Welcome to Malware Analysis For Hedgehogs. So let's address the elephant in the room first. Yes, I cut my hair. It just got too thin on the top. So that's the only reason; it's not because I want to look like OALabs. So, yeah, now today's topic is Speakeasy. I came across a bunch of kernel mode drivers during my work lately which were packed, and Speakeasy was in that case a very handy tool. So let me showcase to you how to install and how to use it.

So the tool that I mentioned is called Speakeasy. It's from Mandiant. That's where you get it from, that's the GitHub page. So all you have to do is download it with Code, Download Archive, and then extract the archive, and you follow exactly these installation options. Now this is Python based, so you need Python 3. So install Python 3 first if you haven't already, and then simply execute those two, and Speakeasy is installed onto your system. So it's not that complicated. Now you might be tempted to just type pip install speakeasy. I think there's another package called speakeasy, which is not this one. So this will not work. I tried this on Linux and there was something else.

So with that said, what is Speakeasy actually? Speakeasy is an emulator, so it will not execute your sample. Instead it will emulate the sample. It will create API traces for you and it can create memory dumps for you. I already created some memory dumps beforehand, because for the kernel mode samples that I want to show you it takes a little bit of time, and I did not want to waste too much time on that during the video. So how do you use it? Well, after installing it you have a speakeasy.exe in your path, and if you don't enter anything you see all of the options. The options are also explained on the website on GitHub.
But the most important one is -t for target. So that's how you specify the sample that you are using, for instance the kernel driver. And now the kernel mode step takes a little bit longer than the user mode samples, and for these, I'm gonna break here, for these, to get valuable memory dumps, you have to set the timeout a little bit higher, maybe one hundred twenty, so it's like two minutes. Three hundred worked for me, but I think one hundred twenty might work as well. And then you set with -d the memdump archive name, and then maybe specify what it is for. So that's how you execute this one. Now I'm gonna do it like this. Now if I execute this it takes far too long, so I'm not gonna do it for this one, but maybe showcase it instead for the user mode sample.

So, and now it's already finished. Yeah, the user mode samples go by pretty quickly. You just need to know, just using this one, it will not work immediately. It will not work on .NET. It will not work on VB5, VB6, because these need additional libraries which it doesn't ship with, so those will not work. But some samples will work very well, and for this sample what I find quite useful here is you get all of the dynamically resolved imports. So it has some imports, it's a packed file and it resolves some imports when executed, and those are the ones that you get, so you already know, okay, these are probably also the APIs it's been using later. Very, very useful. And here are some more, and you can kind of see sometimes also paths, if it copies itself somewhere you see more paths. And the memdump of course is a useful one. It's now been put here. So let's take a look at the memdump actually.

So I got these during my daily work as a malware analyst. I got these as tickets, kernel mode drivers, and now my task as a malware analyst is usually just to give it a verdict, say it's malware, it's clean.
Yeah, and for these I got the same task, and the issue is they are packed. That's already quite unusual, that drivers are packed. Now let's check it. Is it really packed? Yeah. Creating the visualization for this one. This is kernel driver PNG, and you want this for kernel driver. So we create the visualization. It also tells us here we have some weird section names, .vmp0 and .vmp1. You might want to know, or see it from the output of PortEx, that this is typical for VMProtect. Detect It Easy will tell you the same, and if you check the visualization and also just the entropy, it could tell you the same, because this file is packed. So you have a very high entropy area here which matches this packed entropy, and yeah, fractionated imports, you know, they are spread all over here. This is typical for the unpack, VMProtect, sorry. So there's that.

And I had the issue, I could not just, I tried installing this with sc.exe onto a Windows 10 VM, and then I realized it doesn't work for Windows 10. So you need to find out which system the kernel driver does work with in order to execute it dynamically, and this turned out to be a bit time intensive. I'm always trying to get things done faster and take shortcuts a bit if I have to analyze lots of files every day. So that's why I came across Speakeasy and tried it.

So here, when we actually check the memdump of this one, here, that's the output from Speakeasy. I set the timeout to 300 seconds, and there is one memdump file that is quite big. That's usually the interesting one, so you're gonna look at that first, and we are gonna check this with strings.exe. Let's see. So I'm gonna put that into kernel memdump strings, and then I'm gonna open a notepad, because I increased the size a bit so you see it better. So this is still a lot of stuff.
We have like tools to strip away the more uninteresting strings, but now, if you don't have that you're gonna scroll a little bit more. And if you scroll down a little bit you get to this area here. So that has some readable strings that you do not see in the file on disk, and that's interesting because these are like two bigger strings for some kind of game cheat tool. So it says like triggerbot, auto flash, auto ace blog, auto not bag, and down below you see stuff like names from Overwatch characters. So this is quite likely a game cheat tool, and at this point, in my line of work, we stop analyzing, because those are not tools we spend more time on to check if it's malware. It's in the grayware category, so they generally get no more analysis time. That's then just a grayware tool, and grayware is often handled as don't care. So if you have cheats, illegal software or anything of that sort, most of the time analysts will not take care to, I neither take care to fix false positives nor take care to check if there's extra malware behind it.

So with the second one, that's kind of similar to the first, and let's also check the strings from this one. So this is the kernel driver two memdump strings. Now, I assume, now here's this thing, these are also a lot, a lot of strings. I know it's a kernel driver, and most of the time if drivers have to install themselves they use some folder named Device to get there for the installation. So I'm searching for Device, and that's actually how I get to this area here. And what made me now able to say the verdict for this one is, if I have analyzed files before, I create YARA rules for them, and I specifically create YARA rules that are not tied to the PE file format. So I create them in a way that they work for memory dumps as well, and in that case the code that I created the rule for matched on this, because I had a file like this before that was not packed. And then I found out, okay.
So it's a rootkit that I checked before, and yeah, these are also the strings. Now if you haven't seen this before, I would recommend, unless it's essential that you analyze specifically this example, just search for those strings and look at VirusTotal, for instance, if you find files that are already unpacked and that have all of those strings here. So you can find a non-packed version of this file already. That's certainly easier than trying to unpack this one. Yeah, so this is malware, and at this point I could already stop instead of, you know, setting up everything with a new Windows version and hoping that it works.

Yeah, and for the user mode sample, what was awesome was a match on one of my YARA rules. Now the rule looked something like that, I'm gonna write it really quick. It was something like: "This program", that's the DOS stub message. You say this one was XORed with some key that's between those values, so you exclude a non-XORed DOS stub message. If the key was zero it would just not be encrypted. And the condition is just something like this. So you say this is a YARA signature. No, I don't want to save it in here, but on the desktop. So save it now. This was one of my, I have a huge YARA rule set with similar rules where I just find interesting things in files, because it also saves time. And now the memdump, that's the one we just created, right? Yeah, here it is. That's the memdump, and also here you have another file. Again, the most interesting file is the largest one, in this case, which is this. So let's put it here, and we're gonna run YARA on that with all of my rules. Let's pretend these are all of my rules. Yeah, and you get a match on pexor on this memdump.
So now you want to know where this is. You put -s and you see, okay, it's at this location. So you can just open this file in the hex editor, say go to this location, and that's the XORed "This program". So we may assume that if you cut out this part and try to decode it with some XOR tool, you will get a portable executable out of it that is packed inside this file. And you will also realize, you see, this signature does not work on the user mode sample. So it actually unpacked something here in memory, the emulator, and so for this sample it's very useful. For others it might not work, so it really depends, but I think it's worth trying. It's better than having to set up everything. Yeah, so that's it already for today. Thanks for watching and see you next time.
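As an added example (not the video's YARA rule and not Speakeasy code), the same check in Python: find the DOS stub message XORed with a single-byte key between 0x01 and 0xff in a memory dump, then walk back to the encoded MZ header and decode it. The memdump it scans is constructed inline, and the carving helper is a hypothetical illustration of the "cut out this part and XOR it" step.

```python
# Added example, not the video's YARA rule itself: the "DOS stub message XORed
# with a single byte 0x01-0xff" check in Python, plus a helper that walks back
# to the encoded MZ header so a hit can be decoded in one step.
DOS_STUB = b"This program cannot be run in DOS mode"


def xor_bytes(buf: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in buf)


def find_xored_dos_stub(data: bytes, min_key: int = 0x01, max_key: int = 0xFF):
    """Return (offset, key) for every single-byte-XOR copy of the stub message.
    Key 0x00 is left out on purpose: that is the plaintext string every PE on
    disk carries, which is exactly the false positive the rule wants to skip."""
    hits = []
    for key in range(min_key, max_key + 1):
        needle = xor_bytes(DOS_STUB, key)
        pos = data.find(needle)
        while pos != -1:
            hits.append((pos, key))
            pos = data.find(needle, pos + 1)
    return hits


def carve_candidate_pe(data: bytes, stub_offset: int, key: int, lookback: int = 0x100):
    """Hypothetical helper: look backwards from the stub for the encoded 'MZ'
    magic and return the decoded bytes from there to the end of the buffer.
    The real length of the embedded file has to be taken from its PE headers."""
    start = data.rfind(xor_bytes(b"MZ", key), max(0, stub_offset - lookback), stub_offset)
    if start == -1:
        return None
    return xor_bytes(data[start:], key)


def build_sample_dump(key: int = 0x5A) -> bytes:
    """Constructed stand-in for a memdump: filler, then a minimal DOS header whose
    stub message sits at the usual 0x4E offset, all XORed with `key`."""
    fake_pe = b"MZ" + b"\x90" * 0x4C + DOS_STUB + b".\r\r\n$" + b"\x00" * 16
    return b"\x00" * 0x200 + xor_bytes(fake_pe, key) + b"\xff" * 0x40


if __name__ == "__main__":
    dump = build_sample_dump()
    for offset, key in find_xored_dos_stub(dump):
        print(f"xored DOS stub at 0x{offset:x}, key 0x{key:02x}")
        print(carve_candidate_pe(dump, offset, key)[:2])  # b'MZ'
```

To run it on a real Speakeasy memdump, replace `build_sample_dump()` with the bytes read from the dump file; the decoded buffer still has to be cut to the length given by its own PE headers.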