somehow my evening routine of lying on the couch and watching netflix changed to lying on the couch and watching john hammond do malware analysis... :)
@@bannedthricelol8799 step 1: install metasploitable somewhere step 2: buy an domain for metasploitable and show it somewhere so posible hackers try to hack it step 3: profit btw metasploitable may seem sus since it has a lot of vulnerabilities up to the point where it seems fake
04:05 $ mkdir Mozi $ ls Listing an empty freshly created directory shows you, that you are dealing with a professional. People who don’t do this are either noobs or psychopaths.
@@chillytheprogrammer Habits. Muscle memory. I belive John made a community post about this lol. edit: ua-cam.com/channels/VeW9qkBjo3zosnqUbG7CFw.htmlcommunity?lb=UgxZplo8gPKIFaDSPVN4AaABCQ I was right :D
RIP nano on the side over there, he served his purpose in his less than 5-minute life span, let's take a moment of silence to remember how he stored the file size in hex for 2 minutes and then died peacefully...
Dragging the spooky.elf into GHIDRA, it opens it just fine, and I should have tried that during the video. Embarrassing mistake, sorry. (And yes, I know that is by Fall Out Boy, not Green Day. I was just trolling ;P )
the default passwords may be for routers, people often forget to change them. there are sites that if you look up a router you can get a list of default passwords
@@dannygaming1216 no it's for ddos. It's mirai. All of those iptables block rules and deleting stuff is to stop other scanners running some exploits so they exclusively have the bot.
Even though this is a 2 year old video I just started watching your UA-cam channel a day or two or something like that but I like your content brother keep up your hard work I don't know if you do live on here or not but if you do I would love to see one of those live!!! If not keep it up I'll keep learning 😅😅 stay safe out there
John, I love it! This is exactly what I do too. I don’t know what I’m doing but it’s fun to just scroll through to see if you see anything and sure enough you do. You also learn so much just by poking around.
Thanks for your video :D They're all awesome! The strange part is that I just yesterday figured out how to cross compile code for MIPS-I for my router (it's exact the same elf type as this virus). I never heard about this architecture untill about a week ago and suddenly you upload the video with this malware intended for routers. Anyway, love the passion that you share in your videos, please keep doing it haha :D
I like to "customize" my UPX. Shuffle the fields of the header struct around and (binary)shift the content. XOR the compression algo by the C64 NOP and add 69 to exactly that file size shown in the video:P Also using the wrong endianess on purpose will promote hair loss. Thanks for the great video, John!:)
Just came across this video and I noticed at 27:01 there is some commands for cfgtool which also sets the TR-069 (CWMP) Access Control Server to localhost, which could do a whole lot of advanced configuration/diagnostics of the device including re-flashing the firmware of the device.
Is there malware that nestles in the router before ever getting to the user machine? Would downloading it be enough for it to deploy? Or could it target the router through the VM?
I think the 114 dns, that we saw, is just a normal Chinese based dns server; nothing malicious in nature about the dns itself. It could be there to add more "surface area" to the malware.
@John Hammond 28:53 That highlighted command is a trick to check whether or not busybox is installed I suppose. :) Keep that in mind John that all commandss like apt etc. etc. are in fact a bin finle that is stored in /bin directory, so I think this is a instruction for DD to look inside bin folder and look for busybox folder/check for its existance. :)
Happened to my entire apartment complex (close to 1k people) and is still ongoing. Mirai-type behavior. I've had to disable wifi entirely and use ethernet. My ISP, Cox, said they 'can't do anything about it. This started 2+ months ago and I have no choice but to contact the Feds. Our gateways aren't listed in the strings here; they're mostly Arris, Cisco, etc, yet they were all cracked either by some known Wifi exploits I've read or updated rainbow tables. Scary shit and it dropped RATs and miners on all LANs it broke in to. I've tried removing it on my Alienware laptop but it seems to have written to firmware and or BIOS. Maybe a new variant?
