Welcome to my analysis for Hedgehogs. So I have finally moved to a different apartment, as you can probably see, because the background is quite different, and I was at Virus Bulletin 2017, which was really, really great. So everyone who is considering going there, I think you should go. It's awesome to meet the people. I'm thankful for everyone I met there, so it was really great.

Today's video is about a frequently asked question which I got in the last weeks, and that was: how do you get samples? How do I get samples, and how can you get samples that you can analyze and train with?

First things first: I work at an antivirus company, so I have access to, for instance, VirusTotal, and that means I get most samples very easily. Before I started working there, I was a student in computer science and I was already doing my master's thesis in malware analysis, so I had to find other ways to get samples, and that's probably something I can share that may also help you.

First off, if you have an old email account, just look into the spam email you get there and into the email test branch. That's one way to get fresh samples. Furthermore, I suggest forums that deal with malware analysis, like kernelmode.info. There are sections where you can ask for malware samples if you provide the hashes, so some people might post the samples that belong to them.

Secondly, that's how I started out: someone told me you can simply search for ridiculous tools on the internet to find some malware, and yeah, actually that works pretty well. So if you search for something that's too good to be true, it's probably malware, for instance "PayPal hack tool". So, oh yeah, "free money daily, updated October 2017, with proof". That's most likely malware, what we get here, and this provides a MediaFire download link which will be downloading the file for you. So, okay. And it provides a password.
These are usually password protected archives; otherwise those file sharing sites will at some point realize that there's malware in it and they will disable the download. So that's why those are usually password protected. Let's take a look at this and open it up with 7-Zip, so password "Money Craig July 2017". If we upload the file, let's take a look at that now. With these tools you oftentimes get a trojan that will just steal your credentials. So in a lot of cases they will ask you for your PayPal credentials and then they simply steal it, so oftentimes it's really a password stealer that you have there. It could also be something else, could also be a remote access trojan or keylogger. In that case we have, like, Bitdefender says it's a password stealer, G Data says it's a keylogger, SpyAgent spy, so it's not really conclusive, and some Keyhole thinks it's a trojan dropper. So that's something you will have to check, which it actually is. Yeah, have fun doing so.

We will move on to other stuff. Yeah, one of my favorite sites is hybrid-analysis.com or reverse.it; that's the same site, and if you register there and have a free account, you can download samples that have been uploaded to this site. So I think you know this site if you follow my videos. There's a tab for submissions, and there you get the latest submissions for any files that have been uploaded, and the interesting part, for me at least, is first this red score. That's the score that Payload Security provides for this file based on the behavior when it was executed dynamically and based on the features, or on static analysis, so they will say, okay, this is most likely a malicious file. And then they also say how many scanners detected it on VirusTotal; in that case it's 22%, or in that case it's only 3%. So you might find files with a high threat score and low antivirus coverage, which are probably very fresh samples in that case.
So that's the interesting part about that, and you can also search for tags, like in this case tags "evasive", "malware", whatever you're looking for, and that's how you find interesting samples. Now, one of those I found today is this one, and it's a... as you can see, something wrong. Okay, it looks like this. It is a Microsoft Word document that uses PowerShell to do something, whatever that is, and the good part of that is you can already just get this PowerShell command; no need to analyse the document. So if you have an account, you can download the sample here if it was shared. Also, if you are in this overview, look out for this symbol, for this icon, because that means the sample was not shared, so no need to click it if you have no access to the files in other ways. bitcoilnetta, okay. And one thing that seems to be happening a lot: these files that you download from Hybrid Analysis, they are in an archive, so .gz, that's an archive. So you have to unpack them with 7z before you can start analyzing them, and I think that's all you need to know for now. Yeah, that worked. That's the actual Word document right here. So, and just for the fun of it, we will continue and take a look at this PowerShell script here. That's also what we saw on Hybrid Analysis; we could have copied it from there. Did I get this right?
Looks right. We turn on word wrap so you can see it now. That's an encoded PowerShell command, and that's usually base64, so we can simply decode this, and now you have Unicode. What I usually do with that is I simply replace this stuff here with nothing, so turn it into ASCII basically, and we get this. We set the language to PowerShell. All right, and if you look into this now... Oh, that's also an interesting part that will probably tell you that this is malware; that should really be a sign to you. You see there are several upper/lowercase variants of this, "split" for instance, of "string" and "join". This upper/lower case thing is weird, and the reason is that a lot of times the pattern signatures by antivirus scanners are case sensitive. So if you change the casing in a case insensitive language like this, like PowerShell, it will just evade this pattern signature. Yeah, that's why they do it.

So what you can see is there's a string with some numbers in it, and in between there are non-digit characters, and these non-digit characters are basically removed with the split command. Like, the split will split the string into an array using this as delimiter, and then the delimiter is gone, and then they will join the array again. So all this does is it filters out the non-digit characters, and we can simply... we can deobfuscate this with pretty simple Python. We need to import the regex module, and we will simply do the same. Like, let's say we have this string, okay, and then we split the string and put the result into result string. No, split it using regex, which is all non-digit characters, and the input is the string. And now we have, as you can see, we have the array with those integers that have to be turned into characters first. Doing that, we can say for every x in result, we will say... this should print. Yes, this prints every single character. Yeah, and we put just everything in a string in the result string.
So I say I initialize this, and I say... and we have the deobfuscated script right here. I can mark this and copy it, and there we have this, and now we get the result of that. That's the result, Power show or ZLW script. Anyways, we have now some URLs that are used to download something, so, and download files from, so that's a PowerShell downloader macro in there. Yeah, that's just as a side note, and that's it for today. So I hope this is helpful for you to find some new and fresh samples. You can also ask people, analysts on Twitter. So they are usually very nice and will share files if you provide some hashes for them. Not all of them are able to do that, because sometimes you are not allowed to share anything, but in a lot of cases they will probably share the files if you ask. Yeah, that's it for today. Thanks for watching and see you next time.
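The two decoding steps walked through in the video (the base64/UTF-16LE `-EncodedCommand` layer, then the digit string whose non-digit runs are split away and whose codes become characters), as an added Python example that is not part of the video or its author's code. The plaintext, the junk delimiters, the wrapper script and the `recover` helper are all constructed here for illustration.

```python
import base64
import re

# Constructed sample, not from the video: the harmless line the obfuscation hides.
PLAINTEXT = "Write-Host 'constructed sample'"

# Constructed junk runs standing in for the non-digit delimiters.
JUNK = ["!A", "?z", "#x", "%Q"]


def obfuscate_char_codes(text):
    """Build the digits-with-junk string the video describes (constructed)."""
    parts = []
    for i, ch in enumerate(text):
        parts.append(str(ord(ch)))
        parts.append(JUNK[i % len(JUNK)])
    return "".join(parts)


def deobfuscate_char_codes(obfuscated):
    """Mirror of the PowerShell split/join: every non-digit run is a
    delimiter and vanishes; each surviving decimal code becomes a char."""
    codes = [c for c in re.split(r"\D+", obfuscated) if c]
    return "".join(chr(int(c)) for c in codes)


def decode_encoded_command(b64):
    """Decode a 'powershell -EncodedCommand' argument: base64 of UTF-16LE."""
    return base64.b64decode(b64).decode("utf-16-le")


def encode_command(script):
    """Inverse of decode_encoded_command, only used to build the sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def recover(b64_command):
    """Full chain: -EncodedCommand -> inner script -> hidden plaintext.
    Assumes the code string is the first single-quoted literal."""
    inner = decode_encoded_command(b64_command)
    match = re.search(r"'([^']*)'", inner)
    if not match:
        raise ValueError("no quoted code string found")
    return deobfuscate_char_codes(match.group(1))


# Constructed wrapper in the style of the video's script, mixed casing
# included; only its first quoted string matters to recover().
INNER_SCRIPT = ("$s='%s';$a=$s -sPlIt '\\D+' | Where-Object {$_};"
                "[string]::jOiN('',($a | ForEach-Object {[char][int]$_}))"
                % obfuscate_char_codes(PLAINTEXT))
ENCODED = encode_command(INNER_SCRIPT)

if __name__ == "__main__":
    print(recover(ENCODED))
```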