That VBA brute force method for removing worksheet protection is kinda interesting. My favorite technique for removing worksheet protection is to open it as a zip file and edit the sheet xml file to remove the sheetProtection key
This was another option in that article that I admittedly tried first, because I didn't think the VBA brute force method would be so fast. I tried to extract it as a ZIP, but for some reason it couldn't pull out the /xl/ folders and files within it. I should have kept that footage in 😅 Either way it is an awesome trick to know for the future!
Dear John, one of the fastest ways is to add the Developer tab to excel (file->options->customize ribbon then add it from the right list) and from there you can click macros and view all the embedded or stand alone macros edit: not as a workaround to unprotect, just to see all macros on all sheets, hidden or not. the vba brute force method was BRILLIANT, Loved it!
Another great Video John, I do enjoy when you don't know something and show us that you go to find it. It shows us that even the Pros need to look up stuff, and not to be hard on ourselves for not knowing something, so thank you again!!
Please make more videos like this! I love hearing about the latest malware news, and having you give us insight into how it actually works using demonstration is really helpful!
Great video! although I would love to see a dynamic anaylsis of it! don't be intimidated by making long videos, believe me we all kind of sad when the video ends quickly haha
Dude, I just discovered your channel today, and I can't stop watching. Yeah, you cover subjects I'm very into, but also your narration and depth of work really can keep my attention. Cheers from Poland, keep rocking, king!
Regarding bypassing the macro protection, in order to place files in the templates folder, you need to be admin (since the location is otherwise read only). Once the user is willing to perform dubious actions as an administrator for the malware author... there's not much you can really do to protect them. Raymond Chen would likely classify this as one of the "other side of the airtight hatchway" type of "exploit".
Man I had this running in the background and when John read the "Ivan is in need of some cash again so he went back to work." I said out loud, "True...wait" The whiplash I had when I realized John wasn't referring to me lmao
Just getting into info sec as an interest and got suggested this channel. This was really interesting to me. I remembered some of the basic programming you could do in XL from an intro level class I took some years ago. It's both surprising that it's being used this way and that it took so long for somone to try and abuse it (though I doubt this is all that new, just new to me). TL:DR thanks for the vid and the neat examples to go with the warnings.
I agree with some of the other commenters in that I'd love to see you do more lengthy deep dives in investigating these types of things. I don't believe I've ever watched any of your videos before, but have already subbed considering the value you provided in this video alone. But as someone who has always had an interest in learning more about cybersecurity and wanting to actually go into a cyber career field (I'm currently in IT networking & desktop support), those types of indepth videos will truly be beneficial for many of us who are looking at deepening our knowledge in the field, if that makes sense. Thanks and looking forward to seeing more videos from you!!
Extremely weird to see someone from my high school in my recommended, especially when the school was so small! I was a senior in drama when you were a freshman - fun to say I have an answer for the most famous person who went to my high school :)
@@_JohnHammond Haha! My name was Josh (Curtis) at the time, but it's Adrienne now. My career is in medical IT, but I do love content about the spicy stuff ;)
NOO! You cut some out one of my favorite arts of your videos, which is the deep dive investigations and playgrounds. Could it be possible you release a more lengthy version of these videos, as well as the shortened videos? Watching your investigation helps so much with all those hidden gems you reveal (example, "code written in excel cells but turned white and hidden" really helps formulate new ways of perceiving the situation, especially for us n00bs :P) great video!
Nice work mate :) Those old office formats are a nightmare. I remember they use some crazy compound binary file system that's a bitch to parse. MS-XLS Compound file. OLE. (google cached result are different to where M$ redirects to). There are some good resources online where people have poked into it more. I'm not a security researcher. I just needed to find the "Content Created" date (not the "Created Date") of all files on a filesystem at my workplace, a few years back (GDPR, blah blah blah). My weapon of choice was PowerShell. Easy with the newer formats, nightmare with the older formats. Absolute time drain looking into it. I did get it done though. Thank fuck for other people's research. Fascinating subject though! [/nerd]
After messing with this following your tutorial I am shocked they didn’t make use of the Macro command to create an alert. Prompting the user to save the file in the templates. Making it look like a windows alert.
