Welcome to my analysis for HeadTracks. Now, today's sample is not really challenging and it's not difficult to analyze, but it's quite fun. And I just want to share it with you so you can have some fun too. Okay, we will jump in right away and run it while looking at it with Process Explorer. There it is. Okay, we renamed the file to the .exe extension so we can run it. Here is a nice icon. And let's just run it. There's our process. And it opens up a small window with the title "infect" and the content "label one". That's interesting. And there's an exception. The program crashes so far. It's no fun at all. And the reason is "remote name could not be resolved", because I have no internet connection. If you have an internet connection for your analysis machine, it will still not work, because the remote host is not online anymore. And, well, what are we going to do? If you look at this sample with the end slide, and that's what I did first, I found quite some interesting images in it, which I saw. Well, I want to get this to run so I can make some screenshots. How are we going to do that? There's a nice tool called Fiddler. And Fiddler is actually meant for web developers so they can debug their web applications. But it's also quite useful for malware analysis. For instance, if we run the sample, okay, quit it again. We run the sample. We will get here a protocol, a log, of the requests that our sample made. And these are all the same requests to this host, and it requests a site.html. So it's a GET request. You can check some details here in the Inspectors tab and change the format of that request: text or raw, hex or whatever. And here's another very interesting feature of this. That's the AutoResponder. So we will just make Fiddler respond to that request by enabling the rule. And we drag this right in here. So we basically copy the request in here. And we say we want our own custom response.
Let's just start with providing a FiddlerGif.dat. Save that. So now you see it's saved here. That's our response and it's enabled. So this should be green. We will remove the things that we already captured and then run it again. Now, this time it doesn't crash. So that's good, but nothing else happens. It's still not found, right? Okay, kill the process, remove that. So we need to make the right response for this sample so something funny happens. And for that you have to analyze it. Now let's just take a short look into it. I won't go too much into detail, but I will just show you the location of the code where you find the stuff you need. It's not obfuscated. It's not packed. It's really quite easy. And you already see that it's not serious at all, just based on the strings that you find here already. There's Form1. And it kills Task Manager. That's interesting. And here is this timer1 Tick method. There you find a lot of string compare commands. And the strings that are in here: zero, Werbung. Werbung is German for advertisement. The strings that are in here are the commands for this vector. So every command will make the vector do a certain thing. And this looks quite interesting. So one of the commands is "music". Let's just try this. That looks like something nice. And we might want to see that. So we just say "Create New Response" and click on save. And now you can enter your response, which is "music". And now you save that. And then run the form. And that's what happens. Lots of windows. We will just kill the process. Crying baby. System32 not found. And the other commands are also interesting. So you might just want to try them out a bit. I will show you another one. And that's "kaufen". Kaufen means to buy something. Create our response again and say "kaufen". Save. And then run the sample. And that's what happens. It's basically a screen locker here. And it says kind XPII cleaner. And then some German stuff.
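The AutoResponder trick above can be reproduced without Fiddler by standing up a tiny fake web server on the analysis machine and answering the sample's GET request for site.html with the command you want to observe. The following is an added example written for this analysis, not a tool from the video; it assumes you point the sample's hard-coded hostname at the analysis machine (for instance with a hosts file entry) and that the sample accepts the command as the plain response body, exactly as the Fiddler response did. The host, port and command values are constructed for illustration.

```python
# Added example: a minimal stand-in for Fiddler's AutoResponder.
# It serves a canned reply for the one path the sample polls (site.html)
# and logs every request, so the sample can be run and observed offline.
# Hostname redirection (hosts file) and the path are assumptions.
from http.server import BaseHTTPRequestHandler, HTTPServer
import logging

# Request path -> canned response body. Edit the value to try another
# command from the sample's timer tick handler (e.g. b"music" or b"kaufen").
RESPONSES = {
    "/site.html": b"music",
}

# Every request the sample makes is recorded here (path, client address),
# which is the same information Fiddler shows in its session list.
REQUEST_LOG = []


def lookup_response(path: str):
    """Return (status, body) for a request path, mirroring one AutoResponder rule.

    Query strings are ignored so '/site.html?x=1' still matches the rule.
    Unknown paths get a 404, which is what the sample saw with FiddlerGif.dat.
    """
    body = RESPONSES.get(path.split("?", 1)[0])
    if body is None:
        return 404, b"not found"
    return 200, body


class FakeServerHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = lookup_response(self.path)
        REQUEST_LOG.append((self.path, self.client_address[0]))
        logging.info("GET %s from %s -> %d %r",
                     self.path, self.client_address[0], status, body)
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    # Keep the default access log quiet; we log via logging.info above.
    def log_message(self, fmt, *args):
        pass


def serve(host="127.0.0.1", port=8080):
    """Block and serve until interrupted. Bind to the address the sample resolves."""
    HTTPServer((host, port), FakeServerHandler).serve_forever()


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    serve()
```

Run it on the isolated analysis VM, add a hosts entry mapping the sample's domain to 127.0.0.1 (and use port 80 if the sample does not let you choose a port), then start the sample: the request shows up in the log and the body you configured is what the sample parses as its command.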
Like best protection, no errors, best performance, system modding, live console. And it lives very long. So your PC will live very long. And here you can buy it. Okay, let's click on that. Okay, the payment options. And obviously it was meant to be used this way: it messes up your computer with error messages and crying babies, and then the screen locker shows up as a means and says it will rescue you from these errors on your system. And you have to buy it. Yeah, that's interesting. I cannot close this anymore. It's a screen locker. So let's see you next time. Please try out the sample. It's worth it. It's fun. See you next time.