- Videos: 17
- Views: 29,849
Embee Research
Added 6 May 2023
Sharing Educational Content in Malware Analysis, Reverse Engineering and Detection Development
Analysis Techniques For Beginners Getting Started With Ghidra
Demonstrating basic workflows that you can use in Ghidra to investigate suspicious indicators and validate functionality
SHA256:99986d438ec146bbb8b5faa63ce47264750a8fdf508a4d4250a8e1e3d58377fd
00:00 - Introduction
00:37 - Cross Referencing Strings
01:30 - Cross Referencing Variables
02:38 - Cross Referencing Entropy
04:35 - Cross Referencing Imported Functions
05:45 - Enabling Graph View
06:39 - Syncing with X64dbg
08:20 - Checking Memory Protections
09:20 - Resolving API Hashing
Views: 1,485
Videos
How To Decode Malware Loaders In CyberChef (Xworm)
Views: 1.2K, 9 months ago
An overview and decoding of an Xworm loader found on Malware Bazaar. Leveraging CyberChef and cscript to deobfuscate real-world malware. The file can be found on Malware Bazaar with SHA256:f2b1bc7fa74260725740c52550586725c072078c7bd57f12401acfe744aab556
00:00 - Overview
01:05 - Echoing Output
01:40 - Obtaining Output With cscript
03:10 - CyberChef Decoding
04:30 - Final Payload Analysis
Advanced CyberChef Operations for Malware Analysis and Deobfuscation
Views: 5K, 10 months ago
A demo of the longest CyberChef recipe that I've ever encountered. 22 operations covering Regular Expressions, AES Decryption, Register Management and Advanced Flow Control.
00:00 - Overview
00:50 - Registers
01:30 - Regular Expressions
02:10 - Forking
02:35 - Subtraction
03:35 - AES Identification
05:55 - Drop Bytes
06:00 - AES Decryption
06:50 - Identifying GZIP Compression
08:10 - More Regis...
Custom Obfuscation Analysis With CyberChef - StealC Malware Analysis
Views: 1.5K, 10 months ago
StealC Malware Analysis and Manual Decoding Using CyberChef. Sample can be found on Malware Bazaar with SHA256: 9ffcbb79f453876587c2a46a1eb320dae890d548d8bfa3df0f58abaf748c6d77
Malware Decoding With CyberChef - Guloader
Views: 1.8K, 11 months ago
Analysing a multi-stage loader related to Guloader. Leveraging CyberChef and Regular Expressions to extract a 2nd-stage URL. SHA256:97fc3f69be8ead7567d409c43f074e6fecdc195b5dbdcad1142394d17857ce7e
Cobalt Strike Decoding and C2 Extraction - 3 Minute Malware Analysis
Views: 2.5K, 11 months ago
Decoding a Cobalt Strike shellcode loader with CyberChef and emulation. You can obtain the sample on Malware Bazaar with SHA256:acc23a776415d931b64e95919b3372562b17a7c2717e1d530b031a6f29404b94
00:00 - Overview
00:13 - Base64 Identification
00:25 - GZIP Identification
00:38 - CyberChef Decoding
01:23 - XOR Decoding
01:45 - ShellCode Emulation With SpeakEasy
02:15 - Identifying C2 Address
Defeating Multi-stage Malware with CyberChef and DnSpy (Xworm)
Views: 1.9K, 11 months ago
Investigating and decoding an Xworm loader script. Leveraging CyberChef and dnSpy to perform AES decryption and C2 extraction. SHA256:e5dac6f6d2ab4c479c5c3e91064f335de141c8399bd93f8267e13f134c578c0f
Manual Malware Decoding With Procmon - Pikabot
Views: 1.3K, 11 months ago
Decoding a Pikabot .js loader using Process Monitor (Procmon). The sample can be obtained from Malware Bazaar using the hash SHA256:7808be7f2b92c775f6ef047ffc857d8731e75bf486a45fec1c4d199b43c5a6c2
DnSpy for Malware Analysis and C2 Extraction - (Xworm)
Views: 1.2K, 11 months ago
SHA256:e4c179fa5bc03b07e64e65087afcbad04d40475204ebb0a0bc7d77f071222656
Cobalt Strike Shellcode Analysis and C2 Extraction
Views: 3.1K, 11 months ago
Malware Bazaar SHA256:3e1aadef9e05b98e31fc7994dd3405a45da77fbb69632e31f7aa95d397201de0
Speakeasy: github.com/mandiant/speakeasy
VBS Decoding With Cyberchef (Nanocore Loader)
Views: 894, 1 year ago
SHA256:2591a9311a86e838ae87d5bc29352907d99d4c83b5c83fa5853d969b0189a94e
Decoding Obfuscated Powershell and HTA Files (Lumma Stealer)
Views: 2.9K, 1 year ago
Decoding a Lumma Stealer .hta script and extracting encrypted PowerShell commands. The file can be found on Malware Bazaar with SHA256:f0d9ef8b557debe5d94338cc84c89bdc54dda938d1b24b8c01cca42f468b1387
Simple Javascript Decoding and C2 Extraction (Redline Stealer)
Views: 1.1K, 1 year ago
Malware Analysis - Decoding a simple JavaScript file related to Redline Stealer. SHA256:2bf3abafd3c5119d54aa9033d393851d3d9c90505d78e3ef62cffbd62c11e135
Unravelling a Powershell Trojan (Quasar Rat)
Views: 1.5K, 1 year ago
I was just looking around for vids about how to analyze .eml files with CyberChef and I stumbled upon this. I didn't realize how much obfuscation played into the design of malicious code! You read through that so well!!
