Some incredible folks in the Discord (shout out to you, @db!) helped fill me in that this is actually the "sLoad" malware family. Good links for further reading and exploration: svmvzypnse2tk4cg4e4l32t6oy-adwhj77lcyoafdy-cert-agid-gov-it.translate.goog/news/malware-sload-sfrutta-pec-[…]alevolo-annidato-in-doppio-zip/ twitter.com/luc4m/status/1331550804990373890 www.microsoft.com/security/blog/2019/12/12/multi-stage-downloader-trojan-sload-abuses-bits-almost-exclusively-for-malicious-activities/
@TwinTailTerror 3 years ago
ya unless you can't talk in any channel and you point that fact out and the admin aka you kicks you, why bother to invite ppl to discord if they can't assign their own roles and speak? and if they do point that out via pm you just boot them cuz it breaks the rules. i mean how else u gonna get something fixed, kinda dooshy move guy.
@bobmclane3017 3 years ago
Love the ILSpy and malware decoding but equally miss your CTF (TryHackMe/HTB etc.) :) please keep both coming John
@K-Anator 3 years ago
@@TwinTailTerror Dude. Did you just forget how to read when you joined the server? I joined purely out of curiosity to see just how daft you were. And oh boy, you're daft af. If you read two sentences, you would have been able to join in discussions no problem. You had to type one command in the welcome channel, and react to one message in the roles channel. It's literally that simple.
@ddjazz 3 years ago
Would be nice to see an update with a follow-up video, part 2 :)
@its_code 1 year ago
Is VBScript still used on today's modern Windows computers, like 11? Is the VBScript compiler installed by default in Windows 11?
@eklypzn 3 years ago
I think there's a happy medium that you can find between this and your normal long form videos. I think the way this was done would be fine occasionally, but I do enjoy going on the adventure of the long form videos.
@worm628 3 years ago
I agree with this comment.
@errr-iw4lz 3 years ago
I agree with this comment.
@styleee1337 3 years ago
I agree with this comment.
@dosu360 3 years ago
Same here. The "live" version makes me feel as if we are solving it "together" in a way.
@kill3rvill3 3 years ago
agreed
@MrKuma352 3 years ago
I really like the educational style of the normal videos. Doing it on the fly and taking a look into your thought process is really entertaining
@JeeliBeeli 3 years ago
This malware had a disturbing lack of tangent functions
@yigglesmoto 3 years ago
The "Try Harder" sticker above you while slamming your head into the door fits perfectly. Love these shorter style videos; I don't always have the time to watch your full 1h+ long videos. The editing style was refreshing too.
@Lampe2020 1 year ago
I didn't expect you to make such a funny video, I always thought you'd just make very professional videos, no big jokes, just get the malware into pieces. Very nice to lighten that up with some jokes!
@viv_2489 3 years ago
We do like the older style as well :), going through slowly, trying different things to get over
@MrDawgTagz 3 years ago
Just wanted to help the algorithms a bit, also wanted to let you know you've been a big inspiration for me. I went from watching your videos and not understanding anything, to now running my own Kali machine and having lots of fun!! Thanks for the content, keep it up!
@galaktoza 3 years ago
Did you just blow up in subscribers? Well done man, deserved!
@tuckerward9844 3 years ago
I like getting to see your creativity come through some more with the editing, but also still personally prefer the long-form (less edited) videos just as personal preference. I'm watching either way.
@BrainD22 3 years ago
This video really made me laugh! I'm normally more a fan of the videos where you go in blind to understand your thought processes, but that editing was great. A good mix would be awesome!
@mef9327 3 years ago
For the algorithm: I just found this channel. It's fascinating even though I didn't understand any of it. I read a couple of "Visual Basic for Beginners" books and wrote a little app for myself. I know what declaring a variable is and what a function is. So, I understood about 4 sentences herein (without understanding the specific significance or context). Still a cool channel. Subbed. As for long-form vs short-form, I'm too new and too inexperienced to offer any meaningful feedback. That said, *generally,* I like long-form on technical, exploratory/problem-solving subjects (i.e. not meant to be a tutorial or introduction to a subject). It seems to help to pick up contextual clues as a thought process is being developed in real time.
