I'm just learning how to code and these videos make me super excited. I never thought watching someone analyze some malware would hold my interest this well.
@@Tempi_ I started out with intro to C++ where it was the basics like how to print to screen and the likes. Then C++ 1, where we started to get more in depth and build off the basics like looping a piece of code if an if statement that we created was true and learning about nested loops and other more advanced basic functions like really simple pointers. I just finished my C++ 2 class. We started learning how to really use pointers, and that led into data structures like the use of linked lists and basic binary trees. data structures is where learning this stuff gets pretty damn difficult, please if you do get to that point make sure you're not taking too many classes at once so you can focus on learning it well. I made the mistake of taking too many classes and that made it much more difficult to learn how to code properly.
By youtube logic, nearly 2 hour long videos containing nothing but code shouldn't be interesting. But my god sir, I only started playing with C# in Unity a month ago, and not only am I loving watching all of these, but I feel like I'm learning way more than I did from any of the online courses I've been doing. I've gotten so much exposure to the inner working of computers, and how other languages look both familiar and different, and it's been FUN. There's even starting to be moments where I'll catch onto a pattern or what something's doing at the same time you do, and it's been an amazing brain exercise learning to not only keep up, but also to look for things myself. I'm learning coding both as a hobby and an auxiliary skill to my career (I work in entertainment production), and these videos are both fun and invaluable. Thank you!
I just watch this like "How it's made" or some detective stuff... Feels good. And i am not even a coder (literally cannot do anything i require sometimes without google).
@@XGalaxyPlqyZ as we all know it's a requirment to learn R to understand any youtube video about hacking.just throw away python and oracle programming. what you're going to want is to learn assembly and best way to do that is with elon musks lovelace rs fmri net since thinking is power
Hey john, chinese viewer here, according to the author's bio, he is preparing for a postgraduate exam and all of these seem to be just passion projects he is making for fun as his bio would imply. If you have any more questions, feel free to ask, hope that helped.
The reason why many scanners tag it as AsyncRAT is because DCRat's code is largely built upon it, most of the core features have been copied directly. I've been following this chinese guys work for a while and came across all kinds of interesting stuff, the language barrier is a bitch though.
I saw some similar program of excel that used the VBA macro codes, the program was made in china. What that program basically did was stole your data with some kind of get string and get tables VBA functions. The problem with security in this kind of software like excel is that you install tools from the web with out knowing that these tools contain malware. Funny story is that nobody believed that. I even got screen shots of the malware code being executed in a window macro of an excel VBA code . It's amazing how enterprises can spied whit a single .file with code. Any way awesome video, very pedagogical.
I recently found your channel. These deep dives are great for getting better at reading other people's code. A lot of coding channels concentrate on writing fresh, new code, but on the job you often need to read other people's work and add on to it or re-factor it to improve the functionality.
This is great! It's so cool to see someone take the time to make content like this; it's super helpful & not a perspective I usually see. Really useful to students of programming/security. Thanks John :)
So I just started learning some offensive C# and poweshell and am finally able to wrap my head around these videos and it's helping me understand to be better at offense. Love the content John.
"RunPE" refers to code that loads a host process and replaces the PE (hence the name) executable with another one. This is done to execute a windows PE file (.exe commonly) in-memory without writing it to the disc since windows requires a process to be loaded/created from a file on disk. This essentially creates a "zombie" process that points to a specific PE file on disc but inside it executes (hosts) another PE file. You could of course construct a "shellcode" so you dont have to "zombify" another "host" process but this requires delicate knowledge and is more complicated. In your video the "AppLaunch" is used as the zombie file mainly because is included in all windows installations, does nothing when launched (although doesnt really matter since the zombie-host process is spawned in suspended state) and contains imports to required libraries that the "parasite" PE file needs. From what I see this is copy-pasted and not really anything advanced.
