> 00:35:48,000
the root, and you have a reference to

897
00:35:48,000 --> 00:35:49,520
object two,

898
00:35:49,520 --> 00:35:52,880
three, four, five, six and seven, seven,

899
00:35:52,880 --> 00:35:56,480
remember this, not this but this

900
00:35:56,480 --> 00:35:59,599
picture, object one referring to

901
00:35:59,599 --> 00:36:01,040
seven

902
00:36:01,040 --> 00:36:02,160
until

903
00:36:02,160 --> 00:36:03,680
object,

904
00:36:03,680 --> 00:36:05,440
sorry, object two to object

905
00:36:05,440 --> 00:36:08,000
seven, exactly, that's correct, so remember

906
00:36:08,000 --> 00:36:10,800
this picture, object one, two, three, four,

907
00:36:10,800 --> 00:36:14,240
five, six, seven, seven objects totally

908
00:36:14,240 --> 00:36:16,720
referenced, or not referenced but

909
00:36:16,720 --> 00:36:19,680
linked to a specific object one as you

910
00:36:19,680 --> 00:36:23,599
can see here in this demo okay so

911
00:36:23,599 --> 00:36:24,880
because of that it's important to

912
00:36:24,880 --> 00:36:27,359
understand this flow

913
00:36:27,359 --> 00:36:29,440
sorry this flow about that sorry for my

914
00:36:29,440 --> 00:36:31,200
for this cough but because i had a

915
00:36:31,200 --> 00:36:33,599
cough a few weeks ago and i still

916
00:36:33,599 --> 00:36:35,680
have some problem a few weeks ago not in

917
00:36:35,680 --> 00:36:37,839
the last week actually and okay let's

918
00:36:37,839 --> 00:36:39,599
continue

919
00:36:39,599 --> 00:36:42,160
so if you see here all those objects so

920
00:36:42,160 --> 00:36:44,560
we need to analyze each object to see

921
00:36:44,560 --> 00:36:46,480
and take a look at this we have a

922
00:36:46,480 --> 00:36:49,280
specifically an open action

923
00:36:49,280 --> 00:36:51,920
linked with this specific javascript and

924
00:36:51,920 --> 00:36:53,760
here is not a javascript because we

925
00:36:53,760 --> 00:36:56,000
don't have any, we don't

926
00:36:56,000 --> 00:36:59,520
we don't use now the correct tools to

927
00:36:59,520 --> 00:37:01,200
look for this specific

928
00:37:01,200 --> 00:37:03,520
information and if you see here below

929
00:37:03,520 --> 00:37:06,160
take a look this we still have the

930
00:37:06,160 --> 00:37:08,160
information about open action but feel

931
00:37:08,160 --> 00:37:11,359
it what that means open action so let's

932
00:37:11,359 --> 00:37:13,760
check if i have this information here

933
00:37:13,760 --> 00:37:15,760
i think i don't have this information

934
00:37:15,760 --> 00:37:17,359
here

935
00:37:17,359 --> 00:37:20,240
yeah we don't have it here but

936
00:37:20,240 --> 00:37:21,760
i don't know

937
00:37:21,760 --> 00:37:24,320
if we have this information here

938
00:37:24,320 --> 00:37:25,760
i would like to share with you this

939
00:37:25,760 --> 00:37:28,320
information in more details let me check

940
00:37:28,320 --> 00:37:31,359
here if i have here this information

941
00:37:31,359 --> 00:37:34,560
or oh yeah i have here take a look this

942
00:37:34,560 --> 00:37:36,960
what that means okay

943
00:37:36,960 --> 00:37:39,200
nice oh a

944
00:37:39,200 --> 00:37:40,800
or open action

945
00:37:40,800 --> 00:37:44,000
indicates an automatic

946
00:37:44,000 --> 00:37:46,800
action to be performed when the page

947
00:37:46,800 --> 00:37:49,920
or document is viewed take a look at this

948
00:37:49,920 --> 00:37:52,000
important information

949
00:37:52,000 --> 00:37:54,960
so it indicates an automatic

950
00:37:54,960 --> 00:37:57,520
action to be performed when

951
00:37:57,520 --> 00:37:58,720
the page

952
00:37:58,720 --> 00:38:00,640
or document is viewed

953
00:38:00,640 --> 00:38:04,400
so now take a look at this the user or

954
00:38:04,400 --> 00:38:06,720
the recruiter or the talent acquisition

955
00:38:06,720 --> 00:38:10,320
person receives this resume or cv or

956
00:38:10,320 --> 00:38:12,400
or the people in the financial department

957
00:38:12,400 --> 00:38:15,119
receiving a specific invoice

958
00:38:15,119 --> 00:38:17,680
when they receive it by mail so they

959
00:38:17,680 --> 00:38:19,680
need to check this email they need to

960
00:38:19,680 --> 00:38:22,880
open this pdf so this is the action open

961
00:38:22,880 --> 00:38:25,760
the page view document right so this is

962
00:38:25,760 --> 00:38:28,560
the action the normal action view

963
00:38:28,560 --> 00:38:32,320
document but after that

964
00:38:33,520 --> 00:38:35,760
when you find this open action it means

965
00:38:35,760 --> 00:38:38,720
that an automatic action will be