@johnwesolowski1134 3 years ago
I liked this style. Still had the educational parts which are cool yet was more condensed for easier viewing. Good job on the editing :D
@real1cytv 3 years ago
While we are on the topic of Rick and Morty malware: apparently there is a video file with an episode (or what claims to be) of Rick and Morty, which is actually a coin miner. That might be interesting to look at. Also, I really enjoyed the edited style.
@StefanPoggenpohl 3 years ago
I very much enjoyed this style of video. This is much nicer to actively watch while I let the other long videos mostly run on a side screen when doing chores or workouts.
@lrmarquez80 3 years ago
Watching your videos on inspecting code helped me a great amount in my first hacking competition held by the National Cyber League. Thanks John! I found out it's important to stay up to date on zero-days and other exploits being found, and your videos are helping me keep up with things... PS: your video on the sudo vulnerability was gold!!!
@Konym 3 years ago
3 whole days in a row of malware analysis. This is amazing.
@simonebrazioli2206 3 years ago
Love both this edited video and your usual style! But your usual style in which you go through the code 'with us' is more educational and informative, I think. But, man, love me some memes!
@lfionxkshine 3 years ago
Someone on r/cissp mentioned your name the other week. Started watching your vids to see what's up, now you are a part of my morning routine. Love your stuff, helps me be a better admin
@Tw3ntyyyy 3 years ago
Third in a row nicee, getting an evening routine
@shaank0647 3 years ago
Super informative and funny, can't ask for much more in regards to keeping viewers engaged!
@RyanRath 3 years ago
It was a great vid, but honestly I really enjoy the raw videos and walking through the thought process with ya. So if it cuts hours off your day, raw all the way man
@deeznutz393 3 years ago
the editing on this one is IMMACULATE
@JustinC-thetacom 3 years ago
Have you tried querying the servers with different user agent strings like the one used by BITSAdmin (Microsoft BITS/7.5)?
@Timooooooooooooooo 3 years ago
I enjoyed this format. Made it a lot easier to find time to watch this
@DePhoegonIsle 3 years ago
Honestly... I'd really suggest setting up a 'network cache/proxy' for an entirely shielded VM, and running the methods & seeing what the calls end up being & what ends up being sent & received. -- it's kinda how I captured several PS3 game installations to be stored (that I legitimately owned). I know it's kinda reckless.. but perhaps a dedicated machine of Windows 10.... behind a proxy cache server w/ a very strict in/out through said proxy only might be a good way to capture the raw files & data flying back & forth... and to see if any... which tricks are used.
@glarg811 3 years ago
Love your work man! You inspire me to try harder! Can't wait!
@asbestinuS 3 years ago
Hi! I am thankful for your videos and this one as well. However, like other commenters already said, I'm personally more a fan of the longer videos where you find stuff with your initial reaction and then follow your thought process. They are already very entertaining for me (I work in IT but more as the Windows administrator) and honestly I'm pretty shocked what is possible. But it's very interesting! Also I wanted to praise your Hafnium Exchange Server analysis, very good!
@noahpeltier 3 years ago
I'm sure someone has suggested this already, but it's possible there is a key used in the code somewhere that passes to the GET request in the headers. Might use a Basic auth method.
@BloodyfreezeYT 3 years ago
I came cause it was a suggested link for Rick and Morty. I subbed cause it was a great breakdown. Love the format. If it's a large time consumer, maybe cut down the frequency of the fun stuff, but was enjoyable.
@nullp01nter20 3 years ago
I really love this method. It's funny and informative. I hope you continue. :)
@vgarzareyna 3 years ago
Wish I could wake up early enough to watch the premiere
@LeonVQZ 3 years ago
It was a fun video! I liked the style. I like the shorter video format, but I don't mind a 2 hour long video from time to time on the weekends.