The urlencoded text was clearly not ascii text, so utf-8 was definitely not the correct encoding to use -- but I was curious what the correct approach in Python is, and there are actually a couple interesting things: - Using urllib.parse.unquote(data) is already irreversibly mangling the data. It performs a conversion step (taking the string to be percent-encoded data as bytes(?), and producing a string with unicode code points based on an encoding), with the encoding defaulting to utf-8. The gzip header includes an invalid sequence, which gets replaced by the unicode replacement character (U+FFFD), so the first four characters in the sequence (%1f%8b%08%00) become \x1f\xff\xfd\x09\x00. This is irreversable, since the data (\x8b) has now been lost. - You tried converting the result of that to bytes with latin1, but you already had the (already-mangled) data, which would have been correct if not for the implicit encoding step by unquote. The unicode replacement character can't be encoded as latin1 data into bytes, so it threw an exception. The correct code appears to be `bytearray(urllib.parse.unquote(urldata_bytes, 'latin-1'), 'latin-1')`, which gives `bytearray(b'\x1f\x8b\x08\x00')` I found it interesting that this is particularly obtuse in Python and that there seems to be no really obvious/clean way to "just do the thing"
thanks for the explanation. that this has always puzzled me. have a lot less knowledge about what goes on under the hood than you, but parsing things from bytes to strings and between different encodings is pain in the ass.
@@Safex I don't really know anything special about what's "under the hood" here or Python, I just saw something I didn't understand and wanted to understand it. I experimented and read docs. That's how I learned everything I know: be curious, explore. Make a habit out of that, and you'll build up a base of knowledge. You accrue all sorts of useful tidbits this way. As an example, I'd like to elaborate on my comment about "clearly not ascii text" -- I phrased that poorly (which is probably what the troll above was reacting to) -- but it derives from just a tiny bit of information about how the ASCII table is organized: Uppercase letters are 010xxxxx, where xxxx=1 is "A" and xxxxx=2 is "B" and so on. Lowercase letters are 011xxxxx. In hex that makes letters fall into the range 0x50-0x8F and space is 0x20. Anything less than space (0x20) is a control character and generally not present in text. That's a pretty restricted set of values, and once you know that "one weird trick", you can make a good guess as to whether you're looking at text or not, even if you don't immediately know what it says. (Unicode encoded as UTF-8 has clear patterns too, in addition to sequences that are invalid) Compressed data (by its nature: read about entropy coding) is pretty similar to random data. If you're looking at a compressed data stream, then aside from any magic/header bytes the values will be all over the place without much of a discernible pattern. An executable or some data file may have some bits of "ascii" text mixed in, but also chunks of null bytes, or small/large bytes that don't look like text. It will look like it has structure, but it won't consist entirely of text-looking content. With all that in mind, even the first four bytes "%1f%8b%00%00" suggests that the data isn't text-based (especially in light of the null bytes -- %00). It also suggests it isn't compressed (there's clear structure). Anyway, I just wanted to mention that there's no magic here, just curiosity at work. Anyone can do it, and I encourage them to :)
@@myndzi This is the correct approach, it just requires patience and persistence which is hard if you’re expecting instant results and want to be like John on day two. That said, you’ve gotten a lot further than I ever have with character encoding. I’ve only gotten deep enough to know it’s complicated as heck to step into, and only know enough that two tools are handy when you’re new and still trying to figure things out. CyberChef has two tools - Magic, and one for character encoding brute force that can be very helpful to start you off or sometimes just get you a quick result when you don’t have time to dive deep just to learn.
43:05 if applaunch is open it gets the proccess id (type in cmd tasklist its shows the pid). Then it injects itself into it effectively being run in every instance of every executable that uses dot net framework with forums. Kinda clever hard to detect which process is the one doing the malicious stuff meaning this could be hard to remove without the right tools.
I've never even touched any of this stuff and know nothing about it. Yet I watched the whole video because of your explanations! Great info for anyone looking for it. More please!
I code games, I wish I could have 2 lives to get enough time to dig into this field. Back top my days, it was only assembly and C++, now the amount of knowledge behind is immense
Great video. One request: add key presses to video. I love how you navigate in subline, or tinker in terminal with just a keyboard. Will be great to see what hotkeys are you using. Helps learn that kind of stuff. =)
1:14:00 and before, it didn't show key because you wrote Console.WriteLine("key=", key), which invokes the overload Console.WriteLine(string format, object value). Since there were no placeholders (like "{0}") it didn't format them.
