They Say This Malware is INSANE

Поділитися
Вставка
  • Опубліковано 19 лис 2024

КОМЕНТАРІ • 76

  • @likebot.
    @likebot. Місяць тому +38

    the clue is in the wording "... we _kindly_ request..."

    • @nickcurrie303
      @nickcurrie303 Місяць тому +4

      Lol the real clue is in the fact that your IT team would not / should not email an executable out to users to execute - this would be scripted or deployed via other means.

  • @godliestous4658
    @godliestous4658 Місяць тому +16

    It's sooo interesting to watch these kind of videos where you reviewing the source code and see how malwares behave on infected hosts

  • @ft4jemc
    @ft4jemc Місяць тому +14

    Neat video. Yes. Yes you loose nerd cred for not knowing LoTR.

  • @lnstagrarm
    @lnstagrarm 9 днів тому +1

    But in my org if the mail is from other sources. It will say its external mail be cautious. Once i flagged genuine mail as phishing mail. My IT security team sent me a mail saying its genuine mail but we appreciate your action towards securing company.

  • @GodDamnitTwitch
    @GodDamnitTwitch Місяць тому +40

    the word "kindly" is like a dog whistle to me lol

    • @patricklechner190
      @patricklechner190 Місяць тому

      Would you kindly...😂😂😂

    • @AsmodeusMictian
      @AsmodeusMictian Місяць тому +1

      @@patricklechner190 lol beat me to it :D

    • @maalikserebryakov
      @maalikserebryakov Місяць тому

      @@patricklechner190saar please kindly do the needful and press this antiwirud script saaar

  • @technikschaf1574
    @technikschaf1574 Місяць тому +5

    "loosing a little bit of street cred" ? With a lot of luck there is a little bit left thanks to you at least recognising it as lotr.
    Thanks for taking us with you at this journey there and back again.

    • @RelemZidin
      @RelemZidin Місяць тому

      I legit thought was gonna say I've never sat (down and read them) oof

  • @edwardfildes2038
    @edwardfildes2038 Місяць тому +14

    You'd think anyone with the technical know-how to run JS files would also find the request to run one from IT highly suspicious.

    • @edwardfildes2038
      @edwardfildes2038 Місяць тому +1

      @northholdgames8596 ah fair play, I didnt know that

    • @bestcoolmanever
      @bestcoolmanever Місяць тому

      @northholdgames8596 he's saying that it's bizarre that someone fell for one of the most common and obvious "hey, run this file, it's totally safe!" phishing schemes to ever exist without even a single thought of double-checking anything. it's like getting a text from a random unaffiliated scammers number that says "it's me, your mom. send me $500, it's urgent!" while sitting a room away from your mom and still sending the scammer $500 anyways

    • @maalikserebryakov
      @maalikserebryakov Місяць тому

      @@edwardfildes2038i mean if u dont know that then what do you know

  • @threeMetreJim
    @threeMetreJim Місяць тому +1

    Not too bad at all. The insane rating was about right if you've never done this before. Be prepared for layers of obfuscation (in the scripting parts) in real malware, just to frustrate even more. Nice to see this test also having an encrypted part to extract.

  • @fdert
    @fdert Місяць тому

    Great education here digging into IDA. I'm just getting into this field and this is very helpful to see your process, thank you!

  • @cristiannunez372
    @cristiannunez372 Місяць тому

    How nice when the malware reads so clearly. You don't have to deal with software protection.

  • @ismayonnaiseaninstrument8700
    @ismayonnaiseaninstrument8700 Місяць тому

    This is probably the first in-depth digital forensics video I've sat around and watched, and honestly...thanks! I learned a helluva lot, and I'll be experimenting with those debug tools myself... (once I have a stronger foundation in assembly, mind you.)