@ApfelJohannisbeere 3 years ago
For very long episodes I really really love the summary! Though for sure most will want to have very interesting stuff full 'verbose' of these interesting sections (especially those that you haven't covered already with your other videos)!
@itairon9338 3 years ago
I LOVE this new approach and style, I hope you do more of these
@rodpombo598 3 years ago
I like how your YouTube skillz are growing!! thanks for all the great content (even for a noob like me!)
@TrueBenja14 3 years ago
Love the edited format. Great video as always
@joyzyyy7810 3 years ago
Yooo, I love the new editing style, keep it up
@cscogin22 3 years ago
Awesome video man, I enjoyed the new approach, entertaining and moved along at a good pace! Also very funny!
@DavidAlvesWeb 3 years ago
Now this is my kind of malware 😎
@Sawta 3 years ago
Personally, I like it when you figure it out on camera, but whatever helps you keep putting out content works for me. I'd be interested to know: for people who want to start examining malware the way you do, what steps should be taken to stay safe-ish? I realize doing it in a VM is a must, but any other major points?
@yossig7316 3 years ago
I like the new style of video, but I love the normal ones you always do more! This was very fun though :-) Thank you!
@AgLenoir 3 years ago
Love this segment, and the style made it fun as well as informative
@DHIRAL2908 3 years ago
The meme editing was hilarious!😆
@WhyDoIPosttt 3 years ago
28:16 ... enhance.. Enhance... ENHANCE *CSI Zoom Enhance*. Great video John keep it up!
@otesunki 3 years ago
2:17 that INSTANTLY jumps out at me as c:\windows\
@kalote86 3 years ago
The montage level of this video is hilarious and fricking awesome. Thanks a ton o/ ... The content is also good :)
@ca7986 3 years ago
Ahaha love this new editing! ❤️
@dreamz420 3 years ago
that video was well cut, good one John
@caleboleary182 3 years ago
Nice editing my man. Made me laugh out loud several times.
@chrisbishop6928 3 years ago
I will never be able to view the plumbus the same after this one
@Red4mber 3 years ago
I LOVE this new style of videos. Keep it up, it's excellent!
@Phaix 3 years ago
You could check if they implemented a User-Agent check. If I wanted to limit access from spiders/robots or normal browsers, I would implement a check for the User-Agent.
@alexandrecovolan8145 3 years ago
Pretty neat the new style of video. Loved it.
@romanokeser 3 years ago
Yo this was a neat video, not too fast, not too slow. I like it a lot.
@humanflybzzz4568 3 years ago
This was oddly fun and satisfying. I'm really bad at PowerShell and VBS, but this gives me an itch to learn it :)
@amaz404 3 years ago
“Morty, I’m a drunk - not a hack!” ~Rick Sanchez, season 3 episode 4
@omarora7119 3 years ago
New channel logo is great!
@sameurbenhmouda1456 3 years ago
About the video style and format.., I think we'll still watch ur videos whether it's a 30 min video or more than an hour xD just do whatever makes u feel comfortable xP
@tordanielsen8458 3 years ago
Like the mix of edited and live :D
@lepsycho3691 3 years ago
That was nice, a little bit easier on the time and overall digestibility, but I think it makes it feel more real when we experience it as you go and see the thought process behind it. Maybe you could do twice the content, one livestream of the long style and one edited like this one? What do you think?
@PanoptesDreams 3 years ago
I really liked the long format
@h8handles 3 years ago
I stand by my point: you are making great vids, each time better
@Mike-bs5pi 3 years ago
Did you try setting the user agent and referrer for the curl? Dunno what, if any, BITSAdmin uses.
@vasylboyko7299 3 years ago
After watching your malware analysis videos I decided to disable VBScript on my machine. I also overwrote the Invoke-Expression cmdlet in PowerShell. Seriously, is there at least a single malware which uses PowerShell and doesn't use IEX?