You know someone is amazing with computers when they know and utilize every windows keyboard shortcut imaginable. It's one of the questions I use when interviewing people for IT positions.. lol
It creates c++ code, compiles it, sets up 2 ways for the malware to execute automatically incase one fails. It replaces applaunch which start automatically with the framework and on startup. It stores itself (the "exe" is compiled in c++) in memory. Easy. Projectfud = a library stored in your memory doing things. It launches on start up 2 different ways.
I work in software engineering and data science oriented projects, and even tough this is far away of the malware analysis of this video, it highly remembered to significant reverse engineering parts you have to do, too, in legacy code (without documentation and similar), or sometimes even to start a part of the work on semi-protected older projects (where author and everything else left the company some time before). Even web scraping involved a lot of similar techniques (there's a lot of obfuscation parts inside, too, especially if the web sites don't want to be scraped, or more often, when it's using a whole lot of historical technology, like JavaScript Shortifier over some old AJAX over some old SOAP connecting to deprecated MS SQL server technology that might now have a more up to date backend, but still kept the API, etc, with still some survived obfuscation technology that end of 90s were security techniques). I think this also tells why writing anti-malware software is so hard, as even legit code does look very often enough similar odd, including such hardcoded obfuscated byte strings as integers and similar. (Just look to some autogenerated gRPC code as one example).
do you do code analysis's often? i had a lot of trouble trying to learn during high school. ive got turing complete which has helped me actually understand what is happening & how the variable names used by programing languages are used at the bit/byte level. i got a mental block once i got to the actual coding portion. mainly because the whole system is made from scratch besides the few examples they use to get you started. so its a little dificult to use useful name for the bytes with my limited experience with coding.
1 hour in, the BS-OD is neat. Think about it, it delivers its payload, maintains persistence then BSOD's. Natural response is power cycle PC thereby initialing the start up routine. I'll wait and see how it pans out :)
@@x3ICEx i bet it does that too, bsod is just one of possible stuff it does. Especially as it definitely allows to take commands from remote server... And i 100% bet that BSOD is one of them... Soo mass BSOD is possible
This was one of the funniest malware analysis videos I've ever watched XD For example: 1:30:10 "He follows me?!?" It's funny to see you crack up laughing because of that ;)
Very instructive and very interesting video. I don't know much about windows (I use linux) but I was shocked what a piece of cake it is to bypass amsi!
I love these videos although I literally have no clue what you’re talking about. Learning cyber security is interesting, but very challenging to start off. Any recommendations on where to start off?
Cyber security is a broad topic. Malware analysis, though, requires knowledge of programming, assembly language and reverse engineering, in that order. python, c#, powershell, among other things, were mentioned here, as well.
I've been binge watching these malware analysis videos after a friend of mine tore apart a virus I managed to get. If you want another exe (that at the time wasn't caught by anything on virustotal, could have changed since then) to add to the pile of things I'm sure you have to analyze, let me know :)
Lol. I don't watch coding, programming, or computer videos at all. Tonight at dinner me and my brother talked about coding for 20 minutes or so, and talked about how you could code a snake game pretty easily. Now I've got this video on my recommended. But no, they're not listening lmfao.
Would Constrained Language Mode prevent this attack given only certain Add-Type's are permitted? How do you feel about leveraging CLM for Powershell hardening?
I think that from time to time when I’m investigating new phishing emails at work. Like, some of these people have genuine skills and it makes me sad to see them wasted on malicious activity when they could have real jobs actually accomplishing something and doing some good for people. Once in a while you run across something that’s quite elegant and clever, and the person who had the skill to accomplish all that should be using their skills somewhere productive, and if they’re not, then that’s just very sad.
So, a lot of time, I'll put on your long videos on my screen next to me while I'm working on my computer, honestly just half-paying attention to it, but I really got into this one. Quick question though, how cool was it to see that he was following you on Twitter? That's got to be an interesting feeling. Anyways, thanks for the great video, and I've learned so much from you. Super appreciate it.
You'll get no argument about IDEs from me-- I'm an Assembly programmer, so I just use plain old Notepad! :P There's so many varieties of Assembly language, that syntax highlighting is basically useless, when you're working with bare-metal.
