MALWARE ANALYSIS - VBScript Decoding & Deobfuscating
HTML-код
- Опубликовано: 9 фев 2021
- If you would like to support the channel and I, check out Kite! Kite is a coding assistant that helps you code faster, on any IDE offer smart completions and documentation. www.kite.com/get-kite/?... (disclaimer, affiliate link)
For more content, subscribe on Twitch! / johnhammond010
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: / johnhammond010
PayPal: paypal.me/johnhammond010
E-mail: johnhammond010@gmail.com
Discord: johnhammond.org/discord
Twitter: / _johnhammond
GitHub: github.com/JohnHammond
I came to see what this was. Was going to watch for 5mins... stayed till the end and wanted more 😄
lol! same
Same, I even drug my wife in about 15 mins in and had to restart. Lol
Same, i clicked midway and watched a few seconds, then ran it to the beginning and watched it all thoroughly! Good content, John!
Lol! same. I thought it was just a boring schinzel about a code.
Sorry to hear that. The first 10 minutes of the video is a painful waste of time.
2:44 "I am running on Windows right now, so I don't think I can run a .vbs..." But right under: "Programs that can open VBE files". It runs on Windows.
I was so sorry for Mr. Hammond.
This video is just an artistic description of how much John hates tangent functions
I'm having to relearn trigonometry related stuff, because I'm studying computer graphics. Man, i forgot how I hated this part of geometry at school. Gotta stay on top of it though
I guess you could say this code kept going off on tangents...
interesting way to throw off virus detection... var random_int = 344; var tangent_of_random_int = Tan(random_int); var cotangent_of_random_int = 1 / Tan(random_int); over and over...
All of that was nonsense though... the real script was just stored as a string of ascII characters separated by a "@@@@@" delimiter.. and then that string was executed.. Once again a vulnerability exists where a script allows execution of string data as code... Mainly an issue for interpreted languages.. But I guess compiled languages could have this too but the compiler would also need to be included with the runtime, right?
@@tibettenballs4962 What is wrong with you?
Realising that entire ascii value-ish blob of nonsense was the actual malware, which was executed as string joins, has been a truly astonishing upload.
I've never expected this'd be my morning
That's very common with malware, most of everything else in this one was just to try not to be flagged by antivirus.
That's not astonishing at all.
That's how they escape getting detected by anti virus software. Becz the code is executed by another code all in the memory.
When he sad "Now we're getting to the real malware", that's when I started not understanding anything anymore
when he sad 😔
@@AkariInsko LOL
😂😂
Lol this kid still won't fix it XD
Yeah I was having fun watching him decode it, until he was actually reading the malware, then I was like oof I have no idea what's going on haha
Probably the tangent stuff was intended to send a malicious person on a tangent. This was fascinating to watch.
Haha my thoughts exactly.
Malicious programmer: and let's send them on various tangents , then declare a bunch of functionas, redefine them and never call them.
i was expecting the eval function to reference those variables for calculation
Thank god im not the only one what looks up these functions, reads the documentation, and the first words out of my mouth are "but wtf does that even mean"
"I'll secure my malware by obscurity". Nice
New variation on "security by obscurity" - sending the reader off on tangents...
That switch to dark mode killed me 😂 Google was like "HACKER MODE ENABLED"
That's big brother algorithm
“To the dark side”
I was actually hyped when I saw that. I've been waiting for that for years.
Bennyhack_ on IG just made my day,
All my files back like magic.. Thanks
"They're trying to save my eyeballs."
No, friend. They are trying to save THEIR eyeballs.
So in VB, you can have arrays that can indexed in anyway you choose, and this can be chosen per array. If you wanted, you could have an array that's valid indices were 5-10. The purpose of LBound and UBound is to determine what that range is for a given array. LBound(array) returns the lowest index while UBound(array) returns the highest index. This allows for a generic loop structure of
For i = LBound(array) to UBound(array)
stuff using array(i)
Next
Thanks, I hate it
@@actualFix at least they don’t start at 1.. not necessarily that is....
So basically VB Dev were like, hey let's creat this problem call it a feature and supply the solution by creating two functions
@@0xwhoami No, they where like "hey, lets give the programmer the flexibility of using whatever index they like, instead of creating an unnecessary problem of mapping the lower boundry to 0".
@@sanguchito7381
how is that a problem in any other lang like rust, python, c or java....etc
Those random, doing nothing functions such as the excessive amount of sleeps and tangent functions are to evade from anti virus sw, that checks for hashes and heuristics. Those are added progressively with each version of the virus.