@charmquark0 3 years ago
Well, your video is awesome. I love your content. I do hope that you do not keep spending more and more time editing and then get burnt out.... Please don't burn out :)
@crypt1c_mdp 3 years ago
I REALLY like those VBScript malware debunking vids, great content, keep it up
@dean8012 3 years ago
6:47 I have no idea why that made me laugh so hard.
@hydejel3647 3 years ago
This style is fun, but I think the old one is more valuable as a learning resource
@abdeabdc6964 3 years ago
Feedback: the editing is nice and funny
@hasmukhlalji6102 3 years ago
I like this video, very informative and entertaining at the same time, very nice
@TheOnymousillusion 3 years ago
John, thank you for everything that you do! I'm new to this space and was curious about the URLs you find in malicious code. This could be my lack of understanding about how curl works, and if it is I'm sorry, but aren't you worried about your public IP address being captured by these servers? This is assuming you're not using some kind of proxy in the background we don't know about. Thank you again for sharing the knowledge.
@fredb5626 3 years ago
Hey John, love your content man - don't ever change, you inspire me and give me drive, so thank you ❤
@dutchprime1488 3 years ago
I like this new style of video!
@alexanderwidgren8821 3 years ago
great video, love the new editing style too
@hamzarashid7579 2 years ago
Video editing is amazing!!
@WatsonInfosec 3 years ago
This was awesome please keep it up John, thanks!
@_dot_ 3 years ago
Let's boooost this channel into everyone's recommended videos!
@ibnsaltus 3 years ago
This style is so much better :)
@piolix0004 3 years ago
Hah some fun editing this time, I like it.
@StanLTU 3 years ago
Dude I will watch all your videos
@Basieeee 3 years ago
These vids keep delivering😍😍
@squirrel1620 3 years ago
Maybe look at the request BITSAdmin creates when it runs with that option. Maybe the web server is expecting something in the headers, like User-Agent.
@Psychopatz 3 years ago
Sir, great video as always. Btw, can you please decompile the infamous KMSpico? I've used that stuff a long time ago and I want to know how it works logically. That would be awesome.
@Serverfrog 1 year ago
As you saw a certificate: maybe it's using client-certificate authentication with an nginx config like ssl_verify_client optional; if ($ssl_client_verify != "SUCCESS") { return 403; }
@malakasitchan 3 years ago
I love this format! gosh!
@philipbraatz1948 3 years ago
It was good, IDK if it is worth the time to edit. I just want it cut down some from the normal vids
@MALACHAI39 3 years ago
@ 5:40+ Dude, that is funny :)
@makkam7575 3 years ago
You can try using requests in Python. I am no expert, but you can try making a POST request with the json argument and put random things in it. Also we don't know if there's a specific header needed or something. But in my opinion worth a try. Would highly recommend using Jupyter or #%% in VS Code to do so. If not, you can try using Postman.
@parmleyhunt 3 years ago
Love your videos but this one was gold, couldn't stop laughing
@lambdaboy-29 3 years ago
Wow I l
@alincraciunescu 3 years ago
Super! Thank you!
@PaulGuerra74 3 years ago
You can use client certificates as an authorization method, maybe that's the $Encrypted stuff. You should try adding that in the request headers.
@foxdk 3 years ago
Really wish this video was done live. That being said, I still love your vids. But you scrambling around, trying to figure out the try-catch issues, would actually have been very interesting.
@finthefail9599 2 years ago
He did very serious research there
@arronk3 3 years ago
Holy Jesus, another video, let's go
@Lars-ce4rd 3 years ago
30:08 ah yes, I see it too
@chedrgamedev 3 years ago
Nice new style ... I can feel the effort and hard work on this video. Well done :)
@daniel173880 3 years ago
Man I love your videos!!!!
@jht5225 3 years ago
I like this vid, but if I had to choose between this style and the one before this, I definitely prefer the other one