John, you never fail to amaze me with your ability to decode and expose the malicious intentions behind these tricky scripts. Your dedication to educating and keeping us safe from cyber threats is truly commendable. Keep shining a light on the dark corners of the internet! 👨💻💡
Hey man, I don’t usually comment, but I just want to thank you for your videos. This is the second video that has helped my analysts wrap their heads around an incident we have had. Your excitement and ability to simplify what you are explaining while still keeping it technical is so awesome. I look forward to seeing more of what you come out with. Thanks John!
The part you called "randomness" in PowerShell was just some simple common PowerShell deobfuscation (pulling from essentially static items, like pulling portions of text from "Microsoft Windows" to deobfuscate), and then it compiled it to a C# code etc and it ran it with IEX near the end, alias for Invoke-Expression
@@gooniesfan7911 they will pull bits of text out of these strings in order to construct words that they can then reuse to make code to create more code and import things Like they might use the "d" from "Windows" as part of "dll" Or the "i" and "o" from "Microsoft" to be part of "invoke" If they do that with enough words, then nothing is hardcoded in their code, and it makes it much more difficult to automatically scan for
when you opened up the 40MB file, the extra nonsense is usually put to basically be to large for AV's to not detect it because they choke at large files.
This kind of stuff is really interesting to me. I don't quite have the dedication to learn all these little things and bits of knowledge, but it's always a fun watch to see someone break down how a piece of software functions. Keep it up!
@AtlasUltimate My Mate My Dear My Darling AAAH Just as i myself would like to phrase it.Well this kind of information technology stuff is really interesting to me. I also don't quite have the dedicationsince i myself been an Information Technology Graduate(thanks to my father decision :) to learn all these little nice technology thingys and bits of knowledge, but it's always a fun watch to see someone standup to the podium and magnificiently break down how a piece of software functions. Keep it up!
I did not understand a single word that was said in this video but it's very entertaining, also it makes me worried if I have any nasty malware on my pc
I just really like that at 11:52 one of the variables is called "women3". There's a bit of code that's "while(women3)". I don't know why this is so funny to me. I wonder if the variable names were randomly generated by an automatic obfuscator.
i just followed this channel. i feel like the western countries are oblivious to the fact Huawei is replacing ALL routers in Sri Lanka by selling it cheaper than anyone else(they are cheaper than other chinese routers) directly to ISP's. thought you should know
This is basically crawling through the computer to find certain file information. They're probably looking for a specific target but also gathering any useful bit of information that they can use in the future. Those web domain are probably host that will obfuscate things even more and send them somewhere else. Probably to another domain or through onions. It was pretty interesting to see it still kind of worked without a it's proper cwscript. Which it needed to grab from the first 3 web domain. Probably have it hidden in plain text and the first level of attack knows how to scrape the plain text and assemble it into a readable script while obfuscating it at the same time. I'm also talking out of my ass.
I'm just a regular PC user and most of that went over my head real quick, but you made it sound so interesting! I'm subscribing, maybe I'll actually learn something!
I understood "Control A" the rest was an alien language, when you executed the file I questioned "if I watch this will it spill over on my pc?" Wow this was entertaining, thank you Sir, AMAZING yet FREAKY.
Hey John, if I wanted to work my way through your playlists to build foundational, working knowledge towards becoming a cyber security professional, where would you point me to? Your channel is 10/10 you've done incredibly well.
This is so fun! The malware developer is really good at programming. Hope he or she does something good instead only evil. Such people are valuable for the society. They can make really good programs and have extensive knowledge about Windows API. The use of Javascript, Powershell with TLS 1.2 as outbound connection. Really awesome work, thanks John!
i got randomly recommended this video, and i got to say that youtube is on to something. i didnt even realize im interested in malware, but youtube did
I am always of the opinion you can see and hear when someone is skilled in their abilities even if you do not speak that language, and this dude is skilled
John. I don’t understand a damn word you’re speaking. As a matter of fact, I have no business watching this. I have no idea how or why I’m here, and I have no idea how or why I’m 23 minutes balls deep into this video. But you bet your ass I’m gonna see this through John. None the lesser. Right? I think. I don’t know. Seems worth it. For reasons, that I will someday know. Thank you?
