Blackhats: " For educational purposes only" Crypto traders/ scammers: "This is not financial advice " Police interrogators: "You have the right to remain silent"
Hey, at least the right to remain silent is something that they're legally forced to give you and need to inform the jury to not hold your silence against you (as well as judgements found to violate that clause getting thrown out entirely)
When he was trying to spam the web hook be found with the spammer, you can actually tell if it's working or not by looking at the status colulm. He kept getting 429 response codes, which means that he sent too many request to the discord API. Doesn't look like he was ever able to spam the viral webhook because he already spammed one of his own and discords API rate limited him. Waiting 3-10 minutes will resolve that.
@@User-kq3od by your logic operating systems like windows, macos, or linux shouldn’t be used because they could be used maliciously. your rational falls apart
You could have sent a DELETE request on that web hook URL, then the web hook would have been deleted and any other instances of the malware will not be able to send data to the attackers.
Synk (the sponsor of this video) has clearly stated in their ToS that they will store any project you'll send them indefinitely and they will not delete it if and when you decide to delete the project on Synk itself. Other than that they also require their customers to have their back no matter what. Just read this piece of text from their ToS: "You will defend, indemnify and hold harmless Snyk against claims, actions, proceedings, losses, damages, expenses and costs (including without limitation court costs and reasonable legal fees) arising out of or in connection with your use of the Services, the Platform, Service Data and/or Documentation other than in accordance with this Agreement." For me this is very severe and holds me from using the software at all. And it's a pity cause I think it could have been a good one.
You'd write that clause too if you were handling people's private repo data and wanted to be absolved from being sued by sue-happy corporate crooks. Not saying you should feel comfortable. I'm saying, there's a real-world reason for writing such language. Source: Have worked with data recovery and security companies. Many of them have similar language to this.
@@Zancb Sure there are reason for writing that. One of the reasons being you protect the company from ANY kind of lawsuit. If you one day discover that your private repo is being used by some corporation who's paid Synk big money to grab data from their servers, you could do literally nothing. If they decide to charge your subscription more than it was advertised without any notice whatsoever, you are required to just shut up and take it. There are several examples that might be even worse, but you surely get why I don't think it's a service anyone should ever use at all. I am not even sure that the paragraph is legally worth anything since imho it might make them avoid accountability for virtually anything a customer might experience on their platform. I do think that is not lawful and they can't just write in their ToS anything they want, the ToS has to respect laws too. But I am a developer, not a lawyer and I might have misunderstood when that paragraph might be used. Maybe it does not mean what I do think it means, I am not completely sure. If anyone here has a legal background and is willing to elaborate on that you are more than welcome to do so.
They legally cannot enforce any of that. It's there so that they aren't held liable if you use their software for illegal purposes (a catch-all, if you will). Plenty of software companies do this.
That is going to be in any TOS, its a cover your ass statement, all that second part means is effectively "If you're really shit at writing code, and our software doesn't catch every single last exploit, so it still gets exploited, that's not on us, and you can't say it is, you can't just rely on software to do your job" Any reputable company will have a clause like that if they are doing something similar to snyk, trying to protect you, I'd imagine nearly every last anti-virus would have a similar one too
@@ImTimmy228 Many do that, yes. But of the samples John pulled apart this is the only one I know of. And I've watched many of his videos and I've actually pulled apart some malware samples myself, this is the first one I know of that does protect itself against debugging.
I just want to say that I really appreciate that you have been putting the sponsors in the second half of the video. I don't properly know how to express it besides making the video more comfortable to watch but it has been great! Thank you, keep up the great work!
I don't think the webhook spam actually worked. The reason your Discord got broken is because *you* sent too many requests, so they started blocking every action from the IP address. You can even see the 429 response codes in the network log
@@_JohnHammond btw if you send a get request to the webhook url it tells you the guild and channel id it's set at not really useful for anything other than reporting though, and I've learned not to count on discord staff
I'm curious why they can't do this for cheaters in games, I have always said they should just block or in some other way limit the possibilities from a particular IP address when dealing with hackers in CoD etc.
@@lfcbproLike Checkium said, IP addresses are dynamic. Hardware bans are also ineffective, and can also lead to things like re-sale of HWID banned PC to someone who isn't a cheater, but they place the games the cheater is banned on. So essentially, innocent people wasting their money on a PC that they can't use for what they bought it for, because of the previous owner.
