Async RAT - Batch Obfuscation

Рет қаралды 146,217

Күн бұрын

Check IPinfo online and sign up for free exploring any IP address you would like! ipinfo.io/
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: / johnhammond010
PayPal: paypal.me/john...
E-mail: johnhammond010@gmail.com
Discord: johnhammond.or...
Twitter: / _johnhammond
GitHub: github.com/Joh...
If you would like to support the channel and I, check out Kite! Kite is a coding assistant that helps you code faster, on any IDE offer smart completions and documentation. www.kite.com/g... (disclaimer, affiliate link)

Пікірлер: 203

@liminal548 2 жыл бұрын

The Chinese chars is due to the first two characters in the script, it makes editors think its UTF-16 and thus messes up all the characters. While cmd.exe has no issue processing it.

@theimperious1 2 жыл бұрын

thats a neat trick

@sangamo38 2 жыл бұрын

this is exactly what my guess was.

@SadKris 2 жыл бұрын

I did not know this. Sounds fun

@rdil 2 жыл бұрын

Wow.

@andrewjehen5910 2 жыл бұрын

Tu fu fuf fufu CHINA wuhan bat virus NIH ECOHEALTH LAB LEAK

@dinoscheidt 2 жыл бұрын

Tbh not boring at all. As an engineer who seems to write more in word, excel and PowerPoint nowadays, I love to have your longer videos playing in the background while working. Much love from Berlin ❤️

@alexvidal821 2 жыл бұрын

One more in Berlin ❤️

@SpaceCatCat 2 жыл бұрын

2 more*

@paydayvideos4924 Жыл бұрын

@@SpaceCatCat still just 2

@Bobtb 2 жыл бұрын

Wasn't boring at all, watching you do your thing. I did learn a few new tricks today!

@mytube7473 2 жыл бұрын

Amazing. Never seen anyone break down malware before. very cool & smart.

@davidmiller9485 2 жыл бұрын

unless he's doing a CTF most of his content is a break down of malware.

@ivanboiko8975 2 жыл бұрын

Thank you John, we definitely need such so detailed videos about malware! So interesting, so useful!

@trapOrdoom Жыл бұрын

I love the long format vids. Even when they’re old, I feel like I’m talking with you.

@andydataguy 2 жыл бұрын

Awesome video! Just getting into programming and it's inspiring to see whats possible. I loved being able to see into your investigatory mind and thought processes as you faced problems

@NotFab 2 жыл бұрын

Hey John, thanks for the video! You probably noticed by now but at 44:48 you missed the function call to KnqbWpjtoveF around the base64 string, which is probably an AES-256 decode on the string and the reason why you were not able to base64 decode them.

@TagnumElite Жыл бұрын

Ah, great thing I read your comment. I can alteast now abandon this.

@MygenteTV Жыл бұрын

I had been following many youtubers for years but after finding your channel I don't even need to do it no more. your stuff is just crazy.

@BIGAPEGANGLEADER 2 жыл бұрын

Wow this was incredibly entertaining and educational, I can't believe youu were worried that it would be boring! I really hope you make more videos like this, seriously! This is really exciting to watch (as sad as that sounds haha). Would love to make a career out of this sort of analysis.

@applePrincess 2 жыл бұрын

"That's not bat! That's not BAT!" while you looking a bunch of Chinese characters made my day! nice video 👍

@bobmars8771 2 жыл бұрын

@Not Convinced 🤣🤣 Lol man

@LordRaven256 2 жыл бұрын

As pointed out before, the whole trick relies on setting UTF bits at the start of the file, making the text editor assume it UTF-16 or (8). You can get around this very easily by enforcing a specif encoding (before or after) opening the file. The editor I use (UltraEdit) can do this very easily and I assume most other (advanced) text editors can do the same. So this is not really a very effective obfuscation. The setting of the R variable and then using letters from it in the code is much more effective in my opinion. While easily turned back into valid commands by a PC, a raw text analysis will not find anything there.

@chrisclark5135 2 жыл бұрын

Excellent John! Not one bit boring man - thanks for all you do!

@Endzeitpanda 2 жыл бұрын

You the best, John! It was neither boring nor too quit or anything. Had a blast as always!

@readypubggo5650 2 жыл бұрын

This is it, the wait has finaly come to an end.