966
00:38:38,720 --> 00:38:39,920
performed

967
00:38:39,920 --> 00:38:43,839
when this page is open okay

968
00:38:44,960 --> 00:38:47,359
so it means that

969
00:38:47,359 --> 00:38:48,400
something

970
00:38:48,400 --> 00:38:51,520
will happen after this view and the

971
00:38:51,520 --> 00:38:54,960
combination of the automatic action and

972
00:38:54,960 --> 00:38:59,839
javascript makes a pdf document very

973
00:38:59,839 --> 00:39:01,760
so what we have here

974
00:39:01,760 --> 00:39:04,480
an open action with a javascript

975
00:39:04,480 --> 00:39:05,839
linkage

976
00:39:05,839 --> 00:39:08,400
means it's suspicious, it's malicious

977
00:39:08,400 --> 00:39:11,280
probably right so if you are an analyst

978
00:39:11,280 --> 00:39:13,599
here so we can check this information we

979
00:39:13,599 --> 00:39:15,839
can agree with me that it is totally

980
00:39:15,839 --> 00:39:18,000
malicious but let's continue our

981
00:39:18,000 --> 00:39:21,040
investigation okay so now we know what

982
00:39:21,040 --> 00:39:23,200
that means the open action and we need

983
00:39:23,200 --> 00:39:26,880
to find where this

984
00:39:26,880 --> 00:39:28,720
javascript is so take a look at this other

985
00:39:28,720 --> 00:39:30,240
object

986
00:39:30,240 --> 00:39:31,599
take a look this

987
00:39:31,599 --> 00:39:34,240
font and resources, an image, and here other

988
00:39:34,240 --> 00:39:36,880
resources also reference object eight and

989
00:39:36,880 --> 00:39:39,119
nine remember the picture okay

990
00:39:39,119 --> 00:39:43,359
reference linked other objects so let me

991
00:39:43,359 --> 00:39:46,240
up here the video remember this image

992
00:39:46,240 --> 00:39:47,200
here

993
00:39:47,200 --> 00:39:49,520
okay it's not this image is yeah

994
00:39:49,520 --> 00:39:52,480
remember this image so object four

995
00:39:52,480 --> 00:39:55,440
linked with another object you see

996
00:39:55,440 --> 00:39:59,599
object 7 is referring object 10 you see

997
00:39:59,599 --> 00:40:02,720
the image so many children for the

998
00:40:02,720 --> 00:40:05,119
specific object you see how

999
00:40:05,119 --> 00:40:07,040
important you understand this

1000
00:40:07,040 --> 00:40:08,240
nice

1001
00:40:08,240 --> 00:40:11,359
so in this reference we have an object

1002
00:40:11,359 --> 00:40:13,440
inside of this object ten

1003
00:40:13,440 --> 00:40:15,599
we have a possible javascript so let's

1004
00:40:15,599 --> 00:40:18,000
go more deeply another information of

1005
00:40:18,000 --> 00:40:19,200
the body

1006
00:40:19,200 --> 00:40:21,599
other information about the body

1007
00:40:21,599 --> 00:40:25,079
so let's see

1008
00:40:25,599 --> 00:40:28,079
object 11 so remember we have 15

1009
00:40:28,079 --> 00:40:30,560
objects so inside of object 10

1010
00:40:30,560 --> 00:40:33,599
we have all the reference object 12 here

1011
00:40:33,599 --> 00:40:35,440
and here is the first

1012
00:40:35,440 --> 00:40:36,880
stream

1013
00:40:36,880 --> 00:40:39,680
contains a stream, not only that but we

1014
00:40:39,680 --> 00:40:42,160
have here the FlateDecode so it means

1015
00:40:42,160 --> 00:40:44,720
that we need to decode the content

1016
00:40:44,720 --> 00:40:46,880
inside of this stream and here as you

1017
00:40:46,880 --> 00:40:50,160
can see the length is 36

1018
00:40:50,160 --> 00:40:52,000
in this case it's not too big it's

1019
00:40:52,000 --> 00:40:54,160
small so maybe we don't have any

1020
00:40:54,160 --> 00:40:56,319
important information here but we have a

1021
00:40:56,319 --> 00:40:58,400
two streams here so we need to find

1022
00:40:58,400 --> 00:41:00,400
the other stream or what kind of

1023
00:41:00,400 --> 00:41:02,400
information we can find here so here we

1024
00:41:02,400 --> 00:41:06,160
have another object take a look at this in

1025
00:41:06,160 --> 00:41:08,720
object 11

1026
00:41:08,720 --> 00:41:11,119
it's referring to object

1027
00:41:11,119 --> 00:41:12,960
13 okay

1028
00:41:12,960 --> 00:41:15,920
inside of this object 13 we have what

1029
00:41:15,920 --> 00:41:17,920
we have a stream

1030
00:41:17,920 --> 00:41:20,960
so inside of this stream we have

1031
00:41:20,960 --> 00:41:23,200
what we have a javascript

1032
00:41:23,200 --> 00:41:25,760
so and as you can see here the length when

1033
00:41:25,760 --> 00:41:29,280
you compare to the other is too high

1034
00:41:29,280 --> 00:41:31,280
so it means that

1035
00:41:31,280 --> 00:41:34,240
the javascript, probably malicious, that we can

