Wrangle with Hangul - Analysis of a malicious hwp document
Published 2020-11-09
Thanks to a friendly follower for highlighting this sample to me; you know who you are.
SHORTCUTS
==========
Intro to the sample - 00:00
What is Hangul? - 00:58
Structured Storage Viewer (SSView) - 02:57
OLE Object Example - 03:38
Dumping OLE Streams and ZLIB inflating - 04:40
Carving files from OLE10Native Streams - 07:10
Using pestudio - 08:18
Decoy PDF Carving - 10:10
Carving .lnk file - 10:55
LNK file basic analysis - 12:55
DLL Analysis in x64dbg - 14:28
Dumping .rdata section - 16:10
Base64 Decoding - 16:57
VBScript De-obfuscation using CyberChef - 17:55
VBScript basic analysis - 19:15
Duplicating DLL Exports - 20:58
Injecting the DLL into a process - 21:42
Summary & Close - 22:30
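Worked example for the "Dumping OLE Streams and ZLIB inflating" and "Carving files from OLE10Native Streams" steps above. This is added code, not the script from the video. It assumes the HWP 5.x FileHeader layout (32-byte signature, DWORD version, DWORD flags with bit 0 = compressed) and the Ole10Native field layout that tools such as oletools' oleobj implement (that layout is not a published spec, so it is an assumption). The sample FileHeader, Ole10Native stream and "PE" payload are constructed inside the script so it runs offline against no real malware.

```python
"""Inflate an HWP BinData stream and carve the file embedded in an
Ole10Native (Packager) object.

Added example for this page, not code from the video. The Ole10Native
field layout below is the one commonly implemented by oletools' oleobj;
it is not a published spec, so treat it as an assumption. All inputs
are constructed fixtures.
"""
import struct
import zlib

HWP_SIGNATURE = b"HWP Document File"


def hwp_is_compressed(file_header: bytes) -> bool:
    """HWP 5.x FileHeader: 32-byte signature, DWORD version, DWORD flags.
    Bit 0 of the flags at offset 36 marks BodyText/BinData as compressed."""
    if not file_header.startswith(HWP_SIGNATURE) or len(file_header) < 40:
        raise ValueError("not an HWP 5.x FileHeader stream")
    (flags,) = struct.unpack_from("<L", file_header, 36)
    return bool(flags & 0x1)


def inflate_hwp_stream(raw: bytes, compressed: bool = True) -> bytes:
    """Compressed HWP sections are raw DEFLATE with no zlib header, hence
    wbits=-15 (a plain zlib.decompress() fails with 'incorrect header check')."""
    return zlib.decompress(raw, -15) if compressed else raw


def _cstring(buf: bytes, pos: int):
    """Return (NUL-terminated string starting at pos, position after the NUL)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end], end + 1


def parse_ole10native(stream: bytes) -> dict:
    """Walk the Ole10Native header and return the embedded file and its names.
    Assumed layout: DWORD size, WORD flags (2), label\\0, source path\\0,
    two DWORDs of unknown meaning, temp path\\0, DWORD data length, data."""
    (flags,) = struct.unpack_from("<H", stream, 4)
    if flags != 0x0002:
        raise ValueError(f"unexpected Ole10Native flags {flags:#06x}")
    label, pos = _cstring(stream, 6)
    src_path, pos = _cstring(stream, pos)
    pos += 8                                   # skip the two unknown DWORDs
    temp_path, pos = _cstring(stream, pos)
    (data_len,) = struct.unpack_from("<L", stream, pos)
    payload = stream[pos + 4:pos + 4 + data_len]
    if len(payload) != data_len:
        raise ValueError("Ole10Native stream is truncated")
    return {"label": label.decode("latin-1"), "src_path": src_path.decode("latin-1"),
            "temp_path": temp_path.decode("latin-1"), "data": payload}


def find_pe_offsets(blob: bytes) -> list:
    """Fallback carving when the Ole10Native header is damaged: every 'MZ'
    whose e_lfanew (DWORD at +0x3C) points at a 'PE\\0\\0' signature."""
    hits, pos = [], blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            (e_lfanew,) = struct.unpack_from("<L", blob, pos + 0x3C)
            if blob[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits


# ---- constructed fixtures (not real malware) ----

def build_fake_pe() -> bytes:
    """Minimal MZ/PE-shaped blob: e_lfanew = 0x40, 'PE\\0\\0' at 0x40."""
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<L", 0x40)
    return dos + b"PE\x00\x00" + b"\x90" * 32


def build_ole10native(label: bytes, src_path: bytes, temp_path: bytes, payload: bytes) -> bytes:
    """Wrap payload in an Ole10Native stream using the assumed layout above."""
    body = (struct.pack("<H", 0x0002) + label + b"\x00" + src_path + b"\x00"
            + struct.pack("<LL", 0x00030000, len(temp_path) + 1)
            + temp_path + b"\x00" + struct.pack("<L", len(payload)) + payload)
    return struct.pack("<L", len(body)) + body


def build_hwp_fixture():
    """Return (FileHeader bytes, BinData stream bytes) as an HWP would store them."""
    header = HWP_SIGNATURE.ljust(32, b"\x00") + struct.pack("<LL", 0x05000000, 0x1)
    ole = build_ole10native(b"report.pdf", b"C:\\Users\\victim\\report.pdf",
                            b"C:\\Temp\\report.pdf", build_fake_pe())
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)      # raw DEFLATE like HWP
    return header, comp.compress(ole) + comp.flush()


def carve_from_hwp(file_header: bytes, bindata_stream: bytes) -> dict:
    """End-to-end: inflate a BinData stream, parse Ole10Native, flag PE payloads."""
    ole = inflate_hwp_stream(bindata_stream, hwp_is_compressed(file_header))
    info = parse_ole10native(ole)
    info["pe_offsets"] = find_pe_offsets(info["data"])
    return info


if __name__ == "__main__":
    hdr, stream = build_hwp_fixture()
    result = carve_from_hwp(hdr, stream)
    print(result["label"], result["src_path"], len(result["data"]), result["pe_offsets"])
```

Against a real .hwp you would read the two streams with olefile (`olefile.OleFileIO(path).openstream("FileHeader").read()` and the relevant `BinData/...` stream; the exact BinData stream name varies per document) and pass them to carve_from_hwp. The "pdf" label in the fixture mirrors the decoy trick from the video: the Packager label says one thing while the carved bytes start with MZ, which is why the PE check runs on the payload rather than trusting the name.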
LINKS
=====
www.virustotal.com/gui/file/07dfb10d2a849d7bb3f9cb…
en.wikipedia.org/wiki/Hangul_(word_processor)
twitter.com/RedDrip7/status/1318123634670538752
THANKS
=======
If you liked the video, please give it a THUMBS UP. If you loved it, please SUBSCRIBE.
FOLLOW
=======
Also, feel free to follow me on twitter.com/cybercdh
COMMENTS (17)
=============
-
Whilst I know Colin personally, each time I watch his videos like this from Col' I'm just amazed at how deep his technical knowledge is. Great work Col', you really know your stuff. D.
-
Nice and swift as always. Thanks Colin.
-
Well explained breakdown Colin, so many valuable tips and techniques shared. Spending my annual vacation on your channel :D. Really worth it! Thank you!!!!
-
never stop these videos! awesome as always! thanks!
-
Thank you very much, very interesting sample and analysis! As usual :)
-
Excellent work, I really like the flow of your analysis. Keep it up.
-
Awesome vid as always Colin!
-
Awesome Colin! Thanks man!
-
Great analysis - really enjoyed following along :-)
-
thank you Colin !!
-
nice one Colin
-
wow, that was cool !! thanks.
-
nice!
-
In the end Colin, what does it maliciously do, i.e. keylogger, camera voyeur, data thief or ransomware money? If I had that on my machine what would it do? Cheers
-
That was incredible, thanks! Quick question though, how do you forward all the traffic through Burp? It's not like a webpage that has settings where you can set up a proxy. Thanks!
-
Awesome video, can you make a video analyzing ThanOS ransomware?