Hello, I'm Didier Stevens, senior handler with the Internet Storm Center. In this video we are going to look at a malicious payload hidden in a WAV file using steganography.

So a couple of months ago there was this article, a blog post, about malicious software like a cryptominer hidden in a WAV file. It would not execute automatically: you had a loader, which is described here, and this is the WAV file, and inside the WAV file there is this DLL. Now in this video I'm going to show you how you can use my tools to extract this DLL from the WAV file.

So I have this WAV file here, and let's identify it. So it is little-endian, it's a WAV file, pulse-code modulation, 16-bit stereo. Let's look at the beginning of this file, do an ASCII/hexadecimal dump of the beginning of this file, so the first 256 bytes. Here you see RIFF, that it is WAV, and then you have "data" here, these four bytes, which are then followed by these four bytes, that is the length of the chunk, the data itself, and then here you have the pulse-code modulated data. So you have 16 bits for the left channel, 16 bits for the right channel, and then it repeats itself like this until the end of the file. The payload here, the Windows executable, is hidden in the least significant bit of each pulse-code modulated value, so each 16-bit value here.

So we are going to extract this. For that I'm going to use my format-bytes tool. We are going to specify a format, and the format is a bitstream format. With the bitstream format you have to say first of all how to interpret the bytes, so the format of the bytes, so that's F: so it is little-endian, so "smaller than" (<), it's like the Python struct module, the format specifier that I use here; and then it is a 16-bit signed integer, so that's lowercase h.

Next you specify which bits of this 16-bit integer you want to extract; when it is the least significant bit, that is bit 0. And finally you have to say how to join these bits together, from left to right or from right to left; here it is little-endian, so "smaller than" (<). And that is our format specifier for the bit stream that is encoded in the data using the least significant bits of 16-bit unsigned integers, little-endian. Then I can provide the file, and let's just look at the head, not the complete file. Now this will not give the expected result, because what we are doing now here is converting the bit stream from the first byte on, but it's actually not from the first byte that the payload is encoded. It's here, starting from here, so that's "data" and then 8 bytes further: start of "data", 8 bytes further, and that's actually where the data stream starts. So we have to cut out that part, so I'm going to specify a cut expression: that is the cut identifier, and so I'm looking for the string "data" and then I add 8 bytes to that position, so the data starts 8 bytes after the beginning of that "data" string, and then we want everything until the end of the file, like this. And as you can see, now here we indeed have an executable here, MZ, and "This program cannot be run in DOS mode", and then a little bit further you will probably find the PE header. Now also remark that MZ isn't at the start of the decoded stream; there are some other bytes before that, and that is actually the size of the embedded file. But let's first look at the embedded PE file.

So now, instead of doing an ASCII dump, I'm going to do a binary dump, because I'm going to pipe this into my tool pecheck to analyze PE files, and I'm going to say to my tool pecheck to locate all the embedded files that are PE files: locate PE, like this. And it found at position 4 a 64-bit DLL with this MD5 hash, and if you look up that MD5 hash on VirusTotal then you see here that it is indeed a cryptominer, a Monero cryptominer. The hash here is A292 and so on, and if we go back here we have that same hash, so we have recovered the PE file using my tool format-bytes. We can now also select that file: I say, OK, you locate the first file and work with that file, like this. Let's pipe this through less, and then you have here an overview, for example all the sections with the entropy, and here for example the compile timestamp, so May 28 2018, and if you look here, that is also the compile timestamp that is mentioned.

And finally we are going to extract those first bytes that actually represent the length of the payload, the first bytes, the first four bytes. Now these first four bytes, if you read the article, they are big-endian encoded, so I'm changing my format specifier here, big-endian, and I'm piping this through my tool format-bytes just to analyze the first bytes of the stream. And if you look here, a four-byte integer, a 32-bit integer, the unsigned big-endian value is here 733,696, which corresponds exactly with the data specified here in the article.
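Added worked example (my own Python, not part of the video transcript and not Didier Stevens's format-bytes.py or pecheck.py): it reproduces the extraction the video performs with format-bytes, namely walking the RIFF chunks to the "data" chunk (the cut expression ['data']+8), taking bit 0 of every little-endian 16-bit sample, joining the bits little-endian (first bit into bit 0 of the first output byte, which is how I read the "<" join order described in the video), and reading the big-endian 4-byte length that precedes the MZ header. It assumes that bit-join order. The cover WAV and the "payload" are constructed in memory by build_cover_wav so the script runs offline; they are stand-ins, not the real sample from the article.

```python
import random
import struct


def pack_bits_lsb_first(bits):
    """Join a bit sequence into bytes, first bit -> bit 0 of the first byte
    (assumed equivalent of the "<" join order in format-bytes' bitstream format).
    Trailing bits that do not fill a whole byte are dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for j, bit in enumerate(bits[i:i + 8]):
            value |= bit << j
        out.append(value)
    return bytes(out)


def find_data_chunk(wav: bytes):
    """Walk the RIFF chunk list and return (offset, size) of the PCM bytes
    inside the 'data' chunk. Same start as the cut expression ['data']+8 in
    the video, but it follows chunk sizes instead of searching for the string,
    so a 'data' byte sequence inside an earlier chunk cannot mislead it."""
    if wav[:4] != b"RIFF" or wav[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos = 12
    while pos + 8 <= len(wav):
        chunk_id = wav[pos:pos + 4]
        chunk_size = struct.unpack_from("<I", wav, pos + 4)[0]
        if chunk_id == b"data":
            # Clamp to the file: truncated files advertise more than they hold.
            return pos + 8, min(chunk_size, len(wav) - pos - 8)
        pos += 8 + chunk_size + (chunk_size & 1)  # chunks are word-aligned
    raise ValueError("no data chunk")


def extract_lsb_stream(wav: bytes) -> bytes:
    """Decode the bit stream hidden in bit 0 of each little-endian 16-bit
    sample (format-bytes bitstream format '<h', bit 0, join '<')."""
    offset, size = find_data_chunk(wav)
    n_samples = size // 2
    samples = struct.unpack_from("<%dh" % n_samples, wav, offset)
    return pack_bits_lsb_first([s & 1 for s in samples])


def carve_payload(stream: bytes) -> bytes:
    """The decoded stream starts with a 4-byte big-endian length (the bytes
    before MZ in the video); the embedded file follows at offset 4."""
    (length,) = struct.unpack_from(">I", stream, 0)
    if length > len(stream) - 4:
        raise ValueError("length field %d exceeds decoded stream" % length)
    return stream[4:4 + length]


def build_cover_wav(payload: bytes, seed: int = 1) -> bytes:
    """Constructed test input (not the real sample): 16-bit stereo PCM noise
    whose sample LSBs carry big-endian length + payload, then filler bits."""
    stream = struct.pack(">I", len(payload)) + payload
    bits = [(b >> i) & 1 for b in stream for i in range(8)]
    bits += [0] * 64  # audio continues after the payload ends
    rng = random.Random(seed)
    samples = []
    for bit in bits:
        s = rng.randint(-32768, 32767)
        samples.append((s & ~1) | bit)  # overwrite bit 0 with the payload bit
    data = struct.pack("<%dh" % len(samples), *samples)
    # fmt chunk: PCM (1), 2 channels, 44100 Hz, byte rate, block align 4, 16 bits
    fmt = struct.pack("<HHIIHH", 1, 2, 44100, 44100 * 4, 4, 16)
    body = (b"WAVE" + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", len(data)) + data)
    return b"RIFF" + struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    # Constructed stand-in for the embedded DLL: just the DOS stub text.
    fake_payload = b"MZ\x90\x00This program cannot be run in DOS mode."
    cover = build_cover_wav(fake_payload)
    stream = extract_lsb_stream(cover)
    print("length field (big-endian):", int.from_bytes(stream[:4], "big"))
    print("MZ found at decoded offset:", stream.find(b"MZ"))
    print("recovered:", carve_payload(stream))
```

On a real capture you would read the WAV from disk, pass it to extract_lsb_stream, and hand carve_payload's result to pecheck or pefile; the length check in carve_payload is the guard you want, because a wrong bit order or a wrong cut offset produces a garbage length field rather than an MZ at offset 4.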