if you're at all open to content suggestions - and perhaps this is a request that can only be made by someone ignorant, but hey i'm gonna shoot... would love to understand the meta-process a bit more, like your mental decision-tree on how you go about analyzing. i'm sure it's most likely intuitive, and "one clue leads to the next", but for a n00b such as I having some scaffolding or "roadmap" will give me some confidence to go ahead and attempt a sample on my own. just something i can peek back to in case i feel stuck. i'm sure, if i follow along with these it would eventually be inferred organically, but hey if this idea seems at all cool to you i think it could also help the process for myself, and many other wanna-be's. thanks for sharing your epic knowledge dude.
I kinda thought that I was sharing my thought process along the way to be honest 😅
When you're analysing you really need to pick a question and try to answer that question, otherwise you'll quickly find time being eaten up if the question is 'let's understand this binary and what it does 100%'.
For me the mental decisions usually begin with 'what may be the capability of this executable?' and then from there it guides how I'll go about analysing the sample. A lot of the time dynamic analysis is a good starting point to help guide where you want your analysis to go, but also what imported APIs are there, and if there are imported APIs, how can they be used by malware?
@cyberraiju bruh, sorry man yeah you do an amazing job articulating your train of thought. thanks for the response btw.
(asking as a white belt): assuming by "what imported APIs are there" you mean for example looking at the IAT to get a sense of Windows/native API functions being called?
if you don't mind entertaining a follow-up to that: what if they're using custom functions? for example i just did the AES module on maldev and they discussed the option of using either bcrypt (ie windows API) or tinyAES (custom).
- is there a way to reliably get a sense of custom functions, and follow-up to learn more about them (since I'm assuming I won't find them in MS Docs)?
- how big of a deal are custom functions, or will most malware mostly rely on the windows API most of the time?
i did find it striking here in this video that a big chunk was really "deciphering" the scripts. almost like needing to find the starting thread and then just piece by piece unravel it until it made sense.
aight keep well and thanks for sharing.
Yeah, looking at the IAT to get a sense of potential capability as a starting point, and the absence of imports can also be indicative of other things such as packing being used. That being said there are other ways too. You mention AES encryption being used, which leads to sections with high entropy which can be found using other tools and point to likely encoding or encryption functions. Custom functions often rely on some imported Windows APIs still, but where they don't they can still be seen using disassemblers and decompilers.
So it's sort of picking a starting point based on the context you have and really an exploratory process to find where you want to focus your efforts in analysis to answer any questions you may have about the malware.
Thanks for the kind words 🙂. There are a large number of loaders which just use scripts to invoke commodity malware into memory, and a larger audience base seems to find running through obfuscated scripts more fun and interesting than reading the assembly in a binary.
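An added example of the static triage the reply above describes (not code from the video or its author): per-section Shannon entropy to flag likely encrypted or packed data, a sparse import table as a packing hint, and imported API names mapped to the capability they could give malware. The section bytes, the import list and the capability map are constructed assumptions, not taken from any real sample.

```python
import math
from collections import Counter

# Constructed sample input (not from a real binary): section name -> raw bytes.
# ".text" holds readable code-like bytes; ".rsrc" holds bytes spread evenly
# over all 256 values, which is what AES output or a packed payload looks like.
SECTIONS = {
    ".text": b"mov eax, ebx; call GetProcAddress; ret " * 64,
    ".rsrc": bytes(range(256)) * 16,
}

# Constructed import list; the names are real Windows APIs, the selection is ours.
IMPORTS = ["VirtualAlloc", "VirtualProtect", "CreateRemoteThread",
           "WriteProcessMemory", "InternetOpenA", "BCryptEncrypt"]

# Assumed capability map: imported API -> what malware could use it for.
CAPABILITY_HINTS = {
    "VirtualAlloc": "memory allocation (shellcode staging)",
    "VirtualProtect": "making memory executable",
    "WriteProcessMemory": "process injection",
    "CreateRemoteThread": "process injection",
    "InternetOpenA": "network / download",
    "BCryptEncrypt": "encryption via Windows CNG",
}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform data."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def triage(sections, imports, entropy_threshold=7.0, min_imports=5):
    """Return (high-entropy section names, capability hints, packing suspected)."""
    # Sections near 8 bits/byte are where encrypted config or packed code usually sits.
    hot = [name for name, data in sections.items()
           if shannon_entropy(data) >= entropy_threshold]
    hints = sorted({CAPABILITY_HINTS[i] for i in imports if i in CAPABILITY_HINTS})
    # A near-empty IAT is the classic sign that a packer resolves APIs at runtime.
    packed = len(imports) < min_imports
    return hot, hints, packed

if __name__ == "__main__":
    hot, hints, packed = triage(SECTIONS, IMPORTS)
    print("high-entropy sections:", hot, "| packing suspected:", packed)
    print("possible capabilities:", hints)
```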
These analysis walkthroughs are awesome Jai! Keep it up!
Thank you! I'll try 😁. They take a fair amount of work so I'm glad they're providing value to others
Amazing explanation. Thank you for sharing your knowledge and experience with the community. Learned a lot from this single video. ♥
Awesome dude!
Really clear and just enough explanations to make me feel like I know what you are doing 😂.
Keep up the good work!
excellent work sir.
nice one mate
Amazing!
Thanks! 🙏
custom meme game on point bruh
thanks for this sharesssssssssssssssss
My pleasure!
first, hehe
Another 20 internet points for you! Spend them as you see fit! 🎇🎆
@cyberraiju don't be hilarious 😂. at least I write comments to support the channel 😄. (or comments shorter than 4 words or smth don't count? oh...)