!! I was seriously hoping you would do a video JUST like this! Thank you!!!!
Cool! glad you enjoyed :) plenty more to come and suggestions welcome.
One thing I think would be awesome, and super helpful, is how to setup a secure environment (lab) for testing viruses and malware. Things that would be interesting to hear from an expert (you) are...
- How to protect your computer (use a VM hosted on non-personal use computer etc.)
- How to protect your network (viruses can spread over networks to your personal computers, how do you prevent this?)
- How to protect your home IP (external IP could be logged by hackers for later attacks, how do you prevent that?)
- How to setup a demo VM like you have in this video (must have installs, etc.)
Just a suggestion! Any information on how to setup a secure, safe, testing lab would be so cool as it could help people get started digging into these things!
thanks for the detailed suggestion, i will piece together a walkthrough of the various VM configs I tend to use and hopefully that will be of benefit. watch this space :)
Simply outstanding. Boring? More like fascinating. Bring on more videos!
thanks! :)
I'm a networks guy, but your videos have opened up an entirely new facet of IT for me that I've never stopped to think about. Brilliant videos! Keep up the great work that you do.
thanks Duncan! glad you enjoy the content.
Thanks for educating me in the morning 4 o'clock.
Binged all your content and recommended you to all my friends (who are interested in computers to any degree). Love the content, keep it up!
thanks!! glad you like.
Hi Colin, I came across your videos only a few weeks ago; the content just seems to get better each time, and there is always useful content. Also no pussyfooting around for like 55 minutes, you give simple, direct, straightforward information. I'm sure people appreciate this.
YouTube should have more channels like this.
Just a thank-you message.
awesome! thanks for taking the time to comment :)
You're great, millions of likes for you, huge respect !!
kind words, thanks!
First video I've viewed of yours, seems like you got a bunch of quality videos here. I dabble in security so I enjoy these types of videos. Subscribed!
cool! welcome to the channel :)
I was searching the Internet for videos like the ones you have here, and I feel so wonderful with your content!!
hey Colin. Thanks for this vid. Was waiting for this since I saw ur first video. Appreciated.
no probs, glad you enjoyed :)
You seem to have a rather quick but efficient style to your delivery which is refreshing. You cut out all the B.S. and ramblings that some other channels are guilty of which lose my attention. You covered a lot of ground in a short period of time but your info was easy to comprehend. Thank you!
By the way, would you recommend Sandboxie at all for a home user running on a Win10 OS? I'm looking for a safe way to test downloaded software and browse the web while minimizing my risk for infection. Thanks!
hey thanks for the kind words. Sandboxie is for sure a good utility, i'm not sure it would give you all the versatility to analyse malware though, i'd probably recommend a dedicated VM for that which has all your favourite analysis tools.
My favorite channel at the moment! Please keep it up!
awesome! glad you're enjoying the content as much as I enjoy making it.
DUDE I was just about to ask you to share your tools on one of your other videos, THANK YOU!
no probs :)
Great video. And the fact you replied to every comment shows that you are a great person.
thanks! glad you like the content and thanks for taking the time to comment.
Thanks for this, I only recently found your channel and I'm sure it'll come in useful over the coming years as I'm studying computer science and want to get into security afterwards.
awesome - one of my mottos in life: "always be learning" :)
Thank you for everything you do Colin!!
Your videos are incredibly interesting and I always find myself learning new things.... I've been binge watching these for like 5 straight days now. Keep up the good work!!!
haha - awesome! im glad you like. :)
love it. you should show off your setup, really wanna see it
i will cover that for sure.
Great Job!! Packed what would normally be an hour+ in 15 minutes!!
Thanks A LOT for this useful tutorial mate! =))
No worries, glad you liked it.
Just found this channel! Love it. Working as a trainee in the IT field, I was wondering if you could show us how to protect ourselves from the malware you've shown us so far? Something along the lines of how to set up a firewall to block X traffic or how to monitor for malicious traffic.
great suggestion, thanks! and welcome to the channel.
Colin, I've watched many UA-cam security channels, but I'm glad you're covering real world material. Do you think you could do a walkthrough of a full detailed analysis of a piece of new malware? Like show how you would do that at a real world job?
thanks for the feedback. any samples in mind?
Colin Hardy NotPetya maybe? I think it would be neat to see what's under the hood of wiper malware that looks like ransomware. Like I would like to know why some think it's wiper malware, and not ransomware, using like a line of code that's in it as proof.
awesome! thanks for the tool tips!
pleasure :)
Colin, so cool. Been making a list of tools I need. Now building my test environment. Hope you know you are my mentor. Thanks for doing this, ayodele.C
awesome! thanks for the kind words and i'd love to hear your feedback and suggestions on videos also. cheers!
Ask and ye shall receive.
You've been asked a lot for this, and BAM, you deliver. Great video!
:) glad you enjoyed.
Maybe a more general video about how to safely test: using a virtual machine, but do mind that it can affect other systems in the network and so on. What your basic template (image) is, at least the mentioned tools.
good idea. i'll do a setup video shortly. thanks
I love the topics you cover, keep going!!
thanks!
Loving your content !! Keep UP !!
thanks!
Love your videos and the knowledge you give in them. Keep up the great work!
thanks! glad you enjoy.
Fascinating. I'd love to learn more about this.
This is soooooo helpful! Not only in malware analysis :) Thanks Colin!
Great job Colin! Great Channel!
thanks!
Thank you very much for the suggestions, Colin!
pleasure :)
bench tails
Been looking forward to a useful software list like this!
plenty more to come too :)
Love your videos!!!
Why didn't you mention IDA pro in this video??? I've seen you use that in a few of your other videos
this video was about behavioural analysis, IDA would be more for static analysis. i plan to do videos covering that too :)
Colin Hardy Ok, cool. I look forward to all your videos. Can't wait :)
This video reminded me that i should download CaptureBat. Great video btw :)
thanks. capturebat is cool - just a shame it doesn't work on a 64-bit machine. wish someone would re-write it!
Damn i must have been doing something when you mentioned that... Yeah it totally didn't work.. gotta rewrite it myself i guess... or just do something similar..
That is a great top 5. I use these a lot. Awesome !
What an amazing video and a nice explanation of the logs. I subbed. Hope you will make more videos like this.
your videos are awesome! what vm do you use?
Thanks! Here I used a Windows 7 32-bit VM using VMware Fusion on my Mac.
vmware
Excellent video yet again much appreciated !!!!
appreciate the comment and the feedback, thanks!
No problem man, setting up a phishing environment at work and will certainly be recommending your channel for reference. Keep up the great work.
Keep the vids coming Colin!
thanks - will do, suggestions welcome.
Hi,
Just wanted to let u know, you inspire me as a computer science student to study even harder to get on your level sometimes. DAMN you really know this stuff, keep it up please.
Also I really love your voice, it is so calm and really the right speed, not too fast, not too boring. Have a nice day!
awesome! glad you enjoy the content and thanks for taking the time to comment.
Thanks for a great tutorial mate, certainly very useful. In case you accept requests/ideas for any further tutorials, it'd be more than awesome if you could prepare any material regarding the safe setup of a virtual machine.
Just noticed that you have addressed that certain topic already, silly me :|.
Thanks for sharing your knowledge Colin ! :)
pleasure!
Colin this is awesome! Thanks for sharing!
pleasure, thanks for commenting :)
of course! I subscribed to your channel ;)
please share more! it will help us all cyber security professionals to get different points of view in analysis.
-A
Great video!
Very informative.
thanks! appreciate the feedback.
a program i like is regmagik, it's an enhanced version of regedit, and you can run it when regedit is blocked etc
cool! thanks for sharing.
Really interesting overview!
thanks!
@colin hardy great video! wondering... is there an alternative to capture bat for 64 bit systems?
not that i know of tbh
Colin Hardy I noticed you're doing this demo with networking enabled... does it matter if networking is enabled or disabled on the vm's? Will I see less IoC's if its disabled?
that's a great question. you'll find both situations quite often, take Emotet malware as an example. If you have networking enabled, the .doc file that is used to download the payload will hit a payload URL and go on with its business. However, switch off networking and you'll reveal all the fallback URLs that would have been attempted if the URL was not available. This saves you reverse engineering code, but it's often a good idea to reverse the code to match your behavioural analysis.
Hey Colin. Could you please give us an overview of you and your education. You seem a knowledgeable person and I am really interested in knowing your background and how you became so professional in this field.
feel free to check out my website for my education profile: colin.guru enjoy!
sir, may i know what you use at 3:09 to revert the state?
It's comforting to know that I use the same tools you use, with the exception of capture.bat; I use a file and registry monitor. Do you think capture.bat will come in a 64-bit version?
hopefully if someone re-writes it :)
Great content! Please do more like this ;)
thanks!
Great one! Thank you for this! Checking these out
thanks :)
Hey Colin!
Thank you so much for the awesome vids, I really enjoy your channel.
I've been trying to get into malware analysis, followed your advice to somebody in the previous video to purchase Practical Malware Analysis book, still waiting for it to arrive though!
I've got a question regarding CaptureBat. I've tried using the software before because it indeed seemed very useful. However, I couldn't get it to run, not even in admin mode. It just displays the message "WARNING - Filter driver not loaded (error: 800704fb)". Do you have any idea what might be the issue?
Cheers, keep up with the great work!
it sounds like you're running on a 64-bit OS. Capturebat only works on 32-bit.
ps, thanks for the comment :) glad you're enjoying the content
Well, that's what skimming through the website instead of reading everything carefully got me :P
Thank you for the help!
Thanks Colin, If you can create a video on Automated Dynamic Malware Analysis like setup of Cuckoo Lab on linux with windows host.
interesting idea, thanks!
Colin Hardy I have just created one in my home lab.. this will benefit your audience .. thanks for all the good work.
Hi Colin, I like your video. But I encountered some issues. When I execute CaptureBAT.exe as you do, the prompt gives me "FileMonitor: WARNING - Filter driver not loaded (error: 800704fb)". Do you have any ideas? thanks:)
77 caikiki are u on 32 or 64 bit machine?
64-bit. Oh, maybe I see... this .exe on its official website does not support 64-bit well. I tried on my Win7 and Win8 (all 64-bit), and it all failed. XP works well, and my XP is 32-bit.
yup, you guessed it, 32 bit only :)
great vid, I would like to know what software was used to roll back/restore the Os to an earlier state?
I use VMware Fusion on a MacBook Pro. It's awesome!
I think Microsoft Message Analyzer is the new version of Network Monitor. It has more capabilities and is up to date. Quote Microsoft: "It is the successor to Microsoft Network Monitor 3.4 and Message Analyzer v1.3."
So maybe give it a shot :)
Hi colin 1 video on the adware please...
in procmon u can create a filter "contains" with the string "file"
it captures all events that are associated with files
nice.
Nice video.. where can I find malware samples
can you do a similar video but for mac osx & unix? best tools for debugging other OSes
interesting suggestion, let me see what I can come up with.
how did u set this information on the desktop? like IP/DHCP name etc ?? is there any tool for that ??
i use "backgrounds" from sysinternals. another of my favourite tools :)
this is great cause a lot of malware hides itself the second task manager is opened
Wow process hacker is sick!
sure is!
What do you use to run your VMs?
Hey Colin, what about IDA Pro free? Do you have any website where I can download it from?
www.hex-rays.com/products/ida/support/download.shtml
Great video :)
thanks!
Great!!
Someday I would like to be as good as you!
Thanks!
nice comment, thanks.
thats a really informative video
Thank you for the video
Is there software that can ask the user if he/she wants to allow a certain command line to be run? Sort of creating a white list?
this is likely something that can be configured through application whitelisting in Group Policy.
So if I were to write software for that, I'd need to know how to monitor command lines and run them through the white list.
If there is no match I notify the user: Add to white list Yes/No.
Then I set this in the group policy you mention if the user clicks yes.
What do you think of such a program?
It also needs a record option on a healthy system to add these to the white list and then a detect mode when the recording is finished.
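The record/detect design proposed in the comment above, written out as an added example (not the channel's code and not an existing tool): a Python allowlist that records normalised command lines from constructed, Sysmon-style process-creation events on a known-good system, then in detect mode flags unseen command lines and offers the "Add to white list Yes/No" prompt. The event contents, the normalisation rules and the `console_prompt` helper are assumptions made for the demo.

```python
"""Record/detect command-line allowlist modelled on the proposal above. All
events are constructed, Sysmon-style process-creation records, not real logs."""
import re
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional, Set, Tuple

@dataclass
class ProcessEvent:
    image: str          # full path of the launched executable
    command_line: str   # complete command line as launched
    parent_image: str   # parent process, shown to the user in the prompt

_GUID = re.compile(r"\{?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}?")
_NUM = re.compile(r"\d{4,}")   # temp-file numbers, PIDs, session ids

def normalise(cmd: str) -> str:
    """Canonical form so harmless variation (case, spacing, GUIDs, long
    numbers) does not trigger a fresh prompt for an already-trusted command."""
    c = " ".join(cmd.lower().split())
    return _NUM.sub("<num>", _GUID.sub("<guid>", c))

@dataclass
class CommandLineAllowlist:
    entries: Set[str] = field(default_factory=set)
    mode: str = "record"   # "record" on a known-good machine, then "detect"

    def observe(self, ev: ProcessEvent,
                ask: Optional[Callable[[ProcessEvent], bool]] = None) -> str:
        key = normalise(ev.command_line)
        if key in self.entries:
            return "allowed"
        if self.mode == "record":
            self.entries.add(key)
            return "recorded"
        # detect mode: unseen command line, so ask "Add to white list Yes/No"
        if ask is not None and ask(ev):
            self.entries.add(key)
            return "added"
        return "alert"

def build_baseline(events: Iterable[ProcessEvent]) -> CommandLineAllowlist:
    """Record mode: every command line seen on the healthy system is trusted."""
    wl = CommandLineAllowlist(mode="record")
    for ev in events:
        wl.observe(ev)
    return wl

def run_detection(wl: CommandLineAllowlist, events: Iterable[ProcessEvent],
                  ask=None) -> List[Tuple[str, str]]:
    """Detect mode: returns (command line, verdict) for each event."""
    wl.mode = "detect"
    return [(ev.command_line, wl.observe(ev, ask)) for ev in events]

# Constructed sample events for the demo (not real logs).
BASELINE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule",
                 r"C:\Windows\System32\services.exe"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe",
                 r'"C:\Windows\System32\notepad.exe" C:\Users\lab\AppData\Local\Temp\tmp1234.txt',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\lab\Documents\report.docx"',
                 r"C:\Windows\explorer.exe"),
]
DETECT_EVENTS = [
    # same notepad command with another temp-file number: matches after normalisation
    ProcessEvent(r"C:\Windows\System32\notepad.exe",
                 r'"C:\Windows\System32\notepad.exe" C:\Users\lab\AppData\Local\Temp\tmp9876.txt',
                 r"C:\Windows\explorer.exe"),
    # never seen while recording: an executable launched out of Temp by Word
    ProcessEvent(r"C:\Users\lab\AppData\Local\Temp\setup_helper.exe",
                 r'"C:\Users\lab\AppData\Local\Temp\setup_helper.exe" --silent',
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
]

def console_prompt(ev: ProcessEvent) -> bool:
    """Interactive 'Add to white list Yes/No' prompt for the stand-alone run."""
    print(f"Unknown command line (parent {ev.parent_image}):\n  {ev.command_line}")
    return input("Add to white list? [y/N] ").strip().lower() == "y"

if __name__ == "__main__":
    wl = build_baseline(BASELINE_EVENTS)
    for cmd, verdict in run_detection(wl, DETECT_EVENTS, console_prompt):
        print(f"{verdict:8s} {cmd}")
    print(f"{len(wl.entries)} command lines now in the white list")
```

On a real system the events would come from Sysmon Event ID 1 or a similar process-creation feed, and the normalisation rules would need tuning so that legitimate variation stays quiet without masking a genuinely new command line.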
Very informative. Recently set up my own lab for Malware Analysis. I was wondering how Malware Analysts discover new malware propagation. Do they depend upon blogs/news or is there any specific setup which needs to be done in order to find new Malware in the wild?
i guess if you work in the field then you get to see campaigns from monitoring attacks against your environment and also through intelligence sharing with other companies. you can also follow various blogs / twitter feeds to pick up on the latest trends.
Thanks a lot for the suggestion.
Hey Colin, keep up the good work!
I want to do some Malware Analysis, but I don't find any viruses for it ;(
Where do u get ur stuff from (and can u maybe share your VirtualBox? Like uploading it somewhere). Huge thx
Virus Total and Hybrid Analysis are good sources of info :)
Hey man, I've downloaded a file, and when I try opening it, it says "This File Is Unpacked" or something like that. If you can help me with this, thanks a lot man!
depends :) what is the file hash so I can download from Virus Total and review.
I notice you have very few processes running in your VM to have less noise. Do you have a video/tutorial explaining how best to do this? Thanks for the upload!
i didn't do anything special tbh, although i am hiding the sub-processes of wininit.exe in process hacker which makes it easier to see the wood from the trees sometimes.
So most malware won't execute a file from wininit?
not necessarily, just in this instance it was easier to filter it out as it wasn't the case
Great video, thanks!
no probs, thanks!
you are amazing,, thank you so much,,
I was pausing the previous video and looking at the icons on your desktop hahaha
:) glad you liked, thanks for the comment.
awesome dude
Hi, are these tools open source!? If not, could you do a video on open source alternatives to get a similar job done? Your videos are helpful.
Great video! :D What about FlyPaper? I've seen it in one of your videos but I can't find a good source with a working version of it... There is a wikileaks email with it but it doesn't work on my Windows 7 VM... :/
is it 64 bit?
Colin Hardy Yeah. Is that the problem? Do you know other software which is light and has the same feature to stop closing windows? I've tried to code it myself but it doesn't work with the malware I try to analyse.
once again a very informative session. thank you :)
could you share flypaper :)
Hey Colin i was curious, is REMNUX actually private/secured in the VM or can the nasty virus still get access to your main machine hosting the OS? Wouldn't it be better to just host a RDP/XRDP server instead to fully analyse the code in the virus.
Hey, well there is probably malware that can escape a VM to the host, I dare say that's at nation-state level given the ramifications. On the whole though, analysing in a VM which is on its own subnet is generally the safest way to analyse malware.
oops, I have a question, bro, is there a way to leave Process Hacker undetected so that other programs don't see it and close it?
once again a very informative video :) Thank you !!
Could you share flypaper :)
thanks! tricky for me to share it, it's online if you google hard enough tho :)
Is there a similar VM tool for Windows, or do VMWare and Oracle already support this kind of super quick snap-shotting?
VMware works well under Windows and supports snapshots also, yes.
Colin do you have a valid link for Flypaper or could upload somewhere please?
You can find some in the comments. I don't want to be the source of software sharing tbh, I'll leave that up to you guys to find.
Hi Colin, nice video... By the way, I would like to introduce you to another process monitor... It's called "yet another process monitor" and, of course, it's OSS. It's my favourite process monitor. Give it a look if u can :)
thanks, will check it out :)
great work sir. When I open procmon it says "failed to load device driver". What should I do? Should I re-install my Windows? Please do answer as I am really facing an issue.
im not sure tbh, but perhaps this will help superuser.com/questions/211759/process-monitor-fails-to-load
Wow Thanks! This would be handy.
Btw can you make an analysis of what "fake" game torrents on Pirate Bay do to the system?
I always wonder how much they pack inside a 300MB fake installer. Should be enough for a lot of malware and bloatware.
It might act as a good warning for people who reluctantly download pirated stuff without knowing.
Are process hacker, process monitor and process explorer nearly the same??
process hacker and process explorer are very similar. process monitor is very different.
I use Process Monitor v3.31. Tried to include a CreateFile filter, but it didn't work. Then I checked the drop-down menu; it doesn't even have CreateFile as a filter, but it does have a whole lot of FASTIO_* filters. I also tried the newest version, 3.33, same problem. Can you help me? thx
thanks!
pleasure :)!
I recommend using 7-zip over WinRAR. It's free and open source.
thanks - i use both as it happens, WinRAR just so happens to be the default app for compressed files on my VM
How to deal with the problem that some viruses and malware try to escape when running in a VM?
+Kasaki John it's a risk for sure.
Can most of this be automated? Instead of combing through different programs and processes.
There are sandboxes which will automate a lot of work, but always good to compare their output to human analysis.
Wow it's still in 360p, will that get changed soon?
i guess youtube is still catching up, it only uploaded a few mins ago - appreciate your speedy view :)
Ah, I see. Btw, great informative video, thanks for uploading :)
no probs :)
Hey Collin, I'm well, you?
good thanks :)
Process Hacker looks like Process Explorer from Sysinternals.
very similar indeed.
where do i get the malware
virus total, or other such malware sharing sites.