The book you were reading was Volume 28 on Shelf 4 of Wall 1 of Hexagon: 0kro5a1299530gehm2g8v34iwb5tj57hjgzz6uenx95y9cp6928na05sms3k8chkmd1rlg38p75nczi9dibejq0wywxdh6dwbz04am7eqdyseuvinwrcyd9gjobgu9t3gb84gpm13sa4oynl9e67rl48q0iry1o5vsc3m8ljvnt84ugqwzv5hy9no4chl4cszt2546x74s03cqddy1coszk79eaupmmvidi6wz806kllixxs280147tgekoj66ne8l2vfcla4h6wtp4k2205xqs30wuzdbqvh7jnbkibrdpri3voqq80kjywgrwjj13ub71j7piis4nxibiv4i0flm0s4z2c8lf91p1qkpcw7txq24tijtt0fwdh5la9bm9y42t1uc33qlkltwshulaigr3bz2qk5zx5phoyyrvq9sos464jiq2702jfzf84xbwi8232jcj8kuzu1tvb61gu2qp8i1xjlsq56a8bnbiytjdvtn7p1kq5qknn4nksgxuvpyluk2zn4zg9oeptsx06gpf48h4ysned0d0na5mbjtlgejp9vv4psuiheg6695n9r6e10sbms56hebre76qamua32dfrdzueizhtnkfwke0wfwsr0tfrmeyixa09s5remtc4ikn3ciqirljgb87zl06l1kx5p92camrbykzjwyf3see3lvyd1upjkfkxfde0vxmiogf01dkdemypcep6m4g9i849kixc7vo1jc7th38s5uuyfd4v8mt5eo3v3o01ckaq6c62ixyac7c41ut2waohwmn6tgr8xkr71qbt3jqr0n55226n9hzgzeqe95epg34do2zhwwlm60ynqb7wjmnkym3adufrlqah35olcg4bvtgdbfof4tk8fiz1fi9hntdbrj3vh2ys5m5ffot0rkuz6jagwvvjja431025mwe1d8ps8ecm7xwkzttj52zgs55satbzg4k72ral9dkj9rzhhcyqmdte3qcll5ylwy804p7nvxxrfuvpy3s92eg6wluzv14j1tiseeiup66ckngfdudds934zx92myrag51o7vmawtu22nmxy0hd9dv6fth2pkb9ikchssardg49eyd0540op2a0xquuncdkkp57wit9gk1hn3w8rles6eyn33mnd87c39zhp49p01dcj9wr11ftnlf2uq2pgce7m866n1ayh8j8mlv3mrjjufk6hju3lebsfv5br6hehmuod5gqp3m9non8zsozbf45dooyugm0446vgihsbgmlazpfe3zyih7puts0utca1wdhcysixrx2dy7ctmjy8gzvq9frwrh0zhbw0w9c4cepwdyqvvhsq1imzzl9g5to012a8caek3x6c2ghxlrfeizz6ik9d4dy54m7mdzmkshuwv7cpe2awogc2jmxiqnvvq95lqo7t23qm9rjqmf277k2chjel98e9o2mrk5qmj6xp8qcat2b1eir4oqh4iojy33yvb8vcdacmb1nrhil8t9glnr7r5e875ycih3xk9sqf0u0zcfb12zbvr5ug4vh3cb6c6yx1ndtu931in73dfvcsiyzlebdorrmnqd12wsrrvydswk06nwpm6x2of9fypnla0n1vlblg3412xoyu17fxh55dlfs3a4n0ujy1z612hmeetqxsdz5kat70ylndwik34anufi91o4h5tlqw2andp26yv602feg2u2upreyu0rh5ed1m5utu1ne10fge535eacgtl6v7sskkhdzc4o7sttiwin72kxdpljflr9ym9w9bf3njoasqipumcfx7eukdcdj3fqww4um9mk8cho1ml5al9nejbfk8flyd4m383tq5lzmjgwzicqsnkhj8jwr59rc0jvym5ss7u6e3bu99x000sfbs6bwqcsglzky69k974ijd5lvlj3a4o10rp0w9np3syhp1zk5wnu85x78fjngfxem2cy6arqo5ypt7nvj1thodusp4wntjjt4hsf3nuya82sfyuwopozezqw0fzectg88f1i4irfrpb8y8i53rq78vr34ued4j5su3y80yb9lsqwpc5frtvbsip16qcq7g42bmmc2mwwf1inz4r06d6uhgc0r8fgwhqgujd6hm8759q8c3u6etqvkbhnlmp410c9sjzsyjmtmangrlwpibes9ca8ezz61qcyrvlra33nuerb4igtbpy2nex98w1qqzzooml94c1cvmb300kfb6y4v0pk8uvshpuppu5lj2vpcptnuyubaroid4eievyduwjzzecnc8ew4ixzu9fsanff39fp6kza3e2yi1dqxdyufgl7hb89jc3azcvhxynfa4q33muv78po8ycq79n490oq2yet8o4kgmjkqy5ny76d8aejy2r2eaw7bb3t6nd97wgbkorbuc6uxjd5f8qgpbomyk3aiq7ss3kjx8n6l44xrcdpg6ucpouio4bauoy79d5fr8wwx6ji7x6l5anlrhasvtcmbb5xjbqgcme6n3fu0beu10xm8e19ojmw3nty8ca294s873cz4m9hlg7gajirgw28e6162il0s0bmywgui9l1gzp8yp8ht9051pwdgmsmvnbqapn5osgyv5x8m6z6vxhiirf4p9gflkj8n2hr8qmh46getjipc260gyg59yqmltpwqb4v3oy7rgl6mo1ufecxbiukqvouuh5grqj0yzevkn8dttu2i5rekdenim9chzeelze8bru2vgxa20c9r48d2712o0xkzamvdu1upnmkn80v9eh18tm7moiza6gkpe8b0cw8d620upv9rm78jk1gzh5p74epeansl13rc9pv6sn7zqh8afup40uksorplonsjcbbq4mredsapmyg2bjig4qdzdpflzuaro0nvatzk41ec2qapd39l1dq4vn02un67ijym0c695iwoapdipr85nm6chjcwq2ygvj050uw7gnow5thucaojlkd1kg5iswkpgxor9v8zoazqv1jjhpai2dw5ao15yydn3rz1yfv1kqjfgbcdfh362aoytkusa3vtylrlaloftsnjlyptlbiz0y816dvx7wn81003596z37rl56fprdwmc52nrpxqoxtfh6z5hd1mzipjfcipglfxxigfj3mbtgda6tbznjeoejdfmdmfc95dk43y7v8v79p99ult1373audlng6gdyvagvc05mzaj7808l6w6fyzlru6ohqiazvs6kswlgnjh3snwv