I thought of something. Macro robotic compression. Cryptorgraphical context such as that a 0x00 resembles a keystroke convertered from ASCII. See if you do not have access directly to the shell you can impersonated the keystrokes and torjan a backdoor so every time a infected exe run it than triggers a cache file for determinted macro inject into a shell not as a remote user but impersonated as the user itself. Personal Computers mainly are owned by self adminstrated folk unlike a school or so with password and admin protection more secure. But you can inject a backdoor into a basic user even in guest. Some electrinic social minipulation and you got your self a keylogged access. That has a person socket connect to transfer from client to serve and vice versa. Cache inject, will automated the keystokes into a user defined shell. You not typing in a shell you automating it. Ticking time bomb.
Minor thing, but why do the #!/usr/bin/env python in the script when you’re calling it using python3 on the command line. The shebang (#!) is what informs your shell what to use to run that script, in that case you’re saying “use whatever python is found in my $ENV which could be anything depending on the OS (dist, version, local settings). I would either a) set the shebang to the same used (python3) or b) chmod +x the script and let the shebang do it’s job. Note that if you do the latter and don’t set it to python3, and if python3 isn’t the env default, you’ll likely get Python 2. Using both the interpreter on the command line AND using the shebang with env can cause unnecessary confusion and troubleshooting down the road. 25+ years of +NIX “what the $x?!?!” hard won pain.
add-type compiles to temp, you should use reflection for red teaming. even if you patch amsi, it will often trigger windows defender itself anyways so amsi patch wont matter possibly if you add type. (not all cases of course, but dont be that 1 guy on the team lol).
Well , I have to admit that it once is a class homework , I even make a ppt for it ! LOL
Really cool video , i love it
@qwqdanchun WOW 😆That is incredible. Thanks for checking out the video!!!
@@_JohnHammond Please do malware analysis on a ransomware. there is not much resources to learn. i hope you can fill the gap :p
That completes the cycle.
Btw it's a nice uni which gives homework to write a RAT :)
Haha, this is crazy how things turned out. Great piece of kit qwqdanchun!
"he follows me" was the most fun moment by far!
time stamp?
@@imtm 1:30:10
I'm just learning how to code and these videos make me super excited. I never thought watching someone analyze some malware would hold my interest this well.
lmao same, this is some new entertainment i'm able to enjoy, and each time is better.
Same one of his vids appeared in my recommended and I was hooked.
What are you learning and how far have you gotten in 8 months? I've just started python for data analysis
@@Tempi_ I started out with intro to C++ where it was the basics like how to print to screen and the likes. Then C++ 1, where we started to get more in depth and build off the basics like looping a piece of code if an if statement that we created was true and learning about nested loops and other more advanced basic functions like really simple pointers. I just finished my C++ 2 class. We started learning how to really use pointers, and that led into data structures like the use of linked lists and basic binary trees. data structures is where learning this stuff gets pretty damn difficult, please if you do get to that point make sure you're not taking too many classes at once so you can focus on learning it well. I made the mistake of taking too many classes and that made it much more difficult to learn how to code properly.
By youtube logic, nearly 2 hour long videos containing nothing but code shouldn't be interesting. But my god sir, I only started playing with C# in Unity a month ago, and not only am I loving watching all of these, but I feel like I'm learning way more than I did from any of the online courses I've been doing. I've gotten so much exposure to the inner working of computers, and how other languages look both familiar and different, and it's been FUN. There's even starting to be moments where I'll catch onto a pattern or what something's doing at the same time you do, and it's been an amazing brain exercise learning to not only keep up, but also to look for things myself. I'm learning coding both as a hobby and an auxiliary skill to my career (I work in entertainment production), and these videos are both fun and invaluable. Thank you!
I just watch this like "How it's made" or some detective stuff...
Feels good. And i am not even a coder (literally cannot do anything i require sometimes without google).
I love watching videos like this when I know absolutely nothing about scripting, it's confusing as hell but also entertaining
Same bruh xD
@@XGalaxyPlqyZ as we all know it's a requirment to learn R to understand any youtube video about hacking.just throw away python and oracle programming.
what you're going to want is to learn assembly and best way to do that is with elon musks lovelace rs fmri net since thinking is power
@@springchickena1 Thanks!