Well, unless I am not following, they wouldn't be able to invoke an alert, because they cannot run macros at that point? They would need the file moved to the Templates folder before they would be able to pop open a prompt asking them to put it in the Templates folder 😅
Yea you’re absolutely right 😅 lol I’m dumb and new to cybersecurity so if I can make excel docs execute stuff I get overly excited! Classic noob stuff here. 😂😂
Wheres the best place to download the malware? i've got a windows 10 box with a non functioning network card that would be cool to play with this. Especially as I swear every modern virus is an excel document with a bad config
This is a huge gem, a hidden niche.. You'll see tousands of walk-throughs videos setting up the Linux Desktop post-installer and WM's, yet I've never seen one how to do a fast install to get an InfoSec environment up and running, totally updated to get started. Given the number of global OpSec students, I'd say this will be a hit.
Fun video! Little thing though: You turned off your internet when you were looking inside de file, but it was turned on again when you executed the file... I don't think that was intentional.
64-bit time_t is a powerful integer. The integer overflow error will occur at 03:14:08 UTC on 19 January 2038. But various OS'es and language took various approaches to the problem so the specialists studying this Emotet beast since 2014 are more familiar with these type of programmatic innerworking of the blobs floating all over the internet. Programatically, a calc like this (E4 / E5) could make sense if you calc dates and times using 32-bit tm_year, so the logic will handle most architectures and scenario's. If it's an old feature, you'll probably see it transitioning along the crypto methods in use.
Wonder if Emotet is what's fucking my PC. Tronscript only kneecapped it. Eset, Kaspersky and MBAM can't figure out what's wrong and my c drive keeps filling slowly.
I assume that directory under Program Files etc. has its default ACL - Microsoft does say never to give world-write here, ever. So there's that. (Assuming Microsoft is eating their own dogfood here.)
I've spent nearly two years writing software just to compact this virus. If anyone is having a major problem getting spammed with emotet emails, DM me.
I wonder why most of them are being targeted towards Italians? Frattura means invoice. At first I thought it was also Spanish but no, they are all either in English or Italian. What does Ivan have against Italians? Or maybe the person that took Emotet is Italian?
lmao that's a lot of work to ask from an end user. "I gotta copy what now where??" *grandma adjusting glasses* This is like if someone said "please put your credit card number in this box 👉👈
I'm getting spam shares of documents in Google Drive and just delete them without opening them put people that don't understand fishing attacks and other malicious attacks might open them.
Holy shit my personal email that I rarely ever get out has been RAVAGED by spam for the last week. I was wondering what the hell was going on! Thanks god I know how to spot phishing but there are millions that can’t 😔
Copy Paste All Red Text, Throw in Notepad++, Then Remove All Spaces, Null Characters if any. It will slam all the code together. ....COME ON MAN.... ;)
this stuff is super annoying we have already HUGE I mean HUGE bot problems everywhere everything is super infested already sure they can do better they exploit even this HORRIBLE situations.
That VBA brute force method for removing worksheet protection is kinda interesting.
My favorite technique for removing worksheet protection is to open it as a zip file and edit the sheet xml file to remove the sheetProtection key
This was another option in that article that I admittedly tried first, because I didn't think the VBA brute force method would be so fast. I tried to extract it as a ZIP, but for some reason it couldn't pull out the /xl/ folders and files within it. I should have kept that footage in 😅 Either way it is an awesome trick to know for the future!
Never thought of unprotecting sheets. I usually just dump the contents with ssconvert (gnumeric) and do some regex to clean up the output.