Unintended purpose of your video, but I just used the Py-Fuscate and your method of getting the information out to create a challenge for a CTF I'm running at my college in a month.
Watching your videos has made me do a complete 180 on my life. Learning Python (Still very new) with the hopes of being a pentester. As a way of getting experience I was thinking of backend engineer to get my foot in the door but I am unsure and COMPLETELY overwhelmed with the amount of stuff to learn that's out there. Is there a roadmap for pentesting to kinda determine where I am and where to go next? Awesome video btw! I love the python malware analysis stuff
There is no roadmap at all, this industry doesn't have a laid out plan for what you should do and what you should learn. It doesnt fit the mindset of a pentester either. A pentester or even any one in the infosec industry should be by nature very curious and eager to learn anything.
@@boogieman97 That's crazy! But also really interesting thank you for clearing that up! I'm pretty eager to learn as much as I can I guess I just worry about all the time I wasted not getting into this industry at a younger age and want to "supercharge" my way to catch up if that makes sense? Anyways, I'll keep that in mind thank you!
@@Sl33pySage Trust me when I say you're not behind if you're starting at a young age, I started at 15 and am still working my way to being a good pentester. Just enjoy the journey as there is a lot to have in store. Lots of cool knowledge that makes you feel awesome when you pull it off! Welcome to the world of cybersecurity!
@@Sl33pySage not sure where you're at since this was almost a year ago, but it's really never too late. Almost 30 and starting a job with a cybersecurity application startup in 1.5 weeks. I'll still only be in support, but it's as an engineer so it's still its on the path! I started out in biotech, and hit a deadend there. After floating around not really knowing what to do, as you said I eventually pulled a complete 180 because of videos like from @_JohnHammond. If you're interested my path was the following: studied the Network+ and A+ (still don't have the certs for them tho 😬decided a degree was more important), did some side projects and self study, got a wfh support call center job as a temp, worked hard to be hired on full time to their implementations department, and used their tuition reimbursement to go to school a bit. Then the company started to act shifty so I applied to a bunch of new jobs, advertised my new skills and talking about the school and personal projects during the interviews, then that was that! I made it real clear in the interviews that I need to learn a bunch still, and they said that seems like what they're looking for, so I'm hoping with this I'll get much more familiar with the field and actually work closer to the tech than ever. Like boogieman97 said, there's no real set path, and yeah it's a great analogy for the hacker's attitude of making it work for you, so you could look at it as practice for that mindset :)
This is the first video of yours that i've watched. I gotta say, i dont understand a bit of what your saying but i can appreciate what your doing to help people. Subscribed.
My buddy got hit by this last year; dummy got hit up from a random discord user asking him to "try this game I created", easy 300 bucks to the scammer. Cool to see what the capabilities of the malware was.
If it was an exe, then it was a different malware. Python code packed into an exe doesn't come in script form, it comes as bytecode with it's own portable python.exe
They stole every password in my browser and stole my discord and the email for it, then started messaging my family and friends to get them to download the link too. The link was them telling me it was to test a game. When you click it, downlload the file, unzip and run, it asks for access to command prompt. Then nothing happens, no game, and then they have all your stuff.
16:54 line 1254 shows how much of a newbie the developer of the grabber is (("VMware" or "VBOX") will always evaluate to "VMware", so "VBOX" is just useless nor will it be detected)
13:49 wait... what if you were to rename any of those exe's to random stuff and then run them? would it not kill them, because the process name would be different? like when John has renamed calc.exe in other videos
@@daleryanaldover6545 if you have the webhook url, you can entirely control it, including changing the name and avatar of it. you can also just plainly delete it by sending a DELETE to the url, but that's less fun than spamming it to death
Wait, do people never check their addresss? Even when I know I don’t have the address, or I copy and paste I still make sure every letter is correct, just a fear of mine. But $400 in stolen money?
what i once did is i sent a link to invite a bot to "help the grabber", of course it was my dummy bot but the owners added it and i tracked down what server it was in.
John, I love all your content and it is really inspiring me to become a pentester. I was wondering if you could do a video on all the add-ins/extensions you use within your browsers? It would be cool to see what tools you use. THank you
one very funny thing is that the music he was listening to is soma extremely stereotypical french drill from an artist who is know to be an absolute liar in his tracks
So is there a way for someone to steal a discord token without using a link that the user must click on first? Any application or browser based exploits? Or is it as simple as 'don't click on links you don't trust' to remain safe from having your token or credentials stolen?