@@springchickena1 Thanks
@@springchickena1 what??
This guy in one malware program wrote more code then i in my entire life xD And in description he puts "a SIMPLE remote tool"
The follow reveal was golden
Idk how you do it John, but somehow you make entertaining videos while doing one of the most raw forms of data teardown in command shells.
the talking and he explaning stuff help so much
Hey john, chinese viewer here, according to the author's bio, he is preparing for a postgraduate exam and all of these seem to be just passion projects he is making for fun as his bio would imply.
If you have any more questions, feel free to ask, hope that helped.
The reason why many scanners tag it as AsyncRAT is because DCRat's code is largely built upon it, most of the core features have been copied directly. I've been following this chinese guys work for a while and came across all kinds of interesting stuff, the language barrier is a bitch though.
so, i got home at 2 am from a guys night out, bought some food and wanted to watch 10 min meme vid...
now i am hooked to this.
I saw some similar program of excel that used the VBA macro codes, the program was made in china.
What that program basically did was stole your data with some kind of get string and get tables VBA functions.
The problem with security in this kind of software like excel is that you install tools from the web with out knowing that these tools contain malware.
Funny story is that nobody believed that.
I even got screen shots of the malware code being executed in a window macro of an excel VBA code .
It's amazing how enterprises can spied whit a single .file with code.
Any way awesome video, very pedagogical.
I recently found your channel. These deep dives are great for getting better at reading other people's code. A lot of coding channels concentrate on writing fresh, new code, but on the job you often need to read other people's work and add on to it or re-factor it to improve the functionality.
This is great! It's so cool to see someone take the time to make content like this; it's super helpful & not a perspective I usually see. Really useful to students of programming/security. Thanks John :)
Unsafe allows it to access memory space that isn’t assigned to it by the JIT (example you can’t use pointers unless you compile as unsafe)
So I just started learning some offensive C# and poweshell and am finally able to wrap my head around these videos and it's helping me understand to be better at offense. Love the content John.
Hi! Which books/videos/courses do you use?
@@ldSt3345 Hey Lt, do you still need help getting started?
@@richoffremo461 not rn. Like, don't have much time, war, that sort of thing
"RunPE" refers to code that loads a host process and replaces the PE (hence the name) executable with another one. This is done to execute a windows PE file (.exe commonly) in-memory without writing it to the disc since windows requires a process to be loaded/created from a file on disk. This essentially creates a "zombie" process that points to a specific PE file on disc but inside it executes (hosts) another PE file. You could of course construct a "shellcode" so you dont have to "zombify" another "host" process but this requires delicate knowledge and is more complicated. In your video the "AppLaunch" is used as the zombie file mainly because is included in all windows installations, does nothing when launched (although doesnt really matter since the zombie-host process is spawned in suspended state) and contains imports to required libraries that the "parasite" PE file needs. From what I see this is copy-pasted and not really anything advanced.
Hey. U is smert
@@0rez u is enterteneng
Any examples of advanced stuff?
The urlencoded text was clearly not ascii text, so utf-8 was definitely not the correct encoding to use -- but I was curious what the correct approach in Python is, and there are actually a couple interesting things:
- Using urllib.parse.unquote(data) is already irreversibly mangling the data. It performs a conversion step (taking the string to be percent-encoded data as bytes(?), and producing a string with unicode code points based on an encoding), with the encoding defaulting to utf-8. The gzip header includes an invalid sequence, which gets replaced by the unicode replacement character (U+FFFD), so the first four characters in the sequence (%1f%8b%08%00) become \x1f\xff\xfd\x09\x00. This is irreversable, since the data (\x8b) has now been lost.
- You tried converting the result of that to bytes with latin1, but you already had the (already-mangled) data, which would have been correct if not for the implicit encoding step by unquote. The unicode replacement character can't be encoded as latin1 data into bytes, so it threw an exception.