  • @herlambangrafliwicaksono6436
    @herlambangrafliwicaksono6436 24 дні тому

    Hey john, i really like ur malware analysis videos. Can u sometimes showcase malware analysis of compiled PE that involves more things like dynamic analysis and decompilers such instead of just reading plain source codes? Something like hellokitty malware. I would really love that. Thank youu

  • @noamrozen7891
    @noamrozen7891 Місяць тому

    Amazing video!! Keep up with the hard work

  • @shodannonymous9359
    @shodannonymous9359 Місяць тому

    I'm probably gonna try this box with your guide, thanks as always John

  • @josemariolladomarti4935
    @josemariolladomarti4935 Місяць тому

    awesome work man

  • @Rostol
    @Rostol Місяць тому +5

    windows pro includes a secure isolated ephemeral VM, it's called Sandbox. it's awesome for testing things. Also a good tip if using VMs is to take snapshots between steps, just in case ... lol.
    35:46 it's reading the resource table on the .dll, not the .exe that's probably why the entropy was meh in the .exe resourrces

  • @kwgm8578
    @kwgm8578 Місяць тому

    Lord of the Rings is a great read over a year or so, but you may have missed an ideal age for it. It may come again, reading it with a grandchild after you've developed a love for language and folklore, through other means.
    This was quite a skillful trace through a lot of sneaky code. It's amazing how good the tools are these days.

  • @ogunikitty
    @ogunikitty Місяць тому

    Wow. Learnt a lot today. Thanks john

  • @aidengoiangos4577
    @aidengoiangos4577 Місяць тому

    Another john hammond classic

  • @mitospha
    @mitospha Місяць тому

    Pretty cool demo, thank you. That was rated insane? Some sites I think would honestly rate that as Medium out of easy, medium, hard. Not all CTF sites are the same I guess.

  • @MultiDark2012
    @MultiDark2012 Місяць тому +1

    Even though I could see the info on screen, I was still w8ing for John to say LTT. 😂😝

  • @redisbluegaming6696
    @redisbluegaming6696 Місяць тому

    Nice channel, love learning from you

  • @logiciananimal
    @logiciananimal Місяць тому

    Nicely done - I didn't know IDA Free had a debugger. I don't do much RE, I guess.

  • @JPerridew
    @JPerridew Місяць тому

    Great video! It was great to sit shotgun and learn!

  • @crudmonkey
    @crudmonkey Місяць тому

    Great video John! Love these reverse engineering videos

  • @draconic5796
    @draconic5796 Місяць тому +4

    Seems someone is a Lord of the Rings fan lol. Finding Middle-Earth, bringing the god of everything Eru and then using the Palantir to get into Gondor haha!

  • @zerodoinkthirty0
    @zerodoinkthirty0 Місяць тому

    W PowerShell investigation

  • @QuantariousBitsoniTalvanen
    @QuantariousBitsoniTalvanen Місяць тому

    Why dont as many of the malware coming out have vm evasion like how it spiked a few years ago? Or is it just that it's easier now to disguise a vm now?

  • @AUBCodeII
    @AUBCodeII Місяць тому

    Hey John, let's get OSEE+ right the flipp now

  • @dav1dw
    @dav1dw Місяць тому

    Nerd cred would be to read Lord of the Rings, not just watch the movies.

  • @zakzak24
    @zakzak24 Місяць тому

    hi John, I'm getting into malware analysis, is it enough to just boot up a VM then run malware inside it ? cause I read there're types of malware that could escape and infect the host machine, given that I'm doing both static & dynamic analysis

    • @GarethBaddams
      @GarethBaddams Місяць тому +1

      Hey although it isn't impossible for malware to escape a VM it's highly unlikely, if your doing a lot of analysis maybe have separate hardware and network segregation just to make sure 😁

  • @shingareom
    @shingareom Місяць тому +2

    They ?

  • @jesperwall839
    @jesperwall839 Місяць тому +21

    Is this a 57 minute commercial? Been to many of those lately, and I don’t want to waste my time.

    • @Twoshoes22Jason
      @Twoshoes22Jason Місяць тому

      Yes. For HackTheBox

    • @TotesCray
      @TotesCray Місяць тому +11

      I mean... it's a commercial showing HTB's sherlock exercises, but the "how it's solved" is great learning info regardless of the original source

    • @capability-snob
      @capability-snob Місяць тому +2

      ​@@TotesCraycoolest username ever, well done. Must have used freon.