Not sure the xml method still works. 😅
wait a minute, you can hack protected worksheets? That's where I keep all of my passwords 😳😳
Love the title, king of malware, from imhotep to emotet. :D
LEO! Didn't know you watch him. Nice to see you here.
I'm too new to understand this
@@jony9867 understand what?
the joke
GREAT TO SEE YOU MY FRIEND, thank you for the support!
The E4 and 5 are short for epoch 4 and 5. They are the specific botnets used for the campaign.
Dear John, one of the fastest ways is to add the Developer tab to excel (file->options->customize ribbon then add it from the right list) and from there you can click macros and view all the embedded or stand alone macros
edit: not as a workaround to unprotect, just to see all macros on all sheets, hidden or not.
the vba brute force method was BRILLIANT, Loved it!
IS THIS WHY EVERYONE ALWAYS TELLS YOU TO BE CAREFUL WITH DEVELOPER OPTIONS??
Another great Video John, I do enjoy when you don't know something and show us that you go to find it. It shows us that even the Pros need to look up stuff, and not to be hard on ourselves for not knowing something, so thank you again!!
Yes and do it day to day basis 😐
@@affiliateanimalistic9607 🤨
@@affiliateanimalistic9607 lol
Please make more videos like this! I love hearing about the latest malware news, and having you give us insight into how it actually works using demonstration is really helpful!
I would love a follow up video with some more digging.
I like how the placement of your mic changed your T-shirt's logo from WARNING to WANG
Great video! although I would love to see a dynamic anaylsis of it! don't be intimidated by making long videos, believe me we all kind of sad when the video ends quickly haha
Dude, I just discovered your channel today, and I can't stop watching. Yeah, you cover subjects I'm very into, but also your narration and depth of work really can keep my attention. Cheers from Poland, keep rocking, king!
Regarding bypassing the macro protection, in order to place files in the templates folder, you need to be admin (since the location is otherwise read only). Once the user is willing to perform dubious actions as an administrator for the malware author... there's not much you can really do to protect them. Raymond Chen would likely classify this as one of the "other side of the airtight hatchway" type of "exploit".
Amazing video John, great way to show us the concept as well as some cool techniques about the password protected sheets.
Man I had this running in the background and when John read the "Ivan is in need of some cash again so he went back to work." I said out loud, "True...wait"
The whiplash I had when I realized John wasn't referring to me lmao
I read this as you had emotet running in the background lol
I absolutely love your videos. The way you explain things to make them simple to understand is amazing.
A little brute force password cracking VBA script.
Isn't that one of the cutest things you have ever seen?
Thanks for the awesome insight, as a malware analyst by trade I actually ran into some of these new samples yesterday.
Just getting into info sec as an interest and got suggested this channel. This was really interesting to me. I remembered some of the basic programming you could do in XL from an intro level class I took some years ago. It's both surprising that it's being used this way and that it took so long for somone to try and abuse it (though I doubt this is all that new, just new to me).
TL:DR thanks for the vid and the neat examples to go with the warnings.
I agree with some of the other commenters in that I'd love to see you do more lengthy deep dives in investigating these types of things. I don't believe I've ever watched any of your videos before, but have already subbed considering the value you provided in this video alone. But as someone who has always had an interest in learning more about cybersecurity and wanting to actually go into a cyber career field (I'm currently in IT networking & desktop support), those types of indepth videos will truly be beneficial for many of us who are looking at deepening our knowledge in the field, if that makes sense. Thanks and looking forward to seeing more videos from you!!
Thank you for that showcase! Very interesting...
Thanks, Turbo! Good video. Would have enjoyed see you dive in a little deeper though.
Extremely weird to see someone from my high school in my recommended, especially when the school was so small! I was a senior in drama when you were a freshman - fun to say I have an answer for the most famous person who went to my high school :)
Oh dang, now I need a hint as to who you might be :) I was doing theatre right there with you!!
@@_JohnHammond Haha! My name was Josh (Curtis) at the time, but it's Adrienne now. My career is in medical IT, but I do love content about the spicy stuff ;)
Awesome to see TheAnalyst getting a shout out!
