KOVTER Malware Analysis - Fileless Persistence in Registry
HTML-код
- Опубликовано: 6 сен 2021
- You can register now for the Snyk "Fetch The Flag" CTF and SnykCon conference at snyk.co/john ! Come solve some great beginner-friendly challenges -- including some of my own!
For more content, subscribe on Twitch! / johnhammond010
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: / johnhammond010
PayPal: paypal.me/johnhammond010
E-mail: johnhammond010@gmail.com
Discord: johnhammond.org/discord
Twitter: / _johnhammond
GitHub: github.com/JohnHammond
Dude the most valuable point to this video for me, that keeps me watching and wanting more, is that you show your process and explain your reasoning as well as the deductions for each stage. Feels like a master class or high level university lecture, but without the typical boredom or theory.
These videos are very close to what I do everyday for work. I love it!!!
John says: "sorry for the long video"
Me: " MAKE IT LONGER, I WANT IT!"
We all underappreciate how good this man is at naming variables.
Let's call it 'please subscribe' 😜
I don't know if he's better at naming variables necessarily, but he's certainly better about picking one and moving on instead of agonizing about a better name.
@@petevenuti7355TT combin b think
Malware Analysis is literally my favorite playlist on RUclips. Never watched anything more interesting/entertaining, keep up the awesome work!
Could you suggest more channels that showcase malware analysis
@@FahyGB I'd recommend OALabs, MalwareAnalysisForHedgehogs
Thanks John for hosting this stuff, diving into it, and giving the constant reminder that it's OK to use your brain and nerd out about really complex IT problems.
Just wanted to say thank you for the time and effort you put into your content. For a young guy in IT, you’ve made this stuff super accessible, and I can’t wait to attend the upcoming Snyk CTF! You’re a goddamn inspiration John! ❤️
Really appreciate the lengthy videos. This is a fantastic dive and great way to get into your headspace. Very easy to follow your thought process here.
Really appreciate you taking the time to explain the shortcuts here John!
That was indeed a long video, but also quite interesting to watch how you do this. I keep learning from your videos, thanks for sharing John!
34 mins into the video, and I am just mind blown how deep this embedded code goes... Absolutely amazing job refactoring and de-obfuscating. Some of the best i've ever seen.
This is my new favorite RUclips channel. Can't believe I hadn't come across this sooner. Very competent and thorough analysis and deobfuscation in these videos. Really quality stuff.
Every time you went "this is getting awfully long" or "I know this might not be all that interesting" I was like... Doooooooooooood no this is da stuff. Good one John :)
You actually taught me a ton. I guess because you are also learning that it makes the process easier for me to grasp? Or maybe because I know everything you are saying now. Years ago I was very clueless but I had never seen the fileless process outlined so simply. A world of gratitude from this girl.
Super interesting video! Being a Linux guy wanting to get into Malware analysis, I always learn a ton from your videos. Thank you!
It takes a lot of confidence and skillz to do this (mostly) live while working through the challenge and still looking like the expert that you are. Keep up the great work.
John John John.... I just discovered your channel few days back and I am totally hooked... Your Content is brilliant captivating and very well presented. Thanks for your Obviously incredible hard work that you put into this!
- So how do we call this thing?
- Programmers every time: hmm..'test' sounds fitting.
Great work, John! Thanks for sharing your experience with the community
Great video! I love these breakdown videos. Really interesting. It’s crazy how someone developed this.
I am loving these Malware Analysis vids, and all of the knowledge that is poured out in these vids.
As someone with next to no experience in malware and very little in programming in general, i find that you make these super easy to understand and teaches at the same time
I’ve never seen one of your videos before. This is super interesting, thank you. Subscribed 😁
Thank You John. It is a pleasure to watch your videos! I always learn something :)
Another great video. Really interesting to see how you approach this.
You have a brilliantly clear mind! It's a pleasure attending your lectures.
Watched the whole thing. Learned a lot. Thank you!
Yay, i really enjoy your longer videos. :D
Love this long form videos, great stuff!
Thank you, this was awesome. I didn't even notice how long it was.
Will be my first real Con CTF !! Thanks John!
This is so, so interesting . I learn a lot from watching you, David Bombal, darknet diaries and network chuck . It’s great to see your process, learn important terminology and techniques as I am at the start of my cybersecurity journey. This is amazing to see how you guys solved this mystery ! Thanks ☺️
its like solving a puzzle, didn't expect, id watch the whole video, awesome content also that technical document was so great
Your Vids, especially these investigations, are awesome. Very informative
Many thanks mate. Very informative and exciting stuff!
really great man.... time flies while watching your tutorial.....