Hey John, nice video and analysis as always! Just curious, did you ever go back to those UserAssist reg values to see what they were? Any persistence perhaps? I don't think the mandiant and redcanary articles mentioned them.
Wow. I love how you just fly through this and make it look as easy as taking candy from a baby. And relatively speaking, I'm like...what is malware?!?!?
These videos always inspire me. I kept getting emails that got past my Gmail spam subject just random letters etc opened it into a VM. Turns out just linked to some website that linked to a few bitcoin addresses with billions worth of coin based in Russia
Рік тому+9
Great informative video. I barely understand any of this but it's still interesting how the process of analysis goes and what tools are used. I probably unconsciously learned something here. 😋
I think the malware *posts* cookies to the websites linked. I dont know anything of code, but i do know it posts information to the websites because it only accepts POST.
Not sure if you're aware, but piping grep to cat is redundant. You can just use your grep flags/args followed by the filename and it will do the same thing.
Just a couple of notes about parsing the diff: - You _do not_ need to `cat | grep`, as grep accepts a file as an argument (grep 'expression' file) - While maybe not great for a video, sed or awk would be better suited here - sed: `sed -n '/^-.*/p;s/^-//' difference > bad.js` - awk: awk '/^-.*/ { print substr($0, 2) }' difference > bad.js
Why don't you work with backup images like Acronis, if you are worried about infecting your VM? You can already have all your tools baked in to the image and flatten your testbed once you are done. Then there is no problem connecting to the internet.
The insane number of characters in the interactions design.js was just to bloat the file so the anti-virus didn't check it right? edit: lol nvmd I just had to get to the end of the video
Great work as usual. Probably dumb nbee question but would there be a way to set up a locally connected server with one of the domain names called out in the code to see what the exfiltrated info is and /or what other connections are established?
I have a feeling the randomness of the Interaction Design.js is likely because it's hosted on a platform that is unable to virus scan large files like the google platform will refuse to scan large files, The feeling I have is if it makes the file big enough it can't scan it
Having used in-editor prettifiers for decades that just format code on a single key shortcut or on save, i can't express how much it pains me to see you use online prettifiers or doing it by hand 🙈
I remember i looked up poop in my file search (i am a big child) because i thought it would be funny. There were some stuff like pngs from games and then there was just "poop" and internet shortcut, i have no idea where it lead to or anything about it. I left it kinda weirded out and a few weeks later i remembered it and wanted to know where it went but when i looked it up again it was just gone.