That is really cool to learn. My thoughts were also to induce human error.
Ex he’s deleting tangent function code and then accidentally deletes essential code but doesn’t realize it after deleting them so many times
To quiet a few annoying trolls, in this video I mistakenly said "I can't run a VBScript file because I'm running Windows right now". If I were on Windows, I could certainly execute the VBScript. I should have said "I'm running Linux" because I am clearly using Linux for this showcase. (You can still partially run VBScript code with Wine on Linux, but your mileage may vary)
trolls be clueless lollll
Someone pointing out you made a mistake without first reading each and every comment is not a "troll" my dude. Don't go diluting the meaning of the word by applying it to everything.
does that mean you dislike trolls? realy? why? are they not cute?
@@Asdayasman People tend to call everyone they disagree with, especially their political opponents, trolls nowadays. Just accuse whoever you don't like of being disingenuous and you have a _valid reason_ to not argue the point anymore.
im so annoyed you havent google that regexpression yet
"I swear I've done this before."
- Famous last words
If the hacking action in hollywood movies are "real" like this, those movies would take hours before finish
Imagine an episode of Mr Robot - 44 minutes of coding and 1 minute of action/plot.
@@Auriflamme I love writing tools to make more tools just to watch them all do the work.
Wolverine could do it. “NEED MORE TIME!!!!”
Oh shit
Definitely 😅
"Lol. Let's just copy paste some random function a couple hundred times. There. Obfuscated. I'm a genius."
-some bad guy, probably
HAHAHAAHHA accurate
I mean, to be fair, John actually explains why they have so many of these tangent operations, which is to fool any external system trying to analyze the code or predict any specific behavior, they'll just think the code is doing random math stuff, while in practice the math stuff is completely useless, it's just used as a "mask"
@@LaughingShinoo I was referring to the constant declarations of the same functions with exactly the same variable names, content and operations below the actual code.
Not copy pasted, they clearly had some form of generator for this
Or he used alrread known by antyviruses script and did that to change its pattern and avoid detection.
Just when I was saying "he is wasting his time, this code is just a troll joke" you made the @@@@@ magic and BOOM! you found the cake! ^_^
Thanks for sharing your skills John! Really appreciated
As soon as i saw @@@@@ with numbers In between i knew that was were the virus was
@@nothingnothing1799 Yeah, blob of nonsense almost made John fool...
I thought the guy was a fool who didn't know what he was doing and some how made a virus. But the blob_of_nonsense was decided and BAM I instantly gained +100 respect for who wrote the code. I don't know how common this trick is but it is smart anyway.
I love learning with you! It’s always interesting and I feel like I’m learning along side you rather than being taught.
Will you be making more Malware Analysis videos?
It would be awesome! I like it
That would be fantastic! I'm trying to get into a security job, and knowing what malware looks like and how it works would be super super helpful, even if I don't use that knowledge in my interview or internship
This is my favourite john Hammond video so far ;) Dude you definitely need to do more of this stuff 👍
I agree, this teaches a lot about how mental people can get.
More please :)
I really enjoy these kinds of videos; fast-paced unnedited breakdown of malware
ur a legened
This was a great work-through! I loved watching your process! As a soon-to-graduate CS student, this brought a lot of stuff into focus, especially on how to work through these kinds of problems!
If i remember correctly, those tangets were called 'sandpiles', random piles of odd maths with completly randomized variables, was used to hide the first steps to decode stuff.
Me: Uh wow that's a long video. Let's watch it for 10 minutes and save it later.
40 minutes later -
*subscribes*
This reminds me of a situation that happened at a client I was consulting at in the late 90s (it might have been ILoveYou, but I can't remember). An e-mail with an attached .vbs file was running rampant on user's machines. They finally stopped it, but they had no idea what it was doing. Since I had VB experience, I was asked to dive in and see if I could figure it out. The code was obfuscated in many ways similar to what Hammond runs into in this video, but I finally figured out what the code was doing....and it was pretty nasty.
What was it doing?
@@headblockheadIIRC, basically deleting images from every directory it could find on the user's machines, including mapped network folders....which included corporate product images....that weren't backed up either 😮.
@@JasonBock Did people in the 90s already think about backing up stuff?
@@JasonBock Wow. That’s horrible!
Oh I remember that virus
I always enjoy seeing your thought process in malware analysis. Good stuff!
Just here to say you should definitely do more of these
Interesting how the code was hidden behind some random garbage.