Amazing work as always!
Awesome content Mr. Hammond!
Screw YT! Didn’t even get a notification that 3 videos have been uploaded 😒
John, have you looked into using a beautify extension when working with malicious JavaScript? It saves a lot of time and allows you to dig into the functionality of the code much faster instead of manually removing the minification.
I love watching this dude videos. Might take a while to get through. Though something about him just makes me want to keep watching and learning.
That trailer feature is really useful, also signing up for that CTF :)
I initially mistakenly read the title as "Flawless Persistence in Registry," but after completing the video am thinking that misread title is actually applicable. Snyk is awesome though, and I'm actually happy to see the section near the beginning about it explicitly. I really want to see this field of study gain popularity, because it's still unfortunately relatively overlooked IMO.
Malware analysis is overlooked? Not really, I know dozens of folks that do it.
Snyk is decent at the dev stage, and especially for containers, but they’re only 33% of a solution.
@@c1ph3rpunk he’s talking about the RUclips series not the actual act of doing it
Good stuff, thanks for the content!
Watched the whole video thought it was interesting, Thank you for the educational video!
i love this stuff. i give my full attention understand everything john says and does and try to create links but it seems there are nearly endless things to learn. i think reverse engineering is really cool.
I was almost screaming at you about that big blob of text looked like hex values, thankfully you figured it out yourself! xD
Enjoying your videos all the way from Kenya
I had a mini heart attack when you decided to run the stage 2 JS directly and almost missed the second eval... and my friends call me a risk-taker for clicking links aimlessly, haha. Great video as always, thank you John :)
it's been years since i've seen Delphi even mentioned. Back in the late 80's early 90's i used it to write programs to use with Web Compass (note here: web compass back then was a crawler, not malware. It was actually a decent one considering we really didn't have search engines online back then) for my business. Talk about memories.
KOVTER always brings me back, no AV would ever find it, easiest way to find it was do a string search on the reg for ";eval" and just killing every reg entry.
Near certain I have some bot/RAT like featured in this video. I'll have to try digging in registry as no AV has been able to detect anything,,
@@Demoralized88 I too have a very persistent RAT and no idea who to hire how to hire etc. I really wish I was as skilled at this. I find it fascinating.
Y’all need to wipe clean if you have any reason to believe this is true.
@@Demoralized88 Have you done anything since? Found it? Used Malwarebytes or Bitdefender (paid versions)?
@@AnjewTate I tried everything, including brand new drives and known clean W10 ISO USB. It had persistence below the OS level. Still not sure how or what, but I got called a schizo for thinking it.
Recently, security researchers are now uncovering UEFI and other FW malware. It started when my home network got attacked, and most people in my apartment complex are affected. We only have one ISP option: COX. This all started around May, and have switched to Chromebooks and Linux on Ethernet until something is figured out. Symptoms of a Miner/Infostealer, but pretty subtle rather than sustained 100% usage. It's been a long saga my dude.
Thank you Sensei 🙏
Great vid, thanks!
Malware Finds a New Place to Hide: Graphics Cards
What a piece of work. KOVTER is amazing as well :)
Wow, I didnt think investigating malware could give same engaged feeling like CSI or other crime shows.... John has talent explaining things with captivating tone of voice.
Hey, too much of that positivity and they will take the effexoff.
thank u for everything john!!
The Snyk CTF looks very interesting for sure. 👀 Might give it a go!
I have no idea what I'm watching but i love it.
Great Contents as Always 😍😍😍
I have been trying to get your terminal theme, I installed zShell and exa but I can't seem to get it to look like yours? Did you install some theme, or have custom colors set in terminator?
The PE file you got from Caleb is corrupted (more specifically the e_lfanew value in the DOS Stub) and cannot run. That value affects how the file type gets parsed. That's why no AV detects it.
This was fun!
I don't understand any of this but it was fascinating following along with the big brains doin big brain stuff. Next level+
I really want to get started in this field and help people that are in over their heads like I am currently. I just have no idea what tools and who to pay to help or how to get ahold of them. Is there a list of tools you use or recommend? I read a lot about your exploits on the news and your RUclips channel is proof of prowess. Keep up the good work and any fileless bots or RAT coverage would be a godsend, maybe someday I'll find out what pluages me for about two years now.
Thank you Mr Hammond this has been very very interesting and also may explain some of the problems I've had in the past with memory usage and registry creep. I'm thinking that I would like to know what kind of registry scanners would locate these types of malware?
Hey John, my ears can't allow me to grasp the correct name of the zsh extension you are using to color the output of `ls`. Which one is it? D:
Dose windows use cmd prompt ...if I have any running in task manger could I force stop them safely is my ?
