
Discovering C&C in Malicious PDFs with obfuscation, encoding and other techniques

BSides Athens · 2021 · 57:39 · 427 views · Published 2021-06 · Watch on YouTube ↗
About this talk
A workshop examining techniques used to embed command-and-control infrastructure in malicious PDFs. Covers PDF file structures (headers, bodies, cross-reference tables), obfuscation and encoding methods, JavaScript-based attacks, anti-disassembly techniques, and practical analysis methodologies for researchers investigating PDF-based malware.
Original YouTube description
Abstract: Demonstrate the different kinds of structures in binaries such as a PDF (header / body / cross-reference table / trailer), explaining how each section works within a binary and which techniques are used, such as packers, obfuscation with JavaScript (PDF) and more; explaining also some anti-disassembly techniques, demonstrating how this malware acts and where it would be possible to "include" malicious code. By the end of this "talk" the differences between binary structures will be clear to everyone, as well as how a researcher should conduct each of these kinds of analyses, besides, of course, seeking more basic knowledge of file structures, software architecture and programming languages. Similar presentations: https://www.youtube.com/watch?v=mJZCNqcO10A&t=51s (NahamCon's on RTV 2021 - Discovering C&C in Malicious PDFs); https://www.youtube.com/watch?v=nxlqxLWO16k (GrayHat - Red Team Village - 2020 - US) - Dissecting; https://www.youtube.com/watch?v=0pp6xcFsXgE&feature=youtu.be (HITB - 2020 - Hack In The Box Security Conference - Europe) - Threat Hunting; https://www.youtube.com/watch?v=yAjvfTYEhOw (D.C. Cybersecurity Professionals - 2020 - US) - Dissecting PDF Files to Malware Analysis; https://www.youtube.com/watch?v=oWkgyPgAMsg (BSIDES DFW - 2020 - US) - Dissecting; https://www.youtube.com/watch?v=NVXpBy3RNTE (CIA Conference 2020 - India) - Dissecting PDF Files to Malware Analysis. Articles published / Publications: https://pentestmag.com/product/pentest-fuzzing-techniques/ https://www.linkedin.com/feed/update/urn:li:activity:6658688388310401024/ https://github.com/filipi86/MalwareAnalysis-in-PDF https://medium.com/@filipi86/malware-analysis-dissecting-pdf-file-a95a0ffa0dce
Bio: I've been working as Principal Security Engineer and Security Researcher at Zup Innovation and Global Research Manager at Hacker Security, and I am staff of DEFCON Group São Paulo, Brazil. I have talked at security events in the US, Germany, Poland, Hungary, Czech Republic, Brazil and other countries, served as University Professor in graduation and MBA courses at Brazilian colleges such as FIAP / Mackenzie / UNIBTA and UNICIV, and in addition I'm Founder and Instructor of the course Malware Analysis - Fundamentals (HackerSec Company - Online Course).
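The talk's workflow is: identify the file by its magic number rather than its extension, then count the PDF's structural keywords and the names that carry code (/JS, /JavaScript, /OpenAction, /AA, /ObjStm, /Encrypt), the way Didier Stevens' pdfid does. The following is an added example written for this page, not the speaker's code nor pdfid itself; it goes one step beyond the talk by also undoing the `#xx` hex escapes that PDF allows inside names, so `/Java#53cript` is counted as `/JavaScript`. The sample PDF at the bottom is constructed for illustration.

```python
"""pdfid-style triage of a PDF: magic check, structure keyword counts and
risky name counts, including names hidden with #xx hex escapes (added example)."""
import re
from collections import Counter

# Magic numbers discussed in the talk; file(1) keeps a far larger database in magic.mgc.
MAGIC = {
    b"%PDF-": "PDF document",
    b"\x7fELF": "ELF executable",
    b"MZ": "PE/DOS executable",
}

# Structure keywords a PDF must contain; mismatched obj/endobj or stream/endstream
# counts hint at truncation or deliberate malformation.
STRUCTURE = ("obj", "endobj", "stream", "endstream", "xref", "trailer", "startxref")

# Names worth flagging: those pdfid reports (/JS, /JavaScript, /AA, /OpenAction,
# /ObjStm, /Encrypt, ...) plus a few other code- or file-carrying entries.
RISKY_NAMES = {b"/JS", b"/JavaScript", b"/AA", b"/OpenAction", b"/ObjStm",
               b"/Encrypt", b"/Launch", b"/EmbeddedFile", b"/AcroForm", b"/RichMedia"}

# A PDF name token runs from '/' up to the next whitespace or delimiter character.
NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]*")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def identify_magic(data: bytes) -> str:
    """Mimic file(1): classify by the bytes at the start, not by the extension."""
    for signature, label in MAGIC.items():
        if data.startswith(signature):
            return label
    return "unknown"


def decode_name(token: bytes) -> bytes:
    """Undo #xx escapes, so /Java#53cript is recognised as /JavaScript."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), token)


def count_names(data: bytes):
    """Return (risky name counts, number of risky names that used #xx escapes)."""
    counts, obfuscated = Counter(), 0
    for match in NAME_RE.finditer(data):
        raw = match.group(0)
        name = decode_name(raw)
        if name in RISKY_NAMES:
            counts[name.decode()] += 1
            if name != raw:
                obfuscated += 1
    return counts, obfuscated


def triage(data: bytes) -> dict:
    """Produce a pdfid-style report plus plain-language warnings."""
    header = re.match(rb"%PDF-\d\.\d", data)
    # \b keeps "obj" from matching inside "endobj" and "xref" inside "startxref".
    structure = {kw: len(re.findall(rb"\b" + kw.encode() + rb"\b", data)) for kw in STRUCTURE}
    names, obfuscated = count_names(data)
    warnings = []
    if header is None:
        warnings.append("no %PDF header: not a PDF, or header deliberately shifted")
    if structure["obj"] != structure["endobj"]:
        warnings.append("obj/endobj mismatch: truncated or malformed file")
    if names.get("/JavaScript") or names.get("/JS"):
        warnings.append("embedded JavaScript present")
    if names.get("/OpenAction") or names.get("/AA"):
        warnings.append("automatic action on open: code may run without a click")
    if obfuscated:
        warnings.append(f"{obfuscated} risky name(s) hidden with #xx escapes")
    return {"magic": identify_magic(data),
            "header": header.group(0).decode() if header else None,
            "structure": structure, "names": dict(names),
            "obfuscated_names": obfuscated, "warnings": warnings}


# Constructed sample (not real malware): the catalog's /OpenAction points to a
# JavaScript action whose /S value is escaped as /Java#53cript to dodge a naive grep.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
    b"4 0 obj\n<< /S /Java#53cript /JS (app.alert('hello')) >>\nendobj\n"
    b"5 0 obj\n<< /Length 5 >>\nstream\nhello\nendstream\nendobj\n"
    b"xref\n0 6\n0000000000 65535 f \n"
    b"trailer\n<< /Root 1 0 R /Size 6 >>\nstartxref\n0\n%%EOF\n"
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

Run it against a real sample by replacing `SAMPLE_PDF` with the file's bytes; only the first bytes decide `magic`, exactly as the `file` command does in the talk.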
Transcript [en]

Hello everyone, welcome aboard. My name is Filipi, and I'm so glad to be here to talk to you. Today we're going to talk about discovering C&C in malicious PDFs using some techniques like, you know, obfuscation, encoding and other techniques that we can see during this workshop, during this conversation, right? So let me introduce myself. It doesn't matter so much who I am, but okay, anyway, I need to present some contacts for me on social media, right? So I have this web page and, you know, let me show you here. I have it in my virtual machine here, so if you'd like to open your virtual machine, you know, to

practice with me together, so we can practice together during this workshop, during this conversation, right? So I have here this simple Kali Linux. You can use Arch Linux or another Linux distribution; it's, you know, up to you, you can use whatever you prefer, right? So this is my home page. It's a very simple web page, you know, a static web page. Here's information about me, and here are some open source projects that I have been participating in, and this project is very interesting because it's related to security, right? Here's another one related to DevOps, to help the developers using, you know,

this kind of project, for example in a mobile project and web applications and whatever. Here's another, different work with different cycles and something like that, right? So here are some presentations, some talks that I made at some events. Probably in the future this workshop will be here on this website, and here, if you'd like to see some articles, not about me but about some testing that I did or, you know, whatever, here are some articles that were published, right? So let's return to my presentation again. I have been using Twitter and GitHub and LinkedIn a lot; these are the main social media that I have been working with,

right? So I have been working as a security researcher and security advocate at Zup Innovation. It's a Brazilian company, and I'm advocating for this awesome project, Hacking Is Not a Crime, because I would like to talk more about this for you. It's, you know, a very good project, a very good initiative actually, and the idea is to explain more to people about this concept, right? Because hacking is really not a crime; it's a lifestyle, right? It's a creative mind, when you see some software, when you work with, you know, discovering something, and this is the focus of this project, right? So I am part

of the staff team of the DCG5511 in São Paulo, here in Brazil. By the way, I am talking here from São Paulo, in my small office here. As you can see behind me is my balcony; you know, I have here some apartment buildings behind me. And yes, I am a security researcher and instructor for the Portuguese courses at Hacker Security, it's a Brazilian company, and I'm an instructor and the writer and reviewer for the magazine, and I have one course about malware hunting. Right, guys, so let's talk about our summary today. First of all, I'd like to explain in more detail, just a concept actually, what a threat is, and after that we'll explain more

about malware analysis, those first steps, and I will talk, at the end of this workshop, about the structure of the PDF, and I will explain about the demo, and I will open it to you to answer some questions, right? So again, if you'd like to open your virtual machine during this conversation (during this conversation, oh my goodness, during this conversation, that was pretty cool, right). So what is a threat? First of all, it's just a concept. According to, this is not my definition, right, it's the definition from ISO, a threat is defined as a potential cause of an incident, right? So maybe, you know, it may cause harm to the system or organizations.

But what does that mean exactly, Filipi? It's a kind of software attack, or maybe a theft of intellectual property, or maybe identity theft, right? It's very common. And sabotage and information distortion are examples of information security threats. It means all those things are threats, right? So everything is related to software, right? So when you build something like, you know, some applications and apps to use on iOS or Android, it's software, right? And if you have some hardware, probably you have a layer of firmware or, you know, some application behind it, and software. If you have an appliance, you have software there.

It means, you know, everything is related to software, so when you have some software attack, it is a threat, right? And of course, when you produce something, when you are a software house, for example, and you have some intellectual property, or if the theft is related to a threat, so all those things are threats. Why do I need to understand that, Filipi? Because when you see that, you need to understand, when you receive some software or some artifact, whether this software is malicious or not. In this case, this is the first step, right? So the identification step. It's a simple life cycle; of course, it's just

one opinion, and I see this as a good life cycle, from a friend, a Brazilian friend, right? So this step is very important because you need to understand if this artifact or this sample is malicious or not. In this case, probably if it is malicious, you have a malware or a maldoc, which means malware is malicious software and maldoc is obviously a malicious document. And after the identification step you can choose the best strategy or method to apply in this analysis: you can define if you will use static analysis, right, or dynamic analysis, and after that you can produce something very interesting that usually

the managers and the coordinators like a lot, right? It means a report, because you can present that to your leader, right? Because when you make some analysis you can produce this report, so after this report, when your manager or your boss has this report on the table, you can do other actions. What is the next step? You can improve your defense mechanisms, because if you understand what the real path of this artifact is, you can improve your defense mechanisms, right? Because if, for example, this malware bypasses some security sensor that you have, you can make some adjustments in the settings or something like that, right?

If you have a big company, or maybe if you have a small company, it's not a problem, you can try, you know, to build this awesome idea, cyber threat intelligence, right? Because you can use many different tools to, you know, automate this process to generate intelligence against threats. That's the point here. And of course you need to strengthen cyber resilience in your team, in your environment, because, you know, the threats are changing all the time. So this is a simple life cycle of malware analysis. The simple one, of course, is not the only model; you can use another different one, it's not a problem, but it's just one simple idea for you, right? So let's

explain more about static analysis. It's very simple. Usually we begin our exploration of malware analysis with static analysis, which is often the first step in our studies. Why? Because static analysis usually describes the process of analyzing a program's code, right, or maybe its structure, to determine its functions. For example, you have some code, and this code has some library, and for example some library calls some function inside your operating system, right? So the program itself doesn't run at this time, you know, of course depending on what program you are using, right? So this makes the parsing process more, you know, safe, because we aren't actually executing it, right? So it means it doesn't run

at this time. Because of this, usually it is the first step in malware study, or is used by malware analysts, right? So when you explain dynamic analysis, on the other hand, it is different: it's based solely, or only, on behavior, it means, and on the interaction that malware has when it's executed, or when malware is used, also known as runtime analysis. You see, it's different, because one of these tests, or this analysis, you use at runtime, and the other doesn't run at that time. It's different, right? It's a very simple explanation, but because it's very clear I don't need to explain more deeply, because it's a simple definition.

In one of these you execute the malware and you see the behavior; in the other you don't execute the malware, you need to see the code, the structure, and, you know, understand how this malware or maldoc or sample works, right? So it can be easily automated. There are sites today that already perform analysis of a malicious artifact using, you know, the simple concept called sandbox, or maybe when you perform this sample in a web application scanning, and actually it's an antivirus, it's kind of like, you know, VirusTotal. It's antivirus scanning. When you put some sample or a URL inside VirusTotal, anyway, they execute this, and of course

you have many engines provided by many different security vendors inside VirusTotal. It's antivirus scanning, right? So this is when you talk about the automated process, or it's a kind of dynamic analysis, right? But it's very common when you use this kind of concept, sandbox, when you have the virtual machine with many engines and you can, you know, put the malware inside this virtual machine and then it executes itself and you can see and analyze the behavior, right? But of course, in both of these analyses we need to understand the basics. It's very important during this conversation; you need to understand those phases. It is

very important, right, guys? So okay, before talking about static and dynamic analysis we need to understand the basics that I am talking about, right? So let's see here about the identification step. Do you remember the life cycle? This is the first step. So if you have a virtual machine now, you can open your terminal, your bash, and you can execute these commands with me. So first of all, let's see here, let's open theZoo. Do you know this repository, theZoo on GitHub? You can write it in this way, click enter, and after that you have here, let me, okay, here I think it's good, theZoo repository of live malware for

your, your whatever, okay, you have here, let's see, a live malware repository, right? So it's a project created to make the possibility of malware analysis open and available to the public. So pay attention here, guys, because all this malware is real, right? It's not fake malware. So pay attention here when you manipulate this different malware; you can execute all this malware inside your VM, but it's not necessary for now, right? But you can download it after that, it's not a problem, and of course, remember, you need to make some settings in your network environment, you know, isolate your virtual machine. It's very important to understand that, right? So if you have some question,

you can write me, you know, on GitHub, or you can send a message by, you know, Twitter or LinkedIn, wherever; you can send me a message if you need to understand these configurations in your network, right? So you can click here on malwares, and after that you can click on Binaries, right, and after that, boom, you have here the awesome many different malware, right? And then the different samples, right, not samples, in this case it's real malware, right? The Pitot locker and some ransomware, and let's see here, the Equation Group, you know, it's an APT group. I don't know if you know,

but it's an APT group; it's a sample, of course, of this malware. Let's see another one here, Linux Chopros encoder. As you can see here it's an ELF; it's different from the PE, portable executable. In this case it's for a Linux platform, and here two for macOS. In this case it's, naturally, some malware for macOS, right. And let's see here, oh nice, many ransomware to manipulate. Again, be careful with this version because it's totally real. So let's see here another one. I don't know if you are hearing it, but I have a truck here next to my apartment now, and the guy is probably talking about some, you know, promotions like that or

you know, whatever. I'm sorry for that, guys, but this is the pandemic, you know, it's the new real life, unfortunately. But we have here another, different one; take a look at this, Win32 APT28, 20, 32, and another zip, right? You can download whatever you want, right? So let's see another very interesting repository here. Just write "MalwareBazaar" in Google here and click enter, and after that you have here, let's see, MalwareBazaar, malware sample exchange. Click here, and after that you have here the MalwareBazaar by abuse.ch. You can click here on MalwareBazaar Database and take a look, and see here another awesome project inside

our environment, not in our environment, it's a repository, right? You can see many different malware here. Again, be careful, because here we have a lot of malware, you know, and of course you can try, during your, you know, tests, your improvement, your knowledge. You have here a PE executable, you have here a document, right, XLS, and here you have a DOC and a ZIP. You can download many different ones. Let's see another here. If you have here a PDF, click search, and hit... I don't know if this syntax is correct, and okay, tag, let's see here, PDF again, let's see, search, and yes, searching now, and okay, it's here, let's see here

another PDF. If you'd like to see more deeply, you can download all those samples and PEs, and oh man, take a look at this, "filipi", it's me, right, guys? You can click here if you'd like to download my... not myself actually, it's actually a malware that I will explain during this conversation, during this presentation, right? So when I uploaded this malware to this platform I lived in Poland at that time, but now I'm living in and talking from Brazil, and okay, you can download this and you can make your tests during this workshop, right? So let's return to my virtual machine here. Let me list all those samples that I have here

inside my machine, which don't mind much... oh my goodness, that I have inside my virtual machine. And I have here the Amazon doc, amazon.docx, bill.doc.pdf, invoice.pdf, linux without extension, pdf, it's a directory, it's a folder, and redpo.cso, probably it's different, it's another code, if you're using gcc to create an ELF file, and resume.pdf and sample.pdf, here a folder with a Win, it's a PE, portable executable, inside of this. Let's check here. So okay, let's understand what the first step is that I can execute here in my environment, and maybe I am using file because it's a

good tool, or a good command, to execute, right? So let's see amazon first of all. Let's see what happened here: I can identify Microsoft Word 2007+, right, and another is a file, amazon.docx, yes, it is okay, it's obviously maybe... And let's see another, bill, my friend bill, let's see here, my friend bill, I like this guy, bill, it's a PDF document, perfect. So let's see here another, invoice.pdf, and maybe you are asking yourself, so I need to execute this command on all those files? Yeah, this is the identification step, you remember, I need to understand what it is, or what exactly the binary is,

right? So let's see again, file, let's see linux.txt. It's a text... oops, in this case it's not a text. Take a look at this, it's an ELF, it's an executable, right? So it's different, but take a look, this here is the extension, in this case it's .txt, but it's not; this case is different, it's an ELF. Take a look at this, it's very interesting here, because here it's the basis: I need to understand how this command works, how this file command works, and before I execute any command in this virtual machine, or in my environment, I need to understand how exactly this works. So I can set, for

example, my file... let me look inside this command, file, how this works exactly, and oops, let's see here, okay, so man file. What is this tool? Actually, determine file type, take a look at this. Then of course maybe you understand, you know, about that, but you need to understand how exactly this works. So the manual page documents version 5.39 of the file command, okay. Here are some flags or options that you can set when you execute this file command, and okay, so why are you showing us this, Filipi? This is a good question, because here we have some interesting information: the magic tests are used to check for files with data in particular fixed

formats. So, perfect, so this tool presents exactly different, not different, but exactly particular fixed formats, right? So the canonical example of this is a binary executable program. Do you remember about the threat? It's software, but when you have some software, we have a software compiler, right? It means changing this program to a compiled program, perfect. So an a.out file, whose format is defined in elf.h. So it means here maybe you have, and there's interesting information here, so let's see here, let me open elf.h to understand more about this information. Let me open another split, vertically, okay, let me open here and let me find this, not find, locate,

sorry, I can use find too, but I prefer using... let me paste here, okay, in the beginning here, /usr/include. Let me check this important thing here, because here in the explanation, do you remember, in the middle of the file we have here the good explanation about this. Take a look at this here, about the "whose format is defined", so here in this file maybe I have some format defined, but what kind? Maybe it's ELF, because the explanation is about that. Let me check here. I use nano, you know, to read, and take a look at what I am

seeing here in this moment in this file. Take a look at this: /usr/include/elf.h, "this file defines standard ELF types". Take a look at this. Of course, this conversation, this workshop, is related to PDF, but when you talk about malware you need to understand about ELF, you know, you need to understand about PE, portable executable, you need to understand about the different docs, like, you know, DOC or XLS, PowerPoint, whatever, and of course PDF. So here we have a good example when you read the manual. "Buddy, Filipi, I don't like to read the manual." I know, maybe I don't like to either, but it's

very important. Why? Because here you have the types and structures and macros, right? So let's see behind here, let's move here, you have the structure of the bytes, so 16 bytes, quantities about the ELF, and a half word, and the next word... maybe all those explanations are very cool for another talk, but okay, because we don't have time to explain all those details now. And here the ELF file header: "this appears at the start of every ELF file". Take a look at this, this is the ELF file header, one part of the ELF structure. But Filipi, this conversation is about ELF? It's about PDF, no? Or just to understand something about

the matter, right? So the first idea, when you talk about the header, you have this array. What array? In the first array we have this identity; when you have this array it's 16 bytes, do you remember? Take a look at this, the structure, the first, you have 16 bytes in this structure, right? So this is the identity structure in the header. What information do you have in the identity structure? You have a magic number and other information. But what does magic number mean, Filipi? Take a look at this, one second, I will explain more about the magic number, but you have here other information. So okay, let's return to our man, because I didn't finish here, okay,

okay, let's continue the explanation: possibly as exec.h in the standard include directory, okay. This file, but these files have what? A magic number. What is it exactly? Stored in a particular place near the beginning of the file that tells the Unix operating system that the file is a binary executable, and which of several types. The concept of a magic number has been applied by extension to data files. It means you have a magic number in all those files, in a particular place at the beginning, right? So it means usually, you always have the magic number. So it means all those files have a magic number. "Filipi, I

already know about that." So no worries, but probably we have some people now watching this video who didn't know, but every person now knows, right? So take a look at this, the information identifying these files is read from the compiled magic file, /usr/share/misc/magic.mgc. It means you have all that information compiled here in your operating system, right? But I would like to explain more details about that, right, about this kind of concept. So let me close here again, let me close this, okay, is it okay? And here, take a look at

this: I downloaded the real source code of file to understand more deeply about this simple code, this simple command, this simple basis, right? So let's see here, cd file, and magic, it's magic, I don't remember, let's see here, okay, magic, magic, Magdir. Take a look at this, Magdir, and what do I have here? So take a look at this, I have all those magic numbers for many different files, like, you know, PDF here, I have one from VMware, or I have here another, let's see another, ELF here, you know, here, take a look at this, and on Windows we have here Windows too. Let's see what Windows is here, it's

Windows, take a look at this, and WebAssembly, and we have a Python, I might say, where is Python here? Take a look at this, it's here, Python, I don't know, I lost Python, anyway, we have Python here, but I don't know exactly, here it's Python, okay. So let's see, JavaScript, JavaScript, JavaScript inside of this. It's a database of these many different magic numbers, so as you can see here you have some rules to understand when the file command identifies, you know, what exactly that file is, right? So let's see here, this is when you have the beginning, do you remember, in the beginning,

the particular place in the beginning, do you remember the explanation? Here, when you have this information in the beginning, you have what? A Node.js script executable, right? So let's see another, and maybe Python, right, in here maybe Python, we have different rules, many rules by the way, take a look at this, and there are some regexes, some strings here, take a look at this, okay, and the same case here, take a look, there's a final script, perfect, okay. Let me manipulate something, let me create here, nano malware... very creative, .txt, perfect, and "the malware is malicious, malicious", let's save here, and okay, yes, save, and okay, let me... I will create this sample, right, so it's

a text, take a look at this. I have to put the file command, and then the tool performs on this file, and file understands how these magic numbers work. So let me manipulate this file now. So first of all, let me put, for example, let me return here, and okay, no, let me see about the JavaScript, because I really don't remember, okay, it's a "#!" there, a simple... let me copy here, and I completely forgot, "/bin/node", it's very simple but I forgot, sorry for that. Let me manipulate now, let me paste here, "#!/bin/node", not "/bin/bash", "/bin/node" actually. Let me save here, and like

click yes, and save here, and again file malware. Take a look at this, it's not, you know, take a look, this is not a text anymore, it's a Node.js, you know, and if I try to read here, it's, you know, but it's not exactly JavaScript, because the extension is different. You remember when I executed this file command on another text, it was a text file, do you remember? Take a look at this, let me manipulate again, file, it's a nano, okay, I will put here just a simple comment here, let me put that here, and let me save, and yes. What happened here? file malware: it's a Python, take a look at this,

because this is, do you remember what the name is? It's a magic number, because I'm manipulating the magic number here, right? Okay, so let me do another, the last manipulation, malware, or the final malware.txt, okay, no, it's not, I need to put the correct name, it's different here, okay, now it's okay, perfect. Let me put here, what, let me put "%PDF" and "1 0 obj", "1 0 obj", let me save here. What happened? Because I don't know how file works in this case, let's see here, cat malware: I have here "%PDF" and I have here the line from a Python script, and here the text. So let's see what

works here, file malware.txt: it is a PDF document, take a look at this. Why? Because if you see a PDF here, take a look at this, the string in the beginning is exactly the string that I wrote, right? So why do I explain all those things to you? Because you need to understand the basics. It's very, very important, right? So we need to understand how this tool works; it's not a simple command, right? So another simple example, let me return here, root and malware, and yes, okay, so let's see here, I have different files, Linux files here, linux, okay, so let's see, for example, file linux32, okay, linux64, and take a look at this. If I execute this xxd,

xxd, let me check here, in xxd, okay, xxd -l 32 and the linux32, take a look at this, I have here the hexadecimal information, right, and here I have what? I have the string here, right? So let me put here another thing, like, not 32 bytes, I will put all those, no, let me put it in the pipe, less, here, because I'm using Terminator here and, you know, I don't have a good buffer to show, let me, like, less, okay. So take a look at this, I have here all those strings here, and take a look at this, okay, no different information here, just the strings, right? So

let me return here, and I will explain one thing about that. I have here the string in the beginning, right? If you are using here the strings command, strings, yes, it means all right, and I put here linux32 | less, take a look at what happened. So I should see this information, right, because it's a string, right? So when you click enter, take a look at this, where is the place where it starts, right? So I can't see the ELF information, right? Take a look at this, let me explain another thing, using a different way, a different parade. So let me go to a Windows folder, I have here a Windows file,

I have a simple one, a cool, very cool sample, it's a PE, it's a PE, let me check, who is it, it's another PE, okay, let me put here xxd and again less, the minus, sorry, and the dash... went forward, and put here

sorry oh my goodness okay perfect take a look at this in the beginning of the file we have the mz information which means this is the one of this magic number of the pe right and here we have another string so let me put again but no informations about the the limitations of the bytes and i will put pipelast here because i would like to see many strings here so mz and this program cannot be run in dos mode and wherever here the pe signature it's it's here right and let's see oh here the session dot text another session uh or data right so uh in usually it's uh not usually not so related really only it's or

all data it's data it's another session each session or src usually related to an image or you know or something like that and many other strings rear here but if you as i could hear these strings take a look this is strings such all please so what should be the first letter the first thing string mz right but does it happen why it's a good question but yeah you need to understand about the what none of these three oh my goodness i don't like to read them off philly it's a totally it's not a guys you need to understand about that right so strings what print the sequence the sequence of the printable characters in files right so for each file given

you know strings prints the printable character sequence that are at least what at least four characters long because of this don't show or don't appears the mz because it's two characters and elf because it's three characters that is the key right so i even understand those ways i just like to as i could some or perform some comments or using some tools but is i know maybe it's useful but it's useless when you don't know about the basis right so because of this union we need understand about the base so let me return about my presentations here and when you talk about the pdf is different you understand about the structure because the structure is

almost different not almost it's a similar of course but maybe it's uh maybe it's a maybe similar or not but in general pdf has a four parts right first of all it's a header it's almost the same when you have another different full files and you have a body it's a different because you have many information content inside of this body you have a cross reference table and you have a trailer in the end of the fire right so it means is you can see in this way in the beginning you can see the header usually you can see the version of the number you see the body with the pages image font and bookmark and formulas

objects, because, you know, PDF is not a text... it's a text file, but with many, you know, good images, did you know? I'm joking, but you know. You have here the interesting information: the cross-reference table. It's very interesting because you have the locations of the objects in the file for random access, right? So the location of certain objects in the body and the location of the cross-reference table in the file. It means all those objects in the cross-reference table are referenced in another object. So for example, let's suppose you have 20 objects inside; many of these objects reference themselves, right, in this

way, right? So I'll explain more in a demo now, so not here, okay? So let me explain about that. So I will show you: I have a folder here, I have a sample here, I have a file that I didn't... is this file malicious or not? So I execute this first tool, pdfid, provided by Didier Stevens, by the way. So here, as you can see, the header, you know, %PDF, and you have obj 15, right? You have stream 2, and you have a cross-reference table. And take a look at this, this is very interesting information here, because usually these tools, probably when Didier Stevens created this tool,

during that, he understood about the structure of the PDF, makes sense for you? And then after that he can create these tools to scan some information inside of the PDF, right? So these tools do some scanning inside of the PDF, and they can find, for example, the name of the object, if the PDF has some stream; usually when the attacker likes to put some malicious software, they use the stream to put some malicious things inside of the stream, right? Okay, so this tool got to find information inside of the PDF, right? And take a look at this: /Page, /JavaScript, /Encrypt, dash...

slash, not dash, slash, right? So /ObjStm, /JavaScript, /JS, /AA, /OpenAction and other information here. So when you see this slash, it means that all those informations are inside of this main information here, right? So we don't have to see more about the man page of pdfid, but you can read it; you need to read it after this workshop, these conversations, right? So let's continue to see the video. Take a look at this: we have 5 /JavaScript inside of this PDF, makes sense to you? And here we have another interesting information: /OpenAction. What does it mean? What do you mean, Filipi, open action inside of the PDF? It's here, it's very,

very important information.

And when you have some open action inside of the PDF, it means that the user just needs to download the file, right? And after that, when the file is downloaded in your environment, the PDF can execute itself inside of your environment, because they have this open action, right? This action is defined inside of the file, right? And the file... perfect. So when you analyze some PDF and you see some /OpenAction or /AA, it means the same meaning, right? So the user just needs to download the file inside of the machine, and after that the PDF will execute itself, right? So okay, let's continue to analyze. So

after that, knowing this information, I execute another command, pdf-parser; it's another tool provided by Didier Stevens. I execute this with some options; the idea here is to collect all those information inside of this PDF. Okay, perfect, let me understand those results. So here the header, take a look at this, and after that I have object 1, and take a look at this: object 1 is referring to what? Referring to object 2, object 3, object 4, object 5, 6 and 7. But in the beginning, when we started to analyze this file, we had 15, remember? But I just can see here 7, but I have 15.

You know, don't forget this number, right? So, and I have here an object 1 reference to the JavaScript, and take a look at this JavaScript, and I have here /OpenAction. Oops, take a look at this interesting thing: I have an /OpenAction, and there is a function inside of this, in the victim machine. Take a look what action is performing... this action performed inside the victim machine is some action related to what? Related to some JavaScript, right? So you can understand this, okay? So let's continue to analyze. But I need to under... I don't understand the code, but I know that it is JavaScript because I am seeing it here.

So okay, let me return here, sorry. Okay, so I have here the objects 2, 3, and take a look at this here: in 4 I have a reference to object 8 and object 9, guys, okay? So now I have objects 8 and 9, right? So we need to see more deeply. Take a look at this, oops, object 7. Take a look what appears here: the object 10, but inside of the object 10 we have what? I have a JavaScript. So I have one, the first JavaScript in the first object, but I have JavaScript inside that object 10. Perfect, let's continue to see here. Oops, object 9: I have a reference to object 4, right, because object 4

references object 9. Perfect, but I have here another object, 11. Do you remember the explanation of the structure? All those objects are referenced in themselves, right? So let's continue here: the object 10, do you remember we have a JavaScript, okay, and I have JavaScript, but I have another reference to object 12. Oh, I need to see there. But take a look at this, a different information: in object 11 we have what? We have no reference, but what information do we have here? It contains a stream. It means I have here something inside of this stream, but I don't know what this means in this case, but I need to investigate, right? So, and then I have another interesting

information: /FlateDecode. It means I need to decode this information inside of this stream. But I have here the /Length... remember, the /Length is related to a size, right? But the size is 36, it's not too much, it's not bigger, it's very, very small. But I have here object 12, you remember, but another reference, oh my goodness, it's 13. Okay, but here, guys, take a look at this: in object 13 I have a stream with /FlateDecode, but take a look at this, the size is too big, so I need to see more deeply inside of this. Maybe here I have some suspicions. I have

objects 14 and 15. Okay, so the next step is to see what the object 13 is, because I have here the stream, right, a big stream. And I really could do this with the PDF, because you can compress inside a PDF, but I will use another thing to uncompress, because if I can use compress, I can uncompress. The idea here is to uncompress all those information inside of this PDF. So I executed this, with the output into a text file, and take a look, so I can find here... wow, pretty cool. Take a look at this stream and the size: I uncompressed the code and I have here the first technique.

Technique: I found here the JavaScript obfuscated. So I need to what? Deobfuscate this code, to try and understand more deeply what this code means, what it needs exactly in my environment, or in this case, indeed, with my machine, right? So the next step: I will copy this, and I called it payload.html. Why? Because I do remember I'm talking about JavaScript, so sometimes your JavaScript is related to a web application. So I'm seeing, I know, and I saw some evil parameters, and I am changing this parameter to try to watch this information in some document, right, in a browser, right? And if you see here, take a look at these different colors, by the way,

probably I have something here inside, and after that I can investigate more, but as you can see here, the tool already identified some different colors here. So I am putting the document, right, because I will write this information in a web browser. And take a look what happened: I save here the payload.html, right, perfect, and I will give the permission to execute itself in the web browser, and I will open this in... okay, everything works. Wow, take a look at this, what I found: a payload. You know what that means? It's very simple: here we have a package responsible for downloading in the victim machine, and this package, and this part of this

code, is responsible to call back to the command and control from the attacker, you see? So inside of this obfuscated JavaScript I found a payload responsible to call to the C&C from the attacker, you see? But here, if you see, yeah, maybe you need to understand more about that: I am seeing percent here, and a very, you know, common behavior... not behavior, but it means maybe it makes sense to investigate more about that, right? So the next step that I did in this, or that I am doing, I do... oh my goodness, I have some problem with the verb, you know. But the next step is: I will copy this code, because I will try

to continue to investigate, because I am seeing the behavior. So I'm opening this in nano again, and I put the real payload, right, and I pass this, I save it in the folder, right? And after that, take a look what I did: I used sed, because I cut this percent, and then my idea is to just see this real information here. Take a look at this simple encoding, because here we have another technique, the encoding technique. Do you remember you can use different encodings? Let me... in this case, it's using Unicode, based in two bytes, it's different, but you

can use base64, base16, base32, you know, encrypting... you can use different encodings. In this case the attacker uses an older technique: it's encoded based on UCS-2, based on Unicode, it means... and it's, you know, it's slow because it's the oldest, it's older, this kind of technique, because it's based on UCS-2. UCS-2, what? Based on Unicode, it's not an ASCII, right? It's different: it's based on Unicode because it's two bytes; ASCII is one byte, right? So here I have the Unicode, okay? But maybe you are asking, if you are asking, for example, Filipi,

you just showed us about the, you know, Linux platform, but I like to work with, or do analysis with, a Windows environment. In that case, I have another thing for you: I used, in this case, Malzilla by bobby; it's a very cool platform. I passed here the same code, take a look at this, the same percent, and I cut this percent of this information, take a look at this, and I generate what? I generate a file, a binary, because my idea is to generate this binary, because do you remember the encoding technique using the UCS-2 by Unicode, right? So I generate in this case, using this platform, Malzilla, the

binary file. And in the end, what I did: I used XORSearch from Didier Stevens again, to try and find what is inside of this binary file, if I found some HTTP request, and what... take a look at this, what I found here: the server from the attacker, because this code is using this Unicode, right? So this command and control, it was in Estonia at that time, right? So I found the command and control for the attacker, right? So if you have questions now, guys, I am hoping to talk to you. But just to finish up my presentation here, our conversation during this workshop: the point here is you need to understand

about those ways that I explained during this conversation and during this workshop. And another point here, take a look: I found the PDF file; inside this PDF it has a JavaScript, do you remember? Just this JavaScript, it was using the obfuscation technique, we remember. Inside of this PDF we had the /OpenAction; it means the user just needs to download the file, and after that this open action will execute this JavaScript that is obfuscated. Inside of this JavaScript we found the payload responsible to connect to the C&C, right, the callback to the victim machine from the C&C, the command and control, using what? Using a Unicode technique to encode the information of

the IPs, the IP from the attacker; it was in Estonia, Europe, right? So guys, thank you so much for being here with me, thank you for having me at this event, and again, here are my contacts on social media. So if you have any question, please let me know, and, you know, keep hacking, and if you need something, count everything on me... not everything actually, you can count on me always.
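The workflow the workshop walks through (pdfid-style keyword counts, pdf-parser-style object references, inflating the /FlateDecode stream by its /Length, undoing the %u UCS-2 encoding and searching the result for the C&C URL) as an added example in Python. This is my code, not the talk's sample or Didier Stevens' tools; the PDF, its JavaScript, the object layout and the URL c2.example.invalid are all constructed for the demo.

```python
import re
import zlib
# Constructed sample values (not the talk's real sample): a fake C2 URL hidden in a
# tiny PDF whose /OpenAction runs JavaScript from a FlateDecode stream, %u-encoded.
FAKE_C2 = b"http://c2.example.invalid/beacon.php"

def to_unicode_escape(raw: bytes) -> bytes:
    """Encode bytes as %uXXXX units, low byte first (UCS-2 shellcode convention)."""
    raw += b"\x00" * (len(raw) % 2)  # pad to whole 16-bit units
    return b"".join(b"%%u%02x%02x" % (raw[i + 1], raw[i]) for i in range(0, len(raw), 2))

def decode_unicode_escape(data: bytes) -> bytes:
    """Reverse step: every %uXXXX becomes two bytes (the 'cut the percent' idea, automated)."""
    out = bytearray()
    for unit in re.findall(rb"%u([0-9a-fA-F]{4})", data):
        out += bytes([int(unit[2:], 16), int(unit[:2], 16)])
    return bytes(out)

def build_sample_pdf() -> bytes:
    js = b'var sc = unescape("' + to_unicode_escape(FAKE_C2) + b'");'  # obfuscated JS
    stream = zlib.compress(js)
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n",
        b"3 0 obj\n<< /S /JavaScript /JS 4 0 R >>\nendobj\n",
        b"4 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(stream),
        stream, b"\nendstream\nendobj\n", b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"])

OBJ_RE = re.compile(rb"(\d+) \d+ obj(.*?)endobj", re.S)
URL_RE = re.compile(rb"https?://[\w.\-/?=&]+")

def analyze_pdf(data: bytes) -> dict:
    """pdfid-style keyword counts, then per object: references, inflated stream, URLs."""
    keys = (b"OpenAction", b"AA", b"JavaScript", b"JS", b"ObjStm")
    report = {"keywords": {k.decode(): data.count(b"/" + k) for k in keys}, "objects": {}, "urls": set()}
    for num, body in OBJ_RE.findall(data):
        entry = {"refs": sorted({int(r) for r in re.findall(rb"(\d+) \d+ R", body)}),
                 "javascript": b"/JavaScript" in body or b"/JS" in body}
        length = re.search(rb"/Length (\d+)", body)
        if length and b"/FlateDecode" in body and b"stream\n" in body:
            start = body.index(b"stream\n") + 7  # /Length says how many bytes follow
            try:
                inflated = zlib.decompress(body[start:start + int(length.group(1))])
                entry["stream"] = inflated
                entry["javascript"] |= b"unescape(" in inflated
                report["urls"].update(URL_RE.findall(inflated + b"\n" + decode_unicode_escape(inflated)))
            except zlib.error:
                entry["stream"] = None  # corrupt or not really Flate: flag for manual review
        report["objects"][int(num)] = entry
    return report
```

Run against a real sample the URL set is empty until the stream is both inflated and %u-decoded, which is exactly why the raw pdf-parser output shows no http string.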