@@zacay5717 Certainly not from my ISP. Win support forums (particularly bleepingcomputer), have been flooded with the same issue I've been having for 2-3 months now and I've yet to find anything that quite describes what this is and how to remove it. I'm 99% It goes: spreads via Wifi exploits, known passwords or brute forcing - or BOTs probing random Modems for vulnerabilities. Either way, once it gets access to a LAN with Wifi, it hijacks the Router and any wireless cares to scan and spoof nearby devices until, thorough another exploit, Deauth attack, It gains access to adjacent LANs and in theory could propogate very quickly. When I first noticed weird shit in Windows I scanned nearby networks for anything suspicious because I was also having frequent Wifi dropouts for about a minute. That lead me to research what could be causing the Wifi dropping and I eventually read about Deauth attacks. The day after I took my computers offline, I noticed maybe 3-4 suspicious Wifi behavior. Within a day or 2, every single Wifi device (50+) I could see within range was also auto-spoofing by raising transmit power super high to spoof other WAPS, then killing the transmit in about 30-60 second incriments. Also, I don't know much about MAC spoofing, but when a new Wifi signal pops up, very shortly afterwards a second signal would pop up with the aforementioned bahvarior with a signal MAC address digit changed. As far as it persisting through format/reinstalls with new drives, it must have written itself to firmware of at least one of the components. I've read of this being done with Drivers, but I didn't think they'd persist through a reinstall. It's a RAT and either miner or some sort of botnet, but it's very stealthy and most casual users wouldn't notice anything amiss. It's subtle things a proficient Windows user would notice aren't right. Single frame blacked-out DOS windows booting in to Windows, Windows RE, CPU usage dropping from very high to low-moderate immediately upon open task manager, a bunch of stange GUIDs in registry, some settings/directories not accessible as admin, suddenly being in a domain with GP restrictions on certain config settings. I thought maybe I was just mistaken and paranoid, until 2 months later I started gettings alerts that some of my data had been hacked. There's so many fucking variants of malware and attack vectors for Windows that it's extremely hard to narrow down. It seems to be a fullly automated attack from the IP probing to exploits, to Root exploits, to spreading over LAN/WAN. People called me a schizo when I first posted about this on /g/ 2 months ago, but I think maybe new is finally starting to break about it, I hope. Dell is currently making new emergency BIOS for like all their systems for some vulnerability that I'm not sure is related. AV didn't stop it when it happened, and it still can't detect anything even with a lot of IOCs and breadcrumbs all over the OS. It's definitely a P2P botnet as it runs services for that functionality. I'm 99% sure it sneaks by in powershell via obfuscation to do whatever the fuck it wants, as John has repeatedly demonstarted. The only concrete thing I found was a 'Spyeye' entry in I believe the registry. I have no idea how to fix my PCs at this point, Wifi is unusuable as neighbors are infected, and my family has been without PCs for just over 2 months now. After I got 'hacked', I started reading and I can not fucking believe just HOW many critical exploits there are for Windows and Intel. Things they claim to have fixed as STILL being exploited. I've been stressed and depressed for the past 2 months trying to figure out what I can even do until when/if this becomes mainstream news. I see identical reports of mine ALL over support forums yet, strangely, Windows and big AV/Tech security firms have been dead silent. From what I've seen I'm convined this was an extremely widespread attack (browsing through some code, I'm thinking Chinese origin) and Windows is trying to keep the lid on this until they come up with a 'fix'. What's worse though is that a 'fix may not even be possible. Good malware these days uses programs to check for certain exploits on individual networks/systems, and it's impossible to protect against that for 99% of users, if at all. Sorry I wrote a book, this is just all so surreal and a lot of supposdely knowledgable people say this isn't possible when I KNOW it is.
You can kind of think of MIPS like a simpler version of ARM. It's assembly code is so much simpler compared to say ARM or x86 that my University uses it to teach assembly basics and concepts of how a processor works. In my experience it's very common in SOHO networking and IoT devices.
Hi John love the videos! You think you could make a tutorial on setting up a safe environment to explore malicious programs? I know virtual environments, are a start, but I think getting a video template would help put some paranoia at bay. Thanks in advance and if you already uploaded this tutorial my apologies.
Maybe you already know that, but there is a nice Java based MIPS emulator called MARS. It is developed by the Missouri State University under the MIT license. It has some nice features like step by step execution and register editing. So if you at one point want to/need to work with MIPS, this is a great tool to assist you
Mozi is the name of a classical text in Chinese philosophy. "Master Mo", literally, and one that is argued to be the Chinese counterpart to Aristotle for inventing a philosophy of science and a logic. I'm no Sinologist, but in the recent English edition I find that part of the text to be incomprehensible. The rest is an interesting counterpoint to the official and conservative Confucians and the quietist Daoists.
