Hello, my YouTube friends,
Digiboy16 is back :D
on their ethical hacking and cyber-security channel, every weekend:
Cyber-Security Environment.
Today we have a super special chapter:
today we have the 100 subscribers special
in Cyber-Security Environment.
Today we have a super interesting Trojan called Adylkuzz.
We are going to do a malware test
and a packet analysis.
And let's get started!
First, we have a website
where we can see all the information related to this Trojan, Adylkuzz.
We can see a preview of the information:
we can see some commands, the payload,
the CnC,
etc., etc.,
the technical part
about the Trojan.
But obviously I am going to explain how we can interact with it.
Now, let's get started :D
The first step: we have a virtual machine
running Windows 7 Starter.
It will be our test machine.
It has no internet connection.
And let's go execute the malware.
Song time (don't forget to subscribe)
It comes in .bin format to keep it protected.
I'll change it to .exe to execute the malware.
Now let's execute it.
But before executing, let's open two tools.
Before starting:
Come on, let's execute Process Hacker.
We leave Process Hacker running alone,
and let's go open another, last tool
called Process Monitor.
Here we have Process Monitor.
We leave Process Monitor running.
Now let's go execute the malware.
As you can see, the malware is being executed. Look there.
Look at taskkill.exe;
the CMD console ran the command.
It continues executing itself,
executing some processes.
Look here.
And it continues executing itself:
netsh.exe,
to run commands on the network.
This malware is very interesting because
the objective is to encrypt all financial transactions and everything related to financial movements on your machine,
and obviously encrypting with a cryptominer connected to a command and control (CnC).
And the malware is executed correctly.
Let's go to Process Monitor.
Let's make a little filter
about what the malware has done:
a service was created by the malware;
about what the malware did at the moment of execution;
all the processes that it executed;
some processes that are going to carry out the main function of the malware
and are still running.
Let's make a little filter.
We select, in the Process Monitor filter,
we select Operation,
because all that changes is the operation,
since the process can change,
the timestamp can change too,
the path can change,
and the details about the command can change too,
but the most important in this case is the Operation.
We select Operation
and here we select Process Create
(created process)
to have this filter.
We click the Add button,
Apply and OK :D
Let's open the timestamp,
the process name, the process ID (PID),
the operation, which was the filter I made,
the path of the file
that performed the action,
and the result.
We can see
that at the moment the malware was executed,
as you can see here,
look at the malware and the name,
with explorer.exe,
on the Desktop, the execution place.
Look here:
the result was SUCCESS.
Look there, the time follows a sequence: 11:15,
11:16,
and so on.
We can see the malware.
Look here at the process name,
the malware;
it executes a command with taskkill
against Hdmanager.exe.
That's the hardware manager.
Also we can see
other commands like taskkill, look here,
another command killing with a force tag,
the hardware manager
with the /f tag.
Look, also the malware is trying to kill MMC.exe
and some files in the system32 folder,
and some other commands, as you can see here.
Another interesting part is
that it creates some policies in the firewall
with netsh:
an IPsec policy,
IPsec
static add policy,
netbc,
and other commands that it executes to connect directly with the command and control (CnC)
to receive the payload and the actions that it is going to carry out.
As you can see, look at this, it is very interesting:
a filter to block /32 masks with destination port 445,
with the SMB protocol; that's the port that the WannaCry ransomware exploits with the EternalBlue vulnerability.
We can also watch other firewall rules
about IPsec,
and other ones killing the hardware manager
with force, with the /f tag.
Look at another rule
for Google Chrome,
the firewall.
And another one, and........
Let's go to the next step.
Let's go to Wireshark.
Let's see the packets generated during the process execution.
That's the packet capture taken during the whole process.
Let's open it :D
We can watch all the packets involved in the malware execution.
If, for example, we make an HTTP stream
or a little filter,
those are the HTTP packets involved in the malware execution.
Let's make a TCP stream.
We can watch
that it connects to a host.
Look here:
08.super5566.com.
Look at the HTTP response code: 200 OK.
If we see, for example,
the DNS,
the queries made,
look at the query, which was an A record,
indicating an IPv4 address.
Here is the website again.
Look at the A record:
aa1.super5566.com.
Look at the public IP address that this host points to.
That's another page it tries to connect to.
The query
to this website, crypto-pool
.fr,
indicating it is from France.
Look at the IP address, about the same,
a public IP address.
And it connects to different sites, to different command and control (CnC) servers,
and receives different actions.
If, for example, we make a little filter
with, for example, HTTP,
we have a preview:
http.request.method == GET
And we apply the filter.
We can watch where it wants to connect directly:
it tried to get some files like 86.exe,
87.lua,
445.exe.
Those are files that it requests from the command and control (CnC);
it is requesting to receive them.
That's part of the payload.
In case we want to get those files,
we click File,
Export Objects,
HTTP.
We can watch the files:
.txt files,
087.lua, 445.exe.
We can store them on our machine,
check the checksum of those files and analyze them.
And that's it.
That's everything for today.
See you next weekend.
Bye bye!
If you liked the video, give a like.
JUST SUBSCRIBE!!!
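The Process Monitor triage done by hand in the video (filter Operation to Process Create, then read off the taskkill /f and netsh ipsec command lines) can be scripted over a Procmon CSV export. This is an added example, not code from the video or its author; the CSV rows, file names, PIDs and the exact netsh filter arguments are constructed for illustration.

```python
"""Triage a Process Monitor CSV export for the process-creation behaviours
shown in the video: taskkill /f against other processes and netsh ipsec
policy/filter changes such as blocking destination port 445 (SMB)."""
import csv
import io
import re

# Constructed sample export in Procmon's CSV column order; the child command
# line lives in the Detail column. Names, PIDs and times are made up.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"11:15:02.1","explorer.exe","1204","Process Create","C:\\Users\\test\\Desktop\\sample.exe","SUCCESS","PID: 2612, Command line: C:\\Users\\test\\Desktop\\sample.exe"
"11:15:03.4","sample.exe","2612","Process Create","C:\\Windows\\System32\\cmd.exe","SUCCESS","PID: 2640, Command line: cmd /c taskkill /f /im hdmanager.exe"
"11:15:03.9","sample.exe","2612","Process Create","C:\\Windows\\System32\\cmd.exe","SUCCESS","PID: 2648, Command line: cmd /c taskkill /f /im mmc.exe"
"11:15:04.2","sample.exe","2612","Process Create","C:\\Windows\\System32\\netsh.exe","SUCCESS","PID: 2656, Command line: netsh ipsec static add policy name=netbc"
"11:15:04.5","sample.exe","2612","Process Create","C:\\Windows\\System32\\netsh.exe","SUCCESS","PID: 2664, Command line: netsh ipsec static add filterlist name=block"
"11:15:04.7","sample.exe","2612","Process Create","C:\\Windows\\System32\\netsh.exe","SUCCESS","PID: 2672, Command line: netsh ipsec static add filter filterlist=block any srcmask=32 srcport=0 dstaddr=me dstport=445 protocol=tcp description=block445"
"11:15:05.0","sample.exe","2612","RegOpenKey","HKLM\\System\\CurrentControlSet\\Services","SUCCESS",""
"11:15:06.3","explorer.exe","1204","Process Create","C:\\Windows\\notepad.exe","SUCCESS","PID: 2700, Command line: notepad.exe"
"""

# One regex per behaviour the video points at in the Process Create view
RULES = {
    "taskkill_force": re.compile(r"\btaskkill\b.*\s/f\b", re.I),
    "ipsec_static_add": re.compile(r"\bnetsh\s+ipsec\s+static\s+add\b", re.I),
    "block_dst_445": re.compile(r"\bnetsh\b.*\bdstport=445\b", re.I),
}

def command_line(detail):
    """Pull the child command line out of Procmon's Detail column."""
    m = re.search(r"Command line:\s*(.*)$", detail)
    return m.group(1).strip() if m else ""

def triage(csv_text):
    """Apply the GUI filter (Operation is Process Create) and tag matches."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "Process Create":
            continue
        cmd = command_line(row["Detail"])
        for name, rx in RULES.items():
            if rx.search(cmd):
                findings.append({"time": row["Time of Day"], "parent": row["Process Name"],
                                 "parent_pid": row["PID"], "rule": name, "cmdline": cmd})
    return findings

def summarize(findings):
    """Count hits per rule, grouped by the parent process that spawned them."""
    out = {}
    for f in findings:
        out.setdefault(f["parent"], {}).setdefault(f["rule"], 0)
        out[f["parent"]][f["rule"]] += 1
    return out

if __name__ == "__main__":
    for f in triage(SAMPLE_CSV):
        print(f["time"], f["parent"], f["rule"], "->", f["cmdline"])
```

The 445 filter row is tagged twice (ipsec_static_add and block_dst_445), which is intended: the per-rule counts in summarize() then show both the generic policy tampering and the specific SMB block.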