NOO! You cut some out one of my favorite arts of your videos, which is the deep dive investigations and playgrounds. Could it be possible you release a more lengthy version of these videos, as well as the shortened videos? Watching your investigation helps so much with all those hidden gems you reveal (example, "code written in excel cells but turned white and hidden" really helps formulate new ways of perceiving the situation, especially for us n00bs :P)
great video!
Nice work mate :) Those old office formats are a nightmare. I remember they use some crazy compound binary file system that's a bitch to parse. MS-XLS Compound file. OLE. (google cached result are different to where M$ redirects to). There are some good resources online where people have poked into it more.
I'm not a security researcher. I just needed to find the "Content Created" date (not the "Created Date") of all files on a filesystem at my workplace, a few years back (GDPR, blah blah blah). My weapon of choice was PowerShell. Easy with the newer formats, nightmare with the older formats. Absolute time drain looking into it. I did get it done though.
Thank fuck for other people's research.
Fascinating subject though! [/nerd]
Interessting thx für thus great explain video!👍
After messing with this following your tutorial I am shocked they didn’t make use of the Macro command to create an alert. Prompting the user to save the file in the templates. Making it look like a windows alert.
Well, unless I am not following, they wouldn't be able to invoke an alert, because they cannot run macros at that point? They would need the file moved to the Templates folder before they would be able to pop open a prompt asking them to put it in the Templates folder 😅
Yea you’re absolutely right 😅 lol I’m dumb and new to cybersecurity so if I can make excel docs execute stuff I get overly excited! Classic noob stuff here. 😂😂
I like the part where your shirt says "WANG" due to the mic hiding some letters.
Brilliant vid. Learnt so much
E4 and E5 are Epoch 4 and 5 and are seperate botnets, they could be separate factions or the same faction running multiple generations of software
Like the trail and error playarround tinkering video's :-). Hope you will go further with this dll "unpacking" you just showed us. Great stuff
Wheres the best place to download the malware? i've got a windows 10 box with a non functioning network card that would be cool to play with this. Especially as I swear every modern virus is an excel document with a bad config
Great video, thank you so much for sharing!
SeeDosRun is the "fix-all"
Thanks John👍
Why do we still allow anyone and everyone to register a domain without any form of formal identification?
or email adress...
@@MattRose30000 don't they? Doesn't the email come up on a whois request?
This is a Diamond 💎, Great Sir 👏🏻👏🏻
Any chance you deobfuscate this in another video? I love your malware analysis vids
I would love a video of how you set up a fresh Kali VM
This is a huge gem, a hidden niche..
You'll see tousands of walk-throughs videos setting up the Linux Desktop post-installer and WM's, yet I've never seen one how to do a fast install to get an InfoSec environment up and running, totally updated to get started.
Given the number of global OpSec students, I'd say this will be a hit.
Top Jack ryesider video John is one that using On me right now
He is the only guy that brings something mind blowing.🤩
Thought this was going to be about Limewire!
Does excel still not have an option to just view all macros in a sheet?
Finally, upgrade! Shure SM7b 😎
This was really awesome, thanks John
Great video! Thanks!
How do I get rid of malware installed by state actor?
Fun video! Little thing though: You turned off your internet when you were looking inside de file, but it was turned on again when you executed the file... I don't think that was intentional.
Lmao I died on the reading of the random folder!!!
Emotet never went away John!
It's still prevalent.
I believe E4 vs E5 varients are based on the type of Excel macro is being used. (Excel 4 vs Excel 5)
E4 / E5 == Epoch 4 / Epoch 5... it's botnet specific.
64-bit time_t is a powerful integer. The integer overflow error will occur at 03:14:08 UTC on 19 January 2038.
But various OS'es and language took various approaches to the problem so the specialists studying this Emotet beast since 2014 are more familiar with these type of programmatic innerworking of the blobs floating all over the internet.