I personally love how UPX was created for/by the Warez scene wayyy back in the day, and it's still one of the best packers out there. Pity it's so tied into the malware scene and often viewed as malicious.
I wonder if antivirus software actually unpacks UPX binaries itself, we know they're capable of lifting virtual machines from proprietary packers like VMProtect, should be easy to unpack UPX and analyze the "real" malware sandboxed on runtime.
![The State of Cybercrime [2024]](/img/n.gif)
wow speaking of cool things go to jh.live/training for hands-on stuff and jh.live/newsletter for stuff in your inbox
"Please send me malware"
-John Hammond
Famous last wards...
"Welcome to Jurrasic Park"
- John Hammond
Cool trick “-fix-broken”
That’s why I like John’s videos even when he thinks he fails. I level up ⬆️
Or `-f` for short!
somehow my evening routine of lying on the couch and watching netflix changed to lying on the couch and watching john hammond do malware analysis... :)
Welcome brother 😂
Seems like you could benefit from some behavioral analysis of your code. Defender isn't as good as people say
Would love to see a mini series about setting up a honey pot and seeing what fun stuff comes through!
How would one do that?
@@bannedthricelol8799
step 1: install metasploitable somewhere
step 2: buy an domain for metasploitable and show it somewhere so posible hackers try to hack it
step 3: profit
btw metasploitable may seem sus since it has a lot of vulnerabilities up to the point where it seems fake
@@bannedthricelol8799 just make a honey pot its that easy
Yes!!! A malware Harvester🤩🤩🤩
It's worth it... Tpot - you can do that yourself. :)
04:05
$ mkdir Mozi
$ ls
Listing an empty freshly created directory shows you, that you are dealing with a professional.
People who don’t do this are either noobs or psychopaths.
Agree >_
Why is this?
@@chillytheprogrammer Habits. Muscle memory. I belive John made a community post about this lol.
edit: ua-cam.com/channels/VeW9qkBjo3zosnqUbG7CFw.htmlcommunity?lb=UgxZplo8gPKIFaDSPVN4AaABCQ
I was right :D
I do this all the time. Why? I have no idea.
mkdir is most tested software ever written.
RIP nano on the side over there, he served his purpose in his less than 5-minute life span, let's take a moment of silence to remember how he stored the file size in hex for 2 minutes and then died peacefully...
🤣
john killed him :((
Na no
nano lives matter
25:40 Tip: you can simulate a slower connection to see things clearer in the devtools by clicking the "Throttling" dropdown
nice info
Dragging the spooky.elf into GHIDRA, it opens it just fine, and I should have tried that during the video. Embarrassing mistake, sorry.
(And yes, I know that is by Fall Out Boy, not Green Day. I was just trolling ;P )
No worries :)
@John Hammond this is a worm used to infect routers so they can monitor router data and etc
the default passwords may be for routers, people often forget to change them. there are sites that if you look up a router you can get a list of default passwords
@@dannygaming1216 no it's for ddos. It's mirai. All of those iptables block rules and deleting stuff is to stop other scanners running some exploits so they exclusively have the bot.
@@noobian3314 I've seen a worm that gets into the router to allow it to collect data to sell it or for blackmail and for ddos
People: "What do you do for a living?"
John: "I look at malware-strings no matter how long they are."
Even though this is a 2 year old video I just started watching your UA-cam channel a day or two or something like that but I like your content brother keep up your hard work I don't know if you do live on here or not but if you do I would love to see one of those live!!! If not keep it up I'll keep learning 😅😅 stay safe out there
0:00 John Hammond == John Hammond == John Hammond
I’m loving this series! Please do one explaining the methods you use.
John, I love it! This is exactly what I do too. I don’t know what I’m doing but it’s fun to just scroll through to see if you see anything and sure enough you do. You also learn so much just by poking around.
I stumbled across your channel a couple of days ago, and have been binge watching ever since. Great job, and impressive resume.