@Kurowe. 2 жыл бұрын

You keep saying "Echo" and my Alexa is set to respond to Echo and she's freaking out lmao xD

@Harrowthe12 2 жыл бұрын

I've waited for another one of these to come out very patiently. Worth it.

@debarghyamaitra 2 жыл бұрын

John always the best reverse engineer

@kajoma1782 2 жыл бұрын

You could go to *Preferences* > *Network* > Click the plus icon on the right side of the window. In your virtual machine settings you could set the network interface to "NAT Network". Do this so that you don't have to bridge to your *real* network.

@wnathanielw 2 жыл бұрын

I absolutely love these! Please don't stop doing them

@ambrosiahasnevertastedthis3673 Жыл бұрын

adhd normally does not let me sit through such long videos without getting bored. i was sad when this video ended

@victorcascallar6745 2 жыл бұрын

Dude, how can you talk for pretty much an hour straight and say you were quiet? Amazing, very fun. I'm starting to learn Linux because of you :) I'm a little bit old (almost 30 now), and idk why but going thru the command line reminds when I was a kid with the new and hot windows 98. The whole experience is new to me.

@Ged325 2 жыл бұрын

50 minutes: This is the same code pattern as seen in your snip3 crypter/Rat video. (about an hour in). Essentially it first decodes the base64 string. Then uses the WF function to decrypt the decoded strings.

@jackchan5635 2 жыл бұрын

Love it! really enjoy watching your malware analysis👍

@albertsaeznunez8875 2 жыл бұрын

I love that KZbin bitrate compression when he is looking at the obfuscated Chinese bat file

@ByteBurstShorts 2 жыл бұрын

I like the fact that he is also experimenting in his video, and is not straight up tutorial video.

@jacklee1612 2 жыл бұрын

This is such a rich content, not boring at all !

@csongorszecska 2 жыл бұрын

Pooth. Btw %0 is the file being executed in batch and %~F0 will expand to the full path of the file

@jimvincentmartinez7485 2 жыл бұрын

Not boring at all. Finished the video without skipping.

@MisterK-YT 2 жыл бұрын

This was riveting to me. Seeing this process in real-time from A → Z as you yourself figure it out is the most educational way this could’ve possibly been conveyed (to me). Thanks!

@JustSomeAussie1 2 жыл бұрын

I came across a batch file with Chinese in it once, all i had to do was change the character encoding in sublime text and it fixed it

@tecra3toshiba149 2 жыл бұрын

Thank you! Just following along. Reminded me of some weird things from yrs ago.

@Autokey_Security_Services 2 жыл бұрын

As I have taught myself many things in life I hope to some day be able to write software and disassemble software.. I remeber buying c++ books when I was a kid but It never got my attention.. Hopefully soon I will possess this knowledge I just don't know where to start.. It so cool how all that code was hidden in a little batch file...

@CJMAXiK 2 жыл бұрын

John: oo, I've found a python bat deobfuscator in the obfuscated code, neat! Also John: _proceeds to manually deobfuscate the code anyway_

@user-zt5bq9tf2z 2 жыл бұрын

there was only an obfuscator and no deobfuscator...

@daleryanaldover6545 2 жыл бұрын

it's night time here as well, watching as I sip my coffee ☕

@Intuitronix 2 жыл бұрын

Great video! I love these deep dives.

@qqb0t 2 жыл бұрын

Sick video ! More like this please ! :)

@yassinebellal1671 Жыл бұрын

Thanks a lot John, i learned some new tricks

@b.tulsirao7724 2 жыл бұрын

wow...amazing video...Thanks a lot for all this knowledge shared with us.

@laurenlewis4189 2 жыл бұрын

Sleepytime Malware Analysis is my favorite ASMR channel on KZbin

@CrowTheArchfiend 2 жыл бұрын

I have to wake up in 7 hours. Make that 6 now. I love this content. I actually want to just jump into doing stuff like this myself

@sordavie 2 жыл бұрын

Thanks for making these videos John.

@moom8254 2 жыл бұрын

amazing video! always loved your work!

@logiciananimal 2 жыл бұрын

Note that K. only detects the origina because it is obsfucated batch, not anything more specific.