Meh, GH mods never delete repositories/accounts with malware, unless, of course, if request was from a large company. User/repo from video still active. Also I reported one user almost an year ago and he is still active...
I mean you can't really shut down someone's account for creating malware programs because it's not wrong to write them, just use them against people who have not given you explicit permission for such. Although ultimately it's up to Github themselves, and they do have the report option for it so I don't really know why they wouldn't.
user is still active as of today, March 9th. Github won't delete a user contributing to the security space. Malware is apart of that space and everyone needs to see how this malware works. Deleting it from GH would do nothing but harm as the owner still has the code on their local branches and now nobody can understand it to protect against if need be. The reality is. Users that get hit by it would probably never know and were never aware it could happen in the first place. Those that are aware are sophisticated users with some of them being us coming to watch hacking videos on youtube. We want to see that code. Not let it disappear.
I'm curious if it is wise to report users like that, is it not possible that if all of the github's are reported that host code like this, that it will be harder to find the code etc, like you showed, which will limit the ability to check for bad actors, as against researchers or documenters of malware?
I downloaded a file from an indian youtube channel, and i got a spyware from it,I only rebooted my pc without deleting the os and reinstalling it again, Am i safe? Thanks for helping me
@@rodricbr maybe python is easy to learn, but the code that was used to create this malware is not if you write it by yourself without using outside sources (which this person did not do)
these are very easy to make ive made one before people call them a "stub" its crazy how easy it is js one click of a button and paste ur webhook n boom js like that u have an exe file that takes all info passwords location ip etc
@@ohrayoe3858 Uh, you mean the webhook spammer? In case you created a webhook for your discord server you should just keep the webhook's URL to yourself and not give it to anyone else. Just like your discord token or of any bot you create.
If are to write such malware why upload it to Git public repository? This is ignorance at its prime, and thank God for that :) Good work, once again, Mr. Hammond.
Someone writing sophisticated code like this obviously didn't just upload it there with no reasoning behind it. They most likely genuinely want others to see it... AND use it. AND contribute to it to help make it more dangerous.
Unfortunately, the 429 indicates that your IP is being ratelimited by discord, so those messages likely never reached the stealer's webhook. That is why you could not delete any messages or do anything more in your testing channel; they were blocking you from using the API.
There's a way around their blocker tho, if I remember correctly, I think it's cloudflair. If you're using selenium, you can delete the cookies and cache. Doing so would bypass the block. That was for cloud flair, but I remember there was something for the discord API rate limiting as well for bypassing
@@_JohnHammond lol I was messing with discord apis and malware a while back and was totally baffled as to why none of my API calls would ever work. A month later I found out 🤣
bro i just had a total freak moment... im watching this and outta nowhere my cmd opened up for amdautoupdate... i thought i just got infected by a damn vid lmao
L john, you could have just deleted the webhook the guy made, even though blackcap is Dualhooked, and everything you're sent also gets sent to KSCHdsc. Reporting the actual repository wasn't necessary. if you are dumb enough to install an executable from someone you don't particularly know you deserve whatever happens to you.
Your spammer thingy is not working by the end of the video because it's sending requests from your personnal IP, you were the one that was blacklisted for spamming (429s), so no, they didn't get to the webhook
How can i know what server the webhook is joined in? And send me an invite to it i wanna know so i can troll the devs lol (Not for stealing others peoples data)
plenty of them out there. i dont see how all of these comments dont get the fact that Open Source is used to not only make things public, but also get CONTRIBUTIONS to the project. Looks like all of his dangerous projects are frequently updated weekly/daily. BlackCap itself has 5 authors, 4 contributors and it was created from forks of Hazard Grabber PirateStealer Wasp-stealer Builder by Luna token grabber VERY common thing going on here. Malware is software like everything else. Some tools on Kali Linux can be found on GH as well. Those tools are dangerous. "but but it's Kali... It's for good guy pentester" Yea. And Of course malicious hackers as well because the tools can be good and bad.
Yea, they came into the Discord, and posted here that they did it for educational reasons. It's just a shame that the malware is very potent (steals CC info and stuff). Would probably be a good idea to keep stuff like that out of the educational repos :P
I haven't used the marshal library before, but I did notice the red box in its Python documentation that says never to unmarshal code from an untrustworthy source. Running this on your host was risky!