I wonder if backloading that one .js file with junk code is an attempt to make the file unreadable to the average user, through either attempting to crash the text editor, or just increasing load time to a point where the average user would go "it's probably fine".
12:10 crap is likely to skip scanning by windows av. Software like that have limits to not freeze your machine while scanning your 50GB wedding video, and that's why its likely that this bs at the end is to disguise it as some file to big to be scanned.
You opened Task Scheduler, but you never went INTO the Task Library, you could have looked at the Scheduled Task there without messing with the dummy .exe file.
12:04 "it ends with a semicolon"... well, at least the gibberish is politely syntaxed btw, I think anyone who likes watching this sort of thing would like the documentary "Zero Days (2016)" about the story behind the amazing global Stuxnet virus
Thx for this analysis. But actually i miss a very important part. How can we protect our windows machines so that in case a dumb user in our company tries to run the malware it is not executed? How can i prevent that javascript code is executed? Thx for any comment.
Dynamic analysis?! The easy way isn't always the best or most fun. My upcoming intermediate malware analysis course will show students how to plain text this payload in under an hour.
Been working on EDR evasion techniques recently, specifically around attack surface rules and in one of the tests we did similar randomness before or after the malicious code and it executed just fine with the asr rule for obfuscated javascript being set to block. Perhaps this is a similar technique being used here? I dont know! Curious is all.
i wonder if chatgpt can do anything helpful, like trying to name all variables after the function they serve or finding malicious lines or giving you a summary of what the code does, it has done that for me before but I don't know how reliable it might be for that purpose
John, you never fail to amaze me with your ability to decode and expose the malicious intentions behind these tricky scripts. Your dedication to educating and keeping us safe from cyber threats is truly commendable. Keep shining a light on the dark corners of the internet! 👨💻💡
😮-)😊9
That was a really interesting idea, to have extra malicious code in between the "real" code. Great Video!
Not as innovative as you believe
@@ShinigamiAnger well I took a big break from coding and malware stuff so I don't know how innovative or how smart it is. Sounded pretty smart to me!
@@tomasofficial. that's pretty common, but yeah the concept is really interesting!
I thought of this idea lol or just put the malware at the bottom
@@whathaveicreated1197 that's even older (and worse compared to blending and distributing it into actual code)
Hey man, I don’t usually comment, but I just want to thank you for your videos. This is the second video that has helped my analysts wrap their heads around an incident we have had. Your excitement and ability to simplify what you are explaining while still keeping it technical is so awesome. I look forward to seeing more of what you come out with. Thanks John!
The part you called "randomness" in PowerShell was just some simple common PowerShell deobfuscation (pulling from essentially static items, like pulling portions of text from "Microsoft Windows" to deobfuscate), and then it compiled it to a C# code etc and it ran it with IEX near the end, alias for Invoke-Expression
This really doesn't look like much except an email-style malware dropper like I have been seeing since 2014, easy
This comment needs more likes. Thanks for the clarification!
@@gooniesfan7911 they will pull bits of text out of these strings in order to construct words that they can then reuse to make code to create more code and import things
Like they might use the "d" from "Windows" as part of "dll"
Or the "i" and "o" from "Microsoft" to be part of "invoke"
If they do that with enough words, then nothing is hardcoded in their code, and it makes it much more difficult to automatically scan for
You literally know every single shortcut ever, shortcuts, libraries to help you and regex, what a skill set! Keep it up man!
when you opened up the 40MB file, the extra nonsense is usually put to basically be to large for AV's to not detect it because they choke at large files.
This is exactly the reason why
Shows how shit your average AV is
@@biscuit715You mean most if not all, as almost all Anti-Virus's struggle to or won't read bigger files
This kind of stuff is really interesting to me. I don't quite have the dedication to learn all these little things and bits of knowledge, but it's always a fun watch to see someone break down how a piece of software functions. Keep it up!
@AtlasUltimate My Mate My Dear My Darling AAAH Just as i myself would like to phrase it.Well this kind of information technology stuff is really interesting to me. I also don't quite have the dedicationsince i myself been an Information Technology Graduate(thanks to my father decision :) to learn all these little nice technology thingys and bits of knowledge, but it's always a fun watch to see someone standup to the podium and magnificiently break down how a piece of software functions. Keep it up!
