They Say This Malware is INSANE

22,893 views

John Hammond

1 day ago

Comments: 64
@GodDamnitTwitch · 1 day ago
the word "kindly" is like a dog whistle to me lol
@patricklechner190 · 5 hours ago
Would you kindly...😂😂😂
@godliestous4658 · 1 day ago
It's sooo interesting to watch these kinds of videos where you review the source code and see how malware behaves on infected hosts
@likebot. · 1 day ago
the clue is in the wording "... we _kindly_ request..."
@nickcurrie303 · 1 day ago
Lol the real clue is in the fact that your IT team would not / should not email an executable out to users to execute - this would be scripted or deployed via other means.
@edwardfildes2038 · 1 day ago
You'd think anyone with the technical know-how to run JS files would also find the request to run one from IT highly suspicious.
@northholdgames8596 · 1 day ago
in Windows it is just a simple double click or "run". It doesn't require any skill
@edwardfildes2038 · 1 day ago
@@northholdgames8596 ah fair play, I didn't know that
@bestcoolmanever · 1 day ago
@@northholdgames8596 he's saying that it's bizarre that someone fell for one of the most common and obvious "hey, run this file, it's totally safe!" phishing schemes to ever exist without even a single thought of double-checking anything. It's like getting a text from a random unaffiliated scammer's number that says "it's me, your mom. send me $500, it's urgent!" while sitting a room away from your mom and still sending the scammer $500 anyway
@fdert · 1 day ago
Great education here digging into IDA. I'm just getting into this field and this is very helpful to see your process, thank you!
@ismayonnaiseaninstrument8700 · 1 day ago
This is probably the first in-depth digital forensics video I've sat around and watched, and honestly... thanks! I learned a helluva lot, and I'll be experimenting with those debug tools myself... (once I have a stronger foundation in assembly, mind you.)
@technikschaf1574 · 15 hours ago
"losing a little bit of street cred"? With a lot of luck there is a little bit left thanks to you at least recognising it as LotR. Thanks for taking us with you on this journey there and back again.
@RelemZidin · 2 hours ago
I legit thought he was gonna say I've never sat (down and read them) oof
@ft4jemc · 1 day ago
Neat video. Yes. Yes you lose nerd cred for not knowing LotR.
@shodannonymous9359 · 1 day ago
I'm probably gonna try this box with your guide, thanks as always John
@jesperwall839 · 1 day ago
Is this a 57 minute commercial? Been to many of those lately, and I don't want to waste my time.
@Twoshoes22Jason · 1 day ago
Yes. For HackTheBox
@TotesCray · 1 day ago
I mean... it's a commercial showing HTB's Sherlock exercises, but the "how it's solved" is great learning info regardless of the original source
@capability-snob · 1 day ago
@@TotesCray coolest username ever, well done. Must have used freon.
@draconic5796 · 1 day ago
Seems someone is a Lord of the Rings fan lol. Finding Middle-Earth, bringing the god of everything Eru and then using the Palantir to get into Gondor haha!
@MultiDark2012 · 1 day ago
Even though I could see the info on screen, I was still w8ing for John to say LTT. 😂😝
@Rostol · 1 day ago
Windows Pro includes a secure isolated ephemeral VM, it's called Sandbox. It's awesome for testing things. Also a good tip if using VMs is to take snapshots between steps, just in case ... lol. 35:46 it's reading the resource table on the .dll, not the .exe, that's probably why the entropy was meh in the .exe resources
@josemariolladomarti4935 · 1 day ago
awesome work man
@redisbluegaming6696 · 1 day ago
Nice channel, love learning from you
@ogunikitty · 1 day ago
Wow. Learnt a lot today. Thanks John
@ChemicalShots · 34 minutes ago
All of this malware would be stopped easily with true zero trust.
@threeMetreJim · 1 day ago
Not too bad at all. The insane rating was about right if you've never done this before. Be prepared for layers of obfuscation (in the scripting parts) in real malware, just to frustrate even more. Nice to see this test also having an encrypted part to extract.
@logiciananimal · 1 day ago