Even the tangent functions make some sense now
@TruCrime interesting !
the main reason to obfuscate is to make it unreadable and hard to approach. even renaming all your variables and functions to random strings and base64 encoding everything will make quite a lot of people trying to read your code go "nah, this mess isn't worth my time"
What lifeOverflow has taught me: if you see a long string, there must be some decoding going on. So ignore the junk code and go straight to the decoding loop. Then you can get the return value of that decoding loop (or just the value you end up with when the decoding is done) and go around with it. Removing all of those /Tan functions is time wasteful
Agreed, seems this is providing beginners a general approach to understanding and breaking down code. Indeed once you’ve done an exercise like this a few times, there’s no additional benefit and in fact is slower.
@@EliotLu ⁷
I just got into learning IT and im very interested in coding. As I search more about coding, youtube recommends me videos like this. So You really got my attention by that caption. You got me even more hyped up about this all and you just earned another follower!
Fascinating stuff - thank you. Makes me realise now why I switched my brain off to learning coding when I was young. Just crossing my fingers that my yearly purchase of Bitdefender can cope, or that I remember to back up my drive very often!
The way you un-obfuscated that code was inspiring.
As someone starting to work in the coding/IT field, it blows my mind that someone made something this thorough.
Theres even more insane stuff out there, look up the NSO Group iMessage GIF zero click vulnerability. These guys used the GIF preloader of iMessage to load a GIF that in turn loaded a PDF which in turn used a broken decompression algorithm that has a classic integer overflow, which in turn they used to program virtual logic gates into the RAM, which then was used to build NAND gates (which are the basic building blocks of modern processors) and then build a VIRTUAL SOC with it, that could search the RAM for keywords and relay the information back to their servers, without you noticing.
EDIT: The GoogleProjectZero Blog has the most thorough analysis about it.
This was REALLY awesome to see you dive into this. Definitely would love to see more of it. :)
Loved the video man. Also a lot of the comments were really helpfull on getting a better understanding of what was going on with the first huge piece of code!!!
Him fighting the ragex is literally me, tears roll down my face everytime.
regex = "rage x", am I right? :D
Hearing him say "do I need that to be greedy?" and replacing * with + just hurts...
Cant blame him for not comprehending regex. I followed a minor where I learned parsing (and with it regex) and it was *brutal*.
Totally worth my time to learn though.
@@NostraDavid2 The worst offender is that different programs and languages uses regex differently so you must learn it all over again every time.
why did I just watch all of this and enjoy all of it...
I'm really realizing how little I know about computers now
Watching this video brought me back to my days of studying for the OSCP. I enjoyed this a lot more than I thought I would.
I did not expect to watch as much of this as I did! Great video!
It may sound a bit weird, but I love seeing you struggle with some things. Thanks for recording the whole thing. What matters the most to me is to understand your thought pattern and how you resolve the problems you encounter.
Same. I have only done a minimal amount of programming, mostly JS+CSS but I loved watching John dismantle and assess the code. The way he explained his methodology helped me better understand what I was seeing, and as soon as I saw the clear human coding, I knew exactly what I was looking at! Thanks for posting the whole thing!
In education terms, we call what he's doing a "think-aloud protocol." It makes one's thinking audible, which is very handy.
That first tag said "HAAAAA" because it was mocking you. It realized that it actually managed to stop you from reading the file
It got real juicy after second stage. I loved this video way more than I thought I would. Keep up the good work man!
I found it very cool that you were figuring it out as you recorded the video and showed all the troubleshooting though processes.
I'm only about 20 minutes in, but it's interesting to see this idea of a program obfuscating it's own code, then during it, possibly rebuilding it so that it can bypass virus detection. If that's what this thing is doing it's kind of brilliant if that's even possible. It seems like it has strings of characters that it's joining together, recursively. If, after all of that it used that newly made string for something devious, that's pretty interesting.
Yes, it's a clever idea, however that idea is (one year) older than the first computer virus (1948 vs 1949)
That was interesting! Thank you, I had a lot of fun
Only 10min into the video and i already like it. I enjoy how you explain everything step by step!
Randomly popped in my recommendations and I enjoyed every second of it! great job :) subscribed
I almost died of pain in the RegEx part.