I am a complete novice in the software field, but listening and watching you go through this malware has been fascinating
I love watching you parse through these sort of scripts. It always looks like so much fun
I can help you to retrieve your hacked account
I did not understand a single word that was said in this video but it's very entertaining, also it makes me worried if I have any nasty malware on my pc
I just really like that at 11:52 one of the variables is called "women3". There's a bit of code that's "while(women3)".
I don't know why this is so funny to me. I wonder if the variable names were randomly generated by an automatic obfuscator.
lol, i saw the same thing, was also caught off guard by a var called "+pee"
ive seen 'd01t_pusi' a few times looking at wierd code
i just followed this channel.
i feel like the western countries are oblivious to the fact Huawei is replacing ALL routers in Sri Lanka by selling it cheaper than anyone else(they are cheaper than other chinese routers) directly to ISP's.
thought you should know
This is basically crawling through the computer to find certain file information. They're probably looking for a specific target but also gathering any useful bit of information that they can use in the future. Those web domain are probably host that will obfuscate things even more and send them somewhere else. Probably to another domain or through onions. It was pretty interesting to see it still kind of worked without a it's proper cwscript. Which it needed to grab from the first 3 web domain. Probably have it hidden in plain text and the first level of attack knows how to scrape the plain text and assemble it into a readable script while obfuscating it at the same time. I'm also talking out of my ass.
I'm just a regular PC user and most of that went over my head real quick, but you made it sound so interesting! I'm subscribing, maybe I'll actually learn something!
Top notch cyber forensics content. This may not be my field of word but I enjoy watching these videos. Thanks for your work.
the part where you said would take a long time, and how you just want to see it explode, that's the part that is actually interesting to watch.
I understood "Control A" the rest was an alien language, when you executed the file I questioned "if I watch this will it spill over on my pc?" Wow this was entertaining, thank you Sir, AMAZING yet FREAKY.
Keep up the amazing work. Hope you don't get hurt by youtube's evil attempt to push shorts.
outside of YT's greed, shorts are a great feature imo
Evil? People who use hyperbole casually are super annoying.
Very nice to see the tear down of this. There's a ton of obfuscation!
WOW, I came here from the interview with David Bombal and this is the first video I see. I am absolutely amazed at what is happening.
Hey John, if I wanted to work my way through your playlists to build foundational, working knowledge towards becoming a cyber security professional, where would you point me to? Your channel is 10/10 you've done incredibly well.
He got me on his computer 😳
Please dont extract me…
0:00
Really nice. Like how you pull this apart in an easy and understandable way. Waiting for the next one.
John,
I would recommand you to stop using sysinternals tools bc new malware are checking process to know if you are running sysinternals
And run what other tools in their place?
This man could really decode dino dna himself, no dr. Wu needed. Great video, did not follow it but man a crazy trip.
You've probably heard this a million times but I'll say it anyway: You don't need to pipe cat into grep ;)
12:05 "At the very top, there is stuff." The only thing I understood during the whole video. Jesus this looks complicated.
Some AV tools will avoid large payloads, eg some inline firewalls with a/v security and other options may not have enough ram to look at everything.
This is so fun! The malware developer is really good at programming. Hope he or she does something good instead only evil. Such people are valuable for the society. They can make really good programs and have extensive knowledge about Windows API. The use of Javascript, Powershell with TLS 1.2 as outbound connection. Really awesome work, thanks John!
I think people turn rouge because of less opportunities or personal grudges.
i got randomly recommended this video, and i got to say that youtube is on to something.
i didnt even realize im interested in malware, but youtube did
I am always of the opinion you can see and hear when someone is skilled in their abilities even if you do not speak that language, and this dude is skilled
Honestly I was expecting him to run it on a vm and title it "Downolading random files until my pc dies part 69"
John. I don’t understand a damn word you’re speaking. As a matter of fact, I have no business watching this. I have no idea how or why I’m here, and I have no idea how or why I’m 23 minutes balls deep into this video. But you bet your ass I’m gonna see this through John. None the lesser. Right? I think. I don’t know. Seems worth it. For reasons, that I will someday know. Thank you?