1036
00:41:34,240 --> 00:41:37,520
find here in this specific object so

1037
00:41:37,520 --> 00:41:39,520
this is

1038
00:41:39,520 --> 00:41:41,520
this should be our

1039
00:41:41,520 --> 00:41:44,640
main object to investigate okay so we

1040
00:41:44,640 --> 00:41:46,960
need to look more at that so let's

1041
00:41:46,960 --> 00:41:50,000
go to this specific object okay

1042
00:41:50,000 --> 00:41:52,480
so then another tool that i'm using here

1043
00:41:52,480 --> 00:41:55,839
it's pdftk what is pdftk it's a

1044
00:41:55,839 --> 00:41:59,280
handy tool for manipulating pdf okay

1045
00:41:59,280 --> 00:42:00,400
oh

1046
00:42:00,400 --> 00:42:04,160
it means you can use it to

1047
00:42:04,160 --> 00:42:06,079
you know create a pdf

1048
00:42:06,079 --> 00:42:10,240
merge different pdfs, collate pdfs

1049
00:42:10,240 --> 00:42:13,280
and compress streams and pages and then

1050
00:42:13,280 --> 00:42:16,400
compress or, hey, compress i mean

1051
00:42:16,400 --> 00:42:18,560
uncompress actually or recompress

1052
00:42:18,560 --> 00:42:20,720
remember i have a content here inside of

1053
00:42:20,720 --> 00:42:22,800
the stream so i need to uncompress this

1054
00:42:22,800 --> 00:42:25,599
information so that's my action here so

1055
00:42:25,599 --> 00:42:27,119
i have a pdf

1056
00:42:27,119 --> 00:42:28,400
tk

1057
00:42:28,400 --> 00:42:31,920
the file, set the output, or i will copy

1058
00:42:31,920 --> 00:42:34,160
the information i passed here in the

1059
00:42:34,160 --> 00:42:37,119
text and i will set the uncompress

1060
00:42:37,119 --> 00:42:39,200
activity because my idea is to look

1061
00:42:39,200 --> 00:42:42,240
for the simple information the content

1062
00:42:42,240 --> 00:42:45,119
inside of this specific

1063
00:42:45,119 --> 00:42:48,240
stream remember that in object 13 and

1064
00:42:48,240 --> 00:42:50,560
here is the information that is important

1065
00:42:50,560 --> 00:42:54,160
we find object 13 the length

1066
00:42:54,160 --> 00:42:56,400
we have a content this is the first

1067
00:42:56,400 --> 00:42:58,480
technique used by the attacker the

1068
00:42:58,480 --> 00:43:00,960
javascript obfuscated so here is the

1069
00:43:00,960 --> 00:43:03,200
javascript but this javascript is

1070
00:43:03,200 --> 00:43:05,680
obfuscated so you need to deobfuscate

1071
00:43:05,680 --> 00:43:07,680
this code basically is the second action

1072
00:43:07,680 --> 00:43:11,359
so remember we have pdf

1073
00:43:11,359 --> 00:43:14,079
this pdf has a javascript

1074
00:43:14,079 --> 00:43:16,079
inside those dots just javascript we

1075
00:43:16,079 --> 00:43:17,680
have and specifically

1076
00:43:17,680 --> 00:43:20,560
open action remember when the user

1077
00:43:20,560 --> 00:43:22,880
viewed this information

1078
00:43:22,880 --> 00:43:23,599
the

1079
00:43:23,599 --> 00:43:25,520
attacker will use a javascript and

1080
00:43:25,520 --> 00:43:27,520
here is the first technique used by the

1081
00:43:27,520 --> 00:43:30,800
attacker obfuscation technique using

1082
00:43:30,800 --> 00:43:32,640
this specific if you see here inside of

1083
00:43:32,640 --> 00:43:34,319
this parenthesis you can see

1084
00:43:34,319 --> 00:43:36,640