The correct code appears to be `bytearray(urllib.parse.unquote(urldata_bytes, 'latin-1'), 'latin-1')`, which gives `bytearray(b'\x1f\x8b\x08\x00')`
I found it interesting that this is particularly obtuse in Python and that there seems to be no really obvious/clean way to "just do the thing"
Damn you are 1337 dude
thanks for the explanation. that this has always puzzled me. have a lot less knowledge about what goes on under the hood than you, but parsing things from bytes to strings and between different encodings is pain in the ass.
@@Safex I don't really know anything special about what's "under the hood" here or Python, I just saw something I didn't understand and wanted to understand it. I experimented and read docs. That's how I learned everything I know: be curious, explore. Make a habit out of that, and you'll build up a base of knowledge.
You accrue all sorts of useful tidbits this way. As an example, I'd like to elaborate on my comment about "clearly not ascii text" -- I phrased that poorly (which is probably what the troll above was reacting to) -- but it derives from just a tiny bit of information about how the ASCII table is organized:
Uppercase letters are 010xxxxx, where xxxx=1 is "A" and xxxxx=2 is "B" and so on. Lowercase letters are 011xxxxx. In hex that makes letters fall into the range 0x50-0x8F and space is 0x20. Anything less than space (0x20) is a control character and generally not present in text. That's a pretty restricted set of values, and once you know that "one weird trick", you can make a good guess as to whether you're looking at text or not, even if you don't immediately know what it says. (Unicode encoded as UTF-8 has clear patterns too, in addition to sequences that are invalid)
Compressed data (by its nature: read about entropy coding) is pretty similar to random data. If you're looking at a compressed data stream, then aside from any magic/header bytes the values will be all over the place without much of a discernible pattern. An executable or some data file may have some bits of "ascii" text mixed in, but also chunks of null bytes, or small/large bytes that don't look like text. It will look like it has structure, but it won't consist entirely of text-looking content.
With all that in mind, even the first four bytes "%1f%8b%00%00" suggests that the data isn't text-based (especially in light of the null bytes -- %00). It also suggests it isn't compressed (there's clear structure).
Anyway, I just wanted to mention that there's no magic here, just curiosity at work. Anyone can do it, and I encourage them to :)
@@myndzi This is the correct approach, it just requires patience and persistence which is hard if you’re expecting instant results and want to be like John on day two.
That said, you’ve gotten a lot further than I ever have with character encoding. I’ve only gotten deep enough to know it’s complicated as heck to step into, and only know enough that two tools are handy when you’re new and still trying to figure things out. CyberChef has two tools - Magic, and one for character encoding brute force that can be very helpful to start you off or sometimes just get you a quick result when you don’t have time to dive deep just to learn.
I had a feeling it was the wrong encoding but I never knew unquote would encode into utf-8!
I was fascinated, there are a lot of impressive things with this specific analysis and it was very rewarding.
AMSI part is amazing, thank you for the quick explanation!
43:05 if applaunch is open it gets the proccess id (type in cmd tasklist its shows the pid). Then it injects itself into it effectively being run in every instance of every executable that uses dot net framework with forums. Kinda clever hard to detect which process is the one doing the malicious stuff meaning this could be hard to remove without the right tools.
That twist at the end though... 😳🤣
I'm doing my Sec+ class right now, and this was AWESOME. Will be sharing to my classmates. 👍👍👍👍
I've never even touched any of this stuff and know nothing about it. Yet I watched the whole video because of your explanations! Great info for anyone looking for it. More please!
and a huge draw for me personally is the voice! the sound and personality just drew me in and he's completely speaking greek
That was insane! What a twist. Brilliant work and entertainment.
Great job as always John! The INSTALL and Decompress were really crazy. Great analysis.
I'm slowly trying to get better at coding this video was honestly super cool. Amazing what you could end up doing
I code games, I wish I could have 2 lives to get enough time to dig into this field. Back top my days, it was only assembly and C++, now the amount of knowledge behind is immense
You are "decrypting" malware as I am "decrypting" old, legacy, badly, written source code. Great help and inspiration!
35:40 This was badass. I love Sublime Text for this kind of manipulation while writing
I could watch these all day.
Great video. One request: add key presses to video. I love how you navigate in subline, or tinker in terminal with just a keyboard. Will be great to see what hotkeys are you using. Helps learn that kind of stuff. =)
Great video, keep up with the quality content!