holy fuck.....the way you work is inspiring. bro ive never seen any one use a computer like you do..,to me this is impressive
The book you were reading was Volume 28 on Shelf 4 of Wall 1 of Hexagon: 0kro5a1299530gehm2g8v34iwb5tj57hjgzz6uenx95y9cp6928na05sms3k8chkmd1rlg38p75nczi9dibejq0wywxdh6dwbz04am7eqdyseuvinwrcyd9gjobgu9t3gb84gpm13sa4oynl9e67rl48q0iry1o5vsc3m8ljvnt84ugqwzv5hy9no4chl4cszt2546x74s03cqddy1coszk79eaupmmvidi6wz806kllixxs280147tgekoj66ne8l2vfcla4h6wtp4k2205xqs30wuzdbqvh7jnbkibrdpri3voqq80kjywgrwjj13ub71j7piis4nxibiv4i0flm0s4z2c8lf91p1qkpcw7txq24tijtt0fwdh5la9bm9y42t1uc33qlkltwshulaigr3bz2qk5zx5phoyyrvq9sos464jiq2702jfzf84xbwi8232jcj8kuzu1tvb61gu2qp8i1xjlsq56a8bnbiytjdvtn7p1kq5qknn4nksgxuvpyluk2zn4zg9oeptsx06gpf48h4ysned0d0na5mbjtlgejp9vv4psuiheg6695n9r6e10sbms56hebre76qamua32dfrdzueizhtnkfwke0wfwsr0tfrmeyixa09s5remtc4ikn3ciqirljgb87zl06l1kx5p92camrbykzjwyf3see3lvyd1upjkfkxfde0vxmiogf01dkdemypcep6m4g9i849kixc7vo1jc7th38s5uuyfd4v8mt5eo3v3o01ckaq6c62ixyac7c41ut2waohwmn6tgr8xkr71qbt3jqr0n55226n9hzgzeqe95epg34do2zhwwlm60ynqb7wjmnkym3adufrlqah35olcg4bvtgdbfof4tk8fiz1fi9hntdbrj3vh2ys5m5ffot0rkuz6jagwvvjja431025mwe1d8ps8ecm7xwkzttj52zgs55satbzg4k72ral9dkj9rzhhcyqmdte3qcll5ylwy804p7nvxxrfuvpy3s92eg6wluzv14j1tiseeiup66ckngfdudds934zx92myrag51o7vmawtu22nmxy0hd9dv6fth2pkb9ikchssardg49eyd0540op2a0xquuncdkkp57wit9gk1hn3w8rles6eyn33mnd87c39zhp49p01dcj9wr11ftnlf2uq2pgce7m866n1ayh8j8mlv3mrjjufk6hju3lebsfv5br6hehmuod5gqp3m9non8zsozbf45dooyugm0446vgihsbgmlazpfe3zyih7puts0utca1wdhcysixrx2dy7ctmjy8gzvq9frwrh0zhbw0w9c4cepwdyqvvhsq1imzzl9g5to012a8caek3x6c2ghxlrfeizz6ik9d4dy54m7mdzmkshuwv7cpe2awogc2jmxiqnvvq95lqo7t23qm9rjqmf277k2chjel98e9o2mrk5qmj6xp8qcat2b1eir4oqh4iojy33yvb8vcdacmb1nrhil8t9glnr7r5e875ycih3xk9sqf0u0zcfb12zbvr5ug4vh3cb6c6yx1ndtu931in73dfvcsiyzlebdorrmnqd12wsrrvydswk06nwpm6x2of9fypnla0n1vlblg3412xoyu17fxh55dlfs3a4n0ujy1z612hmeetqxsdz5kat70ylndwik34anufi91o4h5tlqw2andp26yv602feg2u2upreyu0rh5ed1m5utu1ne10fge535eacgtl6v7sskkhdzc4o7sttiwin72kxdpljflr9ym9w9bf3njoasqipumcfx7eukdcdj3fqww4um9mk8cho1ml5al9nejbfk8flyd4m383tq5lzmjgwzicqsnkhj8jwr59rc0jvym5ss7u6e3bu99x000sfbs6bwqcsglzky69k974ijd5lvlj3a4o10rp0w9np3syhp1zk5wnu85x78fjngfxem2cy6arqo5ypt7nvj1thodusp4wntjjt4hsf3nuya82sfyuwopozezqw0fzectg88f1i4irfrpb8y8i53rq78vr34ued4j5su3y80yb9lsqwpc5frtvbsip16qcq7g42bmmc2mwwf1inz4r06d6uhgc0r8fgwhqgujd6hm8759q8c3u6etqvkbhnlmp410c9sjzsyjmtmangrlwpibes9ca8ezz61qcyrvlra33nuerb4igtbpy2nex98w1qqzzooml94c1cvmb300kfb6y4v0pk8uvshpuppu5lj2vpcptnuyubaroid4eievyduwjzzecnc8ew4ixzu9fsanff39fp6kza3e2yi1dqxdyufgl7hb89jc3azcvhxynfa4q33muv78po8ycq79n490oq2yet8o4kgmjkqy5ny76d8aejy2r2eaw7bb3t6nd97wgbkorbuc6uxjd5f8qgpbomyk3aiq7ss3kjx8n6l44xrcdpg6ucpouio4bauoy79d5fr8wwx6ji7x6l5anlrhasvtcmbb5xjbqgcme6n3fu0beu10xm8e19ojmw3nty8ca294s873cz4m9hlg7gajirgw28e6162il0s0bmywgui9l1gzp8yp8ht9051pwdgmsmvnbqapn5osgyv5x8m6z6vxhiirf4p9gflkj8n2hr8qmh46getjipc260gyg59yqmltpwqb4v3oy7rgl6mo1ufecxbiukqvouuh5grqj0yzevkn8dttu2i5rekdenim9chzeelze8bru2vgxa20c9r48d2712o0xkzamvdu1upnmkn80v9eh18tm7moiza6gkpe8b0cw8d620upv9rm78jk1gzh5p74epeansl13rc9pv6sn7zqh8afup40uksorplonsjcbbq4mredsapmyg2bjig4qdzdpflzuaro0nvatzk41ec2qapd39l1dq4vn02un67ijym0c695iwoapdipr85nm6chjcwq2ygvj050uw7gnow5thucaojlkd1kg5iswkpgxor9v8zoazqv1jjhpai2dw5ao15yydn3rz1yfv1kqjfgbcdfh362aoytkusa3vtylrlaloftsnjlyptlbiz0y816dvx7wn81003596z37rl56fprdwmc52nrpxqoxtfh6z5hd1mzipjfcipglfxxigfj3mbtgda6tbznjeoejdfmdmfc95dk43y7v8v79p99ult1373audlng6gdyvagvc05mzaj7808l6w6fyzlru6ohqiazvs6kswlgnjh3snwv
