Hello! Welcome to the pinned comment for this video, and thanks for watching! Updates: 00:24:00: I followed up on this thought, and RAT King Parser now supports parsing XWorm configs! Check out my GitHub for more info.
@micha7863 · 5 months ago
Once again, awesome job, thanks.
@jeFF0Falltrades · 5 months ago
@@micha7863 Thanks so much and thanks for being here 🙏
@Jarvx · 5 months ago
The most amazing RE channel on the whole of YouTube; still watching the series, but just wanted to point that out :)
@jeFF0Falltrades · 5 months ago
@@Jarvx Stahppppp 🥰 Seriously thanks for watching and being here 🙏
@its_fzx5275 · 5 months ago
I really liked the first couple of episodes about the basics in this series. Perhaps you could make a video where you reverse engineer a game like GTA Vice City or any old game, but tailored for beginners? I know you have the roller coaster video, but I think a more beginner-friendly one would be better, plus the game is really old. Thanks for taking the time to read the comment.
@jeFF0Falltrades · 5 months ago
Yeah I think we’ll be due for another game-based video soon as many people (myself included) have so much fun with those, and they are great for learning the basics while keeping things fun. Thanks for the suggestion!
@wittingsun7856 · 5 months ago
Good job! A video with more advanced topics explained clearly (like manual unpacking, handling anti-analysis techniques, obfuscation...) would be amazing 👏🏻
@jeFF0Falltrades · 5 months ago
@@wittingsun7856 Great suggestion! I wanted to start with the basics, but I think a follow-up video with more advanced techniques is called for, too. I’ll add that to the list :-)
@wittingsun7856 · 5 months ago
@@jeFF0Falltrades I'm happy to hear this, it definitely can't miss 😎
@M3STERL3G3ND · 5 months ago
this is gold
@jeFF0Falltrades · 5 months ago
@@M3STERL3G3ND So glad you think so ❤️ Really appreciate you watching, and the kind words
@moshedo7975 · 4 months ago
Is there a chance to see the actual network traffic in Burp? On the Linux machine?
@jeFF0Falltrades · 4 months ago
@@moshedo7975 Do you mean is it possible to see network traffic using just Burp?
@moshedo7975 · 4 months ago
@@jeFF0Falltrades I'm asking in case I followed your configuration in this vid: is there a chance to see actual decrypted HTTPS traffic in Burp?
@jeFF0Falltrades · 4 months ago
@@moshedo7975 If you follow the configuration in the video, then you will be able to see HTTPS traffic in Burp, yes! You would see the same traffic - and more than HTTPS - logged in INetSim as that’s our primary network logging on the Remnux box. You could intercept traffic in Burp as well, but you would have to configure multiple proxies and also keep INetSim or some other service running to forward the requests to. EDIT: The traffic would be in Burp under Proxy->HTTP History by the way
@moshedo7975 · 4 months ago
@@jeFF0Falltrades So I messed up somehow because I don't see that
@jeFF0Falltrades · 4 months ago
@@moshedo7975 Okay, we can troubleshoot: Are you able to do a simple ping from your Windows VM to your Remnux VM? If so, can you pull a web page on the Windows VM while INetSim runs on your Remnux VM?
@xiaonguyen6693 · 5 months ago
Won't running e.g. Procmon or IDA be detected by a lot of malware?
@jeFF0Falltrades · 5 months ago
@@xiaonguyen6693 Great question! Some families might have “stoplists” of processes they might monitor for and stop working if they detect them running written into the malware program, as an anti-sandbox measure. But it’s very easy to bypass this as the analyst: In fact, there’s a blog post on Medium by Mohammed Dief that’s a good example of this where he just changes a few attributes of the procmon executable to bypass a video game (of all things) program that checks for procmon as an anti-debug measure. So what I would say is: If it looks like a piece of malware is not running fully or you’re not getting results you expect, either throw it in a debugger like we do with Royal ransomware here to find out more OR, more simply, just experiment with your monitoring tools to see if closing one of them changes the behavior of the malware. That’s the benefit of using a hands-on lab, vs. a fully automated one. Thanks and good thinking!
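As an added example (not code from the video or from the commenter), a small triage script that flags analysis-tool process names embedded in a sample as ASCII or UTF-16LE strings, which is a quick way to spot the kind of process "stoplist" described above before detonating a sample; the tool list and the sample bytes are constructed for illustration.

```python
import re

# Constructed, illustrative list of analysis-tool process names that
# anti-analysis stoplists commonly compare running process names against.
ANALYSIS_TOOLS = {
    "procmon.exe", "procmon64.exe", "ida.exe", "ida64.exe",
    "x64dbg.exe", "wireshark.exe", "procexp.exe", "fiddler.exe",
}

# Constructed sample bytes standing in for a Windows binary: one tool name
# stored as ASCII, one as UTF-16LE (common in .NET samples), plus noise.
SAMPLE = (
    b"MZ\x90\x00junk\x00procmon.exe\x00more\x00"
    + "ida64.exe".encode("utf-16-le") + b"\x00\x00"
    + "TcpView.exe".encode("utf-16-le") + b"\x00\x00"
    + b"notepad.exe\x00"
)


def extract_strings(data: bytes, min_len: int = 5):
    """Yield printable ASCII and UTF-16LE strings of at least min_len chars."""
    # ASCII: runs of printable bytes
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group().decode("ascii")
    # UTF-16LE: printable byte followed by a NUL, repeated
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.group().decode("utf-16-le")


def find_tool_references(data: bytes):
    """Return the sorted set of known tool names found as substrings of the
    sample's strings (case-insensitive). A non-empty result is a hint that the
    sample may check for analysis tools by process name, which is exactly the
    check that renaming the tool's executable sidesteps."""
    hits = set()
    for s in extract_strings(data):
        lowered = s.lower()
        for tool in ANALYSIS_TOOLS:
            if tool in lowered:
                hits.add(tool)
    return sorted(hits)


if __name__ == "__main__":
    print(find_tool_references(SAMPLE))
```

Run it against a real sample by replacing SAMPLE with the file's bytes; no hits does not prove the absence of a check, since names may be encrypted or hashed.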
@ihacksi · 4 months ago
Hi, good job on the challenge, man! I finished the last questions, but the first ones are still empty. The crackme only uses kernel32.dll and it doesn't import any DLL outside of system32 while running. Any hints?
@jeFF0Falltrades · 4 months ago
@@ihacksi Hint: Don’t just look for static imports - look for things loaded dynamically. One of the tools in this video might provide a shortcut 😉 Great work! Get your name on that wall! Come on back if you get stuck, but I think you’ll get it.
@ihacksi · 4 months ago
@@jeFF0Falltrades Questions 2-3 still remain; I went and tried all the DLLs imported at runtime, but no luck. Is the crackme doing something different in your environment? I tried with network/no network, and the Procmon output only reveals the two file activities you asked about in the later questions.
@jeFF0Falltrades · 4 months ago
@@ihacksi I will say this: The crackme executable does NOT adhere to the typical DLL loading you see in C/C++ binaries...so if you are looking at typical calls to APIs that you're used to seeing when looking for loaded DLLs, you probably won't turn up much in this particular case. But there is a DLL there. Perhaps something else could help in finding it.
@ihacksi · 4 months ago
@@jeFF0Falltrades Thanks, I found the DLL using the tool mentioned in the video. So Procmon only lists the known DLLs loaded from the disk/system, then? In-memory executions are stealthy.
@jeFF0Falltrades · 4 months ago
@@ihacksi I believe it’s because procmon monitors for the same few calls to known system DLLs (LoadLibrary, GetProcAddress, etc.) to monitor for DLL activity, whereas this binary uses a different implementation to load the DLL into memory, so it flies under the radar of many tools. Great work! I see your name on the wall now!!!
@lukefidalgo8154 · 5 months ago
Just did the crackme, and it looks like the last question in the Google Form is broken? I definitely did the math right, but Google Forms won't accept any answer.
@jeFF0Falltrades · 5 months ago
You are absolutely correct - thanks for reporting this! It was a validation typo. Good news is 1) It's fixed now and 2) This must mean you are among the first to get the crackme completed!
@jeFF0Falltrades · 5 months ago
There it is! Congratulations and well done!!!
@lukefidalgo8154 · 5 months ago
@@jeFF0Falltrades thank you! It was really fun solving the challenges!
@jeFF0Falltrades · 5 months ago
@@lukefidalgo8154 Glad to hear it! I'm always nervous leading up to a release b/c I have a lot of fun making them and testing them out, and there's always the "Ah damn, is this going to be something that's just fun for *me*?" X-D So glad you enjoyed!