the clue is in the wording "... we _kindly_ request..."
Lol the real clue is in the fact that your IT team would not / should not email an executable out to users to execute - this would be scripted or deployed via other means.
It's sooo interesting to watch these kinds of videos where you're reviewing the source code and see how malware behaves on infected hosts
Neat video. Yes. Yes, you lose nerd cred for not knowing LoTR.
"losing a little bit of street cred"? With a lot of luck there is a little bit left thanks to you at least recognising it as LotR.
Thanks for taking us with you at this journey there and back again.
I legit thought he was gonna say "I've never sat (down and read them)" oof
the word "kindly" is like a dog whistle to me lol
Would you kindly...😂😂😂
@@patricklechner190 lol beat me to it :D
@@patricklechner190 saar please kindly do the needful and press this antiwirud script saaar
@@patricklechner190 ❤
But in my org, if the mail is from other sources, it will say it's external mail, be cautious. Once I flagged a genuine mail as a phishing mail. My IT security team sent me a mail saying it's a genuine mail, but we appreciate your action towards securing the company.
How nice when the malware reads so clearly. You don't have to deal with software protection.
You'd think anyone with the technical know-how to run JS files would also find the request to run one from IT highly suspicious.
@northholdgames8596 ah fair play, I didn't know that
@northholdgames8596 he's saying that it's bizarre that someone fell for one of the most common and obvious "hey, run this file, it's totally safe!" phishing schemes to ever exist without even a single thought of double-checking anything. It's like getting a text from a random unaffiliated scammer's number that says "it's me, your mom. send me $500, it's urgent!" while sitting a room away from your mom and still sending the scammer $500 anyway
@@edwardfildes2038 I mean if you don't know that then what do you know
Not too bad at all. The insane rating was about right if you've never done this before. Be prepared for layers of obfuscation (in the scripting parts) in real malware, just to frustrate even more. Nice to see this test also having an encrypted part to extract.
This is probably the first in-depth digital forensics video I've sat around and watched, and honestly...thanks! I learned a helluva lot, and I'll be experimenting with those debug tools myself... (once I have a stronger foundation in assembly, mind you.)
Great education here digging into IDA. I'm just getting into this field and this is very helpful to see your process, thank you!
Amazing video!! Keep up with the hard work
awesome work man
Great video! It was great to sit shotgun and learn!
Hey John, I really like your malware analysis videos. Can you sometimes showcase malware analysis of a compiled PE that involves more things like dynamic analysis and decompilers, instead of just reading plain source code? Something like the HelloKitty malware. I would really love that. Thank you
I'm probably gonna try this box with your guide, thanks as always John
This was tough to follow with my lab being totally internet blind :( I just want the cool F5 button, John
Edit: I got around it by searching for text and then looking for the weird functions I found through PE Studio and others, then just called a break after 'em and so on.
The one thing that fawked my shorts up was the fact that this actually has to pull down from that FQDN that we had, but meh. I'd rather not have my IP associated with ransomware, and some samples might have server magic to dodge VPN connections/origins. Every lab setup has its drawbacks. In theory we could just try to replicate the network requests and observe what's pulled down, but that still has the whole problem of associating with ransomware and trying to fudge what you tell the attacker infra.
Even though I could see the info on screen, I was still waiting for John to say LTT. 😂😝
Another john hammond classic
Windows Pro includes a secure, isolated, ephemeral VM; it's called Sandbox. It's awesome for testing things. Also a good tip if using VMs is to take snapshots between steps, just in case ... lol.
35:46 it's reading the resource table on the .dll, not the .exe; that's probably why the entropy was meh in the .exe resources
Nice channel, love learning from you
Wow. Learnt a lot today. Thanks, John
Hi John, I'm getting into malware analysis. Is it enough to just boot up a VM and then run malware inside it? Because I read there are types of malware that could escape and infect the host machine, given that I'm doing both static & dynamic analysis
Hey, although it isn't impossible for malware to escape a VM, it's highly unlikely. If you're doing a lot of analysis, maybe have separate hardware and network segregation just to make sure 😁
Seems someone is a Lord of the Rings fan lol. Finding Middle-Earth, bringing the god of everything Eru and then using the Palantir to get into Gondor haha!