@Yuki-bk2my 2 жыл бұрын

the variable names at 16:25 made me laugh because they are what i use when im testing something and need a quick variable name

@joefawcett2191 2 жыл бұрын

poggers

@alnoiseplaysmc Жыл бұрын

Find someone who loves you as much as John loves his malware

@Deathyss 2 жыл бұрын

At 44:40, when you looking at the base64 stuff.. They call an other method with the result of base64, and after changing the Encoding. Thats prolly why only getting the base64 from the string didnt do a lots for you. I guess...

@Alex-nq5nz 2 жыл бұрын

You and Mr. Bombal are my inspiration!

@notafurrysogoaway Жыл бұрын

What's updog? Also, why do you use separate 'cd' commands in cmd? 'cd Desktop/batch' works fine too, cd takes a relative path.

@brock_-1542 2 жыл бұрын

39:43 malware analyst moment

@johnpathe 2 жыл бұрын

nah, "did i just dox my[self/company]?" moment

@user-ll8hy1lv5l 2 жыл бұрын

thnx men, you are great, gave me a bunch of ideas

@froststorm77 2 жыл бұрын

This was intersting, watching whole hour.

@gnastyg7798 Жыл бұрын

Good Stuff John!!

@lucien5112 2 жыл бұрын

unironically says updog

@chrisbitus1328 2 жыл бұрын

HOHN JAMMOND - see I obsfucated his name ;) Classis substitution cipher technique that even the most recent malwares deploy.

@maryalison1321 2 жыл бұрын

Hi Chris 👋 I hope my comment didn't sound as a form of privacy invasion your comment tells of a wonderful woman with a beautiful heart which led me to comment I don't normally write in the comment section but I think you deserve this complement. If you don’t mind can we be friends? Thanks God bless you….

@TealTunic 2 жыл бұрын

Most underrated yt channel. Love the videos, man! ❤

@trunovmichael 2 жыл бұрын

Port 9001 is commonly used on TOR. Perhaps that's why you did not find clear host destination.

@Trezc0 2 жыл бұрын

Hey John, thanks so much for the content, quality was just fine - also ty for the ipinfo ad! I saw the video yesterday and actually had a great use case for the API just today at work for some attack analysis lol. Btw just wondering, how would one go about sending you a "juicy file"? Someone sent me a very obvious Node.JS RAT from a compromised discord account pretending to be a game, and thought this could be interesting for you, looks pretty powerful.

@lightningdev1 2 жыл бұрын

You can dm it to him on Discord

@viat8711 Жыл бұрын

it's amazing videos. thx for it

@gigabitestudios 2 жыл бұрын

at 49:02 it get the lenth of one and it it deosent have .length its 0 (.len = 1, no .len = 0)

@amirmohamed8748 2 жыл бұрын

Waww , really hilarious , you are on another level . U r the best . Hope i'll reach this level .

@paxdriver 2 жыл бұрын

That's some wicked poor lol great vid thanks man. Audio fine

@viv_2489 2 жыл бұрын

"I hate this part of the video" 😂 John at his best 😂, nice content 👌🙏

@sylvainrocca-serra3402 2 жыл бұрын

the base64 strings are probably aes encrypted then base64 encoded so it's printable, and the random next network stuff got me thinking of fast flux dns resolution to connect to a C2C server that keeps changing it's dns. maybe, maybe not i just though id share my thoughts, nice video as usual :) quite interesting piece of malware

@LinuxJedi 2 жыл бұрын

" i didn’t write it down " john forgets he’s recording 🤣

@MrRobertX70 2 жыл бұрын

Fascinating bat file.

@krokodaun Жыл бұрын

15:13 yes it does set name = whatever 123 variable echo %name %

@sendlocation8476 Жыл бұрын

@John Hammond Which RAT do you recommend? I am using NJRat at the moment. Also which open source Crypter do you recommend and where can I get it from? Need to undetected on Windows 10/WinDefender/AV

@albaniaiptv8335 2 жыл бұрын

you should run part of code to get the output encoded strings

@TheJustinist 2 жыл бұрын

One thing you could have done is write a script to parse the file for %r:N,n (case insensitive) and replace the matches with the correct value in the seed value

@RandomytchannelGD Жыл бұрын

13:54 THE CLS IS THERE BECAUSE ITS ECHO OFF NOT @ECHO OFF

@ishaankapoor933 2 жыл бұрын

Please Give us more of such unedited videos

@bobbychingchang8811 2 жыл бұрын

Can't wait for this video

@Alex-nq5nz 2 жыл бұрын

ALWAYS great contents!!!

