
Olioxx's Posts

Programming / Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 9:36pm On Dec 20, 2021
The file size of the malware is 964 KB, so I made sure not to waste unnecessary time, as this malware can be really tricky.
In fact the malware has some methods it uses to check if it has made an external connection.
So right now I'll try to use the MITRE ATT&CK Framework to describe the malware.
MITRE ATT&CK FRAMEWORK:
Resource Development: Acquire Infrastructure (T1583). The Lyceum APT acquires servers to launch their attacks.
Command and Control: Application Layer Protocol: DNS (Domain Name Server) (T1071). The Lyceum APT used DNS for their C2C servers. (lol)
Persistence: Scheduled Task (T1053). I am very sure that the milan.exe file has a persistence mechanism embedded; since this is a coordinated attack, the Lyceum APT will want their payload to have some level of persistence. This might be that the program executes upon system startup or at certain time intervals.

Programming / Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 9:27pm On Dec 20, 2021
1st Image: IP address of the other domain name.

Summary
1. I found out the PDB path of the milan.exe malware on a typical Windows operating system.
2. Found out a lot of useful metadata about the malware, like the creation date, obfuscation info, etc.
3. Found out the known browser user agent the malware might utilize to establish an external connection.
4. Found out that the malware source code contains some hardcoded CMD commands; one of them is that the malware fires up CMD.
5. Found out domain names and IP addresses associated with the malware; these can be used for incident response.

Programming / Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 9:22pm On Dec 20, 2021
6th Step: Finding out the C2C is very important.
For this WireShark came to the rescue; I found out some IP addresses (lol) and also the server names.
In fact the names were even available in the strings output of the executable, which I checked for cross-validation.
And the server names are ....
1st Image: Server names (actually my analysis shows 2 known server names for this malware)
Armed with this information, I went to VT to check out these domain names and voilà, they are truly malicious.
2nd and 3rd Image: VT shows the sites as malicious

Okay, progressing, I went to check out the IP addresses associated with these domain names.
4th Image: IP addresses of these domain names
The reason for getting the IP addresses is to ensure that the Incident Response team can effectively block connections with such IP addresses using a firewall.
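
An added example, not part of olioxx's post, of the cross-check described above: pulling host names, IP addresses, a user agent and shell commands out of a binary's embedded strings so they can be compared against what Wireshark showed and handed to the IR team. Everything in it is constructed for illustration: SAMPLE_BLOB is a fake "executable" with a few ASCII and UTF-16LE strings between padding bytes, and the domains and addresses are documentation placeholders, not indicators from milan.exe.

```python
"""Extract network IOCs from a sample's embedded strings (constructed demo data)."""
import ipaddress
import re

# Constructed blob standing in for the raw bytes of a PE file. Not real malware content.
_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
SAMPLE_BLOB = (
    b"\x00\x01MZ\x90\x00" + b"\x00" * 20
    + b"cmd.exe /c whoami\x00"                                # ASCII command line
    + b"\xff\xfe" * 6                                         # junk bytes
    + _UA.encode("utf-16-le") + b"\x00\x00"                   # UTF-16LE user agent
    + b"\x13\x03"
    + b"update.example-c2.test\x00"                           # ASCII host name
    + b"\x90" * 9
    + "api.example-c2.test".encode("utf-16-le") + b"\x00\x00"  # UTF-16LE host name
    + b"203.0.113.45\x00"                                     # routable-looking address (TEST-NET-3)
    + b"10.0.0.7\x00"                                         # RFC 1918, must not reach a block list
    + b"\x00\x00v1.2.3\x00"                                   # version string, not an address
)

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
UA_RE = re.compile(r"Mozilla/\d\.\d[^\x00\r\n]*")
CMD_RE = re.compile(r"^(?:cmd(?:\.exe)?|powershell(?:\.exe)?)\b.*", re.I)

# Strings that match DOMAIN_RE but are file names, not hosts.
FILE_EXTS = {"exe", "dll", "sys", "pdb", "txt", "dat", "bat", "cfg", "ini", "log", "tmp"}
# Assumed list of ranges an IR team would not put on a perimeter block list.
# ipaddress.is_private is avoided because it also rejects the documentation
# ranges this constructed sample uses.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]


def extract_strings(data):
    """Yield printable ASCII and UTF-16LE runs, like `strings -a` followed by `strings -el`."""
    for m in ASCII_RE.finditer(data):
        yield m.group().decode("ascii")
    for m in UTF16_RE.finditer(data):
        yield m.group().decode("utf-16-le")


def is_routable(ip_text):
    """True for a syntactically valid IPv4 address outside the NON_ROUTABLE ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False                      # 999.1.1.1 matches the regex but is not an address
    return not any(ip in net for net in NON_ROUTABLE)


def extract_iocs(data):
    """Return sorted, de-duplicated host names, routable IPv4s, user agents and shell commands."""
    found = {"domains": set(), "ipv4": set(), "user_agents": set(), "commands": set()}
    for s in extract_strings(data):
        for host in DOMAIN_RE.findall(s):
            if host.rsplit(".", 1)[-1].lower() not in FILE_EXTS:
                found["domains"].add(host.lower())
        found["ipv4"].update(ip for ip in IPV4_RE.findall(s) if is_routable(ip))
        found["user_agents"].update(UA_RE.findall(s))
        if CMD_RE.match(s):
            found["commands"].add(s)
    return {kind: sorted(values) for kind, values in found.items()}


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_BLOB).items():
        print(f"{kind}: {values}")
```

Run it against a real file with `extract_iocs(open(path, "rb").read())`. Host names found this way are only candidates until they are seen resolving or connecting in the capture, which is why the post's Wireshark and VirusTotal checks still matter; the filter on file extensions and non-routable ranges keeps obvious noise off the list handed to the firewall team.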

Programming / Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 9:14pm On Dec 20, 2021
My two main focuses for embarking on the dynamic analysis of the malware are to find out how the file system changes over time and to find out what the server/domain is.
5th Step: I fired up Process Hacker (to do a cover-up background check) and Process Monitor (mainly to monitor processes and events on my lab machine). As usual I was greeted with over 2 million events, but of particular note is the fact that the malware tries to activate CMD (Command Prompt).
1st Image: Process Monitor (filtering for process)
2nd Image: Process Monitor (filtering for TCP connection)
Although I later used WireShark to monitor and track outbound connections, well, at the end of the day VirusTotal gave me digestible information.

After a while playing around with Process Monitor I took a detour to check out some registry samples other researchers found, and I found quite a lot.
3rd Image: The registry samples from other research work.
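
An added example, not part of olioxx's post, of cutting the "2 million events" down to the three things the post went looking for: child processes (the CMD launch), outbound connections, and Run-key writes of the kind the persistence mapping assumes. SAMPLE_CSV is constructed, not a capture from the thread's lab; its column names follow a default Process Monitor "Save as CSV" export, and the process name MsNpENg.exe assumes the sample ran under the file name the post mentions.

```python
"""Triage a Process Monitor CSV export for one sample process (constructed data)."""
import csv
import io
import re

# Constructed Procmon-style export; the svchost.exe line is there to show filtering.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:05:01.0001","MsNpENg.exe","4120","Process Create","C:\\Windows\\System32\\cmd.exe","SUCCESS","PID: 4388, Command line: cmd.exe /c whoami"
"9:05:01.0100","MsNpENg.exe","4120","TCP Connect","LAB-PC:49811 -> 203.0.113.45:443","SUCCESS","Length: 0, mss: 1460"
"9:05:01.0200","MsNpENg.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MsNpENg","SUCCESS","Type: REG_SZ, Length: 56, Data: C:\\Users\\lab\\MsNpENg.exe"
"9:05:01.0300","MsNpENg.exe","4120","UDP Send","LAB-PC:52011 -> 192.168.56.1:53","SUCCESS","Length: 61"
"9:05:01.0400","svchost.exe","1052","TCP Connect","LAB-PC:49812 -> 192.168.56.1:80","SUCCESS","Length: 0"
"9:05:02.0000","MsNpENg.exe","4120","RegQueryValue","HKLM\\SYSTEM\\CurrentControlSet\\Control\\Nls\\CodePage\\ACP","SUCCESS","Type: REG_SZ, Length: 8, Data: 1252"
'''

# Procmon writes network paths as "src:port -> dst:port"; the port may be a name if
# address resolution is on, so it is captured as free text.
ENDPOINT_RE = re.compile(r"->\s*(?P<host>[^\s:]+):(?P<port>\S+)$")
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


def triage_procmon(csv_text, sample_image):
    """Keep only the sample's own events and bucket the interesting ones."""
    findings = {"children": [], "endpoints": [], "persistence": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != sample_image.lower():
            continue                                   # everything else is background noise
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        if op == "Process Create":
            cmdline = detail.split("Command line: ", 1)[-1]
            findings["children"].append((path, cmdline))
        elif op in ("TCP Connect", "UDP Send"):
            m = ENDPOINT_RE.search(path)
            if m:
                findings["endpoints"].append((op.split()[0], m["host"], m["port"]))
        elif op == "RegSetValue" and any(k in path.lower() for k in RUN_KEYS):
            findings["persistence"].append((path, detail.split("Data: ", 1)[-1]))
    return findings


def block_list(findings):
    """Distinct remote hosts the sample talked to, for a firewall deny rule or DNS sinkhole."""
    return sorted({host for _, host, _ in findings["endpoints"]})


if __name__ == "__main__":
    result = triage_procmon(SAMPLE_CSV, "MsNpENg.exe")
    for kind, items in result.items():
        print(kind, items)
    print("block:", block_list(result))
```

Export with File > Save, choose CSV, and feed the text to `triage_procmon`. The lab resolver (192.168.56.1 here) shows up in the block list because the sample sent it a DNS query; that is expected and is the reason a FakeNet-NG style interception, which the earlier post downloads, gives a cleaner picture of what the sample wanted to reach than the raw event stream does.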

Programming / Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 11:55am On Dec 20, 2021
LikeAking:
Chai!

Whats all this for?

Stop suffering ur sef.


When something does not concern you learn to waka pass. It helps to mind one's business.
Have a good day.
Programming / Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 11:54am On Dec 20, 2021
Finally I completed the analysis today (Dec 20th).
I found out some filesystem changes and more importantly the C2C servers used.
I was surprised to find that some of the servers used are located in Nigeria.
I think these might be VPN-enabled servers (I presume).
Tools Used
Process Hacker, Process Monitor, WireShark, CMD
Edited
My reverse engineering process was kind of easy as a lot of researchers had already looked into the sample, so I connected with them via Twitter to fast-track my analysis process, but my main ish is to figure out the servers located in Nigeria.

Later in the day I'll drop my findings here.
Programming / Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 9:48pm On Dec 18, 2021
5th Step: Could this be the browser user agent the malware uses to establish an external connection?
Well I noted it as well.....

Okay, so I am done with everything static analysis-wise; by tomorrow I'll dynamically analyze the sample to figure out the C2C servers/domains and then any filesystem associated with the malware.


Programming / Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 9:43pm On Dec 18, 2021
4th Step: I found the PDB path of the malware on a typical Windows OS.
And the pdb path is .....
Error lol

Programming / Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 9:41pm On Dec 18, 2021
3rd Step: I performed some static analysis on the malware. I discovered a lot.
From pestudio I understood that the malware was actually written in C++ as opposed to .NET. So milan.exe is a C++ executable.
Secondly I discovered that the malware was released on May 18 2021 by the Lyceum APT.
Similar information was what Detect It Easy presented me with.
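
An added example, not part of olioxx's posts, covering the two static findings above (the 3rd Step build date that pestudio and Detect It Easy showed, and the 4th Step PDB path): both are read straight from a PE's bytes with the standard library. The COFF TimeDateStamp gives the date; the CodeView "RSDS" record gives the GUID, age and PDB path. `build_sample()` constructs a minimal MZ/PE header for the demo; it is not a runnable executable, and the path, GUID and timestamp in it are placeholders, not data from milan.exe.

```python
"""Read the COFF timestamp and RSDS PDB record from PE bytes (constructed demo input)."""
import struct
import uuid
from datetime import datetime, timezone

MACHINE_NAMES = {0x014C: "x86 (i386)", 0x8664: "x64 (AMD64)", 0x01C4: "ARM Thumb-2", 0xAA64: "ARM64"}
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
# SizeOfOptionalHeader, Characteristics
COFF_FMT = "<HHIIIHH"
RSDS_SIG = b"RSDS"


def parse_coff_header(data):
    """Follow e_lfanew to the PE signature and decode the COFF file header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    machine, nsections, ts, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    return {
        "machine": MACHINE_NAMES.get(machine, f"unknown ({machine:#06x})"),
        "sections": nsections,
        "timestamp": ts,
        # The linker writes this field; it can be zeroed or forged, so treat it as a
        # hint about the build date rather than proof.
        "compiled_utc": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "optional_header_size": opt_size,
        "characteristics": chars,
    }


def find_pdb_records(data):
    """Scan for CodeView records: 'RSDS' + GUID (16 bytes, little-endian) + age (4) + NUL-terminated path.

    Scanning raw bytes instead of walking the debug directory means a stray 'RSDS'
    can match; requiring a printable path that ends in .pdb filters most noise.
    """
    records = []
    pos = data.find(RSDS_SIG)
    while pos != -1:
        try:
            guid = uuid.UUID(bytes_le=bytes(data[pos + 4:pos + 20]))
            (age,) = struct.unpack_from("<I", data, pos + 20)
            end = data.index(b"\x00", pos + 24)
            path = data[pos + 24:end].decode("ascii")
            if path.lower().endswith(".pdb") and path.isprintable():
                records.append({"offset": pos, "guid": str(guid), "age": age, "path": path})
        except (ValueError, UnicodeDecodeError, struct.error):
            pass                                      # not a real record, keep scanning
        pos = data.find(RSDS_SIG, pos + 4)
    return records


def build_sample(timestamp, pdb_path, guid, age=1):
    """Construct an MZ stub + PE/COFF header + RSDS record. Demo input only, not a valid executable."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew: PE header right after the stub
    coff = b"PE\x00\x00" + struct.pack(COFF_FMT, 0x8664, 1, timestamp, 0, 0, 0, 0x0022)
    rsds = RSDS_SIG + guid.bytes_le + struct.pack("<I", age) + pdb_path.encode("ascii") + b"\x00"
    return bytes(dos) + coff + b"\x90" * 16 + rsds + b"\x00" * 8


# Constructed demo values (placeholders, not taken from the real sample).
DEMO_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
DEMO_PDB = r"C:\Users\dev\source\repos\sample\x64\Release\sample.pdb"
DEMO_SAMPLE = build_sample(1621296000, DEMO_PDB, DEMO_GUID)

if __name__ == "__main__":
    print(parse_coff_header(DEMO_SAMPLE))
    print(find_pdb_records(DEMO_SAMPLE))
```

On a real file call `parse_coff_header(open(path, "rb").read())` and `find_pdb_records(...)` on the same bytes. The PDB path is useful beyond curiosity: the user name and project folder in it, and the GUID/age pair, are stable across builds from the same developer machine and are often used to pivot to related samples.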

Programming / Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 9:36pm On Dec 18, 2021
ahmthankgod:
Cool... When I'm done with this language I'm going to create a virus, particularly because of a bank.
I wouldn't really advise that. Once you are tracked, INTERPOL will come for you.

ahmthankgod:
That's why I said when I'm done, I mean fully done (expert), at that time I could implement so many features.
Do what ticks you sir.
Programming / Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 9:35pm On Dec 18, 2021
2nd Step: Downloaded tools to aid analysis and RE.
1st Image: Download RegShot for Dynamic Analysis
2nd Image: Download ProcDOT for Dynamic Analysis
3rd Image: Download FakeNet-NG to intercept C2C traffic that might be used by the malware.

Programming / Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 9:32pm On Dec 18, 2021
1st Step: I got the cryptographic hash of the malware sample.
Programming / Analysing Milan.exe. What I Discovered!!! by olioxx(m): 9:31pm On Dec 18, 2021
Disclaimer: The purpose of this thread is to document my experience and it is meant for educational purposes. I am not liable for any misuse of this information.

Some months back the ngCERT made public a known threat/malware targeting telcos and ISPs.
https://nairaland.com/6851878/iranian-hackers-targeting-telcos-nigeria/
These malware are Shark.exe (.NET) and Milan.exe, together known as James.

During the time the news was made public, I had not really polished my analysis and reverse engineering skills.

During the past few days, I set up my lab to be part honeypot and part analysis lab; yesterday I got a sample of milan.exe (although the actual name on my lab is MsNpENg).

What I did was to get a feel of what the sample really is.
Programming / Re: Me And Osland!!! by olioxx(m): 8:28pm On Dec 16, 2021
Dec 16, 2021: Paging and CMOS

Before I go deep into paging, it is noteworthy that virtual addresses are addresses that take paging into account. When paging is enabled, virtual addresses get translated to physical addresses. We can then infer that once paging is enabled on a processor, linear addresses become virtual addresses, which then get translated to physical addresses.
Why the term paging?
It is termed paging because physical memory is divided into fixed-size parts called pages.
Effects of Paging
1. As a result of paging, memory access becomes virtual in that there is no one-to-one correspondence between linear addresses and physical addresses, e.g. a high linear address may map to a low physical address and vice versa.
2. As a result of paging, redundant memory can or may be removed from RAM and transferred to, say, the hard drive or solid-state drive, and that's why there is the saying that "the RAM is paged out to disk". When a new process is fired up and there is limited memory, the OS can pull the memory back into RAM.
Benefits of Paging
Paging allows the OS to behave as if it has more RAM than is present, and this allows redundant memory to be paged out and retrieved once needed. You can then run multiple processes on your machine without much issue.
Programming / Re: Which Programming Languages Do I Learn? by olioxx(m): 8:40pm On Dec 15, 2021
toby345:
though I am in Elect Elect in the University
Then try taking up CS50; it will help you.
I have the certificate and I can root for it any day any time.
Programming / Re: Me And Osland!!! by olioxx(m): 8:35pm On Dec 15, 2021
Dec 15, 2021: Crafting my write up on Paging and the CMOS concept. Tomorrow I'll drop the write-ups.
Programming / Re: Me And Osland!!! by olioxx(m): 8:56pm On Dec 14, 2021
Dec 14, 2021: Taking a deep delve into Segmentation.
Segment Registers in Intel
There are six Segment Registers in Intel namely:
CS - Code Segment
SS - Stack Segment
DS - Data Segment
ES
FS
GS
(The above three are extra data segment registers.)
Each of these Segment Registers contains a 16-bit Segment Selector
Segment Selectors
There is more to the fact that the six segment registers contain segment selectors.
In every segment selector (16 bits), there is a visible part and a hidden part, so this means that every 16-bit selector has 2 parts.
Details of the Segment Selector parts
* Hidden part: This part contains a cache of information from the lookup table (more on this in a moment); as a user you cannot directly access the hidden part.
* Visible part: The visible part is what can be changed to point to a different entry in the lookup table.
Segment Selectors in action
I am going to provide a technical analogy of how the segment selectors work on Intel processors (32-bit or 64-bit).
First, of important note: in 64-bit Intel processors (according to the manual), the CS, SS, DS, ES registers in the hidden part all have a hardcoded base of 0 and a hardcoded limit of 2^64 - 1, but the other segment registers have the liberty to set their base to whatever is gotten from the lookup table.
Now to the analogy.
Register CS (visible part) has a Table Indicator of 0; this means it will point to a table called the Global Descriptor Table. When the index is 3, it will select the data structure at the 3rd index in the GDT. The information accessed from the table is then stored in the hidden part of the CS register.
Register FS (visible part) has a Table Indicator of 1; this means it will point to the Local Descriptor Table. When the index is 1, it will select the data structure at the 1st index in the LDT. The information accessed from the table will go to the hidden part of the FS register.

Note that the above is just an analogy (sample); in real life it may point at a different index, and the Table Indicators might change.
Segmentation Review
The Intel manual says that a processor's addressable memory space can also be called the linear address space.
To locate a byte in a particular segment, a logical address or far pointer must be provided.
What is this Logical Address?
Logical Address = Segment Selector + Offset
What this means is that on a 32-bit Intel processor a logical address is 47 bits in size.
While on a 64-bit Intel processor a logical address is 79 bits in size.
So in layman's English a logical address is telling the Intel processor, "I want this segment and offset".
In an orderly chain, the logical address translates to a linear address; as a result of paging the linear address translates into a virtual address, and the VA translates into a physical address (RAM).
How does this translation occur?
1. The segment selector does a table lookup (whether GDT or LDT).
2. Each table has a description of each segment.
3. The description is what is used to locate where the base of a segment is, and then the offset is added to the base of the segment.
4. Once step 3 is completed, a linear address is obtained.
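
An added example, not part of olioxx's post, of the selector -> descriptor -> linear address steps listed above, with the visible part (the 16-bit selector) and the hidden part (the base and limit cached from the GDT or LDT at load time) modelled separately. The descriptor tables are constructed for the demo and reduced to base, limit and a label; a real descriptor is an 8-byte packed structure with type and privilege bits that this simulation leaves out. The CS/FS selectors used in the demo (0x1B and 0x0F) are the post's analogy encoded: GDT index 3 and LDT index 1.

```python
"""Selector decoding and logical -> linear translation through GDT/LDT (constructed tables)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Descriptor:
    base: int
    limit: int               # highest valid offset inside the segment
    label: str = ""


class GeneralProtectionFault(Exception):
    pass


def decode_selector(selector):
    """Split a 16-bit selector: index (bits 15..3), TI (bit 2: 0 = GDT, 1 = LDT), RPL (bits 1..0)."""
    return {"index": selector >> 3, "ti": (selector >> 2) & 1, "rpl": selector & 3}


def make_selector(index, ti, rpl):
    return (index << 3) | (ti << 2) | rpl


class SegmentRegister:
    def __init__(self, name):
        self.name = name
        self.selector = None     # visible part, written by mov/lds/far jmp
        self.cache = None        # hidden part, filled from the descriptor table on load

    def load(self, selector, gdt, ldt):
        """What the CPU does on `mov fs, ax`: look the descriptor up once and cache it."""
        parts = decode_selector(selector)
        table = ldt if parts["ti"] else gdt
        index = parts["index"]
        if index == 0 or index >= len(table) or table[index] is None:
            raise GeneralProtectionFault(f"{self.name}: selector {selector:#06x} has no usable descriptor")
        self.selector, self.cache = selector, table[index]
        return self

    def to_linear(self, offset, long_mode=False):
        """Logical address (this segment, offset) -> linear address, with the limit check."""
        if self.cache is None:
            raise GeneralProtectionFault(f"{self.name} was never loaded")
        if long_mode and self.name in ("CS", "SS", "DS", "ES"):
            return offset & 0xFFFF_FFFF_FFFF_FFFF      # 64-bit mode: base forced to 0, no limit check
        if offset > self.cache.limit:
            raise GeneralProtectionFault(f"{self.name}: offset {offset:#x} exceeds limit {self.cache.limit:#x}")
        width = 0xFFFF_FFFF_FFFF_FFFF if long_mode else 0xFFFF_FFFF
        return (self.cache.base + offset) & width


def safe_to_linear(reg, offset, long_mode=False):
    """None instead of an exception when the access would raise #GP."""
    try:
        return reg.to_linear(offset, long_mode)
    except GeneralProtectionFault:
        return None


# Constructed tables. Index 0 of each is the mandatory null descriptor.
GDT = [
    None,
    Descriptor(0x0000_0000, 0xFFFF_FFFF, "kernel code"),
    Descriptor(0x0000_0000, 0xFFFF_FFFF, "kernel data"),
    Descriptor(0x0000_0000, 0xFFFF_FFFF, "user code"),
    Descriptor(0x0000_0000, 0xFFFF_FFFF, "user data"),
]
LDT = [
    None,
    Descriptor(0x7000_0000, 0x0FFF, "per-thread data (FS)"),   # 4 KiB window at 0x70000000
]

if __name__ == "__main__":
    cs = SegmentRegister("CS").load(make_selector(3, 0, 3), GDT, LDT)   # 0x1B: GDT[3], RPL 3
    fs = SegmentRegister("FS").load(make_selector(1, 1, 3), GDT, LDT)   # 0x0F: LDT[1], RPL 3
    print(decode_selector(cs.selector), cs.cache.label, hex(cs.to_linear(0x401000)))
    print(decode_selector(fs.selector), fs.cache.label, hex(fs.to_linear(0x10)))
    print(safe_to_linear(fs, 0x1000))      # one byte past the 4 KiB limit -> None (#GP)
```

The limit check is the part worth noticing: in 32-bit protected mode the segment limit is a hardware bounds check on every access, which is why an out-of-range offset raises #GP rather than silently reading a neighbour's data. In 64-bit mode that check disappears for CS/SS/DS/ES (the flat model the post mentions), and isolation between processes rests on paging alone.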

Webmasters / Re: Why Do You Still Work For Nigerian Companies? by olioxx(m): 1:44pm On Dec 12, 2021
CUMIN:
I'm already learning PYTHON, what other things should I learn to be job ready?
Back-end frameworks like Django/Flask, but there aren't many such jobs in Nigeria, though they are plentiful in the UK.
Programming / Re: Should I Take This Job?(photo) by olioxx(m): 11:43am On Dec 12, 2021
BigDawsNet:
We can generate you the answer here
But the question is...

Are we going to be covering your ass every day when you are given a task to complete...

Like you said... after learning digital skills... all you need is a physical intern job to gain some meaningful experience that will help you stand alone... Try and ignore this job or give it to someone else if possible... find an intern job and learn for a few months
Good luck

OP, please, this is real legit advice; please get internships first, it will help.
Supreme145

PeaceJoyLove:

It is not easy to get a job. From the responses you have gotten so far, you know what to expect.

Entry jobs aren't without experience on LinkedIn. In fact middle experience is like 3 years' experience on the job. So entry is someone who is grounded.

You may want to consider going for an internship. Some are without pay while some are with. With this, you can gain experience.

Actually getting jobs takes time. You need a lot of experience. I laugh at the way those guys put it as if it's easy to just learn web development and get a job.  Lol. It is not that easy. The competition is really high there. From my investigation, some of those guys aren't working but pretending they have online jobs. Lols.

I am happy you brought this out here. Imagine competing with Indians and Middle East guys in web development. Lol. In fact, Europe and the Middle East are where the opportunities can come from cos to get from Asia is slim. Lol.

Well, reflect on everything. You may have to get an intern job.... even with an intern job, you need experience to get it. Web development is highly competitive. This is the truth which they won't tell you, but it is doable. It is achievable. You just have to study hard and get experience anyhow to make more money
Now this is legit advice; in fact what OP should be focusing on now is internships, whether paid or unpaid.

Like me for example, I just started being active in CyberSec, though with little knowledge from the past, but instead of aiming high, I am starting low.
I am connecting with top gurus in the industry, tapping real-world knowledge from them. It hasn't been easy though, but we just dey grind join.

OP, my most sincere advice to you:
1. Get internships, no CAP.
2. Start building professional networks; even if you are a gig worker, don't underestimate the power of referrals.
3. As someone said before, if you can, contribute to open source.
4. Take care of your health (especially mental health).
Wishing you all the best. More wins to you.

Supreme145:

I've been applying for internship positions but no luck so far
I hope your portfolio and CV are ready, sir?
Check out this opening (internship)
https://jiokcareers.com/job/frontend-developer-internship/?utm_campaign=google_jobs_apply&utm_source=google_jobs_apply&utm_medium=organic
Official website of the company.
https://whipafrica.com/

Wishing you the best boss.



bb6xt:

Please can you give me a skills endorsement?
I want to expand my moves.
Webmasters / Re: Why Do You Still Work For Nigerian Companies? by olioxx(m): 11:38am On Dec 12, 2021
webm:
Software Jobs are usually by connections. Someone has to recommend you and to recommend you, they have to know your ability.

If you want to work for a foreign country, get to work with those working abroad. How do you do that? Contribute to open source!!!

If you find an open source tool you love, pour yourself into it and rise in the leaderboard. They'll rush you.

A lot of open source software is run by startups on the side and every company is searching for the best match in their business.

Contributing to the software that powers their system is the fastest way to get hired.

No one has blacklisted Nigerians. No one is going to give you access to their finances when you're working remote

GBAMSOLUTE

jesmond3945:
Thats why you have to sell yourself and work extra hard in doing that. Create a good profile and put good stuff. Big companies don't care where you come from.
Seconded


boookworm:


This is just the truth. Indians have overpopulated the market. Indian webmasters outnumber that of Nigeria by 6 to 1.

I think people should just stop thinking that venturing into IT means work will come looking for you, well maybe like 7-8 years ago, but now the market is saturated. And more and more people are venturing into IT by the minute
LIES
Saturated kor staphylococcus ni.

CSTRR:

This is actually the problem.

Indians have saturated the foreign market

And then add the bad reputation of Nigerians.

Explain this, before wuna go dey write things anyhow.
There is no saturation anywhere, Nigerians still getting jobs.


CSTRR:

Nigerians are still getting jobs, of course.

But you have to be very very competent.
The threshold for trust is very high.
Most of the jobs are going to Senior engineers.

They would rather trust an Indian junior developer than a Nigerian junior dev.

And there are millions of Indian junior devs prowling for jobs.

Thank God you said something LEGIT, once you are competent, you will get jobs, but otherwise no shi-shi for you.
Secondly there is no saturation anywhere, you just have to be good.
Programming / Re: Learning To Code Is Hard!!!! by olioxx(m): 8:10pm On Dec 11, 2021
tensazangetsu20:


Pewdewpie and linda ikeji are the one percent. What does the average blogger with like 500 subscribers make compared to the average programmer. If you want to compare pewdewpie to programmers then you should call guys like mark zuckerberg and sergey brin.

Oga sir, okay, case closed; please can you endorse my C skills on LinkedIn.
Since everybody wan dey catch cruise, make me sef catch small cruise.
"Nah jobs / gigs wen choke I wan dey apply to now!!! LOBATAN"
https://www.linkedin.com/in/olotu-praise-jah-9701b7162/

Travel / Re: How To Make It Fast In Brazil As An African (photo) by olioxx(m): 8:42am On Dec 11, 2021
walkbrazil4k:
To make it very fast in Brazil it's simple work hard and stay clean, stay away from friends that don't believe in hard work and honest jobs.
Like I said before I have just 2 friends in the whole of Brazil and I intend to keep it that way, so work hard, stay clean and keep a very small circle of friends,
Well said, I think this Philosophy applies everywhere in the world.
Regarding friends ehn, a lot of FRENEMIES around now.
One gatz shine one's eye.


Romance / Re: Today Is My Birthday by olioxx(m): 1:46pm On Dec 10, 2021
Mariangeles:
Happy birthday to you!!! More wins!
December born are born leaders!
While November borns or Scorpio are LEGEND!!!! #FACT
Programming / Re: Learning To Code Is Hard!!!! by olioxx(m): 12:38pm On Dec 10, 2021
chim14:
Learning is one side, programming for survival is a whole other story. You can imagine when your food, rent depends on you finishing a project for a client.

Programming is a headache career cuz I have been in it for some years now daily bread. Bugs, debugging, cracking your head to figure a way around sumtin are the main headaches of programming.

In terms of earning, I bet you, some non programmers like youtubers, instagramers, tiktokers, bloggers earn more than programmers.



I thought it was only me that has this mentality, but that is the fucking truth. Look at them, PewDiePie or Linda Ikeji, but at the end of the day God nor go shame us.
The truth of the matter is Programming/Software Dev is kind of like the fastest way to start bagging big cash, but other professions bag even bigger cash than programming.
Remember say Wizkid made a reported 5.2 billion from O2 in 3 days; if I code from now till next year, I fit nor smell 1 billion.


Jobs/Vacancies / I Need A Cybersecurity Job To Hone My Skills. by olioxx(m): 9:32pm On Dec 08, 2021
Job Title: Malware Analysis / Incident Response
Role: Internship (preferably paid) or Entry-Level
Portfolio/CV: https://praiseolotu.github.io/Olotu-Praise-Jah
LinkedIn: https://www.linkedin.com/in/olotu-praise-jah-9701b7162/
Why I believe I am a better candidate: Experience with reverse engineering, malware analysis, forensic analysis and the MITRE ATT&CK Framework.
Relevant Certification: GREM (GIAC Reverse Engineering Malware) (in view)
cc davide470
cc uboma
cc mukina2
cc Seun
Please help me push this to front-page.


Career / Re: The Nairalife Of A Student Doubling As A Software Engineer by olioxx(m): 2:51pm On Dec 07, 2021
remi1444:
This is a worthy read. It's obvious that I'm the only one not earning yet from this tech thing. But again most people don't share their struggling stories. All we hear about is mostly their "winning" tales.

Don't give up boss, even the girl said it was until July 2020 before she got a job, that was about 2 years after she started. The journey is rough, but perseverance and commitment will make you win.
As you said, nobody will share their low times, so don't compare yourself please; just keep up the good work and las las you go smile.


Programming / Re: Me And Osland!!! by olioxx(m): 9:14pm On Dec 06, 2021
Dec 6, 2021: Learned about System Calls

The major reason why a system call is necessary is simply to provide a mechanism for interaction between kernel and user mode. Prior to x86-64, call gates and interrupts were used to achieve system calls. A stable API, also known as the System Call Interface, is what exposes useful functions from the kernel to user mode.
To elaborate better let me use this very simple example.
In the kernel there is a function called NtWriteFile(); in user mode there is a provision for the function WriteFile(). Now the kernel provides this function to user mode because it knows user mode will need this functionality. So the System Call Interface exposes this function to ensure two-way communication between kernel and user mode.
The SCI available to x86-32 processors (Intel) is the assembly instruction pair SYSENTER/SYSEXIT.
SYSENTER: This SCI (System Call Interface) transitions from user mode to kernel mode.
SYSEXIT: This SCI moves back to user mode.
The SCI available to x86-64 processors is the assembly instruction pair SYSCALL/SYSRET, and they work similarly to the 32-bit version; just the names changed.
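
An added example, not part of olioxx's post, showing the user-mode end of the WriteFile -> NtWriteFile -> SYSCALL path described above: the small stub in ntdll that loads a system service number into EAX and executes SYSCALL (x64) or reaches the SYSENTER routine through a pointer (the classic 32-bit layout). The decoder recovers that number from the stub bytes and flags a stub whose first instruction has been replaced by a jump, which is how user-mode hooks commonly look. The stub bytes are constructed to the usual instruction shape rather than dumped from any Windows build, and the service numbers (0x1234, 0x112) are placeholders; real numbers change between Windows versions.

```python
"""Decode ntdll-style system call stubs to recover the service number (constructed bytes)."""
import struct

# x64 stub shape: mov r10, rcx / mov eax, imm32 / syscall / ret.
MOV_R10_RCX = b"\x4c\x8b\xd1"        # SYSCALL clobbers rcx, so the first argument is parked in r10
MOV_EAX_IMM = b"\xb8"                # mov eax, imm32: the system service number
SYSCALL = b"\x0f\x05"
RET = b"\xc3"
JMP_REL32 = b"\xe9"

# 32-bit shape (XP/7-era ntdll): mov eax, imm32 / mov edx, 7FFE0300h / call [edx] / ret n.
# 0x7FFE0300 is the SystemCall pointer in KUSER_SHARED_DATA, which holds the address of
# the SYSENTER routine; the exact layout is taken as the classic one for this demo.
MOV_EDX_IMM = b"\xba"
CALL_EDX_IND = b"\xff\x12"           # call dword ptr [edx]
KUSER_SYSTEMCALL_PTR = 0x7FFE0300

# Constructed stubs, not copied from any Windows binary.
STUB_X64_CLEAN = MOV_R10_RCX + MOV_EAX_IMM + struct.pack("<I", 0x1234) + SYSCALL + RET
STUB_X64_PATCHED = JMP_REL32 + struct.pack("<i", 0x1000) + STUB_X64_CLEAN[5:]   # first 5 bytes overwritten
STUB_X86 = (MOV_EAX_IMM + struct.pack("<I", 0x112) + MOV_EDX_IMM
            + struct.pack("<I", KUSER_SYSTEMCALL_PTR) + CALL_EDX_IND + b"\xc2\x24\x00")
NOT_A_STUB = b"\x48\x83\xec\x28\x90\x90\x90\x90\xc3"


def decode_x64_stub(code):
    """Return {'ssn': int|None, 'hooked': bool}, or None if the bytes are not a syscall stub."""
    if code[:1] == JMP_REL32:
        return {"ssn": None, "hooked": True}        # entry replaced by a jump: inspect the target
    if len(code) < 10 or not code.startswith(MOV_R10_RCX + MOV_EAX_IMM):
        return None
    (ssn,) = struct.unpack_from("<I", code, 4)
    if SYSCALL not in code[8:]:
        return None                                 # newer builds put a WOW64 check here; SYSCALL still follows
    return {"ssn": ssn, "hooked": False}


def decode_x86_stub(code):
    """Return {'ssn': int, 'dispatcher_ptr': int}, or None if not the 32-bit stub shape."""
    if code[:1] != MOV_EAX_IMM or code[5:6] != MOV_EDX_IMM or code[10:12] != CALL_EDX_IND:
        return None
    (ssn,) = struct.unpack_from("<I", code, 1)
    (dispatcher,) = struct.unpack_from("<I", code, 6)
    return {"ssn": ssn, "dispatcher_ptr": dispatcher}


if __name__ == "__main__":
    print("x64 clean:  ", decode_x64_stub(STUB_X64_CLEAN))
    print("x64 patched:", decode_x64_stub(STUB_X64_PATCHED))
    print("x86:        ", decode_x86_stub(STUB_X86))
    print("other:      ", decode_x64_stub(NOT_A_STUB))
```

The number in EAX is what the kernel's dispatcher indexes into its service table to reach NtWriteFile, which is why the kernel side, not the user-mode stub, is the trust boundary: anything a program places in user-mode ntdll can be overwritten by the program itself, and a stub that starts with a jump is exactly what a user-mode monitoring hook (or a sample evading one) looks like from the outside.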


Programming / Re: Me And Osland!!! by olioxx(m): 9:17pm On Dec 05, 2021
Dec 5, 2021: Other things occupying my time, no time for study today. By tomorrow I'll try to upload what I've learned.
Travel / Re: The Best Place To Settle In Brazil As An African (photo) by olioxx(m): 9:04pm On Dec 05, 2021
I must really commend OP for this, any time I come on Nairaland I make sure I read your articles.
Learnt a lot about beautiful Brazil. Especially their girls, hulala!!
OP please post on how to be friends with em Brazilian girls, and I hope they don't have the same mentality as our Naija girls ooo.
Thanks.

Nairaland - Copyright © 2005 - 2024 Oluwaseun Osewa. All rights reserved.