specifically standard number like

1085
00:43:36,640 --> 00:43:40,240
you see numbers and more uh

1086
00:43:40,240 --> 00:43:41,760
more um

1087
00:43:41,760 --> 00:43:44,000
more uh below or not below but if you

1088
00:43:44,000 --> 00:43:45,440
see here inside of the parenthesis as

1089
00:43:45,440 --> 00:43:46,640
you can see here

1090
00:43:46,640 --> 00:43:47,680
letters

1091
00:43:47,680 --> 00:43:49,680
numbers, other information as you can

1092
00:43:49,680 --> 00:43:50,960
see here so

1093
00:43:50,960 --> 00:43:53,440
kind of standard information so after

1094
00:43:53,440 --> 00:43:55,599
that i need to deobfuscate this code

1095
00:43:55,599 --> 00:43:57,920
remember so if they use obfuscation i

1096
00:43:57,920 --> 00:44:00,560
need to deobfuscate here so i find i

1097
00:44:00,560 --> 00:44:02,560
found here some specific eval

1098
00:44:02,560 --> 00:44:04,800
parameter and my idea here if i have a

1099
00:44:04,800 --> 00:44:06,800
javascript i will try to rewrite this

1100
00:44:06,800 --> 00:44:08,640
information using

1101
00:44:08,640 --> 00:44:11,119
html basically this is the idea here so

1102
00:44:11,119 --> 00:44:12,400
i i

1103
00:44:12,400 --> 00:44:14,160
using this specifically copy and paste

1104
00:44:14,160 --> 00:44:17,520
here to facilitate our gamble okay

1105
00:44:17,520 --> 00:44:18,960
so

1106
00:44:18,960 --> 00:44:21,520
i will copy here and i pass it here the

1107
00:44:21,520 --> 00:44:22,880
document right

1108
00:44:22,880 --> 00:44:24,720
so you see

1109
00:44:24,720 --> 00:44:26,880
i deobfuscated this javascript

1110
00:44:26,880 --> 00:44:28,560
as you can see here so this is the

1111
00:44:28,560 --> 00:44:30,800
second action so remember the attacker

1112
00:44:30,800 --> 00:44:33,280
using the obfuscation technique i will

1113
00:44:33,280 --> 00:44:36,079
deobfuscate this code and let's see now

1114
00:44:36,079 --> 00:44:38,000
what kind of information we can find

1115
00:44:38,000 --> 00:44:41,359
here inside of this specific code

1116
00:44:41,359 --> 00:44:44,640
so basically i will rewrite it in an

1117
00:44:44,640 --> 00:44:47,359
html file, i save it

1118
00:44:47,359 --> 00:44:48,880
and after that

1119
00:44:48,880 --> 00:44:52,240
i give the permission to execute itself

1120
00:44:52,240 --> 00:44:53,760
in the

1121
00:44:53,760 --> 00:44:55,599
in a web browser because my idea is to

1122
00:44:55,599 --> 00:44:58,319
open here in the web browser check what

1123
00:44:58,319 --> 00:45:00,560
kind of information we can find

1124
00:45:00,560 --> 00:45:03,119
here okay so i'm using firefox to

1125
00:45:03,119 --> 00:45:04,640
call

1126
00:45:04,640 --> 00:45:06,319
code is simple and let's see what

1127
00:45:06,319 --> 00:45:10,560
happens now take a look at this and

1128
00:45:12,720 --> 00:45:14,960
we have a payload you know what that

1129
00:45:14,960 --> 00:45:17,599
means so probably if you again probably

1130
00:45:17,599 --> 00:45:19,599
if you know no problem but the payload

1131
00:45:19,599 --> 00:45:22,079
is a part of code, it's a package

1132
00:45:22,079 --> 00:45:24,880
responsible to download or to disk just

1133
00:45:24,880 --> 00:45:26,880