@googleuser298 2 жыл бұрын

how can I start doing stuff like this? IS there a site that has a path for reverse engineering like this?

@gregoryjones4539 2 жыл бұрын

Love the video as i am a recovering addict and looking in to going in to it not sure which part yet looking at a little of everything any advice on where to start as a novist/ beginner thanks for the video

@sioonhho 2 жыл бұрын

babe wake up, new malware analysis video

@willk7184 2 жыл бұрын

"That did not like ... whatever was happening." 😂

@lfcbpro Жыл бұрын

I'm curious, this obviously takes a lot of time to write, and to implement, with a lot of skill, what do they get out of it? where is the profit? Is it just to take over someone's computer? Or are they after doing more once they have control?

@kQle 2 жыл бұрын

Very interesting stuff mah gai

@hoodmanager 2 жыл бұрын

Try using dnSpy instead of IlSpy, it's way better!

@Lei_Wong 2 жыл бұрын

Very entertaining episode

@iddqds 2 жыл бұрын

i know nothing about what he does but very interesting to watch for sure. i try to put things in order in my mind but still don't understand anything. what does that thing do, how can he know all this thing and etc. hey john i wonder where do you think i should start as complete beginner? i have some free time and would love to spend on what you do.

@CZghost 2 жыл бұрын

Would be good to investigate which protocol connects to the IP address. Obviously that address is stored somewhere in the encrypted data, including the port. Reverse shell lets the computer at the other side control your computer. What if the process could be reversed? Now you have the IP address, their reverse shell server has to be exposed to the public somehow. Anyway, it would be good to report for authorities.

@Jm7wtf 2 жыл бұрын

I’m confused of those %%r:~-15 So can someone explain, wth are those

@aksvan 2 жыл бұрын

Please do videos on PE malware analysis.

@_hackwell 2 жыл бұрын

very interesting video ! learnt a lot as I'm not used to Windows stuff. anyway do you plan making videos about SANS hhc 2021 ? Would be interesting by comparing our different approaches

@Vaampz 2 жыл бұрын

You do not need to make such faces to get views. you are better than that.

@aksvan 2 жыл бұрын

lmao

@owenswabi Жыл бұрын

Soyface need not be applied

@ytg6663 Жыл бұрын

@@AG-ur1lj where is it wtitten ?? how ca you say that ??

@astralgames5535 Жыл бұрын

He does what he wants

@greyburns6170 6 ай бұрын

I only watched this video because of the face he made

@user-em2kf6ff4v 11 ай бұрын

?Need a Tutor in this field so that I can get a walk through. I just enrolled in Salem University???

@azizutkuozdemir 2 жыл бұрын

whhhaaaattt batch obfuscationnnn ! youuu shinanigenssss

@torf1746 2 жыл бұрын

why do they keep writing malware in C#? wouldn't it be way harder to detect and reverse-engineer in C++?

@stefanscicluna2799 2 жыл бұрын

Defender still doesn't have self defense in 2022? Subbed btw

@shepardcd 2 жыл бұрын

Hey its the silentclean UAC bypass at 25min

@bobnoob1467 2 жыл бұрын

I dont know if im going crazy but I can't find your resume video anymore haha

@Jonas-qr8mn 2 жыл бұрын

What I think would be cool is looking up a obviously fake hack and tearing it apart to see how its made

@MrPing-jh4tl 2 жыл бұрын

Nice video Hammond

@IkarusKommt 2 жыл бұрын

How that thing is supposed to work? Do people generally use an administrator account with UAC turned off?

@eanglyroeurn8255 2 жыл бұрын

Passed any cert from him such ejpt ecppt and oscp 😍😍

@TalkL3ss Жыл бұрын

Y don't you pip the output of the echo to clip, it will be much faster

@constroyanonymous7830 2 жыл бұрын

Hey John I wanted to ask this which course are you studying from for your malware analysis?

@sorry7704 2 жыл бұрын

Hey mr Hammond, have you ever omg mr Hammond you have to meet my friend skittles at apple, He’s amazing he use to be a hacker for the navy he taught all over the place

@sorry7704 2 жыл бұрын

You two would love each other. Your 2 brains would launch cyber security into the next dimension. Also bionic chips.. rofl poor Siri is hackable just by teaching the bionic chil dyslexia and I changed Siri name to Alexa it’s hilarious