Update: Thanks to @Wikidude in comments for pointing this out. The "Mizu" address that I didn't do a good job of digging into is apparently a BTC address. Looking this up, it has over 2.5 MILLION dollars, with transactions in March of 2021. Absolutely crazy. www.blockchain.com/btc/address/1NSrjTotDiuK7S1xMm9yuppq4dr4Uf9saM

I just wanted to say. You have inspired me. I have officially enrolled in university again as a mature student finally and will be working towards a bachelors in Cyber security

39:05 this is in a language that I do not speak: Proceeds in realtime reading and translation from Italian to English with no issues

Excellent work, watching this helped me realize that this cyber security degree I am finishing up is something that is achievable and interesting. So much of our classes are report driven and it is great to see a real world example of what actual analysis looks like and the progression through it. Thank you!

The Threat Report PDF at 38:53 was in Italian and yes was a report about a similar malware Italiani facciamoci sentire :)

This video inspired me to get into ethical hacking. I literally watched over 20 hours of videos about hacking in the last 2 days. I haven't been this excited since I started programming 17 years ago. Just hacked into my Bose soundtouch 😂 Thank you for bringing back the fun and fire in me for computers 😁

Hey John, the BTC address (Mizu in the sample) that you didn't check properly on blockchain explorer, has received $2.5 Million. Should probably change the title. $2.560.000 looks better xD

It was an interesting dig and got spicier with those dollar numbers. Keep up the good work!!

Impressive how you managed to understand obfuscated italian though

Great work... love how fluent you are in this. Kudos to you John!

I know this video is a couple months old, but I'll still say that These videos are much better when you go through the malware for the first time, rather than explaining what you've found previously.

Man, i love this vids, you'r an absolute genius. I learn a lot

John thank you for the great video, I'm a complete newbie to software development, debug and analysis. I'm able to follow you perfectly, understand most of what is presented and am having a great time!

39:08 that is Italian :)

This malware analysis is nothing short of magical

I love that I found your channel! I want to get into cyber security so watching you go through code and explain things is fascinating! I do have one thing to say... why do you NOT use dark mode on EVERYTHING? It is so much easier on the eyes using Window's dark theme and any dark theme where sites allow it (like twitter...).

Good Job , John "MALWARE" Hammond , Lovely to See and Hear Your Enthusiasm For Malware Man you Nailed IT.👊👌🤚✌🔥🔥🔥🔥As Usual 🔥🔥🔥🔥👌✌👊👊

You rock, John! Thanks for the cool videos and for being such an inspiration to all of us aspiring info-sec pros, and for educating the general public! You're the man!

Man, I don't understand all of it but now I remind myself that I was supposed to do other stuff and 32 minutes gone like a slap, or wait what does suppose to mean? And yeah, it's really interesting stuff! John, you are a Legend! :D

That clipboard trick is really slick

57:11 once you make a cryptocurrency transaction, it's public, everybody can see it.

ammount of good advices and the fact you actually read them and use them is really creating that community vibe... me like it... also, i like it more when you come somewhat uprepared and research this like you would usual, sometimes it feels like you wanna make these videos to be explorations when they are clearly well prepared demonstrations, that feels more natural to me... and ofc tnx for all the good and spicy insides on how this is done! 👊

You have no Idea How much i love your videos ❤️

pls someone make something that looks like malware but in the end it gives you a youtube link to rickroll (and send this to him, pretending its crazy malware)

God, i learn so much from watching John's videos it literally takes me 3 days to digest one

You know I have searched extensively to see if anyone actually does anything like what you do for this malware/virus/ransomware/ect... No one displays it like you. This information digging explorer style of the software. Most try to show off a tool or explain how you can learn to go do this and how it benefits you career. But no one is doing what you're doing here. I can't get enough of it cuz it is incredibly awesome.

Yo Johnny!! I've been a fan of yours for the longest bruv! Malware analysis is a neat content twist👌🏽.. Looking forward to more bro. **Side note : PLEASE CREATE YOUR OWN MALWARE, AND UPLOAD A VIDEO EXPLAINING THE CODE AS WELL AS A DEMO USING IT.. PRETTY PLEASE!! 😭😍🔥🙏🏽

Exelente video!! Gracias por compartir

excellent stuff. Love your content. Keep it up.

The only thing me and you have in common is that we both speak English good, but man I love your content, style, etc. Thanks for doing this and please keep it up! Subscribed. And I watch until the end.

As someone who works as a Software Developer since 17 years I am suprised how trivial the malware is. What I like most is how creativ it is with the clipboard. Are there common malware patterns?

that pdf was in italian! c: very entertaining video :)

39:05 greetings from Italy ❤️

great job John fascinating stuff as always

So the whole script relies on people not checking what they paste when sending money?

