PowerShell CRYPTOSTEALER through DNS

Рет қаралды 55,041

Күн бұрын

j-h.io/snyk || Try Snyk to find vulnerabilities in your own code and applications FOR FREE ➡ j-h.io/snyk
🔥 KZbin ALGORITHM ➡ Like, Comment, & Subscribe!
🙏 SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎 FOLLOW ME EVERYWHERE ➡ jh.live/discord ↔ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware

Пікірлер: 73

@Ludasn Жыл бұрын

Powershell is so cool, you never have to worry about installation. Makes it easier

@rodricbr Жыл бұрын

yeah, I've never had much disposal to deep learn ps but it's really cool

@manisharrora9525 Жыл бұрын

Already stopped the same attack thanks for this. Also did the malware analysis of the .ps1 file.

@DS6Prophet Жыл бұрын

John, you are an amazing Fella who always makes AAA+ quality videos! Huge props to you!! 😊 I really have obtained lots of knowledge from your videos!

@Lampe2020 Жыл бұрын

18:35 That looks like someone actually modified the malicious DNS record instead of just removing it XD

@autohmae Жыл бұрын

yes, exactly

@allurbase Жыл бұрын

That UUID at the top of the script in the registry is probably to change the signature of the script.

@justinpinson8575 Жыл бұрын

Love this content! Thank you for the analysis as always ❤️

@bhagyalakshmi1053 Жыл бұрын

Sho talented person. translation master and brother.

@luketurner314 Жыл бұрын

13:01 and I'm here for it

@stopper0203 Жыл бұрын

Love these videos 😎!!

@mynamesaretakenwtf Жыл бұрын

How are they injecting and running the PowerShell? It feels like we’re missing the initial attack.

@Dakktyrel Жыл бұрын

Phishing or adware would be my initial thoughts.

@UnfiItered Жыл бұрын

Temp files/adware/malware. Unprotect your computer and visit as many fishy websites as you can. Then turn on your protection and watch it pick up a bunch of stuff in your temp folder.

@NederlandsPersoon Жыл бұрын

uuh, wtf. I found this on a pc two weeks ago, 3 PowerShell files with a name of 4 random characters with the exact same contents. I correctly identified it as a virus and did some research, after deleting it there still remained some other parts which I could not find (I am a noob on this), so wiped everything. Amazing to see a video on it

@NederlandsPersoon Жыл бұрын

I did think of sending it to you, just to see. But did not do it in the end, idk why

@theblankuser Жыл бұрын

Powershell stuff is interesting af

@VulcanOnWheels Жыл бұрын

3:23 Shouldn't that have been, "to be able to be *run*?"

@asbestinuS Жыл бұрын

How did you get to stage 2? Did I miss something? These ps1 scripts are just reading from registry and getting values. What values are they getting?

@UnfiItered Жыл бұрын

So after the first stage ran, it output a base64 code. He decode it and it shows a block of code. That code is the second stage.

@3WL2 Жыл бұрын

Stop fast forwarding through the video and you won't have to come to the comments to ask dumb questions.

@asbestinuS Жыл бұрын

@@BryanLu0 I see, thank you kind sir.

@hyklmcjger9232 Жыл бұрын

Great video! Almost went into the rabbit hole together with you :D

@averagejoe404 Жыл бұрын

yeah right

@Sestain Жыл бұрын

I had this too and not sure where I had gotten it.

@mattchub9887 Жыл бұрын

Do you ever go live??

@muhammadtaha2578 Жыл бұрын

love your videos sir

@khush1980 Жыл бұрын

Good stuff here.. thanks What editor is that please

@smtp4626 Жыл бұрын

sublime text bro

@pdkama Жыл бұрын

thanks

@DarkFaken Жыл бұрын

Thanks man!!

@raiddesu9687 Жыл бұрын

coolbase64 package for sublime would be useful for this kind of stuff since you do a lot of decoding ,you can just select and decode in sublime directly

@TechSY730 Жыл бұрын

For a moment there I thought scambot (EDIT: now banned and deleted) was doing a ^this style comment to reaffirm your suggestion. Which very well may be the first and only actually useful thing it did.

@bhagyalakshmi1053 Жыл бұрын

Great master

@demotedc0der Жыл бұрын

aaawesome !!!

@jpsl5281 Жыл бұрын

Why they store payloads as byte arrays?

@Sestain Жыл бұрын

Most likely harder to detect since it needs to be put back together

@muhammadtaha2578 Жыл бұрын

great

@htconex19062012 Жыл бұрын

This is so crazy 😂

@muhammadtaha2578 Жыл бұрын

nice

@bhagyalakshmi1053 Жыл бұрын

More videos also following master

@imyoubutbetter9951 Жыл бұрын

bro i m overwhelmed what programming languages do i need for cybersecurity?

@taureon_ Жыл бұрын

what are you attacking?

@imyoubutbetter9951 Жыл бұрын

@djr thanks man appreciate it also what can i do with java?

@animeworld4775 Жыл бұрын

What is crypto jacker

@thomas-wiki Жыл бұрын

It's JM

@animeworld4775 Жыл бұрын

@@thomas-wiki JM ?

@thomas-wiki Жыл бұрын

@@animeworld4775 Joe Mama

@logiciananimal Жыл бұрын

Ingress/egress by DNS is so brutally annoying!

@Meletion1 Жыл бұрын

Second view including him!!!

@brylozketrzyn Жыл бұрын

One more reason to analyze DNS traffic

@scrpiona Жыл бұрын

how to? any software or tips?

@brylozketrzyn Жыл бұрын

@@scrpiona Suricata + Elastic Security with Machine Learning module. Easiest, but needs ML license. Still few orders of magnitude more accessible, than some popular solutions

@chicoern Жыл бұрын

Mind-blowing how these files brutally murder PowerShell. Even if you think about creating a file that doesn't make sense, to help disguise the malware, these scripts are terrible.

@DiSiBijo Жыл бұрын

huh?

@keylanoslokj1806 Жыл бұрын

He tripped?

@ancestrall794 Жыл бұрын

I think he meant that the person who wrote the powershell script did a really poor obfuscation job

@bhagyalakshmi1053 Жыл бұрын

One 🕐 login all