Williams Robert Martin Deborah Johnson Laura
Why would you have the encryption key straight above the code you're trying to hide xD
It needs that encryption in plain sight only to conceal itself from antivirus monitoring. Probably each instance of this malware has a different pair of encryption key and payload URL; it's pretty much impossible for an AV to have a signature on all these possible bogus combinations.
Great video!
Loving it, do you have trainings of your own?
Thanks a lot for these videos. Would you mind providing us with these scripts so that we can work on them as well, just to familiarise ourselves?
Would the beacon code that you are reversing be on the endpoint?
Very excellent!!
Excellent video!!
Hey, Speakeasy is not working? Any alternative?
that's insane
That's so cool. Thanks!
OK, so I have a few questions: 1) Why do you need this? 2) This helps you with what?
The main idea is to build something that can auto-decode similar samples. It saves time to automate the process of extracting IOCs and not have to manually decode each sample individually :) Normally you would do this in Python, but it's cool and helpful to prototype the logic in CyberChef.
Hello. Great videos. It would be helpful if you could make a video on setting up a malware analysis virtual machine. Thanks
Hey thanks! I'm hoping to make a video soon on setting up an analysis machine
@@EmbeeResearch Thanks
Great content always
Thank you :)
I think you should make a course on RE. It would be super helpful to people. Nice explanation 👏
Hey thanks, that's something I'm considering :) If you haven't checked it out, I have a bunch of RE tutorials on my site www.embeeresearch.io
I feel that the Find & Replace, and adding new lines in PowerShell, can be done more easily within VS Code. Otherwise, a great usage of CyberChef, love it.
Embee done with CyberChef 🔥 John done with Chepy ❤️. Both are absolutely lit 💪.
How did you master CyberChef? Any useful resources, please do share. Thanks for the awesome content
Very interesting, thanks!
Thanks for watching! :)
Brilliant
I am a line cook... you are truly a chef
I shall now refer to you as Embee the CyberChef master 😍🤓 I did not know that CyberChef had addressable variables. Now I do, and it blows my mind that I did not know before 😂
What is the hash of the binary, dear?
befc7ebbea2d04c14e45bd52b1db9427afce022d7e2df331779dae3dfe85bfab :)
@@EmbeeResearch Thank you dear for sharing the knowledge. Keep going!
This is awesome! Any recommendations that you found useful for beginners trying to learn malware analysis?
Awesome
What are you using to decode?
I'm using regex and Visual Studio Code :)
@@EmbeeResearch wtf!😂
Amazing stuff. Can we manually download this DLL and find the hash of it?
Thanks! I think the address is down, but a DLL is probably on VT somewhere :)
Great work
Thank you ☺️
Thanks for the content, any plans to reverse the 2nd stage?
Yeah, that would be cool
Yes, potentially in future :) I'd like to make some content on shellcode and this would be a good example
Nice work. Audio a little low.
Thanks :) Fixed up some audio issues, volume should be better on the 2 latest videos.
To the point explained, subscribed...
Amazing content!! Keep up your nice job!! One question: how do hackers hide themselves behind DNS if this service requires identification, credit card number, name etc.?
Thank you! I'm not 100% sure, but I would assume they use fake or stolen details to register the domains. They might also leverage the legitimate domains of machines/businesses that they've compromised :)
Nice
👋
Your content is great. I'm new to binary simulation things and loved it 👏
Thank you! ☺️
A great YouTube channel. I would only suggest having a higher volume for your voice, because I cannot hear very well what you are trying to say, even with max volume :)
Thanks for the feedback! I’m working on fixing the volume. Should be better for upcoming videos 😊
Great vids! Easy to follow, keep it up!🤙🏽
Thank you! 🥳
Need more
Wow impressive!!
Glad youtube recommended me this channel :)
Need more like this
More coming soon! 😊
Can you please do a video on how to set up your malware analysis VMs (networking, what bare metal you're on, how you get samples onto the VMs with/without a NIC, etc.)
Sure thing. I've been meaning to put something like that together. In general I keep networking off completely and use drag/drop for file transfers. For bare metal I use a base model Asus G14 laptop (7940HS and 16GB RAM).
Great tutorial. Other than "FC" are there any other bytes to keep an eye out for?
Thanks! Yes, there are a few. I'll put together a list and get back to you 😊
I was hopeful that you would download the DLL and analyze it
This one was an older sample so the DLL wasn't available anymore. Later I'll pick a newer sample and show how I would download and analyse it ☺️
Thanks for the channel!!
Thank you for watching! ☺️
One of the most underrated YouTube channels, thanks for the good work
Thank you for watching. Glad to hear you enjoy it ☺️
Very interesting, please use dark mode next time :)
Thank you. Noted, I'll try and use Sublime or something with dark mode next time :)
Good video.
Thank you :)