1:14:00 and before, it didn't show key because you wrote Console.WriteLine("key=", key), which invokes the overload Console.WriteLine(string format, object value). Since there were no placeholders (like "{0}") it didn't format them.
You know someone is amazing with computers when they know and utilize every windows keyboard shortcut imaginable. It's one of the questions I use when interviewing people for IT positions.. lol
What a waste of time that would be
@@jakezxz1352 wouldnt it be the exact opposite of a waste of time? :)
Very nicely presented and educational with your own trail and errors. I'm a subscriber now.
"Alright so we've done enough cyber-stalking [...] He is on twitter !!!" Made me chuckle. Then "HE FOLLOWS ME !!!" was hilarious xD
It creates c++ code, compiles it, sets up 2 ways for the malware to execute automatically incase one fails. It replaces applaunch which start automatically with the framework and on startup. It stores itself (the "exe" is compiled in c++) in memory. Easy. Projectfud = a library stored in your memory doing things. It launches on start up 2 different ways.
I work in software engineering and data science oriented projects, and even tough this is far away of the malware analysis of this video, it highly remembered to significant reverse engineering parts you have to do, too, in legacy code (without documentation and similar), or sometimes even to start a part of the work on semi-protected older projects (where author and everything else left the company some time before). Even web scraping involved a lot of similar techniques (there's a lot of obfuscation parts inside, too, especially if the web sites don't want to be scraped, or more often, when it's using a whole lot of historical technology, like JavaScript Shortifier over some old AJAX over some old SOAP connecting to deprecated MS SQL server technology that might now have a more up to date backend, but still kept the API, etc, with still some survived obfuscation technology that end of 90s were security techniques).
I think this also tells why writing anti-malware software is so hard, as even legit code does look very often enough similar odd, including such hardcoded obfuscated byte strings as integers and similar. (Just look to some autogenerated gRPC code as one example).
Did your 3yo write this?
I have NO FUCKING IDEA of how coding works, but i still enjoy the shit out of these videos? how?
i took an html class 10 years ago and this is wild to listen too, idk any of your crazy words magic man but they are cool
do you do code analysis's often? i had a lot of trouble trying to learn during high school. ive got turing complete which has helped me actually understand what is happening & how the variable names used by programing languages are used at the bit/byte level. i got a mental block once i got to the actual coding portion. mainly because the whole system is made from scratch besides the few examples they use to get you started. so its a little dificult to use useful name for the bytes with my limited experience with coding.
What a nice little surprise when the author was a twitter follower. was not expecting that XD
Very long video but definitely worth the watch. Crazy buddy actually came and saw the video and commented! AND FOLLOWS YOU! Crazy times.
1 hour in, the BS-OD is neat.
Think about it, it delivers its payload, maintains persistence then BSOD's.
Natural response is power cycle PC thereby initialing the start up routine.
I'll wait and see how it pans out :)
What would be even neater however, is running the malware wihout BSOD.})();
@@x3ICEx i bet it does that too, bsod is just one of possible stuff it does.
Especially as it definitely allows to take commands from remote server...
And i 100% bet that BSOD is one of them... Soo mass BSOD is possible
This was so entertaining to watch, seriously.
"Or you can use VSCode if you're that kind of human being"
idk i kinda like vscode
@@renchesandsords I like it too ;)
Had to come check this out after your advent of cyber room!
I love how animated you are doing this 😁
Love your vids John!!! How did you repair your Amsi-Scan?
Very cool video.. humbled after watching you work. Awesome twist at the end.. ;)
Great video, was a really fun ride. Inspiring as well
You can copy paste the URL into google translate to translate the page to english :)
Was really amazed, thank you for the video!
This was one of the funniest malware analysis videos I've ever watched XD
For example: 1:30:10 "He follows me?!?" It's funny to see you crack up laughing because of that ;)
this is cool. seeing you do all this reminds me of first learning CMD stuff and Bash after that lol
Maybe the BSOD one was for killing a System process in case admin privileges are present and then try to read passwords from the BSOD memory dump
Very instructive and very interesting video.
