The CS equivalent of a cold crime investigator, if it's old malware you can be an archaeologist lol AND ALL FROM HOME.
@solemngravisyre 3 years ago
Amen
@julesl6910 3 years ago
Yep. The seed is sown; other pros will follow suit in time. John has started new forms of ASMR: malware unpeeling and relaxing haxing.
@droopylikesyourface 2 years ago
Bruh same, I can't pass a day without watching a video like this.
@donovanelliott9060 2 years ago
Same
@AngryAxew 3 years ago
Hacker mission: find as many ways as possible to sneakily hide IEX
@Clane267 2 years ago
True Lol
@bhagyalakshmi1053 1 year ago
Hack files 7zip files cery.
@Jacob-ABCXYZ 1 year ago
Gotta catch em all
@JonGarrett001 3 years ago
That was very interesting. I really enjoyed watching you take this whole thing apart. It never ceases to amaze just how far malware creators go to conceal and drop their payloads into people's machines.
@Konym 3 years ago
Don't mind me, just sharing the absolute love for these malware analysis videos.
@foxdk 3 years ago
I'm so excited for this. After watching your first Malware analysis I was HOOKED! I've watched all 4-5 videos multiple times. It's gotten to the point where I can recite your words exactly. It's so exciting watching you go through the code, peeling back layers, and going off on a tangent trying to look something up. Seriously John, I'm addicted at this point. I kinda wish I would've stumbled upon your channels 5 years from now, because then there would've been a catalogue to fill my desires. Oh well, at least I can add this video to my repeat cycles, and watch it 10 times over, just like the other ones.
@DyslexicFucker 3 years ago
Then recite them
@oneeyew1lly 3 years ago
Recite it then
@kabalibabo 3 years ago
Sounds a bit sketch ngl
@tear728 3 years ago
@@kabalibabo lol right
@XxZigonxX 2 years ago
That's quite the fervor for some videos about malware analysis. It's really got your attention, eh?
@LeetKrew090 3 years ago
Man... idk how I got to view this channel, but now it's on my top-tier list of channels to watch. Quite addicting :D
@jkobain 3 years ago
I concur.
@bbowling4979 3 years ago
I'm sure you already know this, but 128 bytes is the length of a digital signature for a 1024 bit modulus. Converting those 128 bytes (+1 for padding) using base64 encoding gives you 172 characters. Also 0x010001 is a commonly used exponent for RSA parameter sets.
@mossdem 3 years ago
These videos are incredible. Loved seeing another one being premiered today! Keep up the good work Hohn Jammond
@mossdem 3 years ago
@@lsh_ 😂 I know, I was joking lol
@AGPMandavel 1 year ago
@@lsh_ Jesus learn what a joke is
@criticalposts3143 3 years ago
I have been waiting for more malware analysis in my life..
@vanessabakeryrecommendedha8292 3 years ago
Thank you hackermendax on Telegram for saving me, I'm really grateful and will continue to tell my family and friends about you
@criticalposts3143 3 years ago
@@vanessabakeryrecommendedha8292 I can only assume this random message about "thank you [username] on telegram you saved me" is spam.
@vanessabakeryrecommendedha8292 3 years ago
@@criticalposts3143 nah bro try and see
@criticalposts3143 3 years ago
@@vanessabakeryrecommendedha8292 why tho. why. this is the most suspicious random message of all time. give me a good reason.
@criticalposts3143 3 years ago
@@vanessabakeryrecommendedha8292 I mean ffs, you have a bitcoin as an avatar. If, like you, I enjoyed gambling money on useless things, I would bet that this is either a straight-up bitcoin scam or a dodgy, possibly illegal pump 'n' dump operation.
@criticalposts3143 3 years ago
Judging by the amount of spam in this comment section, I'd hazard a guess and say that you've been hit by, you've been struck by, an automated system that goes only off title keywords.
@miallo 3 years ago
If you want to replace single-letter variables, you can use the word boundaries from regex: \< (start of a word) and \> (end of a word). So you should be able to replace $d\> with $data.
@ivanboiko8975 3 years ago
Hello John! I actually learned something new for myself, so thank you :) This video has helped me a lot!
@TiltIndeed 3 years ago
I've been absolutely devouring your videos over the past weeks. Keep them coming!
@CybrJames 3 years ago
John, my friend. 7:30am, I'm still dreaming that I am Chris Hemsworth. So early lol.
@okolol 3 years ago
20:20 I guess john never heard of "soft wrap" or "word wrap"😂
@nikolas8741 3 years ago
Sure he does, it's just suspense.
@СергейФёдоров-щ8ш 3 years ago
also, never heard of "can't resolve hostname"
@okuno54 3 years ago
I just keep it off when I'm coding; it's not helpful except for natural language text
@adamgibson7181 2 years ago
I watched every second of this and have literally no idea what is happening. Good stuff!
@melasonos6132 1 year ago
This is your best video imo, so funny and informative.
@dedkeny 3 years ago
You know it's super cheesy to have that cmatrix background for your website when it contains no useful data.
@DanielWoldeHawariat 3 years ago
Came across this video while researching Lemon Duck. A great breakdown and walkthrough. Can you recommend any solutions on how to remove the malware from an infected machine?
@0x8badf00d 3 years ago
5:30 If you're going to do that rather than just deleting all backticks, maybe use `([^abnt"']) instead of `(.)
@jackrendor 3 years ago
Thank you a lot, John Hammond. I always learn something new in your videos and I really appreciate your content! Hope to see more of this PowerShell obfuscation!
@navibongo9354 1 year ago
Loved the breakdown, thx for the tasty recipe John!
@persona2grata 1 year ago
This is a fantastic video. Well done, sir.
@soundscrispy 3 years ago
Love watching these on my way into work ☺️
@cry-wr4wt 3 years ago
I don't have a PC and pretty much no background in IT stuff, but I really enjoy watching this.
@julesl6910 3 years ago
If you make the effort to learn how to install Linux, you'll be hacking code in no time
@Scarter63 3 years ago
Between these unpeeling videos, and your deep dive into the dark web, this is more fun than watching Mr. Robot.
@LouisSerieusement 3 years ago
I love all the malware analysis videos so much! Thanks!
@ericm8502 3 years ago
These videos are awesome, keep up the great work!!!
@Ookami8raven 3 years ago
Great video! I love it!!! Keep it up.
@flleaf 3 years ago
11:14 He checked the date on his wristwatch even though he has it in the top right corner of the screen.
@flightless8402 2 years ago
Sadly everyone is so much smarter at computers, BUT! I feel at home in analysis, because John Hammond is my go-to with my morning coffee.🌻
@samsevennine6742 3 years ago
Always Enjoy Your Vids
@nordgaren2358 3 years ago
John "I could just replace this with nothing, but I'd rather do some fancy RegEx expression" Hammond. Rolls off the tongue!
@darkfusion9215 3 years ago
Can you give me a step-by-step guide about reverse engineering? Like, I want to get into malware analysis and cracking software, so where should I start, from beginner to advanced?
@TheRogueBro 3 years ago
The whole reason this script looks at the graphics card (and hash rates) is because if those exist, it wants to use them. You can generate more hashes (earn more money) with a graphics card vs a CPU. Not sure if you pick up on this later, only 41 min in lol.
@mcgiwer 3 years ago
Please configure your Sublime so that it automatically wraps the text. It would be easier for the viewers.
@alexanderastardjiev9728 3 years ago
Hi John, I really enjoy your videos. You are awesome! I'm really hoping you are using some kind of proxy when checking if the malicious domain is still up. You can hide your IP in the video, but you cannot hide it from the server owner's logs...
@ApexFPS 3 years ago
Love how you break these down
@RumenRad 3 years ago
Just a piece of advice: start the malware at the end of the video to see what's going on :)
@fu886 3 years ago
39:19 43669 is an Azure thing to collect data, I think.
@lordofhack5368 3 years ago
Wouldn't surprise me if the attacker is keeping an eye on connections to the URL; after so many hits, or if certain probing commands come in, it probably turns off to hide itself.
@lehangajanayake2705 3 years ago
16:59 I made that mistake; luckily for me it was only targeting phones.
@MohaiminulIslamra 2 years ago
Getting IEX outta comspec was the aha moment for me :D Thanks John for feeding us regularly with nerd bites.
@amaz404 2 years ago
What if you were to curl the jsp file with the lemon-duck header?
@jkobain 3 years ago
Hi, John! I heard they ported PowerShell to macOS and GNU/Linux too. I can't say why exactly they think it'd be important to have it somewhere other than on MS Windows, but still they did it. Probably to allow OS-independent malware, lol. Thanks for the videos, liked them a lot.
@stevebanning902 3 years ago
FBI's gotta get their data from you somehow, no matter what OS you're on
@shelled7321 3 years ago
What's the point of the malware code being hidden? Why does it matter if the code is going to execute anyway?
@123gostly 3 years ago
Hiding from AV and other detection systems.
@blade1551431 3 years ago
How much preparation do you do for a video before recording? I mean, what do you do with the sample you downloaded before recording?
@eyyubaydin1370 3 years ago
Damn, this is a good video. I'd like to see more malware analysis tutorials (walkthroughs).
@SYN-ACK-443 3 years ago
Stupid question, but why doesn't the (.) create a copy of the character in front of the '? Like ob'ject to objject?
@mymoomin0952 3 years ago
The (.) counts as part of the match. So the find-and-replace sees `j, goes "that matches my pattern `(thing)", then replaces it with (thing) - i.e. j
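The three regex points raised in this thread (the `([^abnt"']) refinement over `(.) for stripping backticks, the \< and \> word-boundary trick for renaming single-letter variables, and the capture-group explanation just above) as one added Python example. This is not code from the video or from John Hammond; the sample input is constructed, the escape list generalizes the commenter's [^abnt"'] class to PowerShell's full set of backtick escapes, and Python's \b stands in for the \< and \> anchors, which Python's re module does not support.

```python
"""Regex cleanup of backtick-obfuscated PowerShell text.

Hypothetical helper written for this comment thread, not the video's own
tooling. It strips the backticks that merely split words while keeping the
ones that start a real escape sequence, then renames a one-letter variable
at a word boundary so that $d is rewritten but $dd and $d2 are untouched.
"""
import re

# Characters that form a PowerShell escape sequence when preceded by a
# backtick: `0 `a `b `e `f `n `r `t `u `v, the escaped quotes, `$ and ``,
# plus backtick-newline (line continuation). A backtick in front of any
# other character changes nothing and is pure obfuscation.
ESCAPE_FOLLOWERS = "0abefnrtuv\"'$`\n"

# Backtick followed by a non-escape character; group 1 keeps that character.
NOISE_BACKTICK = re.compile("`([^" + ESCAPE_FOLLOWERS + "])")

# The naive pattern from the video: every backtick plus the next character.
ANY_BACKTICK = re.compile("`(.)")


def strip_noise_backticks(text: str) -> str:
    """Remove only the backticks that do not start an escape sequence.

    The replacement \\1 is the captured character itself, which is why the
    character is not duplicated: the backtick and the character are matched
    together and replaced by the character alone.
    """
    return NOISE_BACKTICK.sub(r"\1", text)


def strip_all_backticks(text: str) -> str:
    """Naive variant for comparison; it also destroys `t, `n and friends."""
    return ANY_BACKTICK.sub(r"\1", text)


def rename_variable(text: str, old: str, new: str) -> str:
    """Rename $old to $new, stopping at a word boundary after the name."""
    pattern = re.compile(r"\$" + re.escape(old) + r"\b")
    return pattern.sub("$" + new, text)


def deobfuscate(text: str, renames: dict) -> str:
    """Strip noise backticks, then apply each variable rename in order."""
    cleaned = strip_noise_backticks(text)
    for old, new in renames.items():
        cleaned = rename_variable(cleaned, old, new)
    return cleaned


# Constructed sample (not the malware from the video). The backticks inside
# Write-Output and Get-Location are noise; the `t and `n inside the string
# are a real tab and newline and must survive.
SAMPLE = 'Wr`ite-Out`put "`tdone`n$d"; $d = Get-Lo`cation; $dd = $d + $d2'

if __name__ == "__main__":
    print(strip_all_backticks(SAMPLE))         # escapes inside the string are broken
    print(deobfuscate(SAMPLE, {"d": "data"}))  # escapes kept, only $d renamed
```

Running the module prints the naive result first, where the string has become "tdonen$d", and then the careful result, where "`tdone`n" is intact and only the standalone $d occurrences read $data.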
@Joel-gf4zl 2 years ago
You shouldn't be getting a cached page if you already are including random data in the query. Maybe the date serves another purpose.
@charmquark0 3 years ago
Awesome video. A quick question: where do I get a copy, as I would like to go through the process myself?
@kingpopaul 3 years ago
Talos always have great and comprehensive reports.
@padreigh 3 years ago
1st rule of business - add ; into everything to thwart easy line detection :D
@charismaticmedia8585 3 years ago
Love your videos sir.
@TheDyingFox 3 years ago
19th? ouch, so it takes around 10 days/video?
@praetorprime 3 years ago
test1 could come from an earlier IEX? I'm learning a lot from your unpeelings, keep up the good work!
@djosearth3618 1 year ago
jus kernt more aabout regexp then ever knewed ! thxu, again ;]
@WickedNtent 3 years ago
I'm new to Cyber Sec and I'm doing it as a hobby. How do you get your hands on the payload without it executing so you can break it down?
@logiciananimal 3 years ago
Isn't it possible the jsp page needs a parameter value set to do anything?
@slamscaper128 1 year ago
Watching your videos is making me want to learn Python, not to mention get more experienced in Linux.
@bhagyalakshmi1053 1 year ago
Regular expressions for your Ruby details in more starting beginning explain in the regular expressions.
@kushshah3682 3 years ago
If only these bad actors commented their code :)
@WashingtonFernandes 3 years ago
Wonder where you get this "bad stuff". I want to practice too :(
@Freeak6 2 years ago
So interesting!! It would be interesting if you talked about who could make such malware. Do you think a single person could have developed it? Or is it more likely a team? How long would it take for a single person to develop such complex malware?
@mattsadventureswithart5764 2 years ago
A single guy wrote the whole of TempleOS, including writing his own version of a "C"-type language to code it in, and a load of apps for it. It's very believable to suggest that a single person could write this malware entirely on their own. I don't know if that's true or if a team did this, just that it's believable that someone could have done it.
@max_ishere 2 years ago
Omg so cool! I want that sneak skill. It's like make IEX out of someone's computer
@ek8507 3 years ago
>deadbeef "i've beaten a dead horse"
@kherkert 3 years ago
Great deobfuscation walkthrough! IEX still the way to go so it seems
@bhagyalakshmi1053 1 year ago
How to check this wion what defryint login looking. That's wonderful icai this woinder exl explain powerful
@sliver7993 3 years ago
I'm gonna take a 4 hour nap I guess
@tuckerward9844 3 years ago
that o0knib tho...
@MultimediaCizzy 3 years ago
55:48 THE RETURN OF MEMECATZ ༼ つ ◕_◕ ༽つ
@vis9536 3 years ago
In reference to replacing the back ticks... Can't you just replace them with an empty box? That would remove them.
@sorrowharvest5884 3 years ago
I'd say the idea of a crypto worm is nothing new to the whole idea. The thought of even attaching backdoors not mainly to alter information but to sap the hardware capabilities of a targeted system. Computers evolved over the conception of increased amounts of stress testing; that being said, insights that the machine can handle more tasks automated by services and regulated thru the registers. The service of a crypto miner is to solve calculations of equations that maintain the blockchain's structure, which is itself a symbolic link to a hash dump of data (bytes, ints, func, etc.); the direction of a numeral scale of which character is switched with another cryptic character to a chain of undifferentiated value. Which holds the meaning of the reason a coin holds limited capacity due to the different, individual, and separate values; for example, if a blockchain was a configuration of hybals 0000 - 1111 it would only hold 16 coins. Then we divide the value by 2, which in turn increases capacity to 32 different values, but only 1 coin will equal the concurrent value of 2 different values. The worm's purpose is to grow. Hermaphroditism, self-replicating, which in turn is the meaning of a manifestation of a virus, yet the worm needs data to consume, so the data is the blockchain itself but to a signature of grasp, drop, split and divide like a middleman within the transaction of transferred bitstreams that identify the blockchain.
@popooj 3 years ago
always a blast !!
@osamaamarneh5762 3 years ago
I'm a simple man I see a John Hammond video I click like
@kidkrow3386 3 years ago
What’s the new setup looking like?
@trojan8550 3 years ago
How is this virus spread? And congratulations for this video!
@julesl6910 3 years ago
the human factor
@matej_grega 3 years ago
I understand like 5%, but I love it!
@sammo7877 3 years ago
here we go again :D
@AVX512 1 year ago
I don't know about yall but when someone brings Ooknib 6mook to the hootenanny in my town, everybody's goin hogwild
@tear728 3 years ago
I don't really see the point of the obfuscation lol. There's always some simple way to deobfuscate, since they will have to eval or iex... you just end up pinpointing where that is and voila.
@GrantRuOkGovernmentSheep 3 years ago
I was just about to analyse this.
@MrRayWilliamJohnson9 2 years ago
Games incorporate lemon into code to then get hash rate from all users discretely
@bhagyalakshmi1053 1 year ago
Fox push 43669? what subject litr
@paradoxicalegg6112 3 years ago
When I saw the thumbnail I thought it said "demon luck" lol
@ycart_tech6726 1 year ago
Can I ask a real stupid newbie question... I have watched the entire thing with long pauses in between to absorb and integrate... As far as I can deduce, bad guys plant a miner into the host system. It's what it says in John's title. I trust John. What I don't understand is where's the part that points to the perp's wallet??? Am I wrong to assume that if you're a smart systems security specialist guy there's more money on the Light side than just clients' commissions? Also, secondary noob question... since anti-malware software is mostly trained to go after specific code patterns flagged as malicious through the hard work of people like John... is it really worth it to go to such lengths to obfuscate code like this, with nonsense padding strings and similar cheap parlor tricks, which could have been much more easily rewritten to fly under the radar from the beginning? I am a total noob and still it wouldn't take me more than a couple of days to decode the entire thing I watched in this video... I guess what I am asking is, is there any other way for anti-malware software to distinguish between the traffic that a game I play online or a million little applets running on a modern home system touching base to get weather updates or some bs like that create, from that of the miner phoning home to send money, unless a guy like John working IT somewhere puts it on a list...?
@mechanicalfluff 3 years ago
great video! more... MORE.
@imanuelbaca2468 2 years ago
I actually had this on my computer; good to know what it was doing.
@idoabitoftrolling2172 3 years ago
Ah shite here we go again
@bhagyalakshmi1053 1 year ago
What to do John master ow, to my job ,fik power sell axin 😭
@w00tklumpWn 3 years ago
Epic Games Launcher looked like a valid at port 43669, maybe they wanna do stuff with it.
@happygimp0 3 years ago
Disliked for the horrible indentation style at 4:46. Never put the opening and the corresponding closing bracket anywhere but on the same column or line.
@bmbiz 3 years ago
How petty. And ridiculous.
@ryonagana 3 years ago
When will John Hammond quit reverse engineering malware and start reverse engineering dinosaur DNA?