Video Summary
The video discusses basic triage analysis and techniques for examining executables generated by the LockBit black builder, focusing on potential indicators of packing.
Key Points
- Overview of the two primary executables generated: lb3.exe and lb3_packed.exe.
- Importance of performing initial string analysis to identify packed versus unpacked binaries.
- Use of various tools to observe differences and common patterns in binaries, including absence of strings and limited imports, which may suggest packing.
- Discussion of entropy as a measure to detect packing; low entropy typically indicates unpacked code.
- Analysis of different sections within binaries, including .text, .data, and .pdata, to understand executable structure.
- Challenges with unpacked executables requiring passwords for full analysis; need for further exploration post-unpacking.
- Instructions on how to set breakpoints for debugging and unpacking the binaries in order to analyze the core functionality.
- Importance of understanding the context and structure to better analyze ransomware operations and unpacking logic.
- Planning further videos to explore deeper analysis of the unpacked version and its functionalities.
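The entropy and section checks above, as an added example that is not code from the video: a small Python triage script that walks the PE section table by hand (no pefile dependency), computes Shannon entropy per section, and flags sections at or above a chosen threshold as likely compressed or encrypted. The PE at the bottom is constructed in memory purely to exercise the parser; the 7.0 threshold is an assumed rule of thumb, not a value from the video.

```python
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    return -sum((c / len(data)) * math.log2(c / len(data)) for c in Counter(data).values())

def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for every entry in the PE section table (no pefile needed)."""
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]            # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]   # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                                # section table follows the optional header
    for i in range(num_sections):
        hdr = table + 40 * i                                      # each IMAGE_SECTION_HEADER is 40 bytes
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)  # SizeOfRawData, PointerToRawData
        yield name, image[raw_ptr:raw_ptr + raw_size]

def triage(image: bytes, threshold: float = 7.0) -> dict:
    """Map section name -> (entropy, flagged); flagged sections look compressed or encrypted."""
    report = {}
    for name, data in pe_sections(image):
        ent = shannon_entropy(data)
        report[name] = (round(ent, 2), ent >= threshold)
    return report

def build_sample_pe(sections) -> bytes:
    """Constructed, non-loadable PE with just enough header for pe_sections() to walk."""
    pe_off, opt_size = 0x40, 0
    data_start = pe_off + 24 + opt_size + 40 * len(sections)
    image = bytearray(b"MZ" + b"\0" * (pe_off - 2))
    image[0x3C:0x40] = struct.pack("<I", pe_off)
    image += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0)
    body = bytearray()
    for name, data in sections:
        image += name.ljust(8, b"\0") + struct.pack("<IIII", len(data), 0x1000, len(data), data_start + len(body))
        image += b"\0" * 16                                       # relocation/line-number/characteristics fields
        body += data
    return bytes(image + body)

# Constructed sample: repetitive code-like .text, an encrypted-looking .data blob, a tiny .pdata.
SAMPLE_PE = build_sample_pe([(b".text", b"\x48\x89\x5c\x24\x08" * 200), (b".data", bytes(range(256)) * 16),
                             (b".pdata", b"\x00\x10\x00\x00\x40\x10\x00\x00" * 8)])
```

Running `triage(SAMPLE_PE)` on the constructed image flags only the .data blob; on a real sample, a flagged .text or a single oversized high-entropy section alongside a near-empty import table is the pattern the video treats as a packing indicator.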
Youtube Channel: Dr Josh Stroschein – The Cyber Yeti
Video Published: 2024-09-19T18:00:21+00:00
Video Description:
Part 02 picks up by spending a little time performing basic triage analysis on the resulting ransomware binaries that we produced from the builder in part 01. I rarely skip this step as it often yields important insights into what you may be considering reversing. In this video, we’ll use Detect-It-Easy to look at PE file characteristics and use entropy to identify signs of packing. We’ll then compare the obfuscated and unobfuscated binaries together and even go through dumping the obfuscated version using x64dbg and Scylla.
Join this channel to get access to perks:
https://www.youtube.com/channel/UCI8zwug_Lv4_-KPT62oeDUA/join
🚨 WARNING! If you follow along by creating your own binaries, ensure you have a safe analysis environment. The builder produces the real LockBit ransomware and can cause irreversible damage to your systems! 🚨
Cybersecurity, reverse engineering, malware analysis and ethical hacking content!
🎓 Courses on Pluralsight 👉🏻 https://www.pluralsight.com/authors/josh-stroschein
🌶️ YouTube 👉🏻 Like, Comment & Subscribe!
🙏🏻 Support my work 👉🏻 https://patreon.com/JoshStroschein
🌎 Follow me 👉🏻 https://twitter.com/jstrosch, https://www.linkedin.com/in/joshstroschein/
⚙️ Tinker with me on Github 👉🏻 https://github.com/jstrosch
🤝 Join the Discord community and more 👉🏻 https://www.thecyberyeti.com
1:01 What do the strings tell us?
3:40 Viewing strings in the obfuscated version
4:13 Using DIE to view imports
7:13 Analyzing the obfuscated version
9:35 Comparing versions with IDA Pro
14:35 Unpacking the obfuscated version with x64dbg