Oh, sorry. What's up, everybody? Welcome back. My name is John Hammond. And you know, I love me some malware analysis. And it seems like you guys do too. So we're doing it a little bit once again. I'm gonna hop over to my computer screen here where all the good stuff's going on, my computer boy. And I've got this folder here. I'm in this Kaspersky directory. And this one I think is kind of fun. I think this is a neat story. It's a little bit peculiar, but we'll tinker and we'll play, right? So there was this little Kaspersky shortcut, or Kaspersky.lnk, and whatever, in the comments you can weigh in if it's Kaspersky or Kaspersky or whatever. That shortcut file linked to this Kaspersky.exe. Now that was in the directory of C:\Windows\Kaspersky, which is not, by the way, the actual default installation path for Kaspersky, the antivirus program. And you can verify that by simply Googling. You can see, hey, I was kind of looking for ILSpy to grab that and play with that a little bit. But if we just look for like, yo, what is the Kaspersky installation path? Pass the hash, like that PTH acronym there. You can change the installation path of Kaspersky; by default, the application is installed in the folder Program Files\Kaspersky Lab\Kaspersky Endpoint Security, et cetera, et cetera. It is not normally in C:\Windows\Kaspersky. So that was a little sus, you know? Kaspersky is sus in this case. I'm not positive. Hey, what is that thing? And we kind of want to look into it. I also saw in that directory of C:\Windows\Kaspersky an update.exe, and inside of the directory were also all of these other files. I just put them in a related folder so we know that they were kind of in that present directory. So I'm sure you can see already by some of these file names, those look peculiar, and not actually all of them are in here.
Some of these other DLL core folders, core files, DLL, those other DLL libraries, I didn't actually end up pulling all in, but I do want to showcase some of these here, and I'm doing it a little bit differently, right? So you can see I'm in a virtual machine. I've got just Ubuntu in here and I also have another machine that's just running Windows over here so we can kind of bop back and forth, and I'm on the new rig, I'm on the new machine, so thankfully I can run some virtual machines side by side and do some other neat, cool, fun stuff. So what I want to do first of all is take a look at what the files that we have are here, right? So Kaspersky.exe is of course a Windows executable, but it is also a Mono/.NET assembly. That means we can kind of peek and kind of peel behind the layers, look behind the curtain, see what that thing is actually made of in something like dnSpy or ILSpy. So I actually wanted to get ILSpy on this Linux machine and then it's like, oh no, you actually need to end up using the Avalonia, or I honestly don't remember how that's called or pronounced, but that's the cross-platform edition of ILSpy, so I'm like, all right, let's just roll it up in Windows then because we have that and we might be able to do some other cool, fun stuff with it. So let's, excuse me, I hit my desk there. I don't know if you heard that. Let's hop on over to that Windows virtual machine and I've got this terminal here. My laptop that you might have seen off in the corner is actually hosting a web server right now so we can pull down that Kaspersky.exe and those other files. So laptop, desktop, working in harmony, you know, good, good stuff. Let's get over to my desktop so we can do some neat stuff and I'll wget this down. I'll go to my laptop's IP address, that was 10.0.0.98, so a local thing here, should be on port 8000 because it's just a simple Python HTTP server, and I wanna grab that Kaspersky.exe, and it whines.
Okay, we need to use the basic parsing parameter, so that should be -UseBasicParsing, so that pulls it down without a problem. I should just kinda make that full screen, sorry. There we go, oh, but it wouldn't have saved it because I didn't specify an out file. So let's run that wget command one more time, let's specify an out file and we'll call it that Kaspersky.exe. Okay, now that should be downloaded, good. And I also wanna get that update.exe because we are going to explore and take a look at what that thing is, perfect. And they should both be on my desktop now. Oh, what is that? What is that icon? I feel like I've seen that icon before. I'm just gonna open that up in File Explorer so it's behind a white background. Kaspersky with a B file description and version number is 1.0.0.0. Oh, okay, fascinating. Let's just steal that picture and let's see if we can do a Google Image reverse search on it. I'll just save it with Paint and I'll slap that like whatever in my desktop. I don't care if it's called untitled, that's totally fine. There we go. But I wanna know where that comes from. Is that genuinely a thing? Google Image search, yeah, okay, cool. Search by image, let's upload that image, and that was on my desktop as untitled.png. Oh, it's literally, it's the logo or thing for Kaspersky. I see, kind of neat, that's kind of funny. So you can probably tell like, hey, I'm kind of riding this train that this might not actually be Kaspersky, right? It's a facade, it's a decoy, it's deception. Let's take a look at what that update.exe is first before we dive into our little Kaspersky spooky thing, but that update one is seemingly very small. So if I ls, right? Again, that's, there's not a lot in there. Oh, that's the image. Update.exe, is that this? Oh, I didn't even download the right thing. You guys should have told me, you guys should have let me know.
All right, let's remove that old update.exe and we also don't need that image anymore, but we will download that one more time and actually get the correct file there. Let's grab the update one. I was like, why are the length, why is the size the exact same size on both files? No, no, no, this update is much smaller. So let's crack that open, shall we? I have ILSpy opened up here and let's go ahead and open on my desktop that update.exe and see that has a different icon because it's a different binary. Gotcha. All right, so this is using some reflection libraries, interop services, so stuff that might be able to do some peculiar things. Let's open it up and explore some of those other libraries or things that it might include. Nothing seemingly in metadata. I guess that's just kind of like the library headers and everything for the file itself. Resources, do we have anything in here? Not displayed for me. Let's go to update and update properties. Resources, that doesn't look like it's all that interesting code. Let's just go into the update form, right? And let's see what this thing does. I guess I can expand all these and we just initialize a component. So this is a graphical user interface, right? We're like, we could run this and actually probably get a window to pop up, and I might do that once we're done kind of looking around and analyzing this thing. It is a GUI. So dispose, we'll just remove it. Those are, I think, boilerplate stuff for when you end up having a, like, Windows Forms. And it just sets a font. Okay, so the program is probably where the fun stuff actually happens. See what we do. Check for some arguments here. And the argument that is supplied, is that arg zero going to be the program itself? GetProcessById and parse args[0]. Or is that going to be like what it supplies? It's kind of odd. It doesn't do anything other than that try, though. That catch doesn't do anything. I might be misinterpreting that.
But we get the path being supplied as the other argument and text being supplied as another argument. So we look for files with a string path. That is apparently just going to be passed to be text. And the extensions that will be supplied are exe and DLL. So for each of those items that we find, each of those files, we delete them. Okay. And then path two is set to an empty string. So both of these we end up going through, right? But list file files, we get everything that's supplied in the other argument, all exes or DLLs, and then we combine them. Oh, sorry. Bring me back. Destination file name will be path combine that original text that we deleted with an exe. If it is an exe, then we save that in what would have been path two. And then we try to copy it over there. Okay. And we run that process start on that process start info, which is now going to be that new thing. So that doesn't like actually update all that much. It's not like it's pulling down from the internet or anything. It's grabbing whatever files might be in the current directory. So if for whatever reason we got another DLL or if we got another exe, maybe that was doing something to pull it in, I think. This is just the definition for that get files function that we were seemingly just calling earlier. We just grabbed that list information and grab it in extensions, right? Okay. So they're actually using the real get files there now, seemingly, and checking if the extension matches and they're returning it all. Okay. So I don't think this does a whole lot else, honestly. Let's kind of stop the system IO thing from expanding because that is taking up a lot of space. But that update just seems to for the program do these things with exe files and like copy and delete them. Let's try and run it, you know? Just to have some fun here. I'm going to copy this Kaspersky.exe. 
I guess I can just download it from the other computer, right, if I need to again, but just to be like safe, let's disconnect from the internet, not that like it's actually doing anything. Let's just disable this. Okay. And let's try and run that update, even though we kind of looked through it and saw that it might just do some weird stuff with that other exe. Did anything happen? Did literally anything happen? I'm clicking on it a lot, but we could probably take a look at like Sysmon or like Sysinternals or anything to kind of process, examine that or see it, make sure it's actually running. But how about if I like made another, I mean, are these all going to be in the same directory, right? Working directory, oh, it needs the arguments, duh. So we need to supply text and looking for the path. So let's like, let's like simulate what this looked like to begin with. I'll go into C, let's make, I mean, we already have a Windows directory and I am in a virtual machine, right? So I can just kind of blow this thing up if for whatever reason it gets messy. Let's make a little Kaspersky directory and you won't let me because I'm not an admin. I don't care. I will start up Windows Terminal as an admin. Let me do what I want. Am I actually an admin now? It doesn't actually tell me. Let's try to make that directory again. Let's see how it looks. Yeah, all right, cool, did it. So let's copy everything from me, my desktop, all of those EXE files. Let's put them right in this Kaspersky directory. And now let's, do I have the touch command? I do not. Silly PowerShell. Let's just echo nonsense into like a fake.exe because it's just seemingly checking for the file extensions and I've lost myself in a PowerShell prompt. Okay, so let's try and update the fake that is in C:\Windows\Kaspersky. Am I understanding that right? I don't know. Path should be seemingly the third argument. Text should be what I've supplied as that file name.
Do I need to include the EXE extension in here for some reason? No? Am I going down a rabbit hole? Honestly, this isn't obviously where the spooky stuff is going on. So we can table this. I think we've had our fun bumping around with this update, but it doesn't exactly do much other than copy files. And I might be kind of getting in the weeds here and not exactly following what is happening because I'm dumb. So, let's try to make sure that I don't have to. So, let's go do something else. Let's remove this update and let's try and add in. Yeah, we already nerfed internet so I'm not concerned about that. Let's just pull in that Kaspersky.exe and let's see what we got. Ladies and gentlemen, Kaspersky.exe 1.0.0.0.0. The assembly title is B. Assembly product is B, Copyright 2015. Yeah, okay. So metadata we know won't be anything else interesting. The references that it pulls in, however, are, I think, peculiar, right? So you saw those DLLs in my Linux folder over here. If I hop back to that, you might have seen a net.dll. You might have seen a HigLabo, a Newtonsoft.Json.dll, S22. So let me kind of Google what these things are in case you might not be familiar with them. Because I wasn't, truth be told, right? The Newtonsoft Json.NET is a high performance JSON framework for .NET. So it is going to be allowing us to use JSON inside of the code that we end up running. Serializing it, working with it, deserializing it, et cetera, et cetera. So that we might see put to use. And the other one was HigLabo, HigLabo converter. Let's Google that guy and see what this thing does. Or what is just HigLabo on its own? Because I just pulled in just that converter, but there was like a core, there was like other fragments of the library. But it provides mail client features for SMTP, POP3, and IMAP, hmm. So our little Kaspersky program might be sending some emails. Is that fair to say? We got JSON, we got mail functionality. What is this SASL? What is this sasl.dll?
Let's grab him, see what he's up to. This supports authentication methods. So, yeah, yeah, yeah. This repository can say to .NET assembly implementing the Simple Authentication and Security Layer, or the SASL framework. Provides a protocol or specifies a protocol for authentication and optional establishment of a security layer between client and server applications, used by internet protocols such as IMAP, POP3, SMTP. Ah, I see. So a little bit more nod to emails and SMTP, right? Okay, well, let's stop beating around the bush here. Let's go explore what this fun little kaspersky.exe might be doing. Now that we've got an idea as to what these are, the references that were included are, actually I'm curious still about that net one, but we can explore that in just a moment. Let's check it out. This does have seemingly some resources. Again, theoretically it is supposed to be a GUI thing. So we can see what it exactly does. I don't know if you can see right here. I don't know if that's visible or not, but this is seemingly a namespace or a class kind of named SMTP sender. So it has some enumerations here. We have connect status, it looks like, with values set for none, connect and error, load config file results, succeed, file not found, format error, and main form. Main form is a little bit hefty. There's a little bit more of that scroll bar there. So we have that default IP.txt file that we had seen, and checking out these references, right? Of course we see HigLabo, if I'm pronouncing that right, and the SMTP sender class itself, right? So, or the whole thing. I think namespace is the proper word. I might be wrong in the terms that I throw out as I'm just kind of rolling off the cuff here, but create a main form, create an SMTP config, which looks like it's something that's defined over here.
Cancellation token source, that is not defined elsewhere that I know of, seemingly last 60 sent count, last 60 sent timestamp, IP list, send mail tax, I'm assuming that should be task, maybe a list of tasks, IP list count, STR IP list filename, current IP index, et cetera, et cetera, et cetera. So we're saving some IP addresses in this default IP.txt file. Take that for what you will. Let's hop over back to our Linux machine here and in that related directory, I do have a default IP.txt. So let's just take a gander, you know? Let's take a look at what that might actually include here. I'll run cat and pipe that to less. Just a big long list of IP addresses, everybody. So I'm kind of curious what, there's a lot, by the way, there are a lot in this. I don't think I actually have Sublime Text installed in this VM yet. So how many of them are there? Let's just, let's pipe that to wc -l to get the word count lines. Oh, 73,312. Of course. Don't you need that many IP addresses for your antivirus program? I don't know. Let's cat that out one last time and let's see where these IP addresses just like might be. Is there like a cheeky IP locator thing or IP location finder? Yeah, where's my IP address? I don't want you to tell me for myself actually. I just, I don't need that. I do want to put it over here. Taiwan. I don't know how well you can see that. Is that a, does that have a domain? Hagen.com.tw in Taiwan. Let's go to it. Like, let's just do it. I mean, it's a thing. Okay, let's check out this guy. How about you? Are you also in Taiwan? Ta-da. Nope, Israel. Okay. What about you? 72.52.170.252. Slap that in. Oh, that's over in, what was that? Kansas. United States. It didn't tell me. I don't know. Where's the state that you were just showing me that I accidentally clicked out of? Wichita? Or somewhere close to it? And that, Kansas. Okay. We could go down this rabbit hole for a while. Obviously I'm not going to go through all 73,000 of them.
Maybe we could write something that would loop through it if we wanted to, but these are all over. We've got Brazil, we had Israel, we have Taiwan, we have Kansas in the United States. What else we got here? Miami. Cool. All right, just one more and let's get back to something more fun. It's over in Argentina. Let's take a vacay, guys. Yeah, all right. That's enough spooking around the internet, but as you can see, there were a lot of IP addresses and maybe we could write something fun and funky to see all those locations. Let's do that in a different video because that's not what we're doing in this one. Let's get back to our little kaspersky.exe. So to speak. Let's check out SMTP mode count, SMTP string header text, string body. So just based off of these variable names, I'm assuming, like all the references and the kind of the loaded-in libraries that we've seen at SMTP robot, I'm gonna assume this thing is gonna end up sending emails, right? Kind of somehow, some way, at some point. So what else we got? Here's the main form and that is another okay form here, initialize component. We should just, we should run this thing. We should see what this thing does. Get total memory in bytes. Okay, doing a little reconnaissance, computer info, and that is an actual class. That's like a Microsoft thing. That is loaded in though, right? Microsoft.VisualBasic. Yeah, devices, it just, it grabs that. Hey, how much memory do we have? What's my device info? Oh, and that uses some WMI. CPU info, memory info, pulls it in for each ManagementBaseObject and ManagementObjectSearcher. And that looks like a WMI query, for Windows Management Instrumentation. That's some of the thing, hey, let's grab in whatever. And it parses out the number of logical processors, apparently; let's get CPU info, memory info, et cetera. Neato, neato burrito.
Get instance is gonna return itself for the main form, seemingly. Load config comes in from config data, which is passed in, and looks like we load from stream reader, but that config was defined as a new SMTP config. So that might be something we could actually kind of follow through. Get count from file. Oh goodness, what the heck? We have a file stream object read in with a file name, number, buffer size, read access, random access; seemingly that just looks like it's counting. Counting the number of entries in a file, I think, maybe. Let's get the IP list from a file. Okay, okay, that looks like the exact same thing. It looks like it's doing the exact same thing, just counting. Start send mail task. Now we get to the weird stuff, right? SendMailTasks.Clear with threads, adding new tasks to send with a robot, with our robot status, our SMTP robot, and we got a completed function that just checks, hey, whether that robot status is stopped, with three Ps, or not, same thing with the stop function, and that won't be reading. So is it like going through each of the IP addresses and trying to send stuff? Every single one of those servers or something was, I don't know if that would be the mail server itself or I mean maybe, when we looked at that one in Taiwan, the HTTP had a domain to it, but I don't wanna obviously run an Nmap scan on something like that, but maybe that has port 25 open or anything for SMTP or IMAP or POP3. Spooky, we got log thread, wait a second. Are those in the logs? It has strings like, oh, mail sent, okay. And an authentication error, authenticate error. Good, after first, oh, and it writes it to smtplog.txt. Did we have that? It does explain the thread, oh, oh, oh, but it literally logs like everything it does. The IP address, the port that it calls out to, the SMTP server password, what? And the subject, that is neat. Also horrific, but neat. What do we got? We don't have SMTP log, no. Do we have log? What is in that log.txt?
I don't know what those are. But we didn't have an SMTP log. Okay, is that a dead end? Log good SMTP. Get used auth mode, HTTP client, does it like check it? Oh, does it like check to see if the server is up by like the HTTP thing? So that Taiwan one was maybe was up? I don't know. I don't know. I'm not gonna pretend that I know. I'm gonna keep cruising though because we got a lot to go through. Send mail thread, send mail thread for test. A weird poll one server. What is that? Oh, that's later down. Let's, is that later down? Where am I? Yeah, okay, that's later down. So let's wait till we get to that. But it will sleep, determine if we need to wait and create a new SMTP client with the IP address, the port, the password, generating message, setting cryptic communication, try to connect, connection error, et cetera, et cetera. Mail sent okay, mail not sent. Okay, I think it's fair to say guys that this is not Kaspersky. I think it's fair to say that this is not the Kaspersky antivirus at this point. If you've got classes named SMTP sender and all that weird stuff, completed thread, get replace string, get random. Ooh, ooh, ooh. It's like replacing the segments that it would be using in an email, subject from, recipient mail from, and just that's neat. And then it applies random on each of those things. We have generate random and we have apply random as other functions here we can take a look at. Oh, and we have a little like schema as to like what we wanna replace the random with. So get characters from this range, get characters from that range. That's neat. Apply random does, I think a similar thing, right? Yeah, okay. So it's just checking if that random notation is in there and then generating it as needed, spooky. Populate number doesn't seem all that interesting. Just populating a number, construct the header and body of the email, I'm assuming. Yeah, content type, you get some headers in there. You add in the body, generate message. Ooh. 
Okay, SMTP message, is that something that's defined in here? I don't think so. But SMTP mode, recipient, and SMTP server are all added in and we add in the text, we grab the email addresses, set from and set to, all from SMTP message, and all these configs come from that. You could send either HTML or plain text, and we have the load IP address list from file, taking a count, load next IP list file. Ooh, that has a new file name in it. Oh, so the log status is being added into log.txt, and we have log.txt. But I don't see any of those hyphens in there or anything that's an IP address. There's nothing in there, but tempgoodservers.dat might be kind of neat. What do we have in that? Do we have temp good servers? Oh, we do. Are those just the good servers that it found? Is that the same as our Taiwan guy? Was that? Let me bring back those pages. That was a Ukraine with mx.urizal.com. MX indicates mail for me. Okay, so those are some of the good servers that we were able to send emails to from or through. Spooky. What else we got? Pull one server we saw earlier. That looks like it's just grabbing things and getting out of the config the SMTP accounts, et cetera, et cetera, refresh time variable. How many more do we have to look through on this one? We should probably move on to something that might have a little bit more spice to it. But I think we can, at this point, come to the conclusion that this is sending emails, and if there are mail tasks, I wonder if this is a command and control framework. I wonder if this is some, like RAT might not be the right word. Not our remote access thing. But part of me wonders, okay, is this being used to send like command and control, or to actually be able to interact with this victim that this Kaspersky.exe, supposedly our fake antivirus, is on? Oh yeah, load good servers comes from tempgoodservers.dat. So we know that those are a thing. Let me see if those other ones, I'm sorry. I'm going on a tangent.
That was kind of neat and interesting. Let's check out our other one. Where's he at? Indonesia? Got an 89 here. There aren't a lot of good servers in this out of the list of 73,000 that we just saw. That is over in Italy. And we could poke through some of these if we wanted. But each of them seemingly has had a domain name associated with them. Did the other one, that second one, have one? I just want to check one more time. Because the first one I know did, this one did. Yeah, they all have domains. And they're all related to a mail domain, or at least kind of indicated. Okay, okay. We got a few of the proud over here. We got our temporary good servers. And let's get back to ILSpy. Let's get back to the fun stuff. But we know those are the good servers and we've been logging some of that. Good server index, load previous status. Oh, the previous status must also come from that log.txt that it's keeping track of. And it is seemingly the robot status messages. Is that right? Or, oh, each of these. Oh. Oh, these all indicate like different lines in that log.txt: current pass index, done IP count. So how many has this gone through? Yo, that's kind of neat. Where, let me go back to... Let's go back to that log.txt and see what of these makes sense, if they do. So we know that that was all of this as we read lines. So let's copy that. Can I copy in and out of my... Try it? No, I can't. Dang it. All right. Let's make this minimized. And now let's expand that window to kind of see what we got here. So current IP index is 41,972. That makes sense. Current pass index, 122. Done IP count. Excuse me. STR current IP list file name? Is this a hash? Is that a hash? That looks like a hash. Next IP list file name, deposited time, send mail counter, done try count, total try count, good IP count. Yep, that makes sense. And the int IP list is exactly what we saw when we counted all those. Whoa. Okay. That was kind of neat to tie those together. Go to current position in the file.
That must be taking everything that we had seen thus far and skipping over to that part. On start invoke, on stop invoke. We begin invoking some delegates. Action. Okay, that is from the runtime stuff. So that I might, I might not, oh, on stop and on start though are called in each of those. So the robot, if it is started, then it doesn't need to start anymore. Then it, what? If it doesn't need to continue. Oh my God. Stop, please. No. Where did I go? No. It's the very, very top of the document again. Okay. Sorry. We'll get back to it. We are trying to figure out what this on start boy does. He'll delete the next IP address list. Load default config from the default IP addresses. Good. Download IP. I don't know what exactly that might be, but did load default config? So is that something we already saw? Temp good servers, log.txt, it clears them out. Then we get the number of IP addresses, how many that we need to go through, go to current position file, and load the good servers. So we delete those that aren't necessary, seemingly set up some threads, see how long we're going to end up waiting. I think like give it a little bit of time to not look so spooky, not look so sketchy. And whenever the timer goes off, it does some other task on stop. Okay. Yeah. It stops it all, reset robot status, on set config, default.cfg. Ooh, that's a new one. What is that file going to end up being used for? On set config, robot status has started. We get a binary writer and we write the config data, which is passed in as an argument, but that's a byte string. What is in that? What is in that default.cfg? That's called again on on get config when we read the data out, binary reader. We read that data in. Sorry. I realized my face was kind of in the way. Base stream length. And then we do send config on our SMTP robot. So we should totally check out that SMTP robot. We do check all the URLs or the IP addresses. Once we're connected on a master, then we start a monitoring loop. Okay.
Master disconnected server IP import. What is that? HTTP client response message. It retrieves that server URL. Make sure that we have a successful status code. I'm going to go to that just real quick just to see what it looks like. Yep. Looks like it. Okay. It's just checking if it got like a 200 or something. And if we did, we get the results from that. And then we decrypt them with a string cipher with shangway forest foresight. What is that? Is that something that like is existing? Is that a thing? Let me go back to Google. Google. I know I'm already on Google, but I'm on the image search one and I don't want to. I don't have internet. Gosh darn it. All right. Get me back to my adapter settings, please. Enable that. Go, go, go. We're getting intense here. All right. All right. Let's see what this is. Let's go to Google.com. Please load. Cool. Slap in shangway forest foresight. No. There are no results. There aren't that many good ones. That's sad. What if I look for like malware? Is that, is it like a known thing? Is there any? Is that our totally random key or something? I don't even know what this is actually being used for yet. So like, let's, let's, let's table that from now. And let's go back to analyzing that. That is, that is passed into the decrypt method that is inside that string cipher that it calls. We parse out the empty entries. They're separated and delineated by a colon. So we get a server IP address and port just like that. Yeah. Oh, what does that mean? So the servers that are passed in here, we retreat. No, no, no string server URL is going to end up being different than that. We have some server that will return a list of other servers that will be used for, so it'll be used for that communication with SMTP maybe master connect thread is going to end up trying to get some of these things. It'll wait for 10 seconds to do that over and over again to see how many times we can get it. And then we keep reconnecting and checking. Okay. 
That's evil. That is nefarious. Load default config will take in default config as that file. Oh yeah. We still need to look at that default IP address, pull all that stuff in and check to see if the IP list ends with a slash or a URL .txt. Oh, so in case there are like other directories, is that right? IP list URL file. I'm kind of cruising through this. So I might not actually have fully understood it. Get public IP address is just going to get public IP address, is just checking itself. Come back. It's just going to check ip.dyndns.org. That's a thing though, isn't it? Will that give you a real IP address? I'm going to have to blur this out. So I show my IP address. Yeah. Yeah. Confirmed. It does give you your IP address, your public IP address. Neato. Okay. And we're almost done. We're at the very, very end of this of SMTP main form. Connect.dat is pulled in. And again, it's using this Shangui foresight 1988 227 to decrypt it. So we got to check for that. And we, ooh, please make sure it's a valid connect.dat file. Will this thing die if I try and run it? Cause I don't have that file on this machine. And then timer on log tick. You can't see that cause my face is in the way and I just moved the screen. I'm very sorry. It just pulls in from log and temp good servers, as we kind of dispose and initialize component are going to be what we've seen before. Let me get that screen back to where it should be. And let's go explore that default config file. Cause we have that. There we go. We don't need to be in here anymore. Let's see. We do have default config. So let's cat that out, default.cfg. Is that just a bunch of base64? Is that just base64? There's a lot. There's a lot in here, guys. How long is this file? Let's wc -l all that. 5,337. Okie dokie. Let's do a little like while read line. So we can echo out that line. I'm pretty sure you could do this with xargs just as well, right?
Let's slap all that out on the screen and let's try and pipe that into base64 -d to decode it. Non-printable characters. Bytes that humans can't understand. Imagine that. That makes sense though, right? 'Cause this default config file was encrypted, supposedly. So let's see what else we got. NetData. What is NetData? This is another class that I'm looking through in this SMTP sender namespace. These just look like they send packets. That makes sense considering what? Excuse me? Let's see what that thing is, shall we? Let's go explore. Let's do a little Google Translate. Slap that right in there. "Signature does not match," with the Korean language detected. Okay. I'm not one for, like, hey, attribution. I don't care about that stuff. I'm not one for, like, pointing fingers. It was him. He stole my lunch money. I'm not inviting him to my birthday party anymore. I don't do that. I don't care. It is kind of neat though to at least see the traces, to at least kind of walk through all of these. Every single one of these is what? "The number of pieces of material you were trying to obtain is not correct." What does that mean? Oh, it's trying to get a certain number of data. Pop all of these exceptions. I'm just trying to understand them though. I just kind of want to know, like, what's what here. "There is no data." Yep. Pop. More. This is kind of homegrown though. Like, they're adding in their own exceptions here. Like, they wrote this on their own. Slap that in. Same thing with Pop. Has the same exact output. Are there any other exceptions that might be interesting Korean strings here? This looks spooky-wookie. Slap that in. "The data type is incorrect." They're leaving some notes for themselves, everybody. NetDataEvent. That looks like a delegate. Is that something that's like, is that like one of those tasks that's being pulled in? MessageCode. Parse item enum. Parse random enum. Oh God. The Program. Oh, this is kind of neat.
This is like what's going to end up just calling, right? So it's going to check if .NET is installed. It has functions for that. Get the, check the registry to see, hey, do we have v4? Seemingly leave of .NET. And maybe I'm going too quick on that. But yeah, yeah, it checks. Okay. If .NET is installed. If it's not, you need to install it to run this program. Starts a RobotStatus with a little scanner time starting right now. EnableVisualStyles. MessageBox.Show. If there are any errors. Okay. RobotStatus. Has just a lot of stuff defined. TimeSpan is GetUpTime. Whoa. Just trying to see how long, hey, how long has this robot been alive for? How long has a C2 been active? Connection status. A couple getters and setters. SmtpRobot. We're on ServerConnect right now. So ServerConnect will connect with seemingly a socket. Connect will connect to server. OnConnect. We'll try. And if we do get a connected connection, we'll get the main instance and explain that we have connected with the OnMasterConnect. We'll call that OnReceive. OnReceive. Does that do anything spooky? I don't, I can't click into it. I can't see it. AnalyzePacket is going to end up invoking something from the NetData. And our NetData did do something. Type code binary data, right? NetMessageCode. What is this? So these are the control codes seemingly to do a certain thing, but it's just sending logs and sending the data that it knows. Update status, control server. Do we ever see that 1004 control server being set? Telling it to save the config, get the config, starting communication. Totally C2, but I don't see it do anything to, like, run code. I don't see it doing anything to, like, run commands yet. Invoke does something though. And that data event, we seemingly don't know. Okay. Okay. Let's get to our ServerStatus, right? That's just another enum. SmtpAccount. We do ParseFrom. SmtpAccount is parsed from with an ID and a password.
And it's just pulling out again with a colon separation. ToString, obviously ToString. SmtpConfig. All right. We knew we were looking at some weird stuff in this because this is in relation to that default.cfg. So what do we got here? Constant string, string config password is that. Shanghai. I don't know. Foresight, that thing. MustContinue, AutoThreads, STR receipt. A lot in here. SmtpConfig. Reset. And a string config file name is default default.cfg. SMTP ports, port 25. We have some timeout set up and we're trying to keep track of the headers and the accounts. And that's that. So LoadFrom StreamReader is reading from the data and it looks like this is like breadcrumbs of what that config file might actually look like. We have headers defined here, SMTP accounts and the ending tags for those. So it has its own, like, structure and schema, it has how to understand that config file. And this just looks like the function to parse all that data out. Cool. Wow, we get the auto threads, the recipient, the from SMTP, the thread connection time, IP list file, all of it, all of it is included in that default config file. Okay. So. The config file result. EncryptWriteLine. Ah, so the StringCipher can encrypt that line, passing this function, with the, again, exact same key. Same thing with DecryptLine and save the file. We'll just spit it all in there. General recipient. Okay, so this is what it would look like, but all this data is going to end up being pulled from that master server that we end up reaching out to with our Kaspersky.exe, right? So SmtpRobot has an encryption key. SmtpMode was just another enum, so I didn't want to explore through that, but SmtpRobot does seemingly do stuff and that is probably like the agent or the bot, right? That's going to be the task or thing when it's, I'm assuming, doing the nefarious needs, performing the C2. GetFirstIPAddressList. SmtpRobot adds all these codes. ProcGetLog. Yep.
GetInstance, and it loads it. SendData, ConnectToServer, DoStartCom. We have our good servers pulled in. SendData must be for message codes. ConnectToServer we saw earlier, so we understand that basic functionality. The monitoring loop though. Ooh, the monitoring loop. Every five seconds, tries to connect and send data. DoStartCom just starts communication and sends it. Yep. Yeah. Yeah. Just, okay. It just sends the "hey, we're talking now, having a conversation. Hello." SendData and heartbeat. These are all the NetMessageCodes that we're kind of added in. Send config save. So this just looks like, honestly, it just looks like it's still in communication. It's still just talking back and forth, sharing the data and the information that's received or getting. But I don't see anything that, like, runs commands yet. It's still spooky one way or the other. Like, hey, let's monitor your machine. Is that normal? Does Kaspersky do that? Do they send it across all these different worldwide IP addresses through mail? Like, through SMTP? All right. SmtpServer. Pulls in the Hig Lambo stuff so it can get encryption. SmtpServer pulls in that encryption module. It will parse in data from the config, seemingly, that we had seen. I would think. Yeah. Yeah. Yeah. All that stuff that might be passed in. And ToString again. So StringCipher. Ooh. Okay. Now we're getting to some, now we're getting to some cool stuff, right? So we know, and before I dive into this, let me just, let me just check out SmtpSender. Doesn't look like there's anything all that interesting in here. So StringCipher is where we're going to focus right now. So we know that default.cfg, or that default config file, is encrypted with what looked like base64, right? When we took a look at it, but it's encrypted supposedly with this StringCipher class and functionality, passing in that Shanghai, Shang Wei thing. So we have this initialization vector, also visible for us, with the bytes here.
Some random ASCII letters. And we have the functionality to encrypt and decrypt. Which is cool. Because we have the data that was encrypted. We have the Decrypt and Encrypt function. And we have all the keys that were used to encrypt it and decrypt it. So we could just try and decrypt all the data. Uh, yeah. Let's try it. So I would do this because this is in C#, right? Normally what you could end up doing is just compiling your own code, right? And you can do that on Linux if you want to with xbuild or mono or et cetera. Or you could just plop in Visual Studio if you're running Windows, but that's very large and very clunky. I would think I would go through this and try and do it in LINQPad. It makes it so, like, C# feels like an interpreter or an interpreted language, like a scripting language. Like, hey, you can just slap code in and it'll compile it and run it, like, on the fly. Uh, I'm sure it's doing more cool, nerdy bells and whistles things under the hood, but that feels cool and feels fun. So I have LINQPad installed in this. I think LINQPad 5. All right, cool. So I will make this take up most of my screen so you can see it, and I'm pretty sure, like, hey, let me, let me type in some words here. Hey, hello, please subscribe. So we, uh, I want to make that larger so you can see it actually. Uh, preferences. Yep. Editor font. Can I, oh, I can make it dark mode. So much better. Show line numbers and enter. Yep. Let's do a word wrap. Can I expand the font size, please? Hello, to change font size. Oh, duh. Sorry. Use control scroll wheel or control. Oh, oh, oh, I didn't need to do any of that then. Uh, let me go back to my default font. I like that one better, zooming in. All right. All right. Cool. Now we're, now we're up in action and let's get to some cool stuff here. Um, there is a way to just straight up run a program though. Uh, C# program. Oh, sweet. And it just, we'll do it.
So let's do a Console.WriteLine for a little proof of concept. Please sub. Cool. Uh, yeah. Do you want to save that? Let's just slap it into my desktop. Um, decryption. Get decrypt shop. Apparently I had to be at the end there. Okay. It just says "please." So now let's get the functionality to encrypt and decrypt with all of this. We need all of these using statements, and let's build out this functionality in this StringCipher class here. So I'll slap all that in, and yet let's move the using directives into whatever they need to handle it. Um, can I remove that please? And we're still missing something, aren't we? PasswordDeriveBytes. We're in all this new PasswordDeriveBytes. Oh, is it using a different, like, C# syntax rather than using the using statement? Can I just define them like that? Yeah. Okay. Okay. Um, then let's clear all those out. And now we've got that function out. Now we've got that code inside of the StringCipher class, and back in the Main function, I will have a StringCipher. So how do they do that? They use the StringCipher.Decrypt. And we saw that in Main, right? StringCipher.Decrypt something, passing in this. Right. Yeah. So let's grab one of those encrypted strings and see if we can get it to decrypt. I think that's all we need, right? Let's, let's just head out default.cfg. So this right here. Can I please, please, please paste this in? Please. No. Okay. You suck. Um. I'm pretty sure I'm going to need Sublime Text so that I can do some quick multi-line editing stuff. So let me just download that super duper quickly. And in the meantime, we will download the, good, good, good. Let's download. What am I thinking? I'm so sorry. I need to download the default config that we have up on the server. That laptop that's beside me is hosting the related files still, in related. I should be able to grab default.cfg. Of course I need that stupid -UseBasicParsing. And now let's Out-File that to default.
default.cfg. Yup. Okay. How is Sublime Text doing? Is he all good? He's all good. Okay. I probably should use, like, Chocolatey or something to install that, but you know what? You live and learn. Like that bad Sonic the Hedgehog song. If you know what I'm talking about, then maybe that joke hit close to home. Anyway, let's, let's actually open up Explorer, like, in this directory so we could actually open this with Sublime Text. Open with more apps. Oh gosh, don't make me look for you. sublime_text.exe. Good, good, good. Okay. Here are all of the encrypted lines on our Windows analysis VM, so we can fire up LINQPad and try and decrypt this thing, and let's display it out onto the screen, Console.WriteLine of that. And let's run it. "General." Okay. It looks like we did it then, because I think from what we remember looking through this, that should have been the very, very first line explaining all the definitions here. So if I did something horrific and wrote on every single line here, let's do a Console.WriteLine with our string, sorry, StringCipher.Decrypt passing in that data. Let's go all the way to the end of the line. And then let's include that "swing foresight" password or key here, slap that in on every line, close that line and copy it. Sure, I could have done a for loop, but then I'd have to know C# and I'm bad at everything. Oh, it is all currently string cipher, not StringCipher. That would have been messy. So let's try and get that corrected to StringCipher. There we go. Now everything should be decrypting with that key. And I can disgustingly slap all of that in. And we'll write it all out. So let's see what we got. Crank. Oh gosh. Why did you die? What happened? Oh, I forgot. No, I forgot a parenthesis. You know, this is when you guys are going to be like, you know, John, writing a stupid stinking for loop would have been a lot easier. And I'm like, you're right, you know, you're right. All right, let's Ctrl+Z that out of there.
Slap that all in successfully. Now fingers crossed, and let's try and run that one more time. Why? Oh, did one of the lines break? Oh, no. Wait, where's my StringCipher? Why is that still a problem? You know what? We should take this from the top one more time. I screwed it up so bad that it wasn't worthwhile whatsoever. So why is that line muffed up? Yeah, that line 27 and some of these other lines are, like, jank. All right, let's Ctrl+Z all the way home. There we go. Okay. Now again, Console.WriteLine. Sublime Text is, like, chugging along, trying to keep up. StringCipher.Decrypt all the way to the very end of the line. And we want to copy our, gosh, "Shanghai forest." This will all be worth it in the end, guys. I promise, hopefully we'll get something cool out of this. "Shanghai forest." Close those. And now third time's a charm, everybody. That doesn't look broken to me unless I messed it up somewhere else. Let's give it a go now. I'm pretty sure I just copied that into the output pane. No, no, it's good. Okay, let's try it. Pray, please. "Padding is invalid and cannot be removed." Excuse me. What are you talking about? You just decrypted this. You literally just did this. What? Padding is invalid. I am so confused. You just did this. Is that the right line? No. Why do these all have a Z in front of them? Every single one of them has a Z. Did I hit Ctrl+Z? Oh my God. No. Agony. We're almost done, ladies and gentlemen. I promise you. Console.WriteLine. For the fourth time. StringCipher.Decrypt. That. Take me all the way to the end of the line. I'm sorry for sticking to my guns here. I know everyone is screaming, "John, write a stinking for loop. Have it read a file on its own." Look, dude. Sometimes a man's got to do what a man's got to do. In this case, publicly embarrass himself on the internet for thousands of people. I think we're good. Famous last words. Because I've said that, like, four times now. Please God. Run. Nice. All right. What do we got?
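The per-line decrypt loop that got skipped above, written as an added example (this is not the video's code nor the sample's own StringCipher). The video only shows that the class uses PasswordDeriveBytes, a fixed ASCII IV and one key string for every line, so the key, salt, IV bytes and key size in this block are labelled placeholders, and the loop reports the two failure modes hit in the walkthrough (a stray character making a line invalid base64, and "Padding is invalid" when the ciphertext or key is wrong) instead of dying on the first bad line.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example: a StringCipher stand-in with the same shape as the decompiled one
// (password -> PasswordDeriveBytes -> symmetric key, fixed IV, base64 in/out).
// Salt, IV, key size and the cipher mode are assumptions, not values from the binary.
static class StringCipher
{
    // Placeholder IV: the real one is a fixed run of ASCII bytes visible in ILSpy.
    private static readonly byte[] Iv = Encoding.ASCII.GetBytes("0123456789ABCDEF");
    // Placeholder salt for the password derivation (assumed).
    private static readonly byte[] Salt = Encoding.ASCII.GetBytes("assumed-salt");

    private static byte[] DeriveKey(string password)
    {
        // PasswordDeriveBytes is the legacy API the decompiled class references.
        using var pdb = new PasswordDeriveBytes(password, Salt);
        return pdb.GetBytes(32); // assumed 256-bit key
    }

    public static string Encrypt(string plain, string password)
    {
        using var aes = Aes.Create();
        aes.Key = DeriveKey(password); aes.IV = Iv;
        aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
        using var enc = aes.CreateEncryptor();
        byte[] data = Encoding.UTF8.GetBytes(plain);
        return Convert.ToBase64String(enc.TransformFinalBlock(data, 0, data.Length));
    }

    public static string Decrypt(string base64, string password)
    {
        byte[] data = Convert.FromBase64String(base64.Trim()); // FormatException if not base64
        using var aes = Aes.Create();
        aes.Key = DeriveKey(password); aes.IV = Iv;
        aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
        using var dec = aes.CreateDecryptor();
        // CryptographicException ("Padding is invalid...") if key/IV/ciphertext are wrong
        return Encoding.UTF8.GetString(dec.TransformFinalBlock(data, 0, data.Length));
    }
}

static class Program
{
    // Placeholder: substitute the key string recovered from the decompiled binary.
    private const string Key = "<KEY-FROM-DECOMPILED-BINARY>";

    // Decrypts each line of an encrypted config, returning the plaintext lines
    // and logging the ones that could not be decoded instead of aborting.
    public static List<string> DecryptLines(IEnumerable<string> lines, string key)
    {
        var result = new List<string>();
        int lineNo = 0;
        foreach (string line in lines)
        {
            lineNo++;
            if (string.IsNullOrWhiteSpace(line)) continue;
            try { result.Add(StringCipher.Decrypt(line, key)); }
            catch (FormatException)
            { Console.Error.WriteLine($"line {lineNo}: not valid base64, skipping"); }
            catch (CryptographicException e)
            { Console.Error.WriteLine($"line {lineNo}: {e.Message}"); }
        }
        return result;
    }

    static void Main(string[] args)
    {
        IEnumerable<string> lines;
        if (args.Length > 0 && File.Exists(args[0]))
        {
            lines = File.ReadLines(args[0]); // e.g. default.cfg from the analysis VM
        }
        else
        {
            // Constructed sample config (not the real file): three lines in the
            // header/account style the video describes, one corrupted with a stray 'Z'.
            lines = new[]
            {
                StringCipher.Encrypt("[General]", Key),
                StringCipher.Encrypt("[SmtpAccounts]", Key),
                "Z" + StringCipher.Encrypt("user@example.invalid:password", Key),
            };
        }
        foreach (string plain in DecryptLines(lines, Key))
            Console.WriteLine(plain);
    }
}
```

Run it as `dotnet run -- default.cfg` (or paste it into LINQPad as a C# Program); with no argument it round-trips the constructed sample and shows the corrupted line being reported rather than crashing the loop.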
Let's slap this into Sublime Text so it's a little bit easier to read. And I probably shouldn't overwrite my default config. But what are we looking at? Ladies and gentlemen, what the heck is this? All right. The general tab is not setting continue, or auto threads, has a recipient, "cookie dot Nick 2017" at outlook dot com, from SMTP. It looks like it's going to end up using those random things. Nice. At superuser.com. Oh, sure. Sure. You and your Stack Overflow, Stack Exchange, Super User things. Now we have threads, connection timeout, read timeout, group header, config name "2017-1", IP list file name, IP URL is "HTTP new five ways dot com slash IP", IP list URL file "Inc 29". Is that a thing? Does that exist? Um, does this machine have internet now? I think it does. I want a virtual machine. Once again, famous last words. All right. So slash IP doesn't get us anywhere, but this "Inc 29," that looks like it's the IP list URL file. Does that need to be included? Should there be, like, a .txt or something, .cfg or .log? This is a cPanel server. So, you know, load config URL is empty. What is all that? Something died in the decryption. Config subject, server body, server again, superuser, port 25, log good to file, log good file name is empty. Just a lot of settings, right?
So headers: from, recipient, subject. Easy. SMTP accounts, what is that? "Phillip," the password. These are the usernames and passwords that it's using to log into all of the SMTP servers, is that right? I think. Look at these, there are so many of them. Look at this scroll bar, there's so many of them. So crazy. Yeah, 5,336, just stupid usernames. Oh, that's why there was that count in the log.txt as to which password you were on, because you're going to try all of these fake accounts to see what you could get an authentication with. Oh wow, that's cool. That's crazy. That was fun. I like doing that little decryption there, because I mean we had the key, we had the initialization vector, that was everything that we would have needed. But wow. Can I set this to, like, an .ini file or something, or like a bash script? Yeah, that's somewhat readable in a disgusting way. Yeah, no, no, no, just, like, it's got some cotton candy colors, but the strings look funny. The variables that are set, what is this? Some username, port, user, pass, setup. Okay, so that must be, like, how it's going to end up connecting. Okay. I almost forgot to try and run the malware, because that would be kind of fun and neat, so let's do that. I will minimize the Sublime Text window and I'll make sure I actually don't have an internet connection for real now, because I don't want that to legitimately infect my VM if it's something spooky. So we'll change network adapters and disable that guy. Cool. The other thing I want to do is actually look at that net.dll also. I don't think I had that one downloaded just yet, so I want to go back to my Users, John H. Okay, and we put it on the desktop. Let's also, do I have a wget? Can I Ctrl+R? All right, so let's get that net.dll and also save that, to explore that in ILSpy. net.dll, is it dead? Did I stop it? No. Oh, I just turned off internet. I'm a stupid. Let's turn that back on just to download that. I should have, like, put that together, you know, I should have kind of mentally known that that was going to
happen. Now I need to remember to actually turn that off when I want to run this malware next, but let's check out this DLL, just kind of see what it does, because it looks also weird. ClientSock, KS, seemingly references that. Includes nothing new. "ksit .net," is that a thing? Can I Google that? Does that have, like, an understanding of the world? Is that an actual thing? No, go Google, Google that, not, don't pretend it's a URL. No, seemingly "enterprise application." No, no, I don't think I will be able to find anything based off of that. But determines, and IsEnc, okay, has an encryption, decryption key, receive, disconnect. So I'm assuming this is just going to end up being for how it, these are the ClientSock functions that we saw earlier, but BeginReceive and OnReceive. ClientSocket has error messages that are there, and we have new Korean strings to look at. Let's go to Google Translate, take a look at that guy. Receive data, OnReceive, it has hash codes seemingly in here. "Received format is not correct." Identification code, it has a hash code and then some bytes that might be included, receiving packet length, inbox. Okay, so that has to be, like, some mail, obviously, we're seeing here. The else probably has very similar, identification code, that hash. Is that hash code something for the instance? Yeah, because it does the Converter.GetInstance, and we have, we have Converter down here, and a ServerSock. So OnReceive, that still errors out. That is a long message, longer than usual, I think. No, no, just a number of bytes and their own encryption, more logging. I'm curious if any of these, it's all going to end up being the same stuff though. SendData, OnSend and close, log to file. It puts it in a socket log. I don't think we ever saw those, like a directory with a socket_log file. It just copies it all in. It also has date and year, has messages, "failed to leave log file," huh, okay. What does our Converter do? Is that going to end up actually doing anything peculiar, or just converting bytes? Looks like it's
just a bunch of functionality, overloaded functions for the GetBytes function with different parameters being passed in. So yeah, it looks like it's just trying to understand how to interpret that data. UInt64. Oh, there's Encrypt and Decrypt, and that is just XOR. It's literally just XORing with the dec key and enc key. Are those defined anywhere? Encoding format, process packet, not included. ServerSock, and that looks like kind of the same stuff that we had just seen, except for the server, and the key is one two three four. Nice. Yep, yep, yep. IP address parsing, connecting to a server just by a socket, receiving, on receipt, disconnect, send data, analyze packet. Okay, that's really all there is to it. Of course, we could have expected that's going to be doing, like, net connection stuff. Great. Let's see if the program, let's see if our little fake antivirus program actually does anything. So let's turn off internet for, like, the fourth time, and this will probably whine that I don't have, um, that default config file set up, if it actually runs at all. Here we go, double-clicking on our fake antivirus, kaspersky.exe. That's really anticlimactic, not going to lie. I don't have a default.cfg. Does it do anything still? No. Is it running in the background? No. I think Details is the one that has it. Is kaspersky doing anything? I don't see him. So something must still be wrong. I could download all the files and see what it might do, but I don't think that's really going to be worth its salt. So we had our fun, we analyzed, we explored, um, I think that is okay to, uh, call it quits here. Maybe we needed all the other files though. What's trying? Fine, fine, you convinced me. Let's see if we can download everything and see what happens, just to, just to go through it all. That is listening on port 8000 on my local. Okay, so we have all the related stuff. Let's download, download, download. "This file can harm your computer," the default.cfg, Chrome tried to stop that. That's kind of neat. Um, yeah, let's save that. Let's get that DLL, keep. Let's see if
Defender actually triggers any of this stuff. Ah, log.txt didn't get saved. Save it, keep it anyway, keep it anyway. Give me all the DLLs. Oh, I actually still don't have all the other ones that I didn't pull in. Maybe it just won't work. Maybe it just straight up won't work. Let's do it for the lols. Let's do it for the internet memes. Let's do it for the YouTube algorithm gods. Let's just do it. Uh, so I put that all in my Downloads, yada. All right, good luck, kaspersky, do it. Oh yeah, turn off internet, don't do it just yet. Actually, I was just kidding, I was jumping the gun on that one. Uh, let's turn off that adapter. Okay, internet is no longer a thing. Kaspersky, you may now infect my computer. Wait, did I click on "don't run"? It's in Downloads, holy crap, click run. I could, like, kick it over to some, uh, like Joe Sandbox or anything, or throw it in VirusTotal and see what other whatever weirdness comes from it, but I don't see it starting on my machine. It's probably because it's missing those DLLs. That's fine, that's fine, we'll move on. We'll, uh, enable that one more time. Let's just kick it to VirusTotal and see if it sees any nito bonito stuff, and then I'm calling it quits, then I'm ending this video. So kaspersky, do it up. One engine detected it: VIPRE, "Trojan Win32 Generic," cobra? What is that supposed to be? Um, "am I infected, what do I do, hi, I just ran a scan, I got this program, great damaging power to completely mess up the system, I need a simple malware analysis." Is there anything in the community section? Anonymous, negative 32 voting. Details, okay, okay, everything else is, like, not totally cool. Meet, look, maybe, I don't know, I don't know if that's really what it should be doing. Let's see what this guy thinks, "swollenator," "swollenator," ooh, huh. They didn't really do anything with it, they thought it was a false positive. What does this thing think? "This Lob, a batch of spam email messages has been distributing a variant of this Lob trojan venomous to your computer, it sends pizza-themed emails." What is this Lob? I
don't know. I don't know if that's it. I don't think it is. I don't think that is the right malware family, not exactly positive. So I think that's all the research or other post-mortem I kind of want to do. Looks like my VM, its Chrome, just didn't want to play nice, but I think we can start to wrap it up. You know, we've done our analysis, we've done some fun stuff. I'll pivot back to the outro, thanks everybody, appreciate it. But wow, look at all those usernames and passwords that are just set up for, like, dummy accounts, and it'll crawl out to all those different IP addresses, all 73,000 of them, find some good ones that we happen to see in all those different areas of the world, and send monitoring status or information via SMTP. I don't know if I could say it's command and control, I don't know if I could say it's C2, because I didn't see anything running commands or, like, running code on the victim or on this target, but that's not to say, like, else that could be happening, or anything else that's set up, and maybe I could be completely wrong. I could be completely, totally wrong. Hopefully you guys saw going through this video, like, hey, I'm cruising through ILSpy, I would look through dnSpy, I want to explore all these different files, see what I can make sense of. But look, I'm still learning too, so if there is anything that you can teach me, if there's anything that you can tell me, I'm all about it. I want to hear it. Please do put it in the comments, please do help not only me learn but help everyone learn, and that's what this is all about. So that was fun. I hope that was cool. I hope, I don't know how this stacks up in the other videos of the malware analysis stuff we've been doing, but I think using C# and using LINQPad to be able to decrypt that stuff that we see defined here, that's kind of neat and kind of cool. Took a little bit of finagling, took a couple of trips, me stumbling over and banging my head against the wall, but I hope it was fun. So thanks so much, everybody, for
tuning into this video. I hope you enjoyed it. I hope you're enjoying all these others, and hopefully we can keep doing more of this, because it seems to be really, really well received and it's helping the channel grow. And you know what else helps the channel grow is you engaging with the YouTube algorithm, so please do press that like button, please leave a little comment, please hit that subscribe button, hit the bell, smash, destroy, literally obliterate the bell. That actually helps get you notified when I produce another video. So all right, that's it, that's my outro, that's the whole thing. I had fun, hope you did too. I love you, everybody. I'll see you in the next video. Take care.