Function .+[\s\S]*End Function
Would do it
i kept yelling "use square brackets!" at the screen
I don't think anything would have done it. If you read the status line it says the regexp is running out of stack space trying to pattern match the enormous file.
yeah, but this regex will not select each function separately like that ^Function.+(
.*?)+End Function$
@@dieregierung9388 ok now I can't even read it with my eyes anymore
In regards to the stack one, possesive quantifiers could've fixed it: So, "^Function(?:.*
)*+End Function$"
Houdini, he's the creator of H-worm an Arabic developer specifically from Algeria
Or en.wikipedia.org/wiki/Harry_Houdini - an escape artist !
yes i know the real houdini but we are talking about the hacker behind this worm his nickname is houdini
www.dev-point.com/vb/threads/411850/
The website is registered in Paris, France
@@AhmetMurati sounds about right for france lmao
yeah more of these, this video I really enjoyed and it was suspenseful, funny. Great workflow how you rename the functions to map a picture
this is so satisfying to watch I was like I'm going to go watch an episode of a serie and than change my mind like nah I'm just going to watch a short RUclips video and sleep but here I'm at the end of the video.
I just love how he stares into the void for a bit before he starts talking
You're like if Seth Rogen was a computer guy instead of an actor
So he scams his workers and spergs out on twitter on a regular basis saying hateful comments about whites?
I can see that
@@DMalenfant1 can you be a troll somewhere else?!
@@DemonDante1000 I am pointing out a fact. Don't be such a sensitive tnuc.
Well I'm glad I wasn't the only one to immediately think this!
I'm addicted to these videos. I learned more here than many other places. Keep it up bro!
I've seen these obfuscated vbscipts before, even deconstructed them a bit (but not to it's conclusion like you did ). Never thought I would see parsing a vbscript on RUclips, this was fun!
Those tan functions and the weird functions at the end did just what they were supposed to; you spent twice as long messing around with those puzzles than it took to figure out the core code! :D
Oh, Houdini! I remember having to deal with some variants of it before! It wasn't prevented by AVs back then. Luckily, they *did* block the extra downloads, so the infection wasn't too serious, but every USB drive ended with all files hidden and links to the VBE added, posing as the files. They did open your files after reinfecting your machine, so did not know anything was happening at all. The first couple times I had to deal with it I did manual cleanups of the systems and the drives, then more variants started coming in so I exploited the infection check and local update mechanism to make my own fake infection for our machines. The script thought it was running and that my version was newer than the ones it knew, so it did not replace it.
EDIT: And most new "re-releases" of Houdini or Dunihi are pretty much the exact same script with a different hostname and a different packing added to mess with its signature.
Its refreshing watching a professional break down a malware code into understandable code ; Great content man
This was fun to watch and I enjoyed seeing your process of "un-obfuscating" the code
At 29:56 you can see it's using windows new line which is 2 characters
and
(CR & LF) (Linux is only
), so in your regular expression you should have used
. Also, in vb you can declare arrays from any index to any index, so you can make an array like "Dim my_array(10 to 20) As Integer". LBound will return the lower bound = 10, and UBound returns upper bound = 20
Always use
?
and you're never wrong.
I was in physical pain watching him struggle lol
The last man using sublime text
Hey John! I'm currently in school for CyberSecurity. Your videos are always interesting and I enjoy watching them in the background while helping myself code.
Thanks for the content man :)
I genuinely enjoyed this video!! Tbh this video got me motivated to learn more programming so that I can analyze malware. Can't wait to see more !!
"Hashtag, at sign, tilde, karat, *haaaa*"
why is this so funny
The author was basically calling either himself or his code evil. Look at the numbers under those symbols. 32~6 you don't go from 32 to 6 you step up by one so 33~6 or in other words three sixes 666 ha ha ha, or twice as evil given the two instances of 3. There is also a secondary joke here in that ~^ is a euphemism for dangling a carrot on a stick. Presumably for downloaded additional coding that makes the end user think everything's been fixed only to pop up again and again and again. It's actually kind of clever really.
this was somehow even funnier than every meme channel combined
new to this channel but already learning a lot.. just combine John's content with memory forensics and you have your own forensics course. Great John. Please keep the spirit up.
I saw this right before going to bed at 11PM, stayed up watching pretty much the whole video, thank you xD
It's just crazy how many people stay here because they relate to what you're doing :D. I love your content and I'm actually amused by watching something close to what I do every day.
The premiere is perfect for this format of video. Feels live, but I think you as the creator can concentrate on chat + the hacking at the same time 👍🏻👨💻
I may steal this for my let's hacks instead of editing them for 8 hours 🤣
This was a really awesome video, John! Thanks for always giving great content!
very good walk-through, please do more video like this. Very informative
I prefer to let the code decode itself and then just pulling out what you need from hooking API calls or memory, but manual deobfuscation can be fun every so often.
