Mozi Malware - Finding Breadcrumbs...
- Published 28 Feb 2021
- If you would like to support the channel and me, check out Kite! Kite is a coding assistant that helps you code faster in any IDE, offering smart completions and documentation. www.kite.com/get-kite/?... (disclaimer, affiliate link)
For more content, subscribe on Twitch! / johnhammond010
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: / johnhammond010
PayPal: paypal.me/johnhammond010
E-mail: johnhammond010@gmail.com
Discord: johnhammond.org/discord
Twitter: / _johnhammond
GitHub: github.com/JohnHammond
Dragging the spooky.elf into GHIDRA, it opens it just fine, and I should have tried that during the video. Embarrassing mistake, sorry.
(And yes, I know that is by Fall Out Boy, not Green Day. I was just trolling ;P )
No worries :)
@John Hammond this is a worm used to infect routers so they can monitor router data and etc
the default passwords may be for routers, people often forget to change them. there are sites that if you look up a router you can get a list of default passwords
@dannygaming1216 no it's for DDoS. It's Mirai. All of those iptables block rules and deleting stuff are to stop other scanners running some exploits so they exclusively have the bot.
@noobian3314 I've seen a worm that gets into the router to allow it to collect data to sell it or for blackmail and for DDoS
"Please send me malware"
-John Hammond
Famous last words...
"Welcome to Jurassic Park"
- John Hammond
Cool trick `--fix-broken`
That’s why I like John’s videos even when he thinks he fails. I level up ⬆️
Or `-f` for short!
somehow my evening routine of lying on the couch and watching netflix changed to lying on the couch and watching john hammond do malware analysis... :)
Welcome brother 😂
Would love to see a mini series about setting up a honey pot and seeing what fun stuff comes through!
How would one do that?
@bannedthricelol8799
step 1: install metasploitable somewhere
step 2: buy a domain for metasploitable and show it somewhere so possible hackers try to hack it
step 3: profit
btw metasploitable may seem sus since it has a lot of vulnerabilities up to the point where it seems fake
@bannedthricelol8799 just make a honey pot, it's that easy
Yes!!! A malware Harvester🤩🤩🤩
It's worth it... Tpot - you can do that yourself. :)
04:05
$ mkdir Mozi
$ ls
Listing an empty freshly created directory shows you, that you are dealing with a professional.
People who don’t do this are either noobs or psychopaths.
Agree >_
Why is this?
@chillytheprogrammer Habits. Muscle memory. I believe John made a community post about this lol.
edit: ua-cam.com/channels/VeW9qkBjo3zosnqUbG7CFw.htmlcommunity?lb=UgxZplo8gPKIFaDSPVN4AaABCQ
I was right :D
I do this all the time. Why? I have no idea.
mkdir is the most tested software ever written.
RIP nano on the side over there, he served his purpose in his less than 5-minute life span, let's take a moment of silence to remember how he stored the file size in hex for 2 minutes and then died peacefully...
🤣
john killed him :((
Na no
nano lives matter
25:40 Tip: you can simulate a slower connection to see things clearer in the devtools by clicking the "Throttling" dropdown
nice info
Even though this is a 2 year old video, I just started watching your UA-cam channel a day or two ago or something like that, but I like your content brother, keep up your hard work. I don't know if you go live on here or not, but if you do I would love to see one of those live!!! If not, keep it up, I'll keep learning 😅😅 stay safe out there
I have a computer science degree and can confirm I also have no idea what MIPS is.
It's a RISC CPU by Motorola. Found on older systems and maybe routers
I see a lot of Mozi traffic requests at work. Usually targeting IoT nix systems, routers, and low hanging fruit exploits attempting to spread around.
I stumbled across your channel a couple of days ago, and have been binge watching ever since. Great job, and impressive resume.
I’m loving this series! Please do one explaining the methods you use.
John, I love it! This is exactly what I do too. I don’t know what I’m doing but it’s fun to just scroll through to see if you see anything and sure enough you do. You also learn so much just by poking around.
"Sugar we're going down swinging, by Green Day" 😭😭😭
Me, a Fall Out Boy fan: *my disappointment is immeasurable and my day is ruined*
Also Me, a John Hammond fan: I'm soooo happy there's a new video ^^
It made me sad too!
For hexedit: go to start/end of the file
I found your channel yesterday and have been binge-watching hardcore. Ur vids are great!
Even if I am barely understanding what is going on I found your videos very entertaining and educational! Thumbs up!
I just found your channel and couldn't be happier. Great energy, looking forward to digging in.
Love the Malware Analysis videos! And the commentary is entertaining man! Keep uploading and I'll keep watching! Thanks for the great content.
I've discovered your channel recently and i really like it !
You are very inspiring, thank you for this amazing content !
People: "What do you do for a living?"
John: "I look at malware-strings no matter how long they are."
The particular characters mean the exactly the same thing as the English title, but in Chinese. That site probably just translated it
Idk why it made me laugh so hard when you dragged your cam out of the window 😂😂😂😂
At 25:24 the text scanned by Google translate is: "-先进的比特币矿池"
And the translation provided by it was: "-Advanced Bitcoin mining pool"
These videos are getting better and better ! Can't wait for what's next !
Really loving the Malware analysis videos. My morning routine is now watching these videos over reading a news paper 😂
BRO THAT OUTRO MUSIC GAVE ME SOME FLASHBACKS AND NOSTALGIA
Thank you for making these videos John!
This’ll be a good one, see you all here
I like to "customize" my UPX. Shuffle the fields of the header struct around and (binary)shift the content.
XOR the compression algo by the C64 NOP and add 69 to exactly that file size shown in the video:P
Also using the wrong endianness on purpose will promote hair loss.
Thanks for the great video, John!:)
Thanks for your video :D They're all awesome! The strange part is that I just yesterday figured out how to cross compile code for MIPS-I for my router (it's exactly the same ELF type as this virus). I never heard about this architecture until about a week ago and suddenly you upload the video with this malware intended for routers. Anyway, love the passion that you share in your videos, please keep doing it haha :D
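The two comments above both come down to reading the ELF header of a MIPS binary correctly: the architecture and endianness live in the first 20 bytes, and a stock UPX-packed file carries a "UPX!" marker. The triage below is an added example written for this page, not code from the video or from any project it mentions; the ELF bytes it parses are constructed inline (a bare 52-byte ELF32 header plus a fake marker) rather than taken from the sample, and `read_machine` shows what the "wrong endianness" remark looks like in practice.

```python
import struct

ELF_MAGIC = b"\x7fELF"
EM_MIPS = 8  # e_machine value for MIPS in the ELF specification


def build_sample_elf(big_endian=True, upx=True):
    """Constructed sample: a minimal ELF32 header for a MIPS executable,
    followed by an optional fake 'UPX!' marker. Not a real binary."""
    endian = ">" if big_endian else "<"
    # e_ident: magic, EI_CLASS=1 (ELF32), EI_DATA (1=LSB, 2=MSB),
    # EI_VERSION=1, EI_OSABI=0, then 8 bytes of padding
    e_ident = ELF_MAGIC + bytes([1, 2 if big_endian else 1, 1, 0]) + b"\x00" * 8
    # e_type=2 (EXEC), e_machine=8 (MIPS), e_version=1, e_entry, e_phoff,
    # e_shoff, e_flags, e_ehsize=52, e_phentsize, e_phnum, e_shentsize,
    # e_shnum, e_shstrndx
    rest = struct.pack(endian + "HHIIIIIHHHHHH",
                       2, EM_MIPS, 1, 0x400000, 52, 0, 0, 52, 32, 2, 40, 0, 0)
    body = b"\x00" * 64 + (b"UPX!" if upx else b"") + b"\x00" * 64
    return e_ident + rest + body


def read_machine(data, endian):
    """Read e_machine with an explicit byte order ('<' or '>'), so the
    effect of picking the wrong one is visible: 8 misread as 2048."""
    return struct.unpack(endian + "H", data[18:20])[0]


def triage_elf(data):
    """Return class, endianness, machine, type and whether the plain
    'UPX!' marker is present. Absence of the marker proves nothing: a
    hand-modified UPX header, as described in the comment above, drops it."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = {1: "<", 2: ">"}.get(ei_data)
    if endian is None:
        raise ValueError("unknown EI_DATA value %d" % ei_data)
    e_type = struct.unpack(endian + "H", data[16:18])[0]
    e_machine = read_machine(data, endian)
    return {
        "class": {1: "ELF32", 2: "ELF64"}.get(ei_class, "unknown"),
        "endian": "big" if ei_data == 2 else "little",
        "machine": "MIPS" if e_machine == EM_MIPS else "other(%d)" % e_machine,
        "type": {2: "EXEC", 3: "DYN"}.get(e_type, "other"),
        "upx_marker": b"UPX!" in data,
    }


if __name__ == "__main__":
    print(triage_elf(build_sample_elf()))
```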
Ah yes, it might be late but every hour is cyber hour.
Just came across this video and I noticed at 27:01 there are some commands for cfgtool which also set the TR-069 (CWMP) Access Control Server to localhost, which could do a whole lot of advanced configuration/diagnostics of the device including re-flashing the firmware of the device.
MIPS is usually found on routers and this is targeting routers in beginning allowing the attacker to get into the network (hence the iptables allow)
Is there malware that nestles in the router before ever getting to the user machine?
Would downloading it be enough for it to deploy? Or could it target the router through the VM?
Awesome content. Thanks for putting up the video 👍🏻
Dawg this is the most entertaining shit to watch, man. I listen to you like a podcast, I could actually listen/watch you all day.
Lol he says he aint educated yet rips through anything thrown at him 🤣 😂
I think the 114 dns, that we saw, is just a normal Chinese based dns server; nothing malicious in nature about the dns itself. It could be there to add more "surface area" to the malware.
I just want to let you know that I'm screaming at you : "it's UPX packed ! why do you keep searching for string ? unpack it already !"
This guy is a gem. Liking and commenting for the UA-cam algorithm
0:00 John Hammond == John Hammond == John Hammond
god damn so much like!! i like these break downs! they are awesome!
Yay another one!
thank you for your great work.
I like catching these premieres. It's fun to watch, but lot's of it is over my head at this point.
When you’re so early that john’s hearted every comment
Big fan John! Always loved your content!
Awesome, thanks for more malware content!
37:35 John, you have to "import file" (i) not "Open filesystem" (ctrl+i)
Do you know the difference between the two? What was Ghidra trying to do with .elf with the ctrl+i option which failed? :o
Loving the malware analysis vids John - keep repping the blue team :)
I got a cool one at work that was a phishing attempt through a Google Drive. Instantly made me think of your deconstruction videos.
@John Hammond 28:53 That highlighted command is a trick to check whether or not busybox is installed, I suppose. :) Keep in mind John that all commands like apt etc. etc. are in fact a bin file that is stored in the /bin directory, so I think this is an instruction for DD to look inside the bin folder and look for the busybox folder/check for its existence. :)
John Hammond is amazing. I watch him and I don't know what he does most of the time
I had you in the background, and as soon as you mentioned netgear I was like, oh MIPS and netgear, he is in router infections.
appreciate you brother. keep teaching us please.
You can kind of think of MIPS like a simpler version of ARM. Its assembly code is so much simpler compared to say ARM or x86 that my University uses it to teach assembly basics and concepts of how a processor works. In my experience it's very common in SOHO networking and IoT devices.
Hi John love the videos! You think you could make a tutorial on setting up a safe environment to explore malicious programs? I know virtual environments, are a start, but I think getting a video template would help put some paranoia at bay. Thanks in advance and if you already uploaded this tutorial my apologies.
still new to your videos, I am thinking of starting my pentesting journey again, you may have motivated me fellow ginger
Nice video. Can't wait for the next one! :)
Hey John! love your content! Just a quick question. How do you CTF creators hide text in images? What tools do you use?
There are loads of Steganography utilities, my favourite is Outguess!
There's also jphide & seek and steghide, they're good ones too!
Thank you!
Good stuff, love this content man
I Think reversing Malware Is fantastic I have learned so much from watching this Ty
30 mins in, my "they're trying to bot routers" radar starts going off...
Happened to my entire apartment complex (close to 1k people) and is still ongoing. Mirai-type behavior. I've had to disable wifi entirely and use ethernet. My ISP, Cox, said they 'can't do anything about it.' This started 2+ months ago and I have no choice but to contact the Feds. Our gateways aren't listed in the strings here; they're mostly Arris, Cisco, etc, yet they were all cracked either by some known Wifi exploits I've read or updated rainbow tables. Scary shit and it dropped RATs and miners on all LANs it broke in to.
I've tried removing it on my Alienware laptop but it seems to have written to firmware and or BIOS. Maybe a new variant?
@Demoralized88 yayiks dude! Any updates since?
@zacay5717 Certainly not from my ISP. Win support forums (particularly bleepingcomputer) have been flooded with the same issue I've been having for 2-3 months now and I've yet to find anything that quite describes what this is and how to remove it. I'm 99% sure it goes: spreads via Wifi exploits, known passwords or brute forcing - or BOTs probing random Modems for vulnerabilities. Either way, once it gets access to a LAN with Wifi, it hijacks the Router and any wireless cards to scan and spoof nearby devices until, through another exploit, Deauth attack, it gains access to adjacent LANs and in theory could propagate very quickly.
When I first noticed weird shit in Windows I scanned nearby networks for anything suspicious because I was also having frequent Wifi dropouts for about a minute. That led me to research what could be causing the Wifi dropping and I eventually read about Deauth attacks. The day after I took my computers offline, I noticed maybe 3-4 suspicious Wifi behaviors. Within a day or 2, every single Wifi device (50+) I could see within range was also auto-spoofing by raising transmit power super high to spoof other WAPs, then killing the transmit in about 30-60 second increments. Also, I don't know much about MAC spoofing, but when a new Wifi signal pops up, very shortly afterwards a second signal would pop up with the aforementioned behavior with a single MAC address digit changed.
As far as it persisting through format/reinstalls with new drives, it must have written itself to firmware of at least one of the components. I've read of this being done with Drivers, but I didn't think they'd persist through a reinstall. It's a RAT and either miner or some sort of botnet, but it's very stealthy and most casual users wouldn't notice anything amiss. It's subtle things a proficient Windows user would notice aren't right. Single frame blacked-out DOS windows booting in to Windows, Windows RE, CPU usage dropping from very high to low-moderate immediately upon opening task manager, a bunch of strange GUIDs in registry, some settings/directories not accessible as admin, suddenly being in a domain with GP restrictions on certain config settings.
I thought maybe I was just mistaken and paranoid, until 2 months later I started getting alerts that some of my data had been hacked. There are so many fucking variants of malware and attack vectors for Windows that it's extremely hard to narrow down. It seems to be a fully automated attack from the IP probing to exploits, to Root exploits, to spreading over LAN/WAN. People called me a schizo when I first posted about this on /g/ 2 months ago, but I think maybe news is finally starting to break about it, I hope. Dell is currently making new emergency BIOS for like all their systems for some vulnerability that I'm not sure is related. AV didn't stop it when it happened, and it still can't detect anything even with a lot of IOCs and breadcrumbs all over the OS.
It's definitely a P2P botnet as it runs services for that functionality. I'm 99% sure it sneaks by in powershell via obfuscation to do whatever the fuck it wants, as John has repeatedly demonstrated. The only concrete thing I found was a 'Spyeye' entry in I believe the registry. I have no idea how to fix my PCs at this point, Wifi is unusable as neighbors are infected, and my family has been without PCs for just over 2 months now. After I got 'hacked', I started reading and I cannot fucking believe just HOW many critical exploits there are for Windows and Intel. Things they claim to have fixed are STILL being exploited. I've been stressed and depressed for the past 2 months trying to figure out what I can even do until when/if this becomes mainstream news. I see identical reports to mine ALL over support forums yet, strangely, Windows and big AV/Tech security firms have been dead silent. From what I've seen I'm convinced this was an extremely widespread attack (browsing through some code, I'm thinking Chinese origin) and Windows is trying to keep the lid on this until they come up with a 'fix'.
What's worse though is that a 'fix' may not even be possible. Good malware these days uses programs to check for certain exploits on individual networks/systems, and it's impossible to protect against that for 99% of users, if at all.
Sorry I wrote a book, this is just all so surreal and a lot of supposedly knowledgeable people say this isn't possible when I KNOW it is.
@Demoralized88 you have piqued my interest. I am going to look into this.
Video title: "breadcrumbs" (also a new box on hackthebox )
Me: should definitely watch this
Destroyed and annihilated the bell! Great content!
5:37 this reaction is a gold xD
was reading up on some botnets using Twitter-formatted messages yesterday, and now this video... the timing confirms it: John, get out of my computer!
A very entertaining analysis
This is going to be great!
These videos are so good!!!!!
OOOh im excited for this one
John, I just thought of a Tag Line for this type of video for you. “Down the Rabbit Hole with John Hammond” 😁
Shout out from the Philippines!
John hammond: Please send me malware.
Me: John hammond is hungry for malwares.
JOHN I WANT TO YELL AT YOU FOR ...
Creating a great video 🤪
Thanks for the great video. I would like to be like you as a professional in virus analysis.
30:40
John, that's Huawei... The IT arm of a certain party
it's nice to know how that things work ;)
Sees John posted another malware analysis: Likes the video. Simple as.
Maybe you already know that, but there is a nice Java based MIPS emulator called MARS. It is developed by the Missouri State University under the MIT license. It has some nice features like step by step execution and register editing. So if you at one point want to/need to work with MIPS, this is a great tool to assist you
Thank you so much
Awesome video! Keep it up!
Very interesting!
Love this videos!!!
I all-time following you sir
your videos are very entertaining and you get to learn a lot. What else is needed???
Bro I am a complete beginner. Thanks a lot for best strings
hey john, what's up with you and Korean IPs or malware? love your content brother
This one is doing a lot, really a lot of stuff, might even do rat, great video
I hope you will continue with reversing malware 4ever
I'm bummed out that Ruxcon seems to be over. Would have been cool to have met you in Oz some time John.
Any advice for learning how to start deconstructing and creating malware, I have a decent knowledge of c++, python, but mostly Java
I enjoy the pronunciation of Huawai as Huwai'i :P
Love your energy
Great video
Seems like the content is a mix of Linux, html/js, and a bunch of other cs stuff. What topics do you recommend to learn what you do?
I personally love how UPX was created for/by the Warez scene wayyy back in the day, and it's still one of the best packers out there. Pity it's so tied into the malware scene and often viewed as malicious.
I wonder if antivirus software actually unpacks UPX binaries itself, we know they're capable of lifting virtual machines from proprietary packers like VMProtect, should be easy to unpack UPX and analyze the "real" malware sandboxed on runtime.
"sugar we're goin' down" is Fall out boy. Not green day. Lol. You're the man Hammond!
a good tool is miranda , for MIPS systems