Will definitely check you out on Twitch. I just started streaming there as well. Games for now so I can just chill :P
Awesome video as always! Thanks :)
are you using a theme for sublime i want mine to look like yours && i can’t figure out how to change it
very nice, very crazy - thanks for this nice video :3
was interesting. thanks
Love it!
I enjoy your content
The powershell comments! LOL! I was yelling at my monitor. Happens to all of us!
I will admin I thought the numbers in the shellcode were ip addresses since they ran up to 255 but not higher. Aside from that I have been thoroughly entertained, seeing this kind of analysis and also the wrap up including Virustotal, bringing it back to the "end user experience" as far as using common ways of checking for vulnerabilties without digging into the code yourself.
Man, I love watching ginger seth rogan. Genuinely getting me addicted to malware analysis.
Where can I download kovter malware and do this analysis? If anyone could share the sample file please
Wow. Very impressive.
good channel and Rearly good videos John
I really need help with this. I reached out to the community on discord. I just factory reset my laptop this morning and it is already back to the way it was. I have a ton of stuff running and executing in the background. I have been revoked some of my privileges to the registry
John, you are my hero 🥰.
GOOD INFO!!
Nice John can I give you a tip for the SEO put the title in the first line of your description.
Wow those powershell comments in the shellcode were really sneaky haha! I also thought they were ascii bytes powershell decided to decode and give us like python does sometimes...
I'm sure you know this but in Sublime Text you can press Ctrl+d with a variable highlighted and it will select the next one in the file. This saves you from doing ctrl+f on every var :)
The first time I watched this video, I was so bored that I left before even the deob started. I just watched the hta to powershell video and it, code was also extracted from reg. That's why I was able to push throught the early part because I was fascinated by the same technique used here. :D
thank you
Great video, thank you!
I have one question, though. Is it actually possible to execute this if you're not an administrator? At what point did the code change into an actual malware? I'm guessing GetProc-commands or something isn't something a non-administrative user could run?
Also, could you please do something regarding the PrintNightmare vulnerability, pretty please? :)
Thank you!
GetProcAddress is a Windows API procedure that is used by any program that wants to call a procedure in a DLL, so that's pretty standard stuff, and doesn't require privileges.
I don't think anything this did required administrative privileges.
While I'm not actually sure when exactly you'd say that it "caused damage to a computer or network" (which is what malware is), it is certainly though, _bad_, because of the fact that it used your computer to do stuff without you knowing, and without authorisation from you - so that's probably when it "changed."
A remote-controlled click-bot is probably a nefarious thing for it to be without your permission!
I don’t quite seem to understand the beginning. To me it seems like this is basically malware that already exists un the registry and only has to be executed. What am I missing?
I don’t think you’re missing anything. I think this is an already infected box that John is then dissecting and taking a long at what the malware has been doing and how it was hiding.
Well, I was kind of missing the fact that this is an infected box. I was wondering why there would be malware randomly lying around in the registry of a perfectly fine PC just to be triggered by one line of code. This basically explains everything I didn’t understand about the video. I still don’t know how I didn’t see that but at least I do now. Thanks!
We saw that Kovter is extremely "polymorphic" - could it be that the engines can't follow that through yet? Might be a slight variant from the 2018 version?
Avast - undetected. Thanks, Avast, now I know you won't protect me against Kovter.
What is the outro song? Just wondering
Awesome video! Does anyone know the outro music?
im gonna signip up too!
I've signed up for the SnykCon and the CTF, should be fun. Can't wait for the video.
i have register for snykcon but how to register for r ctf?
@@ARIFF861 There should be a checkbox you click when signing up for the event.
@@aston3982 only that?
@@ARIFF861 I'm pretty sure that's how but idk tbh.
WAIT? They offer CTF competitions outside of just colleges? I only got to do this for one year during my college years, and really wanted to do more, but didn't think it was open to the public (I know this video is a year old, but now I know I can look out for them).
(When I competed, More Smoke Leet Chicken was the best at these)
I love your(blind analysis videos I vas thin on first all videos are first look
sometimes when i'm working on a project, i'll just hear hammond's voice "ok then we pipe that to grep" or some other thing that I don't understand and it ends up working
Hey John, would you consider making a video re: the setup that you use to safely acquire and dissect malware files like this? It's something I've always wondered about...
Linux distribution like Kali or Arch running on a VM with no access to the internet and a buffer between your computer and the VM.
Your malware analysis videos are very interesting!
i just came back to this not knowing i had already watched, damn it
Surely just printing the contents of code_from_registry from javascript would of been a lot quicker than using python to dump the registry?