KOVTER Malware Analysis - Fileless Persistence in Registry

  • Published: 4 Nov 2024

Comments • 230

  • @josephvictory9536 3 years ago +366

    Dude the most valuable point to this video for me, that keeps me watching and wanting more, is that you show your process and explain your reasoning as well as the deductions for each stage. Feels like a master class or high level university lecture, but without the typical boredom or theory.

    • @garbagetrash2938 1 year ago +8

      These videos are very close to what I do everyday for work. I love it!!!

  • @UmbraAtrox_ 3 years ago +123

    We all underappreciate how good this man is at naming variables.

    • @petevenuti7355 2 years ago +3

      Let's call it 'please subscribe' 😜

    • @SirThane13 2 years ago +3

      I don't know if he's better at naming variables necessarily, but he's certainly better about picking one and moving on instead of agonizing about a better name.

    • @shamlicheetu6351 1 year ago

      @@petevenuti7355 TT combin b think

  • @elinorris2942 3 years ago +90

    Malware Analysis is literally my favorite playlist on RUclips. Never watched anything more interesting/entertaining, keep up the awesome work!

    • @FahyGB 2 years ago

      Could you suggest more channels that showcase malware analysis?

    • @knodesec 1 year ago +2

      @@FahyGB I'd recommend OALabs, MalwareAnalysisForHedgehogs

  • @kaguiful 3 years ago +59

    John says: "sorry for the long video"
    Me: " MAKE IT LONGER, I WANT IT!"

  • @resonance378 3 years ago +100

    Thanks John for hosting this stuff, diving into it, and giving the constant reminder that it's OK to use your brain and nerd out about really complex IT problems.

  • @DarkCrux 3 years ago +15

    34 mins into the video, and I am just mind blown how deep this embedded code goes... Absolutely amazing job refactoring and de-obfuscating. Some of the best I've ever seen.

  • @lightweight1889 3 months ago

    You have a brilliantly clear mind! It's a pleasure attending your lectures.

  • @byoung006 3 years ago +19

    Just wanted to say thank you for the time and effort you put into your content. For a young guy in IT, you’ve made this stuff super accessible, and I can’t wait to attend the upcoming Snyk CTF! You’re a goddamn inspiration John! ❤️

  • @SubitusNex 3 years ago +56

    Every time you went "this is getting awfully long" or "I know this might not be all that interesting" I was like... Doooooooooooood no this is da stuff. Good one John :)

  • @numpty_ 3 years ago +3

    Really appreciate you taking the time to explain the shortcuts here John!

  • @pbjandahighfive 3 years ago +2

    This is my new favorite RUclips channel. Can't believe I hadn't come across this sooner. Very competent and thorough analysis and deobfuscation in these videos. Really quality stuff.

  • @abandonedmuse 2 years ago +1

    You actually taught me a ton. I guess because you are also learning that it makes the process easier for me to grasp? Or maybe because I know everything you are saying now. Years ago I was very clueless but I had never seen the fileless process outlined so simply. A world of gratitude from this girl.

  • @dustinhammond3376 3 years ago +1

    Really appreciate the lengthy videos. This is a fantastic dive and great way to get into your headspace. Very easy to follow your thought process here.

  • @vanashgaming8370 1 year ago +2

    As someone with next to no experience in malware and very little in programming in general, I find that you make these super easy to understand and teach at the same time

  • @Bobtb 3 years ago +4

    That was indeed a long video, but also quite interesting to watch how you do this. I keep learning from your videos, thanks for sharing John!

  • @spoiledbeans7402 2 years ago +1

    John John John.... I just discovered your channel a few days back and I am totally hooked... Your content is brilliant, captivating and very well presented. Thanks for the obviously incredible hard work that you put into this!

  • @securiosityy 2 years ago +1

    Super interesting video! Being a Linux guy wanting to get into Malware analysis, I always learn a ton from your videos. Thank you!
    It takes a lot of confidence and skillz to do this (mostly) live while working through the challenge and still looking like the expert that you are. Keep up the great work.

  • @aurinator 3 years ago +52

    I initially mistakenly read the title as "Flawless Persistence in Registry," but after completing the video am thinking that misread title is actually applicable. Snyk is awesome though, and I'm actually happy to see the section near the beginning about it explicitly. I really want to see this field of study gain popularity, because it's still unfortunately relatively overlooked IMO.

    • @c1ph3rpunk 3 years ago

      Malware analysis is overlooked? Not really, I know dozens of folks that do it.
      Snyk is decent at the dev stage, and especially for containers, but they’re only 33% of a solution.

    • @Gob. 3 years ago +1

      @@c1ph3rpunk he’s talking about the RUclips series not the actual act of doing it

  • @adamheiner2229 2 years ago +1

    I am loving these Malware Analysis vids, and all of the knowledge that is poured out in these vids.

  • @vadymderevianko135 2 years ago +1

    Great work, John! Thanks for sharing your experience with the community

  • @jamesvincentcarrollII 1 year ago

    Watched the whole thing. Learned a lot. Thank you!

  • @joetango8521 3 years ago +23

    John, have you looked into using a beautify extension when working with malicious JavaScript? It saves a lot of time and allows you to dig into the functionality of the code much faster instead of manually removing the minification.

  • @renn3014 1 year ago

    This is so, so interesting. I learn a lot from watching you, David Bombal, Darknet Diaries and NetworkChuck. It's great to see your process, learn important terminology and techniques as I am at the start of my cybersecurity journey. This is amazing to see how you guys solved this mystery! Thanks ☺️

  • @kevinejames8534 3 years ago +1

    Enjoying your videos all the way from Kenya

  • @effexon 3 years ago +5

    Wow, I didn't think investigating malware could give the same engaged feeling as CSI or other crime shows.... John has a talent for explaining things with a captivating tone of voice.

    • @UsernameXOXO 2 years ago +1

      Hey, too much of that positivity and they will take the effexoff.

  • @dataolle 3 years ago +1

    Love these long-form videos, great stuff!

  • @miguelsoares3465 3 years ago +2

    Will be my first real Con CTF !! Thanks John!

  • @Korrokable 3 years ago +13

    KOVTER always brings me back, no AV would ever find it; the easiest way to find it was to do a string search on the registry for ";eval" and just kill every reg entry.

    • @Demoralized88 3 years ago +1

      Near certain I have some bot/RAT like featured in this video. I'll have to try digging in the registry as no AV has been able to detect anything.

    • @michaelgaddajrfi9192 3 years ago +1

      @@Demoralized88 I too have a very persistent RAT and no idea who to hire, how to hire, etc. I really wish I was as skilled at this. I find it fascinating.

    • @lksw42439 3 years ago

      Y’all need to wipe clean if you have any reason to believe this is true.

    • @AnjewTate 3 years ago

      @@Demoralized88 Have you done anything since? Found it? Used Malwarebytes or Bitdefender (paid versions)?

    • @Demoralized88 3 years ago

      @@AnjewTate I tried everything, including brand new drives and known clean W10 ISO USB. It had persistence below the OS level. Still not sure how or what, but I got called a schizo for thinking it.
      Recently, security researchers are now uncovering UEFI and other FW malware. It started when my home network got attacked, and most people in my apartment complex are affected. We only have one ISP option: COX. This all started around May, and have switched to Chromebooks and Linux on Ethernet until something is figured out. Symptoms of a Miner/Infostealer, but pretty subtle rather than sustained 100% usage. It's been a long saga my dude.
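The string search that @Korrokable describes further up this thread (grepping the registry for ";eval") is a heuristic a defender can script. The following is an added example, not code from the video, from John Hammond or from any commenter: it parses a constructed .reg export (the sample text, the key name ab12cd and the PLACEHOLDER payload are all made up here) and flags string values that carry an eval call or the ";eval" marker, an mshta javascript: launcher, encoded PowerShell, or an oversized blob of the kind fileless registry persistence stores. The indicator list and the 4096-character size threshold are assumptions chosen for illustration, not values taken from the video.

```python
import re
from typing import Iterator, List, NamedTuple

# Constructed .reg export for the demo (not a capture from the video or any host).
# One benign Run entry, one Run entry launching mshta with an inline javascript:
# URL, a separate key holding a large script blob, and an encoded PowerShell
# RunOnce entry. The key name "ab12cd" and "PLACEHOLDER" are made up.
SAMPLE_REG_EXPORT = (
    "Windows Registry Editor Version 5.00\n\n"
    + r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]" + "\n"
    + r'"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"' + "\n"
    + r'"ab12cd"="mshta javascript:eval(\"PLACEHOLDER\")"' + "\n\n"
    + r"[HKEY_CURRENT_USER\Software\ab12cd]" + "\n"
    + '"payload"="' + "A" * 5000 + ';eval(x)"\n'
    + '"marker"=hex:41,42,43\n\n'
    + r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]" + "\n"
    + '"upd"="powershell -w hidden -enc QQBCAEMA"\n'
)

# One string value per line: "name"="data" or @="data"; backslash escapes inside quotes.
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')

# Textual indicators of script content living in a registry value (assumed list).
INDICATORS = [
    ("semicolon-eval", re.compile(r";\s*eval\b", re.I)),   # the ";eval" marker from the comment
    ("eval-call", re.compile(r"\beval\s*\(", re.I)),
    ("mshta-javascript", re.compile(r"mshta\b.*javascript:", re.I)),
    ("encoded-powershell", re.compile(r"powershell\b.*\s-(?:e|enc|encodedcommand)\b", re.I)),
]
LONG_VALUE_CHARS = 4096  # assumption: legitimate Run-style string values are far shorter


class RegValue(NamedTuple):
    key: str
    name: str
    data: str


class Finding(NamedTuple):
    key: str
    name: str
    reasons: List[str]


def parse_reg_export(text: str) -> Iterator[RegValue]:
    """Yield string values from a .reg export; hex:/dword: values are skipped
    because script stored that way needs decoding before the same patterns apply."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            data = re.sub(r"\\(.)", r"\1", m.group(2))  # undo .reg escaping of \ and "
            yield RegValue(key, name, data)


def scan_reg_export(text: str) -> List[Finding]:
    """Return every string value that matches an indicator or is suspiciously large."""
    findings = []
    for v in parse_reg_export(text):
        reasons = [label for label, rx in INDICATORS if rx.search(v.data)]
        if len(v.data) >= LONG_VALUE_CHARS:
            reasons.append("oversized-string-value")
        if reasons:
            findings.append(Finding(v.key, v.name, reasons))
    return findings


if __name__ == "__main__":
    for f in scan_reg_export(SAMPLE_REG_EXPORT):
        print(f"{f.key}\\{f.name}: {', '.join(f.reasons)}")
```

Run as a script it reports the three constructed values and leaves the OneDrive entry alone; on a real investigation the same function can be pointed at the text of a `reg export` taken from the host, where the oversized-value rule is what usually surfaces a script blob that has no eval in clear text.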

  • @brandonconway5286 3 years ago +1

    I’ve never seen one of your videos before. This is super interesting, thank you. Subscribed 😁

  • @TheSauxer 3 years ago +10

    - So how do we call this thing?
    - Programmers every time: hmm..'test' sounds fitting.

  • @Alb1n0blkSh33p 3 years ago

    Your Vids, especially these investigations, are awesome. Very informative

  • @gr1zzlymack 3 years ago +1

    Great video! I love these breakdown videos. Really interesting. It’s crazy how someone developed this.

  • @kanra7678 3 years ago +1

    Yay, I really enjoy your longer videos. :D

  • @mastaghimau 2 years ago

    really great man.... time flies while watching your tutorial.....

  • @jeremiahpatz1192 3 years ago

    Thank you, this was awesome. I didn't even notice how long it was.

  • @danytoob 1 year ago

    I don't understand any of this but it was fascinating following along with the big brains doin big brain stuff. Next level+

  • @jmprcunha 3 years ago

    Thank You John. It is a pleasure to watch your videos! I always learn something :)

  • @moustafakashen3610 1 year ago

    Awesome content Mr. Hammond!

  • @MalwareAnalysisForHedgehogs 3 years ago +2

    The PE file you got from Caleb is corrupted (more specifically the e_lfanew value in the DOS Stub) and cannot run. That value affects how the file type gets parsed. That's why no AV detects it.
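The e_lfanew field named in the comment above is the 32-bit little-endian value at offset 0x3C of the DOS header that tells a PE parser where the PE\0\0 signature and the COFF file header begin; if it points nowhere sensible, the loader cannot run the file and a scanner that keys on the PE layout may stop parsing. The following is an added example, not code from the video or from the commenter, that validates the field the way a careful parser must before dereferencing it and, as an analysis aid, searches for a plausible PE signature when the field is corrupt. The byte blobs it builds are constructed here (a DOS header, zero padding, a PE signature and a 20-byte i386 COFF header only), are not runnable executables, and the offsets 0x80 and 0x70 are arbitrary sample values.

```python
import struct
from typing import NamedTuple, Optional

DOS_HEADER_SIZE = 64      # IMAGE_DOS_HEADER is 64 bytes
E_LFANEW_OFFSET = 0x3C    # e_lfanew is the last field of that header
PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_SIZE = 20
# Machine values a parser commonly meets: i386, x64, ARM Thumb-2, ARM64.
KNOWN_MACHINES = {0x014C, 0x8664, 0x01C4, 0xAA64}


class PeCheck(NamedTuple):
    ok: bool
    e_lfanew: Optional[int]
    reason: str


def check_e_lfanew(data: bytes) -> PeCheck:
    """Validate e_lfanew with the bounds checks a parser needs before trusting it."""
    if len(data) < DOS_HEADER_SIZE:
        return PeCheck(False, None, "shorter than a DOS header")
    if data[:2] != b"MZ":
        return PeCheck(False, None, "missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if e_lfanew < DOS_HEADER_SIZE:
        return PeCheck(False, e_lfanew, "e_lfanew points inside the DOS header")
    if e_lfanew + len(PE_SIGNATURE) + COFF_HEADER_SIZE > len(data):
        return PeCheck(False, e_lfanew, "e_lfanew points past the end of the file")
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return PeCheck(False, e_lfanew, "no PE signature at e_lfanew")
    return PeCheck(True, e_lfanew, "ok")


def find_pe_signature(data: bytes) -> Optional[int]:
    """Analysis aid for a corrupt e_lfanew: scan for a PE signature that leaves room
    for a COFF header and is followed by a known Machine value."""
    pos = data.find(PE_SIGNATURE, DOS_HEADER_SIZE)
    while pos != -1:
        if pos + len(PE_SIGNATURE) + COFF_HEADER_SIZE <= len(data):
            (machine,) = struct.unpack_from("<H", data, pos + 4)
            if machine in KNOWN_MACHINES:
                return pos
        pos = data.find(PE_SIGNATURE, pos + 1)
    return None


def build_sample(e_lfanew: int, nt_offset: int = 0x80) -> bytes:
    """Constructed header-only sample (not an executable): a DOS header carrying the
    given e_lfanew, zero padding, then the PE signature and a minimal i386 COFF
    header placed at nt_offset."""
    dos = bytearray(b"MZ" + b"\0" * (DOS_HEADER_SIZE - 2))
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew)
    padding = b"\0" * (nt_offset - DOS_HEADER_SIZE)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + padding + PE_SIGNATURE + coff


if __name__ == "__main__":
    for label, blob in (("intact", build_sample(0x80)),
                        ("e_lfanew past EOF", build_sample(0xFFFFFFF0)),
                        ("e_lfanew into padding", build_sample(0x70))):
        result = check_e_lfanew(blob)
        print(f"{label}: ok={result.ok} e_lfanew={result.e_lfanew} ({result.reason});"
              f" signature search -> {find_pe_signature(blob)}")
```

The second and third cases show the two ways a bad e_lfanew manifests: an out-of-range value that a naive parser would turn into an out-of-bounds read, and an in-range value that lands on bytes that are not a PE signature. In both, the signature search still recovers the real header offset, which is what an analyst needs to patch the field and continue static analysis.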

  • @universalponcho 3 years ago

    I love watching this dude's videos. Might take a while to get through, though something about him just makes me want to keep watching and learning.

  • @buhaytza2005 3 years ago +2

    Screw YT! Didn’t even get a notification that 3 videos have been uploaded 😒

  • @abepl 3 years ago

    I have no idea what I'm watching but I love it.

  • @shamvilkazmi3447 3 years ago

    It's like solving a puzzle. I didn't expect I'd watch the whole video. Awesome content; also that technical document was so great

  • @an0ndev 1 year ago

    I had a mini heart attack when you decided to run the stage 2 JS directly and almost missed the second eval... and my friends call me a risk-taker for clicking links aimlessly, haha. Great video as always, thank you John :)

  • @emgarc1982 3 years ago

    Another great video. Really interesting to see how you approach this.

  • @davidmiller9485 3 years ago +2

    It's been years since I've seen Delphi even mentioned. Back in the late 80's/early 90's I used it to write programs to use with Web Compass (note here: Web Compass back then was a crawler, not malware. It was actually a decent one considering we really didn't have search engines online back then) for my business. Talk about memories.

  • @smithclk 3 years ago

    Many thanks mate. Very informative and exciting stuff!

  • @DaPanda19 3 years ago +3

    That trailer feature is really useful, also signing up for that CTF :)

  • @jeffarends8843 3 years ago +1

    Good stuff, thanks for the content!

  • @securityguruguy 3 years ago

    Amazing work as always!

  • @Handskemager 3 years ago

    I was almost screaming at you about that big blob of text that looked like hex values, thankfully you figured it out yourself! xD

  • @michaelgaddajrfi9192 3 years ago +1

    I really want to get started in this field and help people that are in over their heads like I am currently. I just have no idea what tools and who to pay to help or how to get ahold of them. Is there a list of tools you use or recommend? I read a lot about your exploits on the news and your RUclips channel is proof of prowess. Keep up the good work and any fileless bots or RAT coverage would be a godsend, maybe someday I'll find out what plagues me for about two years now.

  • @faker-scambait 1 year ago +1

    Nice John, can I give you a tip for the SEO: put the title in the first line of your description.

  • @DerMarkus1982 1 year ago +1

    16:21 Uh-Oh! They've downgraded Windows XP. Now you can only ever have *one window* open at any time!

  • @kantnklaar 3 years ago

    What a piece of work. KOVTER is amazing as well :)

  • @vincentsvlog1761 1 year ago

    John, you are my hero 🥰.

  • @iddqds 3 years ago

    I love this stuff. I give my full attention, understand everything John says and does and try to create links, but it seems there are nearly endless things to learn. I think reverse engineering is really cool.

  • @vanillagorilla__ 3 years ago

    Great vid, thanks!

  • @CShock1245159 2 years ago

    The powershell comments! LOL! I was yelling at my monitor. Happens to all of us!

  • @romanburczymorda4313 3 years ago +15

    Malware Finds a New Place to Hide: Graphics Cards

  • @blade1551431 3 years ago +1

    I love your (blind) analysis videos. I was thinking at first all videos are first look

  • @aston3982 3 years ago +1

    I've signed up for the SnykCon and the CTF, should be fun. Can't wait for the video.

    • @ARIFF861 3 years ago

      I have registered for SnykCon but how to register for the CTF?

    • @aston3982 3 years ago +1

      @@ARIFF861 There should be a checkbox you click when signing up for the event.

    • @ARIFF861 3 years ago

      @@aston3982 only that?

    • @aston3982 3 years ago

      @@ARIFF861 I'm pretty sure that's how but idk tbh.

  • @SentientMuffin 3 years ago

    The Snyk CTF looks very interesting for sure. 👀 Might give it a go!

  • @debarghyadasgupta1931 3 years ago +1

    Thank you Sensei 🙏

  • @DarkMantisCS 3 years ago +1

    I'm sure you know this but in Sublime Text you can press Ctrl+d with a variable highlighted and it will select the next one in the file. This saves you from doing ctrl+f on every var :)

  • @edward9862 3 years ago

    Oh no...a RUclipsr with their hands on their head, in a frustrated fashion!!!
    This MUST be important!

  • @jesusibarra4055 3 years ago +1

    I enjoy your content

  • @list1726 2 years ago

    This was fun!

  • @SV_Sangha 2 years ago

    Love it!

  • @serdarcatal503 3 years ago

    thank u for everything john!!

  • @BeethovenHD 3 years ago

    very nice, very crazy - thanks for this nice video :3

  • @amx2311 3 years ago

    I will admit I thought the numbers in the shellcode were IP addresses since they ran up to 255 but not higher. Aside from that I have been thoroughly entertained, seeing this kind of analysis and also the wrap-up including VirusTotal, bringing it back to the "end user experience" as far as using common ways of checking for vulnerabilities without digging into the code yourself.

  • @haroldbrown5887 2 years ago

    Thank you Mr Hammond this has been very very interesting and also may explain some of the problems I've had in the past with memory usage and registry creep. I'm thinking that I would like to know what kind of registry scanners would locate these types of malware?

  • @leestaton1697 3 years ago

    Good channel and really good videos John

  • @vaibhav3852 7 months ago

    The first time I watched this video, I was so bored that I left before even the deob started. I just watched the HTA to PowerShell video and in it, code was also extracted from the registry. That's why I was able to push through the early part, because I was fascinated by the same technique used here. :D

  • @mohamedaamir682 3 years ago

    Great Contents as Always 😍😍😍

  • @MineyCODM 1 year ago

    scump I love you

  • @ayoubroew 1 year ago

    May God preserve the preacher Iyad, Sheikh al-Adawi, Sheikh al-Kamali and all the scholars of the Sunnah, and no consolation for the lackeys who want to climb on their backs.... You listen to a fool who does not distinguish between tawhid al-uluhiyya and tawhid al-rububiyya; he brought a clip of Sheikh al-Huwayni to mock him when he said that the polytheists acknowledged tawhid al-rububiyya, and the examples are many... May God preserve Tamer al-Labban, your flogger and the exposer of your deceit

  • @world_affair 3 years ago

    GOOD INFO!!

  • @kipchickensout 2 years ago

    Your malware analysis videos are very interesting!

    • @kipchickensout 1 year ago

      I just came back to this not knowing I had already watched, damn it

  • @callmemc6 3 years ago

    Man, I love watching ginger Seth Rogen. Genuinely getting me addicted to malware analysis.

  • @GeorgeWulfers_88 3 years ago

    Will definitely check you out on Twitch. I just started streaming there as well. Games for now so I can just chill :P
    Awesome video as always! Thanks :)

  • @liudvikasstankus 3 years ago

    Was interesting. Thanks

  • @CZghost 3 years ago +1

    Avast - undetected. Thanks, Avast, now I know you won't protect me against Kovter.

  • @andrewkelley9405 3 years ago

    Wow. Very impressive.

  • @supriyochatterjee4095 3 years ago +4

    Fileless malware is the most advanced and dangerous type of malware, for which each and every antivirus and security software company needs to give serious attention and improve their detection and removal capabilities and mechanisms

    • @GrumpyGrebo 3 years ago

      Most APT use fileless vectors, a lot of antivirus products have mechanisms such as memory scanning to counteract. Registry scanning is a basic mechanism also. Many products run real-time heuristics to detect malware regardless of how it persists, based on what it is doing. Some processors even employ technology such as Secure Enclave to provide platform level resiliency against malware, but ironically there is malware that can compromise some of these platforms... so viruses that persist in the CPU of some computers.

    • @supriyochatterjee4095 3 years ago

      @@GrumpyGrebo Yes, big antivirus companies like Norton, Kaspersky, Bitdefender, Eset, Avast, McAfee, AVG, Sophos, Fortinet need to focus and give more importance to zero-day behavioral analysis both on cloud and off cloud so that fileless malware is detected much more efficiently; also the frequency of daily virus signature and database updates needs to be higher so that detection and removal capabilities can be improved much better

  • @matthewmorton7231 2 years ago +6

    Hey John, would you consider making a video re: the setup that you use to safely acquire and dissect malware files like this? It's something I've always wondered about...

    • @abandonedmuse 2 years ago

      Linux distribution like Kali or Arch running on a VM with no access to the internet and a buffer between your computer and the VM.

  • @arseniy.k8895 9 months ago

    thank you

  • @stelles1344 3 years ago +7

    I don't quite seem to understand the beginning. To me it seems like this is basically malware that already exists in the registry and only has to be executed. What am I missing?

    • @SentientMuffin 3 years ago +1

      I don't think you're missing anything. I think this is an already infected box that John is then dissecting and taking a look at what the malware has been doing and how it was hiding.

    • @stelles1344 3 years ago +1

      Well, I was kind of missing the fact that this is an infected box. I was wondering why there would be malware randomly lying around in the registry of a perfectly fine PC just to be triggered by one line of code. This basically explains everything I didn’t understand about the video. I still don’t know how I didn’t see that but at least I do now. Thanks!

  • @gabrote42 2 years ago

    38:11 I trusted Sublimetext when it colored them gray :D

  • @theqwertycoder_alt 2 years ago

    here's an idea: rather than outputting directly to a stage2.js, you could create a malware.js file and just replace any evals with whatever code you find in the eval. alternatively, you could create a dynamic analysis engine with fake Windows API calls and a fake JScript environment. that's the fallacy of scripting languages: if everything is redefinable, you can fake the whole environment to be virtually anything.

  • @spyxd5245 2 years ago

    I have no idea what I've just watched, but hey, here I am at the end of the video.

  • @Ange1ofD4rkness 1 year ago

    WAIT? They offer CTF competitions outside of just colleges? I only got to do this for one year during my college years, and really wanted to do more, but didn't think it was open to the public (I know this video is a year old, but now I know I can look out for them).
    (When I competed, More Smoke Leet Chicken was the best at these)

  • @DHIRAL2908 3 years ago

    Wow those powershell comments in the shellcode were really sneaky haha! I also thought they were ascii bytes powershell decided to decode and give us like python does sometimes...

  • @kataleya 3 years ago +1

    I've been watching your videos for quite a while now and I thought you were quite a Malware Analysis genius. Then I saw Caleb's help and contribution to fully analyze that piece of code.
    He's the genius, finally you're Not THAT good !
    I'm joking of course, please forgive me 🤭
    Thanks for your great Work, very inspiring ! And thanks John for the hosting and the montage. Ahahah
    Cheers Mate !

  • @logiciananimal 3 years ago +4

    We saw that Kovter is extremely "polymorphic" - could it be that the engines can't follow that through yet? Might be a slight variant from the 2018 version?

  • @janekschleicher9661 2 years ago

    I wouldn't be surprised if several of the unused variables or even the comments in the code are used in some way by the final executable. It's doing all kinds of direct memory access and manipulation, so one very straightforward way of building up some keys would be to load a memory address holding a variable or even a comment. It probably can't really know the exact address, but if it is searching for one of the "random" contents in its process memory, then it should know the offsets for the other variables and even for the comments. I'm not sure whether this would always work, but I guess it's close enough to be placed next to each other by PowerShell, JavaScript etc. unless the whole memory is used and everything gets fragmented. I mean, this was my first thought, because even though there is a massive amount of obfuscation, most of it is subtly reused to generate something predictive and individual in memory. And one of the "advantages" of working with the scripting languages is that they don't optimize away such "meaningless" code like a C/C++ compiler would do, and that these scripting languages work very predictably even over different computer architectures (or here, different Windows versions etc). [Programming languages used for web serving like Python or Perl randomize memory layout for exactly this reason, to make memory address guessing harder, but I doubt PowerShell is doing it and dunno, but JScript maybe also not]
    The fun fact here is that the way Kovter individually encrypts each important variable/section with a different key, also not directly held in memory, is something most real applications with sensitive data really should also do. The current status is that the keys are usually held in memory (not further encrypted) and even the content is only rarely encrypted ad hoc, but most of the time encrypted once and then kept so in memory (or maybe freed, but then it's not safely overwritten). So every attacker who manages somehow to read out memory content can just do something like strings on it and filter for readable text (to see some free content) and for something with very high entropy, which will either be the plain text keys or the encrypted content. And then an attacker just has to try which combination of that will decode it for him or her. That obviously does not work in the slightest here with Kovter, so it's not only a lesson in malware, but also in protecting sensitive data :D

  • @asbestinuS 3 years ago +4

    Great video, thank you!
    I have one question, though. Is it actually possible to execute this if you're not an administrator? At what point did the code change into an actual malware? I'm guessing GetProc-commands or something isn't something a non-administrative user could run?
    Also, could you please do something regarding the PrintNightmare vulnerability, pretty please? :)
    Thank you!

    • @TetraluxOnPC 3 years ago

      GetProcAddress is a Windows API procedure that is used by any program that wants to call a procedure in a DLL, so that's pretty standard stuff, and doesn't require privileges.
      I don't think anything this did required administrative privileges.
      While I'm not actually sure when exactly you'd say that it "caused damage to a computer or network" (which is what malware is), it is certainly though, _bad_, because of the fact that it used your computer to do stuff without you knowing, and without authorisation from you - so that's probably when it "changed."
      A remote-controlled click-bot is probably a nefarious thing for it to be without your permission!

  • @LiamsMusic78 2 years ago

    1:19:30 ghidra decompile?
    1:24:58 what is eset? (gambit finds it later as well)

  • @otter502 1 year ago

    I am ***very*** new to programming but you know what I'll nod and act like I understand this
    But either way still sounds very interesting