you know download in the victim machine

1134
00:45:26,880 --> 00:45:28,079
actually

1135
00:45:28,079 --> 00:45:30,800
and this package is responsible to

1136
00:45:30,800 --> 00:45:33,359
execute the callback

1137
00:45:33,359 --> 00:45:37,040
to the c&c, command and control, to

1138
00:45:37,040 --> 00:45:40,880
make a response to the attacker okay so

1139
00:45:40,880 --> 00:45:42,319
remember

1140
00:45:42,319 --> 00:45:45,359
inside of this stream remember we

1141
00:45:45,359 --> 00:45:48,079
have a javascript obfuscated inside of

1142
00:45:48,079 --> 00:45:50,880
the javascript we have a payload

1143
00:45:50,880 --> 00:45:53,760
this payload basically is the package

1144
00:45:53,760 --> 00:45:57,200
that will exploit the victim machine and

1145
00:45:57,200 --> 00:45:59,440
after that what i'm using here i will

1146
00:45:59,440 --> 00:46:00,400
see the

1147
00:46:00,400 --> 00:46:01,440
standard

1148
00:46:01,440 --> 00:46:03,920
you know letters and percent i will copy

1149
00:46:03,920 --> 00:46:06,160
and paste here and i put in here in a

1150
00:46:06,160 --> 00:46:10,079
specifically file and my idea here is to

1151
00:46:10,079 --> 00:46:13,200
try to find specific information

1152
00:46:13,200 --> 00:46:15,760
using sed to cut this information

1153
00:46:15,760 --> 00:46:19,839
because here we have now a pure

1154
00:46:19,839 --> 00:46:21,839
pure

1155
00:46:21,839 --> 00:46:22,880
code

1156
00:46:22,880 --> 00:46:24,720
used by the attacker, the attacker is using

1157
00:46:24,720 --> 00:46:25,760
specific

1158
00:46:25,760 --> 00:46:27,119
unicode

1159
00:46:27,119 --> 00:46:28,400
technique

1160
00:46:28,400 --> 00:46:29,200
to

1161
00:46:29,200 --> 00:46:32,240
encode information here so and not only

1162
00:46:32,240 --> 00:46:34,640
that but i'm using here a unix platform

1163
00:46:34,640 --> 00:46:37,760
but i'm using here windows too because i

1164
00:46:37,760 --> 00:46:40,079
would like to show you a different

1165
00:46:40,079 --> 00:46:42,240
approach not only in unix but using

1166
00:46:42,240 --> 00:46:45,280
linux so here's the same malware the

1167
00:46:45,280 --> 00:46:47,280
same artifact as you can see here take a

1168
00:46:47,280 --> 00:46:49,280
look at this the javascript obfuscated

1169
00:46:49,280 --> 00:46:51,680
and i'm using here another platform in

1170
00:46:51,680 --> 00:46:53,680
using a windows

1171
00:46:53,680 --> 00:46:55,440
platform to show you the difference

1172
00:46:55,440 --> 00:46:57,200
okay so

1173
00:46:57,200 --> 00:47:00,000
here is the real payload remember

1174
00:47:00,000 --> 00:47:01,839
have you cop

1175
00:47:01,839 --> 00:47:04,640
and i used sed when i was using the

1176
00:47:04,640 --> 00:47:06,880
linux platform but here you're using

1177
00:47:06,880 --> 00:47:10,160
mouse dealer okay so when you up here

1178
00:47:10,160 --> 00:47:12,560
and i will pass and i will share with

1179
00:47:12,560 --> 00:47:15,280
you here what kind of technique using by

1180
00:47:15,280 --> 00:47:17,599
the attacker remember i mentioned about

1181
00:47:17,599 --> 00:47:20,160
the specifically encode technique used

1182
00:47:20,160 --> 00:47:22,160
by the attacker because remember we have

1183