Nicely done - I didn't know IDA Free had a debugger. I don't do much RE, I guess.
@aidengoiangos4577 · 1 day ago
Another John Hammond classic
@h4ckh3lp · 1 day ago
If we weren't already aware, the "WinHTTP" autofill in IDA shows you've prepared this walkthrough, which is fine, but I for one would find exponentially more value in the footage of you when you're first running through it. Because to see how you go about figuring shit out when things don't work as you would expect them to would be a lot more informative imo.
@IJH-Music · 1 day ago
Yes and no. John does some things live and you get to see him go through problems in real time. For a video like this, that style of video would be impractical.
@h4ckh3lp · 1 day ago
@@IJH-Music You'll never see his first go at a box, even the "live" shit is scripted (or at least outlined). I don't care if it took 6 hours instead of less than 1; if you can show me HOW TO FIGURE OUT how to figure out the unknowns, this would be greatly more valuable than showing me how to complete a challenge. But for the same reason the crowd boos when the fight is painstakingly being grappled on the ground, youtubers will forever be playing the youtube game more than providing truly meaningful information at the advanced levels.
@mitospha · 22 hours ago
Pretty cool demo, thank you. That was rated insane? Some sites I think would honestly rate that as Medium out of easy, medium, hard. Not all CTF sites are the same I guess.
@crudmonkey · 1 day ago
Great video John! Love these reverse engineering videos
@zerodoinkthirty0 · 1 day ago
W PowerShell investigation
@dav1dw · 1 day ago
Nerd cred would be to read Lord of the Rings, not just watch the movies.
@shingareom · 1 day ago
They ?
@AUBCodeII · 15 hours ago
Hey John, let's get OSEE+ right the flipp now
@hoosiercrypto9955 · 1 day ago
They 😳
@QuantariousBitsoniTalvanen · 1 day ago
Why don't as many of the malware coming out have VM evasion like when it spiked a few years ago? Or is it just that it's easier to disguise a VM now?
@viv_2489 · 18 hours ago
Is ChatGPT capable, and can it be used to learn this obfuscated code?
@D.von.N · 1 day ago
So what happened at the end? Did you encrypt your VM or something else?
@74Gee · 1 day ago
Nah, the encryption only acts on a few folders and a few filetypes within those folders so it's mostly benign. See 41:33
@D.von.N · 1 day ago
@@74Gee So those were encrypted; for an average user, if it happened on their real computer, pretty much everything they have there. Riight LOL And so I have a clone of my OSs and data backed up multiple times elsewhere. That the ransomware transfers some of my data to the dark web, I won't be able to fix that. Just I will be one of millions of other folks out there. A drop in an ocean. My data already is out there, from various hacks of databases...
@zakzak24 · 1 day ago
hi John, I'm getting into malware analysis. Is it enough to just boot up a VM and then run malware inside it? Because I read there are types of malware that could escape and infect the host machine, given that I'm doing both static & dynamic analysis
@GarethBaddams · 1 day ago
Hey, although it isn't impossible for malware to escape a VM it's highly unlikely. If you're doing a lot of analysis maybe have separate hardware and network segregation just to make sure 😁
@user_Esq · 1 day ago
13:54: "Mining bitcoin cash" -?
@grant-is · 1 day ago
Who is they? What does INSANE mean? Could we tone down the hyperbole?
@orderandchaos_at_work · 1 day ago
Watch the video and find out
@pan_golin · 1 day ago
They is HTB, Insane is the difficulty rating. Also welcome to KZbin.
@arthurbruel5545 · 1 day ago
Man's gotta play the YouTube game. Chill.
@FirstnameLastname_official · 1 day ago
Everybody asks "who is they?!" but no one asks "how is they?"
@paulmurgatroyd6372 · 8 minutes ago
We are the microsofts, all your files are belong to us
@stefan-viorelnagy5181 · 1 day ago
how am I here so fast
@ARIFF861 · 1 day ago
Is this Sherlock challenge retired?
@KnightDriver090 · 1 day ago
No
@KnightDriver090 · 1 day ago
Maybe
@SPOOKEXE · 1 day ago
lee epik
@darshanakhare6676 · 1 day ago
❤❤❤❤❤❤❤