Unraveling the IcedID Malware Stager & Phishing Email

78,129 views

John Hammond

1 year ago

Learn even more malware analysis with 0ffset's Zero2Auto training! j-h.io/z2a And pre-register for their updated Beginner course! j-h.io/z2a-beginner
Help the channel grow with a Like, Comment, & Subscribe!
❤️ Support ➡ j-h.io/patreon ↔ j-h.io/paypal ↔ j-h.io/buymeacoffee
Check out the affiliates below for more free or discounted learning!
🖥️ Zero-Point Security ➡ Certified Red Team Operator j-h.io/crto
💻Zero-Point Security ➡ C2 Development with C# j-h.io/c2dev
🐜Zero2Automated ➡ Ultimate Malware Reverse Engineering j-h.io/zero2auto
⛳Point3 ESCALATE ➡ Top-Notch Capture the Flag Training j-h.io/escalate
👨🏻‍💻7aSecurity ➡ Hacking Courses & Pentesting j-h.io/7asecurity
📗Humble Bundle ➡ j-h.io/humblebundle
🐶Snyk ➡ j-h.io/snyk
🤹‍♀️SkillShare ➡ j-h.io/skillshare
🌎Follow me! ➡ j-h.io/discord ↔ j-h.io/twitter ↔ j-h.io/linkedin ↔ j-h.io/instagram ↔ j-h.io/tiktok
📧Contact me! (I may be very slow to respond or completely unable to)
🤝Sponsorship Inquiries ➡ j-h.io/sponsorship
🚩 CTF Hosting Requests ➡ j-h.io/ctf
🎤 Speaking Requests ➡ j-h.io/speaking
💥 Malware Submission ➡ j-h.io/malware
❓ Everything Else ➡ j-h.io/etc

Comments: 105
@luketurner314 · 1 year ago
In my opinion, reading out the wacky variable names adds an extra layer of entertainment on top of the already great content
@CM-xr9oq · 1 year ago
it was hilarious. John knew he was sounding crazy. "What kind of video IS THIS?!?"
@Lampe2020 · 1 year ago
Was about to comment "It's next level entertainment to stubbornly keep reading out those variable names!"...
@nikopisker8902 · 1 year ago
One day I'm gonna be on this level of CS
@c1ph3rpunk · 1 year ago
You won’t if you think this is CS.
@123sleepygamer · 1 year ago
@c1ph3rpunk What is CS even a shortening for in this context? I'm very involved in the IT world and I've never heard of that.
@Charybdis47 · 1 year ago
@123sleepygamer I think he means cyber security.
@JoakimBB · 1 year ago
It's either computer science or cyber security.
@nikopisker8902 · 1 year ago
@c1ph3rpunk Why not?
@laurenlewis4189 · 1 year ago
Hey! It's time for my 15 minutes of fame! Thank you for these educational vids, and thanks for the emails acknowledging my email/letting me know you would make this video. I got about as far as John did 15 minutes into the video, and at the time my JavaScript knowledge was so tenuous I couldn't figure out what happened next. My apologies to you all for not getting far enough to download the DLL from the attackers' server. Since my coworker/boss/nemesis was a little more vigilant after a previous (less interesting) phishing attack (that had worked), they did not detonate this payload and we never saw the later stages. Given that the Zero2Auto course is only about $200, I'm absolutely gonna look into that. This series is some of my favorite cybersecurity education, along with the videos teaching DIY lab setups and playing around with pentesting them, and I'd pay at least that much to learn how to do my own in-depth malware analysis. P.S. Even if I had been a little more skilled, I probably still wouldn't have downloaded the DLL; it's my understanding that some of the variables set in the URL identify the target and would probably result in my coworker getting more attention from future campaigns.
@martin3009 · 1 year ago
Would love more malware analysis / deobfuscation videos! They are really interesting and I'm absolutely hooked, even though I don't always completely understand how they're constructed. Hope you'll post more, even if we've seen the malware before
@pouyatoutounchy1238 · 1 year ago
I enjoy this type of video, more of these, please! I receive millions of this type of malware in my email and I do go through them but the way you do it is fun and I like it a lot!
@peternavarroiii3944 · 1 year ago
Love the way you unpacked the entire thing. Mind blowing lol. The amount of experience and skill it takes to get to this level.
@PenAce · 1 year ago
I absolutely adore the methodical dissection of code and your method of stepping through it with the jokes. Legend!
@sharkking9679 · 1 year ago
Thanks so much for these kinds of walkthroughs. It made me wanna get more into this.
@dezwilliamz · 1 year ago
Great work! You always come out with some really informative and educational videos! Love it!
@CM-xr9oq · 1 year ago
Those variable and function names will drive anyone crazy. I was really hoping it would somehow end up with Opposite("Always coming from take me down")
@DarkFaken · 1 year ago
This was so enjoyable to watch, thanks for sharing 😁
@willievandermerwe907 · 1 year ago
Awesome content and well presented, well worth a watch
@scottch4444 · 1 year ago
Love these kinds of vids. Have you ever done similar videos with the samples from the malware traffic analysis site?
@kyputer · 1 year ago
This video rocks. Thanks, John! :D
@moustafakashen3610 · 7 months ago
Love the content John!
@gdr1174 · 1 year ago
Very informative, thanks 👍
@LinuxJedi · 1 year ago
I love it when you do malware analysis.
@Stroopwafe1 · 1 year ago
Never thought that the technique I used as a kid to up my word count in Word by changing the font colour would be used by malware, since it seems so obvious now as an adult.
@TxRedneck · 1 year ago
I did enjoy this one, thanks man!
@franzxawer4501 · 1 year ago
I love it 👍 greetz from Germany
@phontric · 1 year ago
Great Stuff John
@mollthecoder · 1 year ago
As a JS dev, it hurt my soul when you got the window error
@dr.pentest5691 · 1 year ago
Thank you very much for your valuable information
@guilherme5094 · 1 year ago
Thanks John👍
@Mohitkumar-ug8jq · 1 year ago
My favourite video of phishing
@xantochroi · 1 year ago
Thanks for the well-made videos.
@NoportOfbot · 1 year ago
Thanks John, and again I learned something new :)
@JanRautiainen · 1 year ago
I am just waiting to receive my first phishing attempt so I could also try to dissect my first malware for analysis
@paritoshbhatt · 1 year ago
Insightful
@England91 · 1 year ago
It's good that Windows Defender caught and flagged this.
@Jeeeee-in6hi · 1 year ago
I love your videos! I also couldn’t stop laughing with the function names doorpowlove lovekarolpumps😂😂
@simplyydev · 1 year ago
Okayy finna watch this before the majority hehe
@HuhnK0t · 1 year ago
Good day, enjoyed as always. Is ooknibs still a thing?
@pqudah · 1 year ago
Nice stuff, an absolutely entertaining series. Is there a way to submit some malware I got for analysis?
@alexlefevre3555 · 1 year ago
If only everyone knew shenanigans when they saw it... such as such a polite ask to enable all the doom from the file. It looks innocent enough if you simply didn't know any better.
@narayananr8650 · 1 year ago
@John Hammond can you share a sample of the maldoc if possible?
@bradley6727 · 1 year ago
The tag is backwards and an hta file. Nice
@Zonumgolf · 1 year ago
Hello. I'm completely new to the space of cybersecurity, like no background in IT at all. What would you recommend for a beginner like me?
@AnalogMonkey-dr1yw · 1 year ago
Hey John... maybe I'm late to the party and thinking something that goes without saying for others. I'm also not yet totally code-smart and running off of a kind of general analysis, but is it possible to re-examine this from the following angle: Is the while loop decrypting the long string in dowGirlDow, pointing back to the index within the doorPowNext string? Obfuscation via cipher, then use of the while loop to decipher a payload? Or am I off base? Or stating something obvious?
@mandooooooo781 · 1 year ago
Hi John
@psychoSherlock · 1 year ago
Him at 25:22 😂🤣😹 LOL
@HentaiNat · 1 year ago
Why do they register domain names instead of using the static public IP of the server they hosted? Is using that "bad"? Or use some unmoderated pastebin alternative if such exists. Would it be possible for a script to download some kind of "onion site curl" and get the payload using onion sites instead, given that onion sites are harder to shut down?
@guruhariroxz · 1 year ago
Oh John, you read js source code better than a JS developer xD
@blinking_dodo · 1 year ago
Nice stuff. Looks like stuff I could do too though... How much does this kind of work pay? 🙃
@louisrobitaille5810 · 1 year ago
However much you can get out of people 🤡
@Bobbias · 1 year ago
God I wish the obfuscated code I've come across was this easy to dissect.
@yakingvet6328 · 1 year ago
🤘🏻🤘🏻
@gpdally-tupa · 1 year ago
LoadsLikeVidieo 👍
@scottch4444 · 1 year ago
But where did you get that shirt?
@vrushabhpatil2867 · 1 year ago
Why did you give such a reaction at the 25:22 timeline?
@brianb5723 · 1 year ago
Because his huge monitors flickered, a VM issue. Not related to the reversing.
@user-ix1pn4xy4e · 6 months ago
@heathbarnhart1092 · 1 year ago
Pre-watch prediction: houdini. The obfuscation method was interesting. Certainly confusing to read, but I imagine it would make it easier to detect based on signature. Prediction: :(
@Sch8ill · 1 year ago
[DISCLAIMER]: Video is too good...
@hassanaliraza78 · 1 year ago
Can you please share a copy of this file? Need to experiment on it.
@-stoner · 5 months ago
I love it when someone tries to understand my malware. I DO NOT KNOW HOW TO CODE, THIS IS NOT MY MALWARE, ALL JOKES
@violetwtf · 1 year ago
Feel like these are acronyms, doorLikeLike = DLL?
@frofro7355 · 1 year ago
Couldn't you just replace that eval with console.log?
@m.m.m.c.a.k.e · 1 year ago
Arch nemesis 😅
@deancrypto5939 · 1 year ago
RIP VK
@Asiegrist92 · 1 year ago
The first comment about a bot farm pushing what looks like an investment scam is very entertaining.
@HTWwpzIuqaObMt · 1 year ago
Just close your eyes and listen to "doorPowDow"
@darkcasterx4628 · 9 months ago
Bro, these function and variable names got me confused as a mf.
@killnme6212 · 3 months ago
May I ask why you chose windows 10? I was assuming you’d use a Linux. I also assumed that most malware would be created on Linux. I’m a noob
@killnme6212 · 3 months ago
Never mind I get it. Duh?!? Lol but I still thought you’d use a super coded Linux something. Still real cool thanks!
@tomysshadow · 1 year ago
I don't understand why malware writers go to this effort to obfuscate their code. Do they think it'll bypass Windows Defender? It clearly doesn't, we saw it get caught right away. I feel like this is barely more effective at evading antivirus than if they didn't attempt at all. Am I wrong? It seems like "stages" are such a common theme in these videos, but what would prevent the DLL at the end of the video from being detected before it is run? What difference does it make how many steps they take before downloading and executing it if the buck stops there? Don't the stages just present more opportunities for detections of the various files created along the way? Wouldn't the obfuscation set off red flags for heuristic searches because of how obviously different from ordinary software they are with all the nonsense and gibberish?
@ThaKinGuiN · 1 year ago
The specific code (stages or DLLs) has to be recognized by AV first before it can be blocked. Hash detection for i.e. the password-protected Word document you receive or stages you download is broken by simply changing 1 character in the script and recompiling it, which just takes seconds for the bad guys. If they're targeting specific high-value targets they can even make "different" payloads for each individual. What the malware writers hope for is unrecognized code or PCs that do not have the latest patches for Windows or the latest signatures for AV. As soon as your AV is updated for this malware, it can and will block it. AV does not just block everything with i.e. eval and a download function in it, as those are legitimate functions for your PC. And that's also why you see the URLs where they download the next stages constantly change; AVs can only block URLs that they know are compromised, so there's always a small timeframe in which these URLs are not blocked by AV or firewalls.
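The point made in this reply, that an exact-hash signature is defeated by changing a single character, as an added example that is not from the video, the commenter, or the IcedID sample itself: a constructed stand-in for an obfuscated script, a renamed variant of it, and a hypothetical token-shape fingerprint that still links the two. The sample strings, the variable names and the KEEP list are all assumptions made for this illustration.

```python
import hashlib
import re

# Constructed stand-in for an obfuscated JScript stager (not the IcedID sample
# from the video): a benign string-building loop that ends in eval().
SAMPLE_A = ('var doorPowDow = "aGVsbG8="; var i = 0; var out = "";\n'
            'while (i < doorPowDow.length) { out += doorPowDow[i]; i++; } eval(out);')
# The "change one character and recompile" variant: names renamed, literal
# tweaked, whitespace dropped. An exact-hash signature for SAMPLE_A misses it.
SAMPLE_B = ('var lovekarolpumps="aGVsbG9="; var k=0; var res="";\n'
            'while (k<lovekarolpumps.length){res+=lovekarolpumps[k];k++;} eval(res);')
SAMPLE_C = 'document.write("hello");'  # structurally different control case

# Tokens: string literals, numbers, identifiers, any other single character.
TOKEN_RE = re.compile(
    r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\''
    r'|\d+(?:\.\d+)?'
    r'|[A-Za-z_$][A-Za-z0-9_$]*'
    r'|\S'
)
# Identifiers kept verbatim (keywords plus a few API names an analyst cares
# about, chosen here as an assumption); every other name collapses to "I".
KEEP = {"var", "let", "const", "function", "return", "while", "for", "if",
        "else", "new", "eval", "ActiveXObject", "WScript"}

def sha256_hex(text: str) -> str:
    """Exact-match hash: the signature style a single byte change defeats."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def structural_fingerprint(text: str) -> str:
    """Hash of the token shape: strings -> S, numbers -> N, other names -> I."""
    shape = []
    for tok in TOKEN_RE.findall(text):
        if tok[0] in "\"'":
            shape.append("S")
        elif tok[0].isdigit():
            shape.append("N")
        elif tok[0].isalpha() or tok[0] in "_$":
            shape.append(tok if tok in KEEP else "I")
        else:
            shape.append(tok)  # punctuation and operators are the structure
    return hashlib.sha256(" ".join(shape).encode("utf-8")).hexdigest()

def compare(a: str, b: str) -> dict:
    """Report which detection style would link the two samples."""
    return {"exact_hash_match": sha256_hex(a) == sha256_hex(b),
            "structural_match": structural_fingerprint(a) == structural_fingerprint(b)}
```

A token-shape hash is one cheap way to cluster trivially mutated variants of a script; it complements, rather than replaces, the behavioural and heuristic checks the reply describes.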
@damuffinman6895 · 1 year ago
A simple Google search would answer every single one of your questions.
@marksvirsky9103 · 1 year ago
It says "Windows user" in Russian, so… Russian virus? 10:50
@slonkazoid · 1 year ago
Doc language is also set to Russian
@ImTheRealEroooopsPlayzYT · 1 year ago
I have Parrot OS Security Edition. I can hack using ready scripts.
@petrovasyka8 · 1 year ago
Yo dude, the malware creator is a Russian-speaking person.
@surkewrasoul4711 · 1 year ago
😂☠️🎃👎🏆🎖️🏅🥉🥈🥇🥇😂😂😂😂👎👎🥴🥴🥴🥴🥴🥴🥴🥴🥴🥴👏👏👏👏👏👏👏👏
@lil-link · 1 year ago
Why are you pronouncing Copeland as "copelagen"? 😅😅
@edisdead2008 · 11 months ago
Enough with the ads. This makes for cringe content and I don't want to watch anymore.
@weniweedeewiki.6237 · 1 year ago
yes my g