Programatically, a calc like this (E4 / E5) could make sense if you calc dates and times using 32-bit tm_year, so the logic will handle most architectures and scenario's. If it's an old feature, you'll probably see it transitioning along the crypto methods in use.
I’m here for the example samples 😂
what would you say the risk of this malware is? low risk, medium or high risk? and why? thank you
Does anyone know where it is possible to download the malware file for analysis?
Now I completely understand why we shouldn't click random Offices file
Wonder if Emotet is what's fucking my PC. Tronscript only kneecapped it. Eset, Kaspersky and MBAM can't figure out what's wrong and my c drive keeps filling slowly.
This gonna work on linux.?
I assume that directory under Program Files etc. has its default ACL - Microsoft does say never to give world-write here, ever. So there's that. (Assuming Microsoft is eating their own dogfood here.)
Yup! Good.
that was so cool, in a bad way !
thanks
Regulators what master volume hie please
The analyst has a fire profile pic
I heard that Microsoft was going to disable xlsm or xlsxm files. when is that supposed to happen?
I've spent nearly two years writing software just to compact this virus. If anyone is having a major problem getting spammed with emotet emails, DM me.
The King Of Malware has woke again!
please cover the SpinMaze virus
how did he create a shortcut copy of that excel file so quickly?
1: select file, 2: control+c = copy , 3: control+space = deselect, 4: shift+f10+p
I don't understand anything. Where to begin?
I wonder why most of them are being targeted towards Italians? Frattura means invoice. At first I thought it was also Spanish but no, they are all either in English or Italian. What does Ivan have against Italians? Or maybe the person that took Emotet is Italian?
Think Ivan implies a leader of a country in a 'special military operation'?
Oh, that’s interesting.
Those search suggestions for "unprotect..."
great vid keep it up
Trying to read your 👕: WARNING
_Cyber Security Proposition 65_ ...code...
What does the rest say and what does it mean?
Dude it’s 2022, wtf is XLS malware doing!
lmao that's a lot of work to ask from an end user. "I gotta copy what now where??" *grandma adjusting glasses*
This is like if someone said "please put your credit card number in this box 👉👈
Commenting for the algorithm
I'm getting spam shares of documents in Google Drive and just delete them without opening them put people that don't understand fishing attacks and other malicious attacks might open them.
Holy shit my personal email that I rarely ever get out has been RAVAGED by spam for the last week. I was wondering what the hell was going on! Thanks god I know how to spot phishing but there are millions that can’t 😔
Copy Paste All Red Text, Throw in Notepad++, Then Remove All Spaces, Null Characters if any. It will slam all the code together. ....COME ON MAN.... ;)
can you build another jurassic park with better security
Why Emotet is the King Of Malware?
That's why you don't give your employees Admin rights unless you know they have at least some basic security literacy.
personally i would just use google sheets
Love videos like this
I just wonder why Templates shouldnt use protected view. Why this is even a "feature"
this stuff is super annoying we have already HUGE I mean HUGE bot problems everywhere everything is super infested already sure they can do better they exploit even this HORRIBLE situations.
it’s called Eulen
I'll be honest. I heard the title, and saw your name john. I thought john mcafee had come back from the grave.
Windows, Excel, is that even still a retro thing? Next thing we’ll see floppy disk viruses make their come back..
Dude do you have a side gig as a DOTA caster? Me trippin' FR
Skydoesminecraft has changed
Awesome!
jokes on you i dont even check my email
So windows defender is useless then?
Windows is just like just pulled a robocop .-.
yeah, but xcopy wasn't supported in robocopy.
wait what do you mean “emotet” isn’t short for the emo rock band quartet known as My Chemical Romance
Boeing (child company jeppesen) was hit with a ransomware attack on the 4th.. related?
The Sheet-Password is just a joke, look into the detais
done
i need you to analyze a largely used .exe file