"johnhammond
Hey John, nice video and analysis as always!
Just curious, did you ever go back to those UserAssist reg values to see what they were? Any persistence perhaps? I don't think the mandiant and redcanary articles mentioned them.
this is why we should nerf genji
That video was amazing thanks for that exploration John!
Wow. I love how you just fly through this and make it look as easy as taking candy from a baby. And relatively speaking, I'm like...what is malware?!?!?
These videos always inspire me. I kept getting emails that got past my Gmail spam subject just random letters etc opened it into a VM. Turns out just linked to some website that linked to a few bitcoin addresses with billions worth of coin based in Russia
Great informative video. I barely understand any of this but it's still interesting how the process of analysis goes and what tools are used.
I probably unconsciously learned something here. 😋
bro knows sublime like the back of his hand jeez
as a malware enthusiast these videos are so amazingly entertaining
in patch files, the lines that start with - are the ones that got removed, and the ones starting with + are the ones that got added
I think the malware *posts* cookies to the websites linked. I dont know anything of code, but i do know it posts information to the websites because it only accepts POST.
Not sure if you're aware, but piping grep to cat is redundant. You can just use your grep flags/args followed by the filename and it will do the same thing.
That strange file is blowing my mind 🤯🤯🤯🤯🤯🤯🤯🤯🤯🤯
John post the file-hash so we can follow along if needed.
Awsome as ever. But do not pipe a file into grep with cat, when you can just use grep without it. ;o)
Just a couple of notes about parsing the diff:
- You _do not_ need to `cat | grep`, as grep accepts a file as an argument (grep 'expression' file)
- While maybe not great for a video, sed or awk would be better suited here
- sed: `sed -n '/^-.*/p;s/^-//' difference > bad.js`
- awk: awk '/^-.*/ { print substr($0, 2) }' difference > bad.js
Why don't you work with backup images like Acronis, if you are worried about infecting your VM? You can already have all your tools baked in to the image and flatten your testbed once you are done. Then there is no problem connecting to the internet.
That maltebauer site is some type of movie review blog that was seemingly commandeered.
The insane number of characters in the interactions design.js was just to bloat the file so the anti-virus didn't check it right?
edit: lol nvmd I just had to get to the end of the video
Great work as usual. Probably dumb nbee question but would there be a way to set up a locally connected server with one of the domain names called out in the code to see what the exfiltrated info is and /or what other connections are established?
Aside from using tcpdump and nmap?
Meld is my favorite diff tool. Works great for git repositories
Yep, started watching this video, and was under attack the second it started. I think we have some bad actors that must be out of work.