57:32 that's batman voice noice

Love your content, John. I've learned a lot just listening while I work. I have applied a bunch to using Linux and have implemented your techniques starting Hack the Box. Just bought a shirt from ya👍. Keep up the good work. It would be cool if sometime you could make a mini series specifically about writing little tools, but I know your videos often contain python scripts you write on fly (which is really dope btw).

dude you are doing really cool stuff, keep going!

Great job... I've learned so much... plz continue with this... cya

I have one question, this script changes your clipboard with another BTC/ETH address right? But do they hope you immediately send btc after that or something? What happens when you ctrl C something else, will it overwrite? I don't get that part.

I do not know why this came up in my feed ... I understand absolutely nothing of what I'm watching ... Good work to get a subscriber who has no idea what he is subscribing to. and yes the text is with Google translate ;-)

Love em. keep em coming

53:51 Has he made a video on the minecraft malware??

Would have been interesting to see this part @51:45 via Burp suite :)

Great fun again John. Great work

have u deobfuscated a pyarmor obfuscated script? (python) a video on that topic would be interesting, thanks!

Is there a Windows policy that will just disable this pattern "Function(string)()"?

On the POST - the server doesn't have to answer - it could be doing nothing visible to avoid another IOC. Also, for all we know it could have been compromised itself, partially taken down by intelligence or law enforcement, etc.

where do you find these?

Hey John, base64 decoding multiple js comment blocks as one base64 string will certainly not work out. First split up the different /* ... */ blocks and decode them separately.

love your videos john keep it up!

Another great video. Keep it up!

I'm curious what infection vector they use to get this into a victim machine and executed.

I love how self-remove is "UnMonk"

I actually use ESET several years now and for me looks good, also not expensive, sure have some things that can take it down but mostly gets a lot of things

Stage 1: beautified Stage 2: beautified Stage 3: beautified Stage 4: beautifiee Stage 5: BEAUTIFIER

How does this malware author get it installed in victim machines?

Amazing as always!

LIGHT MODEEEE AHHHHHHHHH MAKE IT STOPPPPP, and then you beef me for JavaScript.. low blows dude low blows xD Na for real keep it up dude these viddies are great

many thanks for content, man

line 220 in 4:51 it's variable but without name 🤔

Microsoft Defender better watch out

I think the simplest thing would simply be to rewrite the "eval" function to print instead. it would also be somewhat more secure since it might be called from other places as well.

Where can I get the original sample? :(

When does this actually trigger? When does it hijack the clipboard?

What if the maker of this scripts is watching this video xD "oh shiiiiii"

Very Good my teacher 👨‍🏫

0:30 onions aren't spicy, John 🤦‍♂️

Is wscript enabled by default in win 10?

why did the developer used the "new function()" syntax in the first layers instead of an eval? it is an evasion technique?

It feels good and sad to see that these guys put so much efforts to obfuscate and encrypt the code, and you can just remove the eval function and let the computer decode all of it for you ^^

Could you try the notpron riddle - see how far you get?

do you have a discord server?

How they make people to download and run this script ?

Why to file Wi-Fi hack the handling.

I would be interested in building something that automatically beautifies. We could use Go and an API call. Thanks for the content.

John, where do you get your malware samples from?

hey John, i am new to cybersecurity ..just subscribed

hey everyone I was asking me one question, how can we get tha kind of Jscript/VBS/VBE/... files can someone help me thanks for your answers

I love how languages over lap -- di comando e controllo

great video 😉

Thanks John. You really inspired my to sit on my lazy ass and continue watching your videos!

Your the best men 🔥❤

I am surprised only eset detected it

i don't even understand it but I still keep watching. I don't know why.

I was laughing so hard as it went further and further down the loophole and when it got to stage 6 I was dying

I enjoy your videos because of the not-so-awkward silent moments.

I am once again asking you to beautify the code

Thanks 🙏

Now if only it was this easy to find their current physical address. I'd go say hello to them, and introduce their backend to a soft viper.

I've heard of similar malwares that have a whole dictionary of addresses bundled with them, and will sub in the one that most closely matches the real one they're replacing. Spooky scary. Always check your addresses thoroughly, not just the last couple digits!

Is there some tl;dr for this video?

Don't mind me, just keeping up the engagement.

Any plan to do the Wreath network? Would love another super long livestream like Throwback going through the whole thing.

I'm still thanking everyone who recommended *4matic_hack_* here, you all are the real Life savers,my business account is back finally with his help.

In other words: Don't use js for malware...and also don't use other languages for malware

Why write a tool to unpack it? Write a tool from the parser/processor and list/breakpoint when functions happen. You run the code, it tells you it tried to access these methods, this many times. Skip a ton of obfuscation possibly and get more to what it's actually trying to do. When it tried a shell.run, print the commands, when it tries a sendhttp, don't and print the request.

its march 10th 2020

Wait, so is there a way to report your stolen btc, or do these people simply get away with it?

1:15 almost slipped out a BULLSH**