  • @viv_2489
    @viv_2489 Місяць тому

    If chat gpt is capable and can be used to learn this obfuscated code?

  • @klex3905
    @klex3905 Місяць тому

    You have to saybhackTheBox are a sponsor. You didn't say it.

  • @grant-is
    @grant-is Місяць тому +72

    Who is they? What does INSANE mean? Could we tone down the hyperbole?

    • @orderandchaos_at_work
      @orderandchaos_at_work Місяць тому +14

      Watch the video and find out

    • @pan_golin
      @pan_golin Місяць тому +34

      They is HTB, Insane is the difficulty rating.
      Also welcome to UA-cam.

    • @arthurbruel5545
      @arthurbruel5545 Місяць тому +14

      Man's gotta play the youtube game. Chill.

    • @FirstnameLastname_official
      @FirstnameLastname_official Місяць тому +30

      Everybody asks "who is they?!" but no one asks "how is they?"

    • @Frustratedfool
      @Frustratedfool Місяць тому

      Businesses. Have a codeword that accompanies official IT admin emails (in the subject line is good) that all employees are told to check before clicking on attachments or links. It could be changed monthly or weekly, and ensure your IT team get this out to everyone whenever it changes. Gamify this by running tests to check user understanding, and consider give employees a gift voucher if they spot and report dodgy emails. Codewords can be something simple like running through the planets in the solar system each month. You can even force a keyword check that must be removed before your mail server allows access outside the business. If this keyword is in all email footers (e.g. Keyword: “Internal-only”, the user has to deliberately remove it to send an email externally.

  • @hoosiercrypto9955
    @hoosiercrypto9955 Місяць тому +3

    They 😳

  • @D.von.N
    @D.von.N Місяць тому

    So what happened at the end? Did you encrypt your VM or something else?

    • @74Gee
      @74Gee Місяць тому

      Nah, the encryption only acts on a few folders and a few filetypes within those folders so it's mostly benign. See 41:33

    • @D.von.N
      @D.von.N Місяць тому

      @@74Gee So those were encrypted, for an average user, if it happened in their real computer, pretty much everything they have there. Riight LOL
      And so I have a clone of my OSs and data backed up multiple times elsewhere. That the ransomware transfers some of my data to the dark web, I won't be able to fix that. Just I will be one of millions other folks out there. A drop in an ocean. My data already is out there, from various hacks of databases...

  • @h4ckh3lp
    @h4ckh3lp Місяць тому +3

    If we weren't already aware, the "WinHTTP" autofill in IDA shows you've prepared this walkthrough which is fine, but I for one would find exponentially more value in the footage of you when you're first running through it. Because to see how you go about figuring shit out when things don't work as you would expect them to would be a lot more informative imo.

    • @IJH-Music
      @IJH-Music Місяць тому

      Yes and no. John does some things live and you get to see him go through problems in real time.
      For a video like this, that style of video would be impractical.

    • @h4ckh3lp
      @h4ckh3lp Місяць тому

      @@IJH-Music You'll never see his first go at a box, even the "live" shit is scripted (or at least outlined). I don't care if it took 6 hours instead of less than 1, if you can show me HOW TO FIGURE OUT how to figure out the unknowns, this would be greatly more valuable than showing me how to complete a challenge. But for the same reason the crowd boos when the fight is painstakingly being grappled on the ground, youtubers will forever be playing the youtube game more than providing truly meaningful information at the advanced levels.

  • @user_Esq
    @user_Esq Місяць тому

    13:54: 'Mining bitcoin cash" -?

  • @ARIFF861
    @ARIFF861 Місяць тому

    does this sherlock challenge retired?

  • @stefan-viorelnagy5181
    @stefan-viorelnagy5181 Місяць тому

    how am i here so fast

  • @paulmurgatroyd6372
    @paulmurgatroyd6372 Місяць тому

    We are the microsofts
    all your files are belong to us

  • @SPOOKEXE
    @SPOOKEXE Місяць тому

    lee epik

  • @darshanakhare6676
    @darshanakhare6676 Місяць тому

    ❤❤❤❤❤❤❤

  • @Sjajodia
    @Sjajodia Місяць тому

    😊😅😮