In my opinion, reading out the wacky variable names adds an extra layer of entertainment on top of the already great content
It was hilarious. John knew he was sounding crazy. "What kind of video IS THIS?!?"
Was about to comment "It's next level entertainment to stubbornly keep reading out those variable names!"...
Hey! It's time for my 15 minutes of fame! Thank you for these educational vids, and thanks for the emails acknowledging my email/letting me know you would make this video.
I got about as far as John did 15 minutes into the video, and at the time my javascript knowledge was so tenuous I couldn't figure out what happened next. My apologies to you all for not getting far enough to download the DLL from the attackers' server. Since my coworker/boss/nemesis was a little more vigilant after a previous (less interesting) phishing attack (that had worked), they did not detonate this payload and we never saw the later stages.
Given that the Zero2Auto course is only about $200, I'm absolutely gonna look into that. This series is some of my favorite cybersecurity education, along with the videos teaching DIY lab setups and playing around with pentesting them, and I'd pay at least that much to learn how to do my own in-depth malware analysis.
P.S. Even if I had been a little more skilled, I probably still wouldn't have downloaded the DLL; it's my understanding that some of the variables set in the URL identify the target and would probably result in my coworker getting more attention from future campaigns.
Love the way you unpacked the entire thing. Mind blowing lol. The amount of experience and skill it takes to get to this level.
Would love more malware analysis / deobfuscation videos! They are really interesting and I'm absolutely hooked, even though I don't always completely understand how they're constructed.
Hope you'll post more, even if we've seen the malware before
I enjoy this type of video, more of these, please!
I receive millions of this type of malware in my email and I do go through them but the way you do it is fun and I like it a lot!
One day I'm gonna be on this level of CS
You won’t if you think this is CS.
@c1ph3rpunk What is CS even short for in this context? I'm very involved in the IT world and I've never heard of that.
@123sleepygamer I think he means cyber-security
It's either Computer science or Cyber security
@c1ph3rpunk Why not?
I absolutely adore the methodical dissection of code and your method of stepping through it with the jokes. Legend!
Thanks so much for these kinds of walkthroughs. It made me wanna get more into this.
Those variable and function names will drive anyone crazy. I was really hoping it would somehow end up with Opposite("Always coming from take me down")
Never thought that the technique I used as a kid to up my word count in word by changing the font colour would be used by malware, since it seems so obvious now as an adult
As a JS dev, it hurt my soul when you got the window error
I am just waiting to receive my first phishing attempt so I could also try to dissect my first malware for analysis
It's good that Windows Defender caught and flagged this
Love these kind of vids. Have you ever done similar videos with the samples from the malware traffic analysis site?
This video rocks. Thanks, John! :D
I love it when you do malware analysis
Great work! You always come out with some really informative and educational videos! Love it!
If only everyone knew shenanigans when they saw it... such as such a polite ask to enable all the doom from the file. It looks innocent enough if you simply didn't know any better.
I love it 👍
greetz from Germany
Very informative thanks 👍
Awesome content and well presented, well worth a watch
This was so enjoyable to watch, thanks for sharing 😁
My favourite video of phishing
I love it when someone tries to understand my malware
I DO NOT KNOW HOW TO CODE, THIS IS NOT MY MALWARE, ALL JOKES
Good day, enjoyed as always. Is ooknibs still a thing?
The tag is backwards and it's an HTA file. Nice
Great Stuff John
Love the content John!
Hi John
Pre-watch prediction: houdini.
The obfuscation method was interesting. Certainly confusing to read, but I imagine it would make it easier to detect based on signature.
Prediction: :(
Okayy finna watch this before the majority hehe
Nice stuff, an absolutely entertaining series
Is there a way to submit some malware I got for analysis?
Thanks John👍
God I wish the obfuscated code I've come across was this easy to dissect.
I love your videos! I also couldn’t stop laughing with the function names doorpowlove lovekarolpumps😂😂
Hello. I'm completely new to the space of cybersecurity, like no background in IT at all. What would you recommend for a beginner like me?
@John Hammond can you share a sample of the maldoc if possible ?
Thanks for the well-made videos.
Thank you very much for your valuable information
I did enjoy this one, thanks man!
Thanks John, and again I learned something new :)
Nice stuff.
Looks like stuff I could do too though...
How much does this kind of work pay? 🙃
However much you can get out of people 🤡
Oh John, you read JS source code better than a JS developer xD
Hey John... maybe I'm late to the party and thinking something that goes without saying for others. I'm also not yet totally code-smart and running off of a kind of general analysis, but is it possible to re-examine this from the following angle:
Is the while loop decrypting the long string in dowGirlDow, pointing back to the index within the doorPowNext string? Obfuscation via cipher, then use of the while loop to decipher a payload?
Or am I off base? Or stating something obvious?
But where did you get that shirt?
[DISCLAIMER]: Video is too good...
Why did you give such a reaction at the 25:22 timestamp?
Because his huge monitors flickered, a VM issue. Not related to the reversing.
I don't understand why malware writers go to this effort to obfuscate their code. Do they think it'll bypass Windows Defender? It clearly doesn't, we saw it get caught right away. I feel like this is barely more effective at evading antivirus than if they didn't attempt at all. Am I wrong?
It seems like "stages" are such a common theme in these videos, but what would prevent the DLL at the end of the video from being detected before it is run? What difference does it make how many steps they take before downloading and executing it if the buck stops there? Don't the stages just present more opportunities for detections of the various files created along the way? Wouldn't the obfuscation set off red flags for heuristic searches because of how obviously different from ordinary software they are with all the nonsense and gibberish?
The specific code (stages or DLLs) has to be recognized by AV first before it can be blocked. Hash detection for e.g. the password-protected Word document you receive or the stages you download is broken by simply changing one character in the script and recompiling it, which just takes seconds for the bad guys. If they're targeting specific high-value targets they can even make "different" payloads for each individual.
What the malware writers hope for is unrecognized code or PCs that do not have the latest patches for Windows or the latest signatures for AV. As soon as your AV is updated for this malware, it can and will block it.
AV does not just block everything with e.g. eval and a download function in it, as those are legitimate functions for your PC. And that's also why you see the URLs where they download the next stages constantly change: AVs can only block URLs that they know are compromised, so there's always a small timeframe in which these URLs are not blocked by AV or firewalls.
A simple Google search would answer every single one of your questions.
Feel like these are acronyms, doorLikeLike = DLL?
Insightful
LoadsLikeVidieo 👍
Couldn't you just replace that eval with console.log?
The first comment about a bot farm pushing what looks like an investment scam is very entertaining.
Can you please share a copy of this file? Need to experiment on it.
Him at 25:22 😂🤣😹 LOL
Just close your eyes and listen to "doorPowDow"
Bro these function and variable names got me confused as a mf
Arch nemesis 😅
It says Windows user in Russian so… Russian virus? 10:50
Doc language is also set to Russian
RIP VK
❤
🤘🏻🤘🏻
I have Parrot OS Security Edition, I can hack using ready scripts
Yo dude, the malware creator is a Russian-speaking person
😂☠️🎃👎🏆🎖️🏅🥉🥈🥇🥇😂😂😂😂👎👎🥴🥴🥴🥴🥴🥴🥴🥴🥴🥴👏👏👏👏👏👏👏👏
Why are you pronouncing Copeland as "copelagen"? 😅😅
Enough with the ads. This makes for cringe content and I don't want to watch anymore.
yes my g