@@fubukii1891 il dit que jtai payé pour faire l'inject, alors que bon on s'est dit nous meme que c'etais un rewrite. Un gros rewrite certe mais bon faut pas pousser
Blackhats: " For educational purposes only"
Crypto traders/ scammers: "This is not financial advice "
Police interrogators: "You have the right to remain silent"
Hey, at least the right to remain silent is something that they're legally forced to give you and need to inform the jury to not hold your silence against you (as well as judgements found to violate that clause getting thrown out entirely)
@@xana3961 I just love the fact that they say that and then keep you for hours and still keep asking you questions.
@@xana3961 yeah but the crypto bros and blackhats won't shut off their body cams before handcuffing me and breaking both of my kneecaps
When he was trying to spam the web hook be found with the spammer, you can actually tell if it's working or not by looking at the status colulm. He kept getting 429 response codes, which means that he sent too many request to the discord API. Doesn't look like he was ever able to spam the viral webhook because he already spammed one of his own and discords API rate limited him. Waiting 3-10 minutes will resolve that.
It's always funny to me when they say it's for "educational" purposes when it's clearly malicious
@Michael DiGregorio really he is so stpid don't 😭
Hey i really made it for educationnal in the beggining
By your logic powershell and python as a language are malicious and shouldnt exist because they have the potential to be abused by its users. 🤦
@@User-kq3od by your logic operating systems like windows, macos, or linux shouldn’t be used because they could be used maliciously. your rational falls apart
@@majoryoshi that's not their point at all
You could have sent a DELETE request on that web hook URL, then the web hook would have been deleted and any other instances of the malware will not be able to send data to the attackers.
I tried, but somebody already deleted it lol
🧠
but first spam the webhook URL with "your webhook got thanos snapped" and GIFs of thanos doing fortnite dances
@@GateKeeper_Systems I saw ntts do that.
@@rodricbr same lol
Good GOD your sponsor break "Hang on!" frightened the life out of me 😂 I was too invested!
I read your comment and thought "It can't be that bad, can it?"
**a few moments later**
John: "Hang on!"
Me: **flinching** "Oh, it IS that bad!"
Same loool
As an old guy who did old computer things, I just love your videos and really enjoy them. Thank you for making these.
Synk (the sponsor of this video) has clearly stated in their ToS that they will store any project you'll send them indefinitely and they will not delete it if and when you decide to delete the project on Synk itself.
Other than that they also require their customers to have their back no matter what. Just read this piece of text from their ToS:
"You will defend, indemnify and hold harmless Snyk against claims, actions, proceedings, losses, damages, expenses and costs (including without limitation court costs and reasonable legal fees) arising out of or in connection with your use of the Services, the Platform, Service Data and/or Documentation other than in accordance with this Agreement."
For me this is very severe and holds me from using the software at all. And it's a pity cause I think it could have been a good one.
You'd write that clause too if you were handling people's private repo data and wanted to be absolved from being sued by sue-happy corporate crooks. Not saying you should feel comfortable. I'm saying, there's a real-world reason for writing such language.
Source: Have worked with data recovery and security companies. Many of them have similar language to this.
@@Zancb Sure there are reason for writing that. One of the reasons being you protect the company from ANY kind of lawsuit. If you one day discover that your private repo is being used by some corporation who's paid Synk big money to grab data from their servers, you could do literally nothing. If they decide to charge your subscription more than it was advertised without any notice whatsoever, you are required to just shut up and take it.
There are several examples that might be even worse, but you surely get why I don't think it's a service anyone should ever use at all.
I am not even sure that the paragraph is legally worth anything since imho it might make them avoid accountability for virtually anything a customer might experience on their platform. I do think that is not lawful and they can't just write in their ToS anything they want, the ToS has to respect laws too.
But I am a developer, not a lawyer and I might have misunderstood when that paragraph might be used. Maybe it does not mean what I do think it means, I am not completely sure.
If anyone here has a legal background and is willing to elaborate on that you are more than welcome to do so.
i think you would be hard pressed to find any tos that lacks that verbiage
They legally cannot enforce any of that. It's there so that they aren't held liable if you use their software for illegal purposes (a catch-all, if you will). Plenty of software companies do this.
