#2 How To Analyse a Malicious Word Document

  • Published 15 Jan 2025

COMMENTS • 47

  • @migry
    @migry 9 months ago +1

    Found your channel after searching for Ghidra, but decided to watch from your first video. This one was very interesting!

  • @vikalpdutttripathi
    @vikalpdutttripathi 3 years ago +2

    Haven't found any better video than this on Malware Analysis. Keep up the good work mate👍

    • @0xf0x
      @0xf0x 3 years ago +1

      Thanks mate really appreciate it, always great to hear people get something out of these

  • @sulthansk6444
    @sulthansk6444 4 years ago +1

    I was unaware of (inetsim & fakedns).
    Now I understand the complete concept through your video.
    Thanks for the video...

    • @0xf0x
      @0xf0x 4 years ago +1

      That’s awesome to hear, thanks for the feedback 👍

    • @sulthansk6444
      @sulthansk6444 4 years ago

      @@0xf0x Please post more videos on malware...

  • @michaelk8642
    @michaelk8642 3 years ago +1

    Very informative video. Curious about the types of tools used to study malware, and you explained and gave examples very well. Thanks.

    • @0xf0x
      @0xf0x 3 years ago

      No probs, always great to hear the videos are well received and useful

  • @one_shot_phill2368
    @one_shot_phill2368 4 years ago +1

    Brilliant video, you’ve got me hooked!

  • @aijaz5830
    @aijaz5830 4 years ago +1

    Man, this was such an amazing video. Keep posting such quality content.

    • @0xf0x
      @0xf0x 4 years ago

      Glad to hear it, thanks for watching 👍

  • @SquareZeroGaming
    @SquareZeroGaming 2 years ago

    Amazing Content!!

  • @derrickshaffer7206
    @derrickshaffer7206 3 years ago +1

    How do you get the suspicious file into your lab safely? If you're in host-only mode you can't transfer it from a web source. I assume you want to keep the VM isolated from the host so you can't copy via drag and drop. So what method do you recommend using for transferring those files into your lab?

    • @0xf0x
      @0xf0x 3 years ago +1

      Zip and password protect any malicious files; you can then safely transfer them to your lab. I use drag and drop. If you want to download from a web source such as app.any.run, then switch the VM to NAT mode so it has an internet connection and switch back to host-only mode when done.

  • @张逸凡-l7h
    @张逸凡-l7h 2 years ago

    Excellent work! Possible to share your configuration of inetsim.conf please? I failed all the time and want to compare. Thanks!

  • @Amm9
    @Amm9 3 years ago +1

    Great video! Just subscribed.

  • @surajsawant6469
    @surajsawant6469 4 years ago +1

    Well elaborated, but I didn't get how you jumped to powershell.exe (13:25) when it was not really a child process of the Word document process. Please explain if possible.

    • @0xf0x
      @0xf0x 4 years ago +3

      Great question. Any processes such as cmd.exe and powershell.exe that can be used to execute code will always be of interest in this type of scenario. I knew I hadn't launched PowerShell, so based on that I knew the document must have launched it to do something malicious.

    • @surajsawant6469
      @surajsawant6469 4 years ago +2

      @@0xf0x Ohh... thanks a lot for the quick response and clarification. Will wait for upcoming vids. :) Keep it up.

    • @sagibersodsky731
      @sagibersodsky731 4 years ago +2

      Hello, I did a debug of such files. It seems that the macro uses Win32_ProcessStartup and Win32_Process; those are classes that can be used for running PowerShell through WmiPrvSE.exe. It is very well documented here - www.bromium.com/wp-content/uploads/2019/07/Bromium-Emotet-Technical-Analysis-Report.pdf. HAVE FUN :)
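      The two replies above explain why powershell.exe did not appear under WINWORD.EXE in the ProcMon tree: a macro that calls Win32_Process.Create gets its child parented by WmiPrvSE.exe. The following is an added example (not code from the video or from any commenter) of how a defender can still catch that case from process-creation events; the event list, PIDs and image names are constructed for illustration.

```python
# Added example: flag script-host launches that a parent/child tree would miss.
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image")

# Constructed sample of process-creation events (pid, parent pid, image);
# the PIDs are invented, not taken from the video.
SAMPLE_EVENTS = [
    Proc(4, 0, "System"),
    Proc(700, 4, "services.exe"),
    Proc(900, 700, "svchost.exe"),        # hosts the WMI service
    Proc(1200, 900, "WmiPrvSE.exe"),      # WMI provider host
    Proc(3100, 2400, "explorer.exe"),
    Proc(3500, 3100, "WINWORD.EXE"),      # the opened document
    Proc(4100, 1200, "powershell.exe"),   # created via Win32_Process, so not a WINWORD child
    Proc(4300, 3100, "notepad.exe"),
]

SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}

def ancestry(events, pid):
    """Return the chain of image names from pid up to the root of the tree."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain

def suspicious_launches(events):
    """Return (image, reason) for script hosts that either descend from an
    Office process or are parented by WmiPrvSE.exe while Office is running."""
    office_running = any(e.image in OFFICE for e in events)
    findings = []
    for e in events:
        if e.image.lower() not in SCRIPT_HOSTS:
            continue
        chain = ancestry(events, e.ppid)
        if any(img in OFFICE for img in chain):
            findings.append((e.image, "descendant of Office process"))
        elif chain and chain[0].lower() == "wmiprvse.exe" and office_running:
            findings.append((e.image, "spawned by WmiPrvSE.exe while Office open"))
    return findings

if __name__ == "__main__":
    for image, reason in suspicious_launches(SAMPLE_EVENTS):
        print(f"{image}: {reason}")
```

The WmiPrvSE.exe rule is the one that matters for this sample: the ancestry of powershell.exe never reaches WINWORD.EXE, so only correlating it with an open Office process surfaces it.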

  • @mustafahussien4410
    @mustafahussien4410 4 years ago +1

    Perfect, well done

  • @azoz8608
    @azoz8608 4 years ago +1

    Very good explanation. Keep it up :)

    • @0xf0x
      @0xf0x 4 years ago

      Thanks!

  • @nitinmaurya6835
    @nitinmaurya6835 3 years ago

    Hey, hi, thanks for the great video tutorial. I am starting with your playlist. Just got stuck at the Process Monitor step. How did you find out that PowerShell is running in this particular svchost.exe?

    • @0xf0x
      @0xf0x 3 years ago

      Hey, I saw PowerShell in the process tree in ProcMon. As I hadn't launched PowerShell and know it can be used for RCE, I knew it was going to be something that the Word document had launched 👍

  • @ahmetpayasloglu7134
    @ahmetpayasloglu7134 3 years ago

    When your network setting is host-only, how did you download this malware sample? Thank you.

    • @0xf0x
      @0xf0x 3 years ago +1

      Switch to NAT from host-only mode. In video #1 I keep two snapshots saved of my VM, one in host-only and one in NAT mode.

    • @ahmetpayasloglu7134
      @ahmetpayasloglu7134 3 years ago

      @@0xf0x Thank you for the answer.

  • @venkateshs3411
    @venkateshs3411 4 years ago

    Hey, I don't understand one thing: how did you get the 200 response since you are host-only? Since you are on a clean host there must be no internet connection, right? If you are not on host-only, then how did you transfer using WinSCP?

    • @0xf0x
      @0xf0x 4 years ago

      All the network traffic is being forwarded onto the Remnux VM. Inetsim is running on Remnux, which is emulating a number of services on specific ports such as HTTP on port 80. That's why I get a 200 response.

    • @venkateshs3411
      @venkateshs3411 4 years ago

      @@0xf0x Thanks for your response. I tried to deobfuscate the macros in this Emotet, but some weird code appears: Fack = Xhrcwkmbidam.Diwqqciyfbjs.Tag
      Yaiciqbtusvb = Split(Tvsghavnh + LTrim(LTrim(Fack)), "///") I cannot find Diwqqciyfbjs in the function Xhrcwkmbidam. Can you help me?

  • @metehandagl9068
    @metehandagl9068 3 years ago

    Man, thank you for the video. But I didn't understand why you used the NAT setting. You didn't use host-only. You had an internet connection. Is it safe? Because the malware can spread to your host machine.

    • @0xf0x
      @0xf0x 3 years ago

      Thanks man, glad you liked it. I definitely had host-only mode in place in this video; that's why the traffic routed to the Remnux machine 👍

    • @metehandagl9068
      @metehandagl9068 3 years ago

      @@0xf0x Thank you for the answer man, but I don't understand that: you were searching on Google and downloading files. How do you do this with host-only, man? Can you explain for me, thank you.

    • @0xf0x
      @0xf0x 3 years ago +1

      @@metehandagl9068 No probs, I was searching on the internet using my host machine. The guest VM was host-only.

    • @metehandagl9068
      @metehandagl9068 3 years ago

      @@0xf0x I got it man. Thank you so much. We are waiting for your new excellent videos!

    • @0xf0x
      @0xf0x 3 years ago

      @@metehandagl9068 Cheers, I will try and get some out soon. Life has been a bit crazy the past few months.

  • @eladbruchim2148
    @eladbruchim2148 4 years ago

    The link for the download of the macro file didn't work, but great video.

    • @0xf0x
      @0xf0x 4 years ago +1

      Thanks for flagging, will check this tomorrow 👍

    • @eladbruchim2148
      @eladbruchim2148 4 years ago

      @@0xf0x Thanks

    • @0xf0x
      @0xf0x 4 years ago +1

      Link now updated in the video description.

    • @eladbruchim2148
      @eladbruchim2148 4 years ago +1

      @@0xf0x I really appreciate it, thanks for the reply and the effort.

  • @Randomdude-i8x
    @Randomdude-i8x 2 years ago

    You can just unzip the file and inspect the inner XML files. You do not need fancy tools. I would not recommend just opening it and looking for network traffic unless you really know what you are doing.

    • @0xf0x
      @0xf0x 2 years ago

      The idea of the video is to safely demo how to use malware analysis tools and give people an understanding of what the document is doing behind the scenes.
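      The commenter's point that a modern Word file is just a ZIP of XML parts is a useful static triage step before any dynamic analysis. This is an added example (not the video's or the commenter's code) that builds a minimal macro-enabled document in memory, because a real sample cannot be shipped here, and then reports the macro indicators it finds without ever opening the document in Word.

```python
# Added example: static macro triage of an OOXML (.docx/.docm) package.
import io
import zipfile

# Real OOXML identifiers for a macro-enabled Word main part and the VBA relationship.
MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
VBA_REL = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"

def build_sample_doc(with_macro):
    """Construct a minimal Word package in memory; this is not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        ct = MACRO_CT if with_macro else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
        z.writestr("[Content_Types].xml",
                   f'<Types><Override PartName="/word/document.xml" ContentType="{ct}"/></Types>')
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # OLE compound-file magic followed by padding stands in for a real vbaProject.bin
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
            z.writestr("word/_rels/document.xml.rels",
                       f'<Relationships><Relationship Type="{VBA_REL}" Target="vbaProject.bin"/></Relationships>')
    return buf.getvalue()

def triage_office_zip(data):
    """Return the macro indicators present in the package, without rendering it."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("not an OOXML package (legacy OLE .doc needs a different parser)")
    findings = {"has_vba_project": False, "macro_content_type": False,
                "vba_relationship": False, "parts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        findings["parts"] = z.namelist()
        for name in z.namelist():
            low = name.lower()
            if low.endswith("vbaproject.bin"):
                findings["has_vba_project"] = True
            elif low == "[content_types].xml":
                findings["macro_content_type"] = MACRO_CT in z.read(name).decode("utf-8", "replace")
            elif low.endswith(".rels"):
                if VBA_REL in z.read(name).decode("utf-8", "replace"):
                    findings["vba_relationship"] = True
    return findings

def is_macro_document(data):
    """True if any of the three independent indicators is present."""
    f = triage_office_zip(data)
    return f["has_vba_project"] or f["macro_content_type"] or f["vba_relationship"]

if __name__ == "__main__":
    print(triage_office_zip(build_sample_doc(with_macro=True)))
```

Checking all three indicators matters because a renamed extension or a stripped content type changes only one of them.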

  • @D_Tech_And_Trek
    @D_Tech_And_Trek 4 years ago +1

    Most likely Emotet!

    • @0xf0x
      @0xf0x 4 years ago

      Correct 👍