02 - Performing Basic Triage Analysis and Unpacking with x64dbg
Вставка
- Опубліковано 9 лис 2024
- Part 02 picks up by spending a little time performing basic triage analysis on the resulting ransomware binaries that we produced from the builder in part 01. I rarely skip this step as it often yields important insights into what you may be considering reversing. In this video, we'll use Detect-It-Easy to look at PE file characteristics and use entropy to identify signs of packing. We'll then compare the obfuscated and unobfuscated binaries together and even go through dumping the obfuscated version using x64dbg and scylla.
Join this channel to get access to perks:
/ @jstrosch
🚨 WARNING! If you follow along by creating your own binaries, ensure you have a safe analysis environment. The builder produces the real Lockbit ransomware and can cause irreversible damage to your systems! 🚨
Cybersecurity, reverse engineering, malware analysis and ethical hacking content!
🎓 Courses on Pluralsight 👉🏻 www.pluralsigh...
🌶️ UA-cam 👉🏻 Like, Comment & Subscribe!
🙏🏻 Support my work 👉🏻 / joshstroschein
🌎 Follow me 👉🏻 / jstrosch , / joshstroschein
⚙️ Tinker with me on Github 👉🏻 github.com/jst...
🤝 Join the Discord community and more 👉🏻 www.thecyberye...
1:01 What do the strings tell us?
3:40 Viewing strings in the obfuscated version
4:13 Using DIE to view imports
7:13 Analyzing the obfuscated version
9:35 Comparing versions with IDA Pro
14:35 Unpacking the obfuscated version with x64dbg
Great video, thank you!
Glad you enjoyed it, thanks for the feedback!
Nice one, thanks!Don't you use ret-sync during debugging session to keep ida and x64dbg synced?I love it :-)
Woah, I haven't heard of it before... going to check it out today! Thanks for the suggestion :)
Will you/have you made videos about samples we do not have the password for? Going in blind, so to speak?
Love your content btw!
Thank you!
I mention that in the first or second, you're likely stuck without the password and won't be able to analyze it. It won't run either, as it needs the password to unpack the main code. I haven't looked into the algorithm extensively, but a cursory glance suggests you need it!