That is going to be in any TOS, its a cover your ass statement, all that second part means is effectively "If you're really shit at writing code, and our software doesn't catch every single last exploit, so it still gets exploited, that's not on us, and you can't say it is, you can't just rely on software to do your job" Any reputable company will have a clause like that if they are doing something similar to snyk, trying to protect you, I'd imagine nearly every last anti-virus would have a similar one too
16:17 Hey, it's even protected specifically against you, it detects if the username is "John" or the PC name is "John-PC"!
Actually, most of malwares do that, to bypass sandboxes like Triage, Anyrun, VirusTotal.
If name is like John, it will NOT execute malware
@@ImTimmy228
Many do that, yes.
But of the samples John pulled apart this is the only one I know of. And I've watched many of his videos and I've actually pulled apart some malware samples myself, this is the first one I know of that does protect itself against debugging.
I just want to say that I really appreciate that you have been putting the sponsors in the second half of the video. I don't properly know how to express it besides making the video more comfortable to watch but it has been great! Thank you, keep up the great work!
I don't think the webhook spam actually worked. The reason your Discord got broken is because *you* sent too many requests, so they started blocking every action from the IP address. You can even see the 429 response codes in the network log
This is true, I borked it when I tested it against myself.
@@_JohnHammond btw if you send a get request to the webhook url it tells you the guild and channel id it's set at
not really useful for anything other than reporting though, and I've learned not to count on discord staff
I'm curious why they can't do this for cheaters in games, I have always said they should just block or in some other way limit the possibilities from a particular IP address when dealing with hackers in CoD etc.
@@lfcbpro Changing your IP address is easy, and many people may share the same IP address. It's just not worth it.
@@lfcbproLike Checkium said, IP addresses are dynamic. Hardware bans are also ineffective, and can also lead to things like re-sale of HWID banned PC to someone who isn't a cheater, but they place the games the cheater is banned on. So essentially, innocent people wasting their money on a PC that they can't use for what they bought it for, because of the previous owner.
Unintended purpose of your video, but I just used the Py-Fuscate and your method of getting the information out to create a challenge for a CTF I'm running at my college in a month.
AWESOME CTF challenge idea!!! 🔥🤩
Watching your videos has made me do a complete 180 on my life. Learning Python (Still very new) with the hopes of being a pentester. As a way of getting experience I was thinking of backend engineer to get my foot in the door but I am unsure and COMPLETELY overwhelmed with the amount of stuff to learn that's out there. Is there a roadmap for pentesting to kinda determine where I am and where to go next?
Awesome video btw! I love the python malware analysis stuff
There is no roadmap at all, this industry doesn't have a laid out plan for what you should do and what you should learn. It doesnt fit the mindset of a pentester either. A pentester or even any one in the infosec industry should be by nature very curious and eager to learn anything.
@@boogieman97 That's crazy! But also really interesting thank you for clearing that up! I'm pretty eager to learn as much as I can I guess I just worry about all the time I wasted not getting into this industry at a younger age and want to "supercharge" my way to catch up if that makes sense? Anyways, I'll keep that in mind thank you!
@@Sl33pySage Trust me when I say you're not behind if you're starting at a young age, I started at 15 and am still working my way to being a good pentester. Just enjoy the journey as there is a lot to have in store. Lots of cool knowledge that makes you feel awesome when you pull it off! Welcome to the world of cybersecurity!
@@Sl33pySage not sure where you're at since this was almost a year ago, but it's really never too late. Almost 30 and starting a job with a cybersecurity application startup in 1.5 weeks. I'll still only be in support, but it's as an engineer so it's still its on the path! I started out in biotech, and hit a deadend there. After floating around not really knowing what to do, as you said I eventually pulled a complete 180 because of videos like from @_JohnHammond.
If you're interested my path was the following: studied the Network+ and A+ (still don't have the certs for them tho 😬decided a degree was more important), did some side projects and self study, got a wfh support call center job as a temp, worked hard to be hired on full time to their implementations department, and used their tuition reimbursement to go to school a bit. Then the company started to act shifty so I applied to a bunch of new jobs, advertised my new skills and talking about the school and personal projects during the interviews, then that was that! I made it real clear in the interviews that I need to learn a bunch still, and they said that seems like what they're looking for, so I'm hoping with this I'll get much more familiar with the field and actually work closer to the tech than ever.
