For the frenzy of folks that are concerned YoOuUUuU LLEeeEAAaKKEEDdA TOOKKkKEKEENNNNN!N!N!N!!nn1n1hhbjgngn:
No. If you got clever and looked at individual frames, the one you see returns an Unauthorized. Others have been obscured.
Thank you for your concern. :)
Very nice video
I feel like I was called out on this, lol
Don't tokens change with time?
If you stitch together the frames where the working token is visible, you can make out about half of a token. Just to be sure, I would advise changing your password as that generates a new authentication token and invalidates the old one. You wouldn't even have had to blur any tokens if you did that before releasing the video.
Yes, passwords were changed before releasing the video ;)
Please don't stop explaining the simple stuff, I've learned loads thanks.
same
Then why did you see these kinds of videos
John Hammond thanks for this video😍😍
It's good to remember every video, especially when they're popular, will have a lot of new people that this is literally their first in depth look at malware analysis. So it's always worth explaining for the new guys.
same here
I don't think I have ever heard anyone say "please send me malware" before
it's all over Twitter if you follow at least one malware analyst
A ban was placed on my TikTok, PSN account which affected my score but all thanks to #global_hackweiser1 I got all access to my banned accounts within some minutes, which I summon the trust to work with him after I saw most of his good recommendations on YouTube. You're truly a man of your word.💯
@@recommendastra_hack_zoneon709 y spam.exe
tbh I said that to someone who was infected with this malware so then I can report the links
I'm only 5 minutes in, but I feel it's relevant to say I appreciate the "easy baby stuff" being reiterated for people like me. I'm learning Python for data science. I don't know what all of these imports do. So when you explain every import or at least give basic descriptions of what they do, it really helps me follow along.
Lol yup. Never assume our knowledge base. Those that already know python can easily skip forward that part if they want.
Ok well lol, if you're actually learning Python you KNOW what import does. Lmao think about the word for a moment…… hmmm do a little work looking up maybe? No? Just wait for someone to do it for you?
@@cedricvillani8502 not only are you pretentious, you also can't read. That's astounding.
@@cedricvillani8502 yes. Feel free to lose your mind over this fact
Well said, I think that's probably the reason I like this guy's videos. Clear, comprehensive step by step instructions and explanations.
That ".il" file is actual CIL (Common Intermediate Language, formerly known as MSIL) code that C# and VB source code files are compiled down to before they're turned into executables.
thanks man
thanks david frisk neck
@@THEbraylonbarnes lmaoo
@@THEbraylonbarnes It's German: David Fresh-Knight
Omg.. can't wait for this. I started seeing a lot of Discord trojans in the news last year and I would love to hear more in depth analysis.
This will blow up. So many script kiddies on DS
I tried to make this as cl1ckb@!t as possible 😎
@@_JohnHammond I think you've succeeded in making it that
I see them every day. Lots of the exploits people use “generators” for (python scripts you can find on GitHub) are electron related. So many ways to download files to other people’s computers and to crash other people’s computers.
@@JimTheScientist lol hey jim, fancy seeing you here!
JimTheScientist electron is a shit piece of software and I wish permanent annoyance on its devs and applications that use it. should not crash because of a video codec issue
I've been watching these deconstruction videos while I have free time at school. It's fairly interesting how easy it is to learn how viruses/malware act and what they look for. I barely know how to code, yet you make it so easy to learn how these things behave.
THC For (4) L(ife)
9-Tetrahydrocannabinol (THC) is a chemical component in weed and hash.
Probably a smoker.
nice vid btw, Learned a lot!
I hope more of you guys look into this Discord malware, a lot of this stuff is going undetected and creating a lot of headaches and some of these stealers have keyloggers, gets login sessions from your browsers etc.
This is going to be interesting. I’ve studied RCE attacks and Trojans on discord, as well as some more tame malware. I can say that discord is really bad in the security area, but it’s not much to worry about as there are few people who know how to do the attacks and how they work.
Edit: I’ve started watching the video, and I’ve seen almost this exact same script before while moderating a server
More advanced scripts add malicious JS to Discord core modules; it allows the malware to keep persistence while having a low detection rate
That's ok, only a few people know how these attacks work
@@DM-qm5sc only the RCE are private but the scripts are well public
oh hey jim fancy seeing you here
@@tlocto hello
Thanks for making it 'approachable'. I am a beginner in all of this and your quick description of the basic commands is extremely helpful. It allows me to continue to follow what you are doing and also learn about a wide variety of commands. Of course, further real study is necessary, but your presentation helps one broaden understanding of the overall field to be studied. Thanks.
Holy smokes, how can it be so easy to retrieve all your Discord data without logging in, essentially. I wouldn't have guessed that Discord is saving these tokens as plaintext in your appdata folder. Very nice video! You've got another sub :)
Late comment, but they're finally releasing a beta test that encrypts your tokens... and it only took them a few years
@@ayva1106 And even then it's still compromised. People found malware that circumvented it and managed to reverse engineer it for documentation.
Great video John, would love to see you de-obfuscate that JavaScript!
This is much better, John. You've dissected each component and explained thoroughly, rather than always rushing.
one of your most easy to understand videos yet. well explained. learned a lot. thank you John!
cant wait for 200k so excited !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
I am eagerly waiting .
I love these kind of videos, fun new channel to nerd out to. :) Joined the Discord as well! :p
i'm not gonna lie to you bro, the way you teach is excellent and i appreciate your videos more than you could ever imagine... ever...
Learning new stuff with you is always great. You always manage to draw my attention for a whole hour.
Was doing exchange patching a week ago and they reference @john Hammond gist love it
Honestly I've not watched a full malware analysis vid from you but this one rly interesting and honestly very well written
The delay is to prevent maxing out discord API requests so it's maximum efficiency
I literally saw this on my YouTube feed and immediately went to make popcorn!!
I've learned a lot from this and that says something because I'm enrolled in college for this, and I feel like these breakdowns help immensely for someone like myself.
You always have great videos!
Love your content, John! It's really fun to step through code with you.
Great content! Thank you for your contribution and for taking the risk of exposing yourself. Very informative.
Recently stumbled upon some of your malware analysis videos and boy am I hooked! love your approach, you make things super easy to understand even for someone with little to no coding knowledge. I hope soon I can find some videos on your channel about learning to program in some of these languages that you work in with malware :) some more gamer-catered stuff would be awesomeee too! thanks John for some very entertaining videos!
25:51 uid and avatar are both public values so there's no need to censor them
You are the best! Thank you for explaining also for the beginners.
200k! good job man you deserve it :)
Hey John a little off topic for this video, but your terminator vid, (among all the others!) really helped me pass the eJPT in less than 4 hours last week. Thanks for all great content man!
You're making it happen John ! :) BigUps . Learned lot from you my Guy !! Hopefully more to come. Peace
I thought it was clickbait, but DAMN!! legit content
19:00 It's not stealing your passwords from the browsers; Discord is literally just a browser and so is Chrome/Opera. So it is checking in the browsers for Discord tokens.
20:20 MFA might be safe, but the tokens it makes really aren't. From my experience they don't re-generate new ones.
@@swpq_ your token changes 100% when your password does and maybe when you change your username.
@@uslph. yeah buddy i know
Congrats on 200k!
ayy congrats on 200k John!
51:50 Hammond enters the freaking Matrix... xD You know a content creator is entertaining when you don't understand shit, and still watch until the end, entertained!
I would advise you to use solid colored bars instead of pixelation since there is currently a promising tool in development that can reverse pixelation to some extent.
hollywood isnt real bro
Reversing pixelation requires context and information. Now I haven't actually seen the pixelated part in this video, but unless the pixelated content is unambiguously readable as any character, an algorithm won't know either. I bet you'd be able to get an approximation of what it could look like, but that may just be as unreadable as it already is, only less pixelated.
@@eericjacobson neural networks exist, and they've been in use for years.
You are a genius, you are an exceptional tutor, thank you, thank you so much, I got a project idea from this vid.
YOUR explanation is Osm!!!🖤🖤🖤
by the end of the premiere you're gonna have 200k.
true
i dont think but i hope
199K NOOOOOOOOO
@@slonkazoid Just miss :(
@Jocelyn M's Alice are you ok?
If you open the webhook URL you can identify the name of the webhook, the Guild ID and Channel ID. That information is kinda basic but might help when reporting to Discord
Great video John! Many thanks :-)
Great Video, and learned a bunch!
This is going to be an amazing video!
Instant pressed like, as I saw the Triforce. :)
Absolutely fantastic content!
Awesome content as always, John 👏🏻
Love your videos sir .Hope you have a great day.
It could be the location for Discord tokens in those browsers since Discord uses Electron, which uses Chromium, which Chrome and a lot of other browsers also use, so it might be that cookies are stored there.
The path has leveldb, which is a NoSQL DB where Chromium stores its cookies and local storage
I love you John. Great video again, interpreted languages are cool to reverse. Congratz on the 200k :)
Oh wow! I'm impressed.
Only importing the actually used functions, not the whole libraries.
Love ya work chap! Sub'd
"NSFW_allowed: "yes" " 25:57
Nice, John
yes i am interested in more discord stuff
and yes it is bad, but it's good to see and know what is actually out there
By no means the most advanced malware I've seen, like it does rely on a lot of user error to work, but still a nice breakdown
Awsome video man. I appreciate it a lot
Props to this guy managing to get a discord nuker/token logger to 1 hour
@@recommendastra_hack_zoneon709 hope it gets banned again, tiktok does not deserve users
@@aty4282 Its a bot, he is so shit and one of the worst people ngl (the person running the bot)
@@IkeVoodoo goddamn, cant believe that i fell for the classic ones
Really good explanation, please keep this up
Great video, man. As always :)
After 15 years I ran into my first virus. Now what virus or what it was I do not know; I do know I downloaded a script from a Discord for FiveM.
2-3 hours later things started to go spooky.
1. Programs became slow, some were not responding.
2. When the game (FiveM) refused to close, Alt-F4 did not work, and F8 quit did not respond either.
3. Ctrl + Alt + Delete not responding, never opened up.
4. CMD as Administrator did not work at all, BUT regular CMD did work.
5. I then did a normal CMD start and ran the command "net user". I then saw I no longer had "Administrator"; a new user was active and mine was no longer active.
6. At this point I got shit scared and pulled my internet as a first step. Then I tried to start my “Firewall”, as I had it turned off for millions of reasons. I could no longer turn it on. I'm guessing because of the lack of “Administrator” privilege I lost.
7. I held in Shift and clicked restart, in order to try to start the computer in “safe mode”. Not even that worked.
8. I ran a full system check with Windows. First it came back with 0 warnings or nothing, but then about 10 min later a Windows pop-up window came up saying 2 timestamps where 2 major threats had been discovered. I then realized what it was, and it was not possible to remove them, as I already guessed.
9. I luckily had a Malwarebytes program on my USB drive. Keep in mind any download did not work at this point. The USB worked, I ran a system check, and found some files it could remove.
10. Now I thought, well, if I can at least maybe delete the program it uses to attack and gain access, I may be able to stop it and save the files. But then I thought, if I lost the Administrator, I guess it would be possible for him/her to port forward through the internet without the current malware he/she used, right?
Anyways… I did not take the chances and I ended up pulling out all of my hard drives, connected my “Wavlink Docking Station” and deleted everything from scratch. I do know some malware may survive… but I then also decided to make a full reinstall of Windows. I did research and heard it is POSSIBLE for malware to still be in the system... if anyone can give me an idea of how rare that is, please give me a comment.
15 years… never experienced anything like this. I am not an expert nor an IT person. Simply computer interest and a gamer over many years.
My question is to any of you experts here. Is there ANYTHING more I could have done in this scenario? Did I do anything wrong?
Wish I had John's expertise, best regards Simon
Seriously the best content creator out there. Love the videos. Keep them coming.
that server crasher is probably allowing the person to join servers and spam the server with that user's token
I definitely want to see you deobfuscate that JS code :D
Someone attempted to scam me with this script with mild differences. They were targeting a programmer Discord server where most people would have Python installed, and double clicking the script they gave you would actually run it if you installed Python to execute with IDLE.
He sends the script with the first lines as if he needs help with Discord bot programming. The first few lines show up in Discord but the rest won't; that's how he tricked people into downloading and running it.
EDIT: The script would send this information through a Discord Webhook to their discord server. Already reported it
This seems very interesting. Can't wait to see it
Thanks for this video sir
25:09 leaked invalid ("unauthorized") token
Looked like that first sketchy website at 33:50 was a PeerTube instance. It was probably a community dedicated to malware videos.
Oh its a fun series keep it up!
I was thinking if i should like this video - then you pointed out your TLOZ shirt. You win
yikes. .. follow up on what more you learn about this for sure lol.
dropped a like. already subbed.
54:55 I was kind of expecting a "it's bad mmmkay?"
Hey John, love the Malware stuff. Would love to see some Dynamic Analysis with some ransomware or something , cheers
YT buried my comment from 21 hours ago, but at 1:50- will it run? Yesterday I found I have two Python apps installed from the Windows apps store dating back to 2019. File handler was not enabled though
Sometimes you make me really nervous, John.
No, not the tokens, the clumsiness in the shell :P
echo %LOCALAPPDATA% ... or cd %APPDATA% jFYI
But never mind, thanks for the video :)
35:05 The twitter account was contained in the pastebin before it was removed
amazing content john
you have a new sub
keep it up.
For the browsers, it takes the tokens from them because some people log in to them. Like you said :)
Hey, never say you're stupid, you are smarter than I am 💯 on that. I've learned more with you explaining what you are talking about, so keep it up, have a good day or night brother
And as a phone guy who watches your videos, keep it up
I love how the token stealer disguises as a token stealer 🤣
Time to scream at you to continue to decode the javascript horror
wow Ed Sheeran into malware xD
Love from India vro
ah yes.. john.. john hammond does it again.
thank you for posting a topic of choice.
I liked at the Zelda shirt. Thanks!
Yooo Hammond cool haircut 👌
I'm pretty sure the password cache of Chrome etc. uses your Windows user creds to encrypt the passwords, so accessing them would at least require some user action.
nope, Chrome uses Windows' CryptUnprotectData() if I remember correctly (I believe it is from the windows.h file).
Yeah nvm, as long as you are signed in you can call CryptUnprotectData, and dumping the passwords can easily be done in Python, lol.
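Several comments in this thread describe, between them, what a defender's triage rule for this kind of script keys on: the data leaves through a Discord webhook (and the webhook URL identifies the webhook, guild and channel for a report), the tokens are read from Chromium's "Local Storage\leveldb" directories of Discord and other Chromium-based browsers, and browser passwords go through CryptUnprotectData. The following is an added example, not code from the video or from the analyzed sample: a small static scanner that scores a Python file on those indicators and pulls out the webhook id for reporting while redacting the webhook token. The indicator names, weights, threshold and both sample scripts are constructed for this example.

```python
"""Static triage of a Python file for Discord token-stealer indicators.

Added example for this comment thread, not code from the video or from
the analyzed sample. The indicator strings are the ones the comments
mention (webhook exfiltration, the Chromium "Local Storage\\leveldb"
path, CryptUnprotectData); the weights and the two sample scripts below
are constructed for this example.
"""
import re
import sys

# Discord webhook URLs look like .../api/webhooks/<id>/<token>. The <id>
# is what goes into a report to Discord; the <token> is a live secret, so
# the report only keeps its first four characters.
WEBHOOK_RE = re.compile(
    r"https://discord(?:app)?\.com/api/webhooks/(\d+)/([A-Za-z0-9_-]+)"
)

# (name, pattern, weight). Weights are an assumption for this example, not a
# published scoring scheme; each indicator counts once no matter how often
# it appears.
INDICATORS = [
    ("discord_webhook_url", WEBHOOK_RE, 3),
    ("chromium_leveldb_path", re.compile(r"Local Storage[\\/]+leveldb", re.I), 2),
    ("dpapi_cryptunprotectdata", re.compile(r"CryptUnprotectData"), 2),
    ("browser_profile_dirs", re.compile(r"Google\\+Chrome|Opera Software|BraveSoftware", re.I), 1),
    ("appdata_env_lookup", re.compile(r"os\.getenv\(\s*['\"](?:LOCAL)?APPDATA['\"]"), 1),
]
VERDICT_THRESHOLD = 5  # assumption: a webhook plus one storage indicator is enough


def scan_text(source: str) -> dict:
    """Scan script text; return hit counts, a score, redacted webhooks and a verdict."""
    hits = {}
    score = 0
    for name, pattern, weight in INDICATORS:
        count = len(pattern.findall(source))
        if count:
            hits[name] = count
            score += weight
    webhooks = [{"id": wid, "token_prefix": tok[:4]}
                for wid, tok in WEBHOOK_RE.findall(source)]
    verdict = ("likely token stealer" if score >= VERDICT_THRESHOLD
               else "no strong indicators")
    return {"score": score, "hits": hits, "webhooks": webhooks, "verdict": verdict}


def scan_file(path: str) -> dict:
    """Scan a file on disk (decoding errors ignored so a binary does not abort the run)."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return scan_text(fh.read())


# Constructed stand-in for the kind of script discussed in the video: only the
# strings a triage rule keys on, no working logic. Id and token are fake.
SUSPICIOUS_SAMPLE = r'''
import os, json, requests
WEBHOOK = "https://discord.com/api/webhooks/000000000000000000/EXAMPLEtokenEXAMPLEtokenEXAMPLE"
local = os.getenv("LOCALAPPDATA")
roaming = os.getenv("APPDATA")
LEVELDB_SUFFIX = "\\Local Storage\\leveldb"
BROWSER_DIRS = ["Google\\Chrome", "Opera Software", "BraveSoftware"]
# passwords: decrypt with CryptUnprotectData, then post everything to WEBHOOK
'''

# Constructed benign bot so the scanner has a negative case.
BENIGN_SAMPLE = '''
import discord
client = discord.Client()
@client.event
async def on_message(message):
    if message.content == "!ping":
        await message.channel.send("pong")
'''


if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for path in targets:
            print(path, scan_file(path))
    else:
        print("suspicious:", scan_text(SUSPICIOUS_SAMPLE))
        print("benign:    ", scan_text(BENIGN_SAMPLE))
```

Run it with file paths to scan real files, or with no arguments to see the two constructed samples scored. The benign bot mentions "discord" all over and scores zero, because the rule keys on the exfiltration and storage strings rather than on the library name; the webhook id in the report is the value to give Discord when reporting, and the token is never written out in full.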
John! Do the thing!
Ok, seeing this premiere I think I can do two unfair bets right now. 1. Bet I'm subscribing here. 2. There's something malicious on my son's PC.
Depends if he downloaded it...
Ok John I stopped at second 0:36 as I have one question before I continue....What is the best Zelda game ?
Do you prefer Virtual Box over Hyper-V manager or other softwares? And if you have some spare time, I would love to know the reason behind your choice of Virtualization software! Kind regards.
I am entertained way more than watching LiveOverflow
Great video!
Pastebin actually denies the Wayback Machine in their robots.txt file:
User-agent: ia_archiver
Disallow: /
Shame - maybe Google webcache might work for finding deleted stuff since they disallow /raw but do allow the paste ID path
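The per-crawler reading of that robots.txt can be checked offline with the standard library's robots parser. This is an added example, not code from the video: the robots.txt text below is constructed, with the ia_archiver block being the one quoted in the comment and the Googlebot and wildcard blocks an assumption that models the "/raw is disallowed, the paste ID path is allowed" claim.

```python
"""Per-crawler robots.txt check with the standard library.

Added example for the Pastebin/Wayback comment above, not code from the
video. ROBOTS_TXT is constructed: the ia_archiver block is the one quoted
in the comment; the Googlebot and wildcard blocks are an assumption that
models the "/raw is disallowed, the paste id path is allowed" claim.
"""
from urllib.robotparser import RobotFileParser

SITE = "https://pastebin.com"  # only used to build absolute URLs for can_fetch

ROBOTS_TXT = """\
User-agent: ia_archiver
Disallow: /

User-agent: Googlebot
Disallow: /raw

User-agent: *
Disallow: /raw
"""


def build_parser(robots_text: str) -> RobotFileParser:
    """Parse robots.txt text without fetching anything over the network."""
    rp = RobotFileParser()
    rp.parse(robots_text.splitlines())
    return rp


def fetch_allowed(agent: str, path: str, robots_text: str = ROBOTS_TXT) -> bool:
    """True if `agent` may fetch `path` according to `robots_text`."""
    return build_parser(robots_text).can_fetch(agent, SITE + path)


def crawler_matrix(paths, agents=("ia_archiver", "Googlebot", "SomeOtherBot"),
                   robots_text: str = ROBOTS_TXT) -> dict:
    """Map each (agent, path) pair to its allow/deny answer."""
    return {(agent, path): fetch_allowed(agent, path, robots_text)
            for agent in agents for path in paths}


if __name__ == "__main__":
    # "/AbCd1234" stands in for a paste id path (constructed, not a real paste).
    for (agent, path), ok in crawler_matrix(["/", "/AbCd1234", "/raw/AbCd1234"]).items():
        print(f"{agent:14} {path:16} {'allowed' if ok else 'DENIED'}")
```

The matrix shows why the comment's suggestion is plausible: ia_archiver is denied everything, so the Wayback Machine has nothing, while a crawler matched by the Googlebot or wildcard block is only kept out of /raw and may have the rendered paste page cached. Note that the parser matches the agent by substring, so "ia_archiver/1.0" hits the same block.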
I believe it is also grabbing Chrome, Opera and Brave tokens. The file structure generated by get_tokens seems to also work for those other directories listed