Fascinating from both sides.
12:25 Theres alot of nonsense to maybe prevent amateurs from opening / virus scanning it.
Since notepad will definitely crash..
Rather than doing: cat FILENAME | grep '^-'
and then trimming the leading hyphens in your editor, you can do: grep '^-' FILENAME | cut -d'-' -f2-
Crazy reverse enginering !!.. 🎉
They probably padded the .js with random garbage at the end so that AVs would be less likely to scan it due to the file size.
I was looking for the Jurassic Park John Hammond but this is good enough
I have a feeling the randomness of the Interaction Design.js is likely because it's hosted on a platform that is unable to virus scan large files like the google platform will refuse to scan large files, The feeling I have is if it makes the file big enough it can't scan it
All executable file attachments get deleted here. Same for all ZIP, RAR, MSI, CAB, etc.
Having used in-editor prettifiers for decades that just format code on a single key shortcut or on save, i can't express how much it pains me to see you use online prettifiers or doing it by hand 🙈
I remember i looked up poop in my file search (i am a big child) because i thought it would be funny.
There were some stuff like pngs from games and then there was just "poop" and internet shortcut, i have no idea where it lead to or anything about it.
I left it kinda weirded out and a few weeks later i remembered it and wanted to know where it went but when i looked it up again it was just gone.
Man with how many itch games I download I could just have a zip like that sitting in my downloads folder... Time to do a check
This is so awesome - learning so much.
I wonder if backloading that one .js file with junk code is an attempt to make the file unreadable to the average user, through either attempting to crash the text editor, or just increasing load time to a point where the average user would go "it's probably fine".
12:22
The hilarious part and I love it XD
12:10 crap is likely to skip scanning by windows av. Software like that have limits to not freeze your machine while scanning your 50GB wedding video, and that's why its likely that this bs at the end is to disguise it as some file to big to be scanned.
DAMN BRO UR CRACKED. I love watching this. I subbed
been needing this kind of info. epic.
If a file doesant delete press alt + shift + delete and then press delete
Thank's john, keep it up!
You opened Task Scheduler, but you never went INTO the Task Library, you could have looked at the Scheduled Task there without messing with the dummy .exe file.
Was about to comment the same thing: You need to actually click the entries in the tree to see the tasks that are scheduled.
12:04 "it ends with a semicolon"... well, at least the gibberish is politely syntaxed
btw, I think anyone who likes watching this sort of thing would like the documentary "Zero Days (2016)" about the story behind the amazing global Stuxnet virus
Everyone gangsta until powershell opens itself
Please don't use cat | grep - either do "grep whatever filename" or "grep whatever < filename"
I suspected you didn't know what you were doing when you cat | grep'ed and the rest of the video proved me right.
Seth Rogen made a guest appearance at 18:33 🤣
Are you using administrative access to Windows? How is the script able to modify registry key?
That was really cool to watch!
so how do we protect ourselves from this?
Thx for this analysis. But actually i miss a very important part. How can we protect our windows machines so that in case a dumb user in our company tries to run the malware it is not executed?
How can i prevent that javascript code is executed? Thx for any comment.
Malwarebytes
Dynamic analysis?! The easy way isn't always the best or most fun. My upcoming intermediate malware analysis course will show students how to plain text this payload in under an hour.
It also sends itself to every connected device... sigh
Anyone else remember a drive by download called "your mortgage payments"?
This was really interesting. Very informative. Never knew such devils things.
Been working on EDR evasion techniques recently, specifically around attack surface rules and in one of the tests we did similar randomness before or after the malicious code and it executed just fine with the asr rule for obfuscated javascript being set to block. Perhaps this is a similar technique being used here? I dont know! Curious is all.
Csc.exe is the visual c command line compiler. Still wonder what it is compiling tough, maybe the random dats in the file?
i wonder if chatgpt can do anything helpful, like trying to name all variables after the function they serve or finding malicious lines or giving you a summary of what the code does, it has done that for me before but I don't know how reliable it might be for that purpose
Didn’t know Seth Rogan was this adept at cybersecurity
Interesting!!, Thanks John
i understand nothing but its interesting to watch
A lot of times that random junk that you saw is not actually junk but encrypted code.
You just get this in your reccomended 💀💀
please take video some fileless persistence methods
I have 4gb of old viruses and malware. Analysed a few of them under DOS using debug. Burger virus, parity 411 etc.
Very educational for , thank you!