Like boogieman97 said, there's no real set path, and yeah it's a great analogy for the hacker's attitude of making it work for you, so you could look at it as practice for that mindset :)
16:34 I'm relieved to see it won't detonate on "JOHN-PC"
Best defense from now on is making sure that your main OS is looking like a virtual machine. Perfect.
or just using a VM at all times
That's pretty funny actually. QubesOS reasonably secure indeed.
the funny thing is you can just disguise your machine as a VM and it won't run
lmao
Pretty common, actually. It's an anti-analysis technique.
In the VM checker it had ‘John PC’ think there getting wise to you 16:25
This is the first video of yours that i've watched. I gotta say, i dont understand a bit of what your saying but i can appreciate what your doing to help people. Subscribed.
I was hacked with exactly THIS Malware, The Hacker grabs all of token Email Adresses, Codes, Passwords etc etc. I was locked out of my own Privacy
Me too, me too !! I am dealing with this now.
@@maybemolly237 u're struggling?
You can send a DELETE request to the webhook url to delete it!
from another comment it looks like someone has already deleted it
"It worked on my host" his youtube channel turns into a crypto channel in a week.
@15:34 Wow, they're not even listing Firefox. Wonder if that's because it doesn't use Chromium or because they think it's too small to be relevant.
My buddy got hit by this last year; dummy got hit up from a random discord user asking him to "try this game I created", easy 300 bucks to the scammer. Cool to see what the capabilities of the malware was.
If it was an exe, then it was a different malware. Python code packed into an exe doesn't come in script form, it comes as bytecode with it's own portable python.exe
@@nordgaren2358 You can definitely package a Python script into a single-file exe, I've done it before.
In the future if you get a discord webhook you can actual curl it and it will tell you its server info and you can report it to discord
you can also add webhook in the url bar and it'll show you the same result as cUrl
@@ChrisTheCringe true
Hey IDK if you saw john, but they put your name in it also. At 16:29 It looks like anyone who might try to look what it does....
Half of the time I don't know what's going on but I still enjoy these videos
It's always a good morning when John Hammond uploads a new video!
They stole every password in my browser and stole my discord and the email for it, then started messaging my family and friends to get them to download the link too. The link was them telling me it was to test a game.
When you click it, downlload the file, unzip and run, it asks for access to command prompt. Then nothing happens, no game, and then they have all your stuff.
Subscribed + Like material. UA-cam content that are put like this are great! Keep up the good work.
I appreciate your support. TANK YOU.
I love your videos, it’s just a nice feeling when I’m eating a snack watching you dissemble viruses.
john hammond's definitely been working out
That Py-fuscate script is pretty cool
As always, love watching how you work. Great content John. Nice breakdown and explanations.
16:54
line 1254 shows how much of a newbie the developer of the grabber is
(("VMware" or "VBOX") will always evaluate to "VMware", so "VBOX" is just useless nor will it be detected)
You can easily check, if a webhook is active, if you just open the link in a browser.
Some of those ips / computer names are virustotal machines and stuff.
18:18 couldn't you look at the response discord gives you see if the webhook is still working
13:49 wait... what if you were to rename any of those exe's to random stuff and then run them? would it not kill them, because the process name would be different? like when John has renamed calc.exe in other videos
Yes, but the average person is not going to think of that
@@mongmanmarkyt2897 It's actually a very common technique for reverse engineers, which is the average person who would be reverse engineering malware.
John Hammond, help me, I fell for this malware, but I'm not sure if I was infected, I disabled a bootable that was created and uninstalled discord
Being open source you can basically add ways to mitigate the methods they steal info
Is it ethical / "pythonic" to run that os.system('pip') to install all dependencies? Feels illegal
no
but script kiddies don't know any better
*I'm here for "Educational Purposes"
I belive you can actually delete discord webhooks, not just spam them
Yeah, I'm pretty sure ntts showed a website where you can get the webhooks deleted.
@@imnotmarbin he did
@@imnotmarbin You don't need that. just open your terminal and do a 'curl -X DELETE'.
@@Serpensin wait, without authorization header? interesting
@@daleryanaldover6545 if you have the webhook url, you can entirely control it, including changing the name and avatar of it. you can also just plainly delete it by sending a DELETE to the url, but that's less fun than spamming it to death
Quick everyone change their pc name to John-PC
This was really educational.
You taught me how the \something\ part works.
i love reverse engeneering, did it called that way?
Wait, do people never check their addresss? Even when I know I don’t have the address, or I copy and paste I still make sure every letter is correct, just a fear of mine. But $400 in stolen money?