Lord of the Rings is a great read over a year or so, but you may have missed an ideal age for it. It may come again, reading it with a grandchild after you've developed a love for language and folklore, through other means.
This was quite a skillful trace through a lot of sneaky code. It's amazing how good the tools are these days.
Why don't as many of the malware samples coming out have VM evasion, like how it spiked a few years ago? Or is it just that it's easier to disguise a VM now?
So what happened at the end? Did you encrypt your VM or something else?
Nah, the encryption only acts on a few folders and a few filetypes within those folders so it's mostly benign. See 41:33
@@74Gee So those were encrypted; for an average user, if it happened on their real computer, that's pretty much everything they have there. Riight LOL
And so I have a clone of my OSes and my data backed up multiple times elsewhere. That the ransomware transfers some of my data to the dark web, I won't be able to fix. I will just be one of millions of other folks out there. A drop in an ocean. My data is already out there, from various hacks of databases...
Nicely done - I didn't know IDA Free had a debugger. I don't do much RE, I guess.
Great video John! Love these reverse engineering videos
Pretty cool demo, thank you. That was rated insane? Some sites I think would honestly rate that as Medium out of easy, medium, hard. Not all CTF sites are the same I guess.
W PowerShell investigation
They ?
Is ChatGPT capable, and can it be used to learn this obfuscated code?
Hey John, let's get OSEE+ right the flip now
Nerd cred would be to read Lord of the Rings, not just watch the movies.
They 😳
You have to say HackTheBox are a sponsor. You didn't say it.
Who is they? What does INSANE mean? Could we tone down the hyperbole?
Watch the video and find out
They is HTB, Insane is the difficulty rating.
Also welcome to YouTube.
Man's gotta play the youtube game. Chill.
Everybody asks "who is they?!" but no one asks "how is they?"
Businesses. Have a codeword that accompanies official IT admin emails (in the subject line is good) that all employees are told to check before clicking on attachments or links. It could be changed monthly or weekly, and ensure your IT team gets this out to everyone whenever it changes. Gamify this by running tests to check user understanding, and consider giving employees a gift voucher if they spot and report dodgy emails. Codewords can be something simple like running through the planets in the solar system each month. You can even force a keyword check that must be removed before your mail server allows access outside the business. If this keyword is in all email footers (e.g. Keyword: "Internal-only"), the user has to deliberately remove it to send an email externally.
Is this Sherlock challenge retired?
No
Maybe
13:54: "Mining Bitcoin Cash"?
Is this a 57 minute commercial? Been to many of those lately, and I don’t want to waste my time.
Yes. For HackTheBox
I mean... it's a commercial showing HTB's sherlock exercises, but the "how it's solved" is great learning info regardless of the original source
@@TotesCray coolest username ever, well done. Must have used freon.
We are the microsofts
all your files are belong to us
If we weren't already aware, the "WinHTTP" autofill in IDA shows you've prepared this walkthrough which is fine, but I for one would find exponentially more value in the footage of you when you're first running through it. Because to see how you go about figuring shit out when things don't work as you would expect them to would be a lot more informative imo.
Yes and no. John does some things live and you get to see him go through problems in real time.
For a video like this, that style would be impractical.
@@IJH-Music You'll never see his first go at a box, even the "live" shit is scripted (or at least outlined). I don't care if it took 6 hours instead of less than 1, if you can show me HOW TO FIGURE OUT how to figure out the unknowns, this would be greatly more valuable than showing me how to complete a challenge. But for the same reason the crowd boos when the fight is painstakingly being grappled on the ground, youtubers will forever be playing the youtube game more than providing truly meaningful information at the advanced levels.
how am i here so fast
lee epik
❤❤❤❤❤❤❤
😊😅😮