00:47:22,160 --> 00:47:24,000
a payload and the attacker using a

1184
00:47:24,000 --> 00:47:27,040
specific unicode encoding technique

1185
00:47:27,040 --> 00:47:29,520
to encode this content inside of this

1186
00:47:29,520 --> 00:47:33,359
payload and this encoding this

1187
00:47:33,359 --> 00:47:35,920
technique used by the attacker is used

1188
00:47:35,920 --> 00:47:36,720
by

1189
00:47:36,720 --> 00:47:38,640
ucs

1190
00:47:38,640 --> 00:47:41,920
okay it's not too it's not new it's old

1191
00:47:41,920 --> 00:47:44,520
now the evolution actually we have a new

1192
00:47:44,520 --> 00:47:47,760
utf-16, utf-32 and so on and so

1193
00:47:47,760 --> 00:47:51,400
on but before that we had

1194
00:47:51,400 --> 00:47:54,880
ucs2 it's old okay so

1195
00:47:54,880 --> 00:47:58,480
i'm using here ucs2 to generate here so i

1196
00:47:58,480 --> 00:48:00,400
will basically to

1197
00:48:00,400 --> 00:48:03,359
decode this information to generate

1198
00:48:03,359 --> 00:48:05,839
hexadecimal information as you can see

1199
00:48:05,839 --> 00:48:08,400
here and now i have a hexadecimal

1200
00:48:08,400 --> 00:48:11,520
file okay so after that i generate

1201
00:48:11,520 --> 00:48:14,800
this hexadecimal file into a binary why

1202
00:48:14,800 --> 00:48:17,040
i do that because remember this not

1203
00:48:17,040 --> 00:48:19,520
remember but usually most of our

1204
00:48:19,520 --> 00:48:22,480
malware, more than 90 percent, is

1205
00:48:22,480 --> 00:48:25,359
for the windows platform so i generate

1206
00:48:25,359 --> 00:48:27,200
this specific binary to execute

1207
00:48:27,200 --> 00:48:29,839
itself inside of the windows machine and

1208
00:48:29,839 --> 00:48:32,839
after that i call i use ensure

1209
00:48:32,839 --> 00:48:34,400
to

1210
00:48:34,400 --> 00:48:37,920
search for a possible http protocol

1211
00:48:37,920 --> 00:48:40,160
inside of this binary to see if this

1212
00:48:40,160 --> 00:48:43,040
binary will cause something and take a

1213
00:48:43,040 --> 00:48:46,160
look what i found here i found the

1214
00:48:46,160 --> 00:48:48,400
command and control from the

1215
00:48:48,400 --> 00:48:51,680
attacker so now we have the c&c of the

1216
00:48:51,680 --> 00:48:54,720
attacker remember about the payload

1217
00:48:54,720 --> 00:48:58,880
yes the payload will be

1218
00:48:58,880 --> 00:49:00,319
a callback

1219
00:49:00,319 --> 00:49:01,359
or

1220
00:49:01,359 --> 00:49:03,440
this specific

1221
00:49:03,440 --> 00:49:07,440
c&c you see how interesting it is so if you

1222
00:49:07,440 --> 00:49:09,440
paste here the

1223
00:49:09,440 --> 00:49:12,800
ip address you see this ip address is

1224
00:49:12,800 --> 00:49:16,880
from estonia europe okay so here as you

1225
00:49:16,880 --> 00:49:21,599
can see this is the information we found

1226
00:49:21,599 --> 00:49:24,160
in this specific file so let me just to

1227
00:49:24,160 --> 00:49:26,720
finalize this information so if you see

1228
00:49:26,720 --> 00:49:29,760
here so many urls related to the

1229
00:49:29,760 --> 00:49:32,800
specifically attack and if you see here

1230
00:49:32,800 --> 00:49:35,680
so they have many victim machines

1231
00:49:35,680 --> 00:49:38,400