I have a computer science degree and can confirm I also have no idea what MIPS is.
its a RISC cpu by motorola. found on older systems and maybe routers
Even if I am barely understanding what is going on I found your videos very entertaining and educational! Thumbs up!
I see a lot of Mozi traffic requests at work. Usually targeting IoT nix systems, routers, and low hanging fruit exploits attempting to spread around.
Idk why it made me laugh so hard when you dragged your cam out of the window 😂😂😂😂
These videos are getting better and better ! Can't wait for what's next !
Thanks for your video :D They're all awesome! The strange part is that I just yesterday figured out how to cross compile code for MIPS-I for my router (it's exact the same elf type as this virus). I never heard about this architecture untill about a week ago and suddenly you upload the video with this malware intended for routers. Anyway, love the passion that you share in your videos, please keep doing it haha :D
Lol he says he aint educated yet rips through anything thrown at him 🤣 😂
I found your channel yesterday and have been bingewatching hardcore. Ur vids are great!
I just want to let you know that I'm screaming at you : "it's UPX packed ! why do you keep searching for string ? unpack it already !"
"Sugar we're going down swinging, by Green Day" 😭😭😭
Me, a Fall Out Boy fan: *my disappointment is immeasurable and my day is ruined*
Also Me, a John Hammond fan: I'm soooo happy there's a new video ^^
It made me sad too!
Ah yes, it might be late but every hour is cyber hour.
At 25:24 the text scanned by Google translate is: "-先进的比特币矿池"
And the translation provided by it was: "-Advanced Bitcoin mining pool"
I like to "customize" my UPX. Shuffle the fields of the header struct around and (binary)shift the content.
XOR the compression algo by the C64 NOP and add 69 to exactly that file size shown in the video:P
Also using the wrong endianess on purpose will promote hair loss.
Thanks for the great video, John!:)
Dawg this is the most entertaining shit to watch, man. I listen to you like a podcast, I could actually listen/watch you all day.
For hexedit
: go to start/end of the file
This’ll be a good one, see you all here
Just came across this video and I noticed at 27:01 there is some commands for cfgtool which also sets the TR-069 (CWMP) Access Control Server to localhost, which could do a whole lot of advanced configuration/diagnostics of the device including re-flashing the firmware of the device.
The particular characters mean the exactly the same thing as the English title, but in Chinese. That site probably just translated it
MIPS is usually found on routers and this is targeting routers in beginning allowing the attacker to get into the network (hence the iptables allow)
Is there malware that nestles in the router before ever getting to the user machine?
Would downloading it be enough for it to deploy? Or could it target the router through the VM?
Really loving the Malware analysis videos. My morning routine is now watching these videos over reading a news paper 😂
BRO THAT OUTRO MUSIC GAVE ME SOME FLASHBACKS AND NOSTALGIA
I think the 114 dns, that we saw, is just a normal Chinese based dns server; nothing malicious in nature about the dns itself. It could be there to add more "surface area" to the malware.
This guy is a gem. Liking and commenting for the UA-cam algorithm
Love the Malware Analysis videos! And the commentary is entertaining man! Keep uploading and I'll keep watching! Thanks for the great content.
37:35 John, you have to "import file" (i) not "Open filesystem" (ctrl+i)
Do you know the difference between the two? What was Ghidra trying to do with .elf with the ctrl+i option which failed? :o
This is going to be great!
Thank you for making these videos John!
@John Hammond 28:53 That highlighted command is a trick to check whether or not busybox is installed I suppose. :) Keep that in mind John that all commandss like apt etc. etc. are in fact a bin finle that is stored in /bin directory, so I think this is a instruction for DD to look inside bin folder and look for busybox folder/check for its existance. :)
John Hammond is amazing. I watch him and I dont know what he does most of the time
I've discovered your channel recently and i really like it !
You are very inspiring, thank you for this amazing content !
god damn so much like!! i like these break downs! they are awesome!
OOOh im excited for this one
Video title: "breadcrumbs" (also a new box on hackthebox )
Me: should definitely watch this
I had you in the background, and as soon you mentioned netgear i was like, oh mips and netgear, he is in router infections.
5:37 this reaction is a gold xD
John hammond: Please send me malware.
Me: John hammond is hungry for malwares.