@@deidara_8598 same xd that's a lot faster
@@deidara_8598 As root ;-)
@@deidara_8598 That is definitely one way to get the payload. :)
Tools like any.run are really useful to analyse network/system calls without decoding the payload!
This works if you know what you're doing and have the dedicated infrastructure for it.
I love how @25:00 he is the embodiment of "if you have a problem you are trying to solve with a regex you now have 2 problems"
Saw this as a random recommendation and midway through I already knew where it would go (eval + garbage code) but stayed for the whole thing. Thanks for making this.
This was highly entertaining and enlightening!
I'm taking a programming training course for the next few months, and having a glimpse into the wonderful world of cybersecurity like that, especially since it doesn't seem too complicated to decode, was really nice :)
Subscribed! Cheers!
This is surprisingly fun for me
Learned a lot from this video. Please do more of these videos!
Good stuff John.
I would really love to see more videos like this. Botg instructive and fun...
You got my subscription with this one.
I learned a lot from you man, thank you very mush
and thank to the community
The regex for getting the line to work would've been [\s.]* ([] For characters to recognize, \s for any space character, . For any other char)
I don't think anything would have done it. If you read the status line it says the regexp is running out of stack space trying to pattern match the enormous file.
But . already includes whitespaces? After his initial
(which was fine) he just needed a "(.+
)+End Function"
Oh wait. Does
count as whitespace?
@@NostraDavid2
does count as whitespace. `.` usually doesn't include
unless you set the flag for it
@@ericvandertoorn6178 right. Thanks!
this is more interesting than a suspense thriller movie
I'm in the process of changing careers and learning how to code. This was so fascinating to watch and really really inspirational watching the analysis with use of logic and knowledge of syntax across languages. It might seem easy to some people watching, I'm not sure lol. But to me this is magical to watch, I loved every second. I hope I can be this good some day.
Nice. I'll need to watch some more, i like your way of conveying information
Could the tangent lines be written to literally send you on a tangent as sort of a play on words
Yes, one of the key components of good obfuscation is "red herrings" which make reverse engineering much more time consuming. Obfuscation is not about hiding functionality (can still be disassembled with static analysis for example) but making it not worthwhile to determine how it does it, and thus identifying ahead of time if it is a threat/how to counteract it. "You" predominantly being heuristic AV software; AV software usually has a limited window of opportunity within which to give something a red flag or a green flag, otherwise it slows down performance and people leave it Norton 1 star reviews. If you can survive the gauntlet, you're through one of hopefully many secure doors in a multi-layered security solution, onto the next level.
Man I laughed so hard when you were trying to beautify the VB code. My company still maintains some VB6 code , its like a blast from the past. VB studio does not even allow wheel scrolling.
There is a little program you can download for free called "VBScroll.exe". If you run it before running vb6 you can use the mouse wheel to scroll the editor window.
@@Saboteur709 Yeah, I know. I just wanted to point out how terrible an experience the "old" VB languages and IDEs are.(Vb.net is ok)
i think i remember having to that issue trying to scroll in vb6
That was impressive, thanks for showing us the setp-by-step process !
John! Glad to see you diving into malware analysis/maldoc
I love how he describes his interaction with this vbs script as if he and it danced together.
comment: "nice vid"
purpose: "algorithm"
I had nearly no hope for this to be an interesting video but I was bored senseless. Yet you delivered! Well done, I subscribed for more.
As soon as you stopped yourself to go back and explain the keyboard shortcut, I subscribed. Keep up the good work.
More malware analysis please!!!
9:09 It's always satisfying to find some actually humanly readable source code stuff 😅
I have a cursory understanding of programming. Not enough to write a program myself, but enough to sort of follow along. I'm 20 minutes in, and this is great. Why is this so interesting?!
I have been wondering what Malware Analysis is like, This video is awesome. Thank you for sharing!
25:19 was my every regex experience ever.
Doing RUclips algorithm 'things' and expanding it.
Fuking brilliant. Order of ops is where I'm SO slow and you have a serious polish. Fun to watch.
100% no bs I wrote that comment at 29ish min. So befor the payoff.
I love that you sound so professional
and you also are
"More tangent functions, DIE" AHAHA
pretty cool.
These are LOTS OF KNOWLEDGE AND FUN ... new big fan here!!
Thanks for showing us the Analysis, is very interesting.