New upload, I'm happy now.
what i once did is i sent a link to invite a bot to "help the grabber", of course it was my dummy bot but the owners added it and i tracked down what server it was in.
John, I love all your content and it is really inspiring me to become a pentester. I was wondering if you could do a video on all the add-ins/extensions you use within your browsers? It would be cool to see what tools you use. THank you
Penetration Tester
@Thawne penetration tester (white hat hacker basically)
one very funny thing is that the music he was listening to is soma extremely stereotypical french drill from an artist who is know to be an absolute liar in his tracks
Which music?
so an edgy french skid? gotcha
So is there a way for someone to steal a discord token without using a link that the user must click on first? Any application or browser based exploits? Or is it as simple as 'don't click on links you don't trust' to remain safe from having your token or credentials stolen?
Meh, GH mods never delete repositories/accounts with malware, unless, of course, if request was from a large company. User/repo from video still active. Also I reported one user almost an year ago and he is still active...
You cannot report open source malware 🤨 it genuinely is educational and not illegal at all
I mean you can't really shut down someone's account for creating malware programs because it's not wrong to write them, just use them against people who have not given you explicit permission for such. Although ultimately it's up to Github themselves, and they do have the report option for it so I don't really know why they wouldn't.
user is still active as of today, March 9th. Github won't delete a user contributing to the security space. Malware is apart of that space and everyone needs to see how this malware works. Deleting it from GH would do nothing but harm as the owner still has the code on their local branches and now nobody can understand it to protect against if need be. The reality is. Users that get hit by it would probably never know and were never aware it could happen in the first place. Those that are aware are sophisticated users with some of them being us coming to watch hacking videos on youtube. We want to see that code. Not let it disappear.
What in the half life cmd was that
i wish you could use the webhook to join the server
please credit exyl for using his art in your thumbnail
All credit to exyl for art in the thumbnail :)
I'm curious if it is wise to report users like that,
is it not possible that if all of the github's are reported that host code like this, that it will be harder to find the code etc, like you showed, which will limit the ability to check for bad actors, as against researchers or documenters of malware?
I agree, and also reporting code seems crazy to begin with
There's already plenty of detection tools for stuff like this, it's unnecessary to keep it up.
i dont see any credit to exyl for his discord logo in the thumbnail from his video PING!
Credit to exyl for discord logo in the thumbnail from his video PING! :)
@@_JohnHammond wow, fast response.
I downloaded a file from an indian youtube channel, and i got a spyware from it,I only rebooted my pc without deleting the os and reinstalling it again, Am i safe?
Thanks for helping me
15:29 and not one for gecko based browsers
So if you want to stay safe, you need to make your pc look like an virus analyzer...
200 iq move
Great Video. Fire!!!!!
most of this guys code is skidded/taken from other people.
obviously
yeah... even python that is easy to learn
No.
@@rodricbr maybe python is easy to learn, but the code that was used to create this malware is not if you write it by yourself without using outside sources (which this person did not do)
@@radon-sp thanks Joswel
John how can I contact you ! I need to inform you something. It's seriously important for cyber Crime perspective. Can I dm you ?
hey john i'd credit Exyl for the thumbnail image of the red discord logo which was created by him for his Discord call sound effect remix
I put it in the description just now. Thanks for the reminder! - Nordgaren
@@nordgaren2358 danke
these are very easy to make ive made one before people call them a "stub" its crazy how easy it is js one click of a button and paste ur webhook n boom js like that u have an exe file that takes all info passwords location ip etc
Any ideas how to prevent something like this from being used on you?
Yes, do not visit links that you do not trust and do not ever download any type of file unless it is from a verified and trusted source.
@@Wwinstar so that i get, but how would i stop what John Hammond did at the end with the bot spam?
@@ohrayoe3858 Uh, you mean the webhook spammer? In case you created a webhook for your discord server you should just keep the webhook's URL to yourself and not give it to anyone else. Just like your discord token or of any bot you create.
@@Wwinstar oh, ok. Thank you very much.
rename your PC to John-PC
Yeah in fact. You have to install python to run it ;)
If are to write such malware why upload it to Git public repository? This is ignorance at its prime, and thank God for that :) Good work, once again, Mr. Hammond.
Someone writing sophisticated code like this obviously didn't just upload it there with no reasoning behind it. They most likely genuinely want others to see it... AND use it. AND contribute to it to help make it more dangerous.
@@Infamous159 hes a skid. "trying to help the world out". he can't code at all.