30 mins in, my "they're trying to bot routers" radar starts going off...
Happened to my entire apartment complex (close to 1k people) and is still ongoing. Mirai-type behavior. I've had to disable wifi entirely and use ethernet. My ISP, Cox, said they 'can't do anything about it. This started 2+ months ago and I have no choice but to contact the Feds. Our gateways aren't listed in the strings here; they're mostly Arris, Cisco, etc, yet they were all cracked either by some known Wifi exploits I've read or updated rainbow tables. Scary shit and it dropped RATs and miners on all LANs it broke in to.
I've tried removing it on my Alienware laptop but it seems to have written to firmware and or BIOS. Maybe a new variant?
@@Demoralized88 yayiks dude ! Any updates since ?
@@zacay5717 Certainly not from my ISP. Win support forums (particularly bleepingcomputer), have been flooded with the same issue I've been having for 2-3 months now and I've yet to find anything that quite describes what this is and how to remove it. I'm 99% It goes: spreads via Wifi exploits, known passwords or brute forcing - or BOTs probing random Modems for vulnerabilities. Either way, once it gets access to a LAN with Wifi, it hijacks the Router and any wireless cares to scan and spoof nearby devices until, thorough another exploit, Deauth attack, It gains access to adjacent LANs and in theory could propogate very quickly.
When I first noticed weird shit in Windows I scanned nearby networks for anything suspicious because I was also having frequent Wifi dropouts for about a minute. That lead me to research what could be causing the Wifi dropping and I eventually read about Deauth attacks. The day after I took my computers offline, I noticed maybe 3-4 suspicious Wifi behavior. Within a day or 2, every single Wifi device (50+) I could see within range was also auto-spoofing by raising transmit power super high to spoof other WAPS, then killing the transmit in about 30-60 second incriments. Also, I don't know much about MAC spoofing, but when a new Wifi signal pops up, very shortly afterwards a second signal would pop up with the aforementioned bahvarior with a signal MAC address digit changed.
As far as it persisting through format/reinstalls with new drives, it must have written itself to firmware of at least one of the components. I've read of this being done with Drivers, but I didn't think they'd persist through a reinstall. It's a RAT and either miner or some sort of botnet, but it's very stealthy and most casual users wouldn't notice anything amiss. It's subtle things a proficient Windows user would notice aren't right. Single frame blacked-out DOS windows booting in to Windows, Windows RE, CPU usage dropping from very high to low-moderate immediately upon open task manager, a bunch of stange GUIDs in registry, some settings/directories not accessible as admin, suddenly being in a domain with GP restrictions on certain config settings.
I thought maybe I was just mistaken and paranoid, until 2 months later I started gettings alerts that some of my data had been hacked. There's so many fucking variants of malware and attack vectors for Windows that it's extremely hard to narrow down. It seems to be a fullly automated attack from the IP probing to exploits, to Root exploits, to spreading over LAN/WAN. People called me a schizo when I first posted about this on /g/ 2 months ago, but I think maybe new is finally starting to break about it, I hope. Dell is currently making new emergency BIOS for like all their systems for some vulnerability that I'm not sure is related. AV didn't stop it when it happened, and it still can't detect anything even with a lot of IOCs and breadcrumbs all over the OS.
It's definitely a P2P botnet as it runs services for that functionality. I'm 99% sure it sneaks by in powershell via obfuscation to do whatever the fuck it wants, as John has repeatedly demonstarted. The only concrete thing I found was a 'Spyeye' entry in I believe the registry. I have no idea how to fix my PCs at this point, Wifi is unusuable as neighbors are infected, and my family has been without PCs for just over 2 months now. After I got 'hacked', I started reading and I can not fucking believe just HOW many critical exploits there are for Windows and Intel. Things they claim to have fixed as STILL being exploited. I've been stressed and depressed for the past 2 months trying to figure out what I can even do until when/if this becomes mainstream news. I see identical reports of mine ALL over support forums yet, strangely, Windows and big AV/Tech security firms have been dead silent. From what I've seen I'm convined this was an extremely widespread attack (browsing through some code, I'm thinking Chinese origin) and Windows is trying to keep the lid on this until they come up with a 'fix'.