exploited by this specific attack

1232
00:49:38,400 --> 00:49:40,079
using a malicious pdf

1233
00:49:40,079 --> 00:49:43,920
okay so just to summarize this

1234
00:49:43,920 --> 00:49:46,079
uh demo

1235
00:49:46,079 --> 00:49:48,960
actually remember the user received this

1236
00:49:48,960 --> 00:49:50,079
pdf

1237
00:49:50,079 --> 00:49:53,200
this pdf has a specific javascript

1238
00:49:53,200 --> 00:49:54,559
inside of that

1239
00:49:54,559 --> 00:49:56,400
this pdf

1240
00:49:56,400 --> 00:49:57,359
is

1241
00:49:57,359 --> 00:49:59,440
or was in this case

1242
00:49:59,440 --> 00:50:00,319
uh

1243
00:50:00,319 --> 00:50:02,000
obfuscated

1244
00:50:02,000 --> 00:50:04,240
or javascript obfuscated

1245
00:50:04,240 --> 00:50:05,920
inside of this javascript remember this

1246
00:50:05,920 --> 00:50:07,200
javascript

1247
00:50:07,200 --> 00:50:08,880
is in a

1248
00:50:08,880 --> 00:50:11,920
stream, this content is inside of

1249
00:50:11,920 --> 00:50:13,920
this stream

1250
00:50:13,920 --> 00:50:15,920
and we deobfuscated this

1251
00:50:15,920 --> 00:50:18,079
information inside of that the attacker

1252
00:50:18,079 --> 00:50:19,920
using a specific

1253
00:50:19,920 --> 00:50:22,720
encoding techniques actually inside of

1254
00:50:22,720 --> 00:50:24,400
the javascript we have a payload

1255
00:50:24,400 --> 00:50:26,480
remember the payload is a package

1256
00:50:26,480 --> 00:50:28,880
responsible for this callback

1257
00:50:28,880 --> 00:50:30,640
this information actually this

1258
00:50:30,640 --> 00:50:32,960
information you know so the victim

1259
00:50:32,960 --> 00:50:36,960
machine to the attacker remember that

1260
00:50:38,720 --> 00:50:41,040
inside of this payload we have another

1261
00:50:41,040 --> 00:50:42,640
technique used by the attacker this

1262
00:50:42,640 --> 00:50:48,319
encoding technique using ucs2

1263
00:50:48,319 --> 00:50:50,720
and inside of that

1264
00:50:50,720 --> 00:50:53,520
we have a c&c responsible for this

1265
00:50:53,520 --> 00:50:56,720
exploitation okay

1266
00:50:57,440 --> 00:51:00,800
so here i can suggest you some books

1267
00:51:00,800 --> 00:51:02,960
if you would like to read and study more

1268
00:51:02,960 --> 00:51:05,359
about this area so here are four books

1269
00:51:05,359 --> 00:51:07,359
that i can recommend, right, about the

1270
00:51:07,359 --> 00:51:10,000
malware analysis, malware analysis techniques,

1271
00:51:10,000 --> 00:51:12,800
threat hunting with the elastic stack and

1272
00:51:12,800 --> 00:51:15,359
practical threat intelligence and data

1273
00:51:15,359 --> 00:51:18,480
driven threat hunting so four very nice

1274
00:51:18,480 --> 00:51:20,640
books that i can recommend you if you

1275
00:51:20,640 --> 00:51:22,960
would like to read and study more

1276
00:51:22,960 --> 00:51:26,240
about that and that's it so i

1277
00:51:26,240 --> 00:51:28,640
finished my presentation here i hope

1278
00:51:28,640 --> 00:51:31,200
that i can help you during this journey

1279
00:51:31,200 --> 00:51:33,520
in our conversation so if you have any

1280
00:51:33,520 --> 00:51:36,880
question so please let me know and see

1281
00:51:36,880 --> 00:51:39,920
you in the next