Unfortunately, the 429 indicates that your IP is being ratelimited by discord, so those messages likely never reached the stealer's webhook. That is why you could not delete any messages or do anything more in your testing channel; they were blocking you from using the API.
There's a way around their blocker tho, if I remember correctly, I think it's cloudflair. If you're using selenium, you can delete the cookies and cache. Doing so would bypass the block. That was for cloud flair, but I remember there was something for the discord API rate limiting as well for bypassing
This is true, I borked it since I had tested it against myself beforehand. :)
@@_JohnHammond lol I was messing with discord apis and malware a while back and was totally baffled as to why none of my API calls would ever work. A month later I found out 🤣
@@mastercodeon42 *proxie
@@skhdbsfdb Nah, I don't think a proxy solves their API rate limiting, but I could be wrong tho
bro i just had a total freak moment... im watching this and outta nowhere my cmd opened up for amdautoupdate... i thought i just got infected by a damn vid lmao
discord is a privacy nightmare. as I type this comment on youtube which is worse lol
de astea faceam eu la TIC in generala
People who made this are watching this tutorials to find there's vulnerability 😂
Oh thats how its always went. Its a constant race
@@elvingearmasterirma7241 yes bro
where is script link?
This is some real skid malware 💀
you could have spammed the shit out of that webhook and then send a delete request
L john, you could have just deleted the webhook the guy made, even though blackcap is Dualhooked, and everything you're sent also gets sent to KSCHdsc. Reporting the actual repository wasn't necessary. if you are dumb enough to install an executable from someone you don't particularly know you deserve whatever happens to you.
Your spammer thingy is not working by the end of the video because it's sending requests from your personnal IP, you were the one that was blacklisted for spamming (429s), so no, they didn't get to the webhook
This is true, I borked it since I had tested it against myself beforehand. :)
How can i know what server the webhook is joined in? And send me an invite to it i wanna know so i can troll the devs lol
(Not for stealing others peoples data)
did they seriously make a PUBLIC repository?
plenty of them out there. i dont see how all of these comments dont get the fact that Open Source is used to not only make things public, but also get CONTRIBUTIONS to the project. Looks like all of his dangerous projects are frequently updated weekly/daily. BlackCap itself has 5 authors, 4 contributors and it was created from forks of
Hazard Grabber
PirateStealer
Wasp-stealer
Builder by Luna token grabber
VERY common thing going on here. Malware is software like everything else. Some tools on Kali Linux can be found on GH as well. Those tools are dangerous. "but but it's Kali... It's for good guy pentester" Yea. And Of course malicious hackers as well because the tools can be good and bad.
Even if the webhook wasn't deleted I would be immune to it as my pc name is on the list of ones it won't run on lol
It really seems to be for education, I guess they are french students learning malware analysis
Yea, they came into the Discord, and posted here that they did it for educational reasons. It's just a shame that the malware is very potent (steals CC info and stuff). Would probably be a good idea to keep stuff like that out of the educational repos :P
at 16:31 there is a username JOHN-PC so that he can't analyze the malware. :):
ive heard the owner KSCH wanted to talk to you
KSCH came to the Discord, and they talked!
The account stills up, i also reported it!
its all good when its for educational purposes.
I haven't used the marshal library before, but I did notice the red box in its Python documentation that says never to unmarshal code from an untrustworthy source. Running this on your host was risky!
if they were savvy they could have used a magic method to auto execute the code, avoiding extra exec calls. he is lucky that skids aren't savvy
You are definitely more genuine than him :D
Import os
Okay, where done here
Thanks John!
Oh my god..this is the first time I’m being first for a video!
I think this guy strap out code from others and blend all together, maybe he don't know if works for real
careful discord does not think anyone can steal your token..... just saying that is what they told me 2 years and and last week XD
a 3:00 i could already tell if you remove 1 more function from it the marshal and leave decode it should kinda work ;)
its black cap grabber
fun fact, the injection isn't even made by him lmao, its one of my friend who did it and got paid
bruh i work with "dialz"
i paid it for a "rewrite" not a write
@@kilopopyt you still paid for injection lmao
@@kilopopyt eh?
@@fubukii1891 il dit que jtai payé pour faire l'inject, alors que bon on s'est dit nous meme que c'etais un rewrite.
Un gros rewrite certe mais bon faut pas pousser
Do some mobile malware analysis
INTERESTING❗