What's worse though is that a 'fix may not even be possible. Good malware these days uses programs to check for certain exploits on individual networks/systems, and it's impossible to protect against that for 99% of users, if at all.
Sorry I wrote a book, this is just all so surreal and a lot of supposdely knowledgable people say this isn't possible when I KNOW it is.
@@Demoralized88 you have piqued my interest. I am going to look into this.
Awesome content. Thanks for putting up the video 👍🏻
Yay another one!
thank you for your great work.
I got a cool one at work that was a phishing attempt through a Google Drive. Instantly made me think of your deconstruction videos.
You can kind of think of MIPS like a simpler version of ARM. It's assembly code is so much simpler compared to say ARM or x86 that my University uses it to teach assembly basics and concepts of how a processor works. In my experience it's very common in SOHO networking and IoT devices.
Hi John love the videos! You think you could make a tutorial on setting up a safe environment to explore malicious programs? I know virtual environments, are a start, but I think getting a video template would help put some paranoia at bay. Thanks in advance and if you already uploaded this tutorial my apologies.
JOHN I WANT TO YELL AT YOU FOR ...
Creating a great video 🤪
Awesome, thanks for more malware content!
Now this is good entertainment! :D
appreciate you brother. keep teaching us please.
When you’re so early that john’s hearted every comment
Maybe you already know that, but there is a nice Java based MIPS emulator called MARS. It is developed by the Missouri State University under the MIT license. It has some nice features like step by step execution and register editing. So if you at one point want to/need to work with MIPS, this is a great tool to assist you
Destroyed and annihilated the bell! Great content!
This looks like a web-based RCE scanner for routers. Perhaps to drop a ddos script or something later.
A very entertaining analysis
Loving the malware analysis vids John - keep repping the blue team :)
John, I just thought of a Tag Line for this type of video for you. “Down the Rabbit Hole with John Hammond” 😁
I Think reversing Malware Is fantastic I have learned so much from watching this Ty
Thank you!
was reading up on some botnets using Twitter formatted messages yesterday and this video now the timing confirms John get out of my computer!
That list looks like a list of router makers/models
Hey John! love your content! Just a quick question. How do you CTF creators hide text in images? What tools do you use?
There are loads of Steganography utilities, my favourite is Outguess!
There's also jphide & seek and steghide, they're good ones too!
Nice video. Can't wait for the next one! :)
I like catching these premieres. It's fun to watch, but lot's of it is over my head at this point.
Shout out from the Philippines!
I all-time following you sir
Mozi is the name of a classical text in Chinese philosophy. "Master Mo", literally, and one that is argued to be the Chinese counterpart to Aristotle for inventing a philosophy of science and a logic. I'm no Sinologist, but in the recent English edition I find that part of the text to be incomprehensible. The rest is an interesting counterpoint to the official and conservative Confucians and the quietist Daoists.
I personally love how UPX was created for/by the Warez scene wayyy back in the day, and it's still one of the best packers out there. Pity it's so tied into the malware scene and often viewed as malicious.
I wonder if antivirus software actually unpacks UPX binaries itself, we know they're capable of lifting virtual machines from proprietary packers like VMProtect, should be easy to unpack UPX and analyze the "real" malware sandboxed on runtime.
Big fan John! Always loved your content!
I wonder what the firewall in front of that camera showed?
it's nice to know how that things work ;)
I hope you will continue with reversing malware 4ever
Good stuff, love this content man
25:15 - pause it and go frame-by-frame using comma and period
These videos are so good!!!!!
still new to your videos, I am thinking of starting my pentesting journey again, you may have motivated me fellow ginger
Sees John posted another malware analysis: Likes the video. Simple as.
Thank you so much
30:40
John, that's Huawei... The IT arm of a certain party
I enjoy the pronunciation of Huawai as Huwai'i :P
I have no fucking idea why I am watching this. But damn man your vids are entertaining me!
at 25:17 there's your answer
Love your energy
Hello UA-cam its your Boy john hammond John Hammond and John Hammond
Someone found a killswitch and has effectively neutered Mozi in August
Very interesting!
oo another malware analysis
i still cant believe ed sheeran does coding and such in his spare time!!!!
I'm pretty sure it makes a difference in hopper what cpu arch you dissassemble as, 35:46 you're opening it as a x86 and not mips