I don't know much about windows (I use linux) but I was shocked what a piece of cake it is to bypass amsi!
I have zero idea how I got here but, dang! this is sssssssssooooooooo cool! subbed!
46:06 that’s some big brain credits
I love these videos although I literally have no clue what you’re talking about. Learning cyber security is interesting, but very challenging to start off. Any recommendations on where to start off?
Cyber security is a broad topic. Malware analysis, though, requires knowledge of programming, assembly language and reverse engineering, in that order.
python, c#, powershell, among other things, were mentioned here, as well.
I've been binge watching these malware analysis videos after a friend of mine tore apart a virus I managed to get. If you want another exe (that at the time wasn't caught by anything on virustotal, could have changed since then) to add to the pile of things I'm sure you have to analyze, let me know :)
Yes please! Email in the description ;)
@@_JohnHammond sent! Forgot to mention in the email but I'm sure you'll get a kick out of some of the variable names/values, no spoilers though :)
$TP = target process id think, i didnt really think about it until i watched this video this second time 8) great videos
Lol.
I don't watch coding, programming, or computer videos at all. Tonight at dinner me and my brother talked about coding for 20 minutes or so, and talked about how you could code a snake game pretty easily. Now I've got this video on my recommended.
But no, they're not listening lmfao.
And I was like: “HHm..no obfuscation…” Then I saw the RUNPE variable 🤣
God i'm loving this Channel.
Does anyone else shout at their monitor whilst going through these? Great video! Subbed.
Would Constrained Language Mode prevent this attack given only certain Add-Type's are permitted? How do you feel about leveraging CLM for Powershell hardening?
This literally blew my mind .... I love how you keep saying "You just do this ... simple!" ....Uhm, yeah OK John ... we believe you. Real simple :D
It makes me sad that so much work goes into hiding something whose purpose is just to mess up our lives.
It's not though, there is massive money behind viruses.
Don't be. Messing up our lives is just colateral damage. There's a lot of money made here.
I think that from time to time when I’m investigating new phishing emails at work. Like, some of these people have genuine skills and it makes me sad to see them wasted on malicious activity when they could have real jobs actually accomplishing something and doing some good for people. Once in a while you run across something that’s quite elegant and clever, and the person who had the skill to accomplish all that should be using their skills somewhere productive, and if they’re not, then that’s just very sad.
3:44 "Looks pretty suspicious right away"
me who is just seeing a bunch of letters: ?? :0
That plot twist at the end when you saw he follows you LMAO.
palms sweaty when trying to reverse trace, the most bravest of brave is you.
@John it would be great if you can share the sha256 or malware link in the description of the video. That way while learning, we can follow along you.
One of the best videos I have ever seen!
Awesome!!! walkthrough John, it was a wild🎢 ride. ✨✨✨✨✨
bro I'm learning the analysis more here than my university Dr.
I should call you Dr. John 😂 LoL
So, a lot of time, I'll put on your long videos on my screen next to me while I'm working on my computer, honestly just half-paying attention to it, but I really got into this one. Quick question though, how cool was it to see that he was following you on Twitter? That's got to be an interesting feeling. Anyways, thanks for the great video, and I've learned so much from you. Super appreciate it.
I came for the code breakdown and stayed for the amazing plot
You'll get no argument about IDEs from me-- I'm an Assembly programmer, so I just use plain old Notepad! :P
There's so many varieties of Assembly language, that syntax highlighting is basically useless, when you're working with bare-metal.
I thought of something. Macro robotic compression. Cryptorgraphical context such as that a 0x00 resembles a keystroke convertered from ASCII. See if you do not have access directly to the shell you can impersonated the keystrokes and torjan a backdoor so every time a infected exe run it than triggers a cache file for determinted macro inject into a shell not as a remote user but impersonated as the user itself. Personal Computers mainly are owned by self adminstrated folk unlike a school or so with password and admin protection more secure. But you can inject a backdoor into a basic user even in guest. Some electrinic social minipulation and you got your self a keylogged access. That has a person socket connect to transfer from client to serve and vice versa. Cache inject, will automated the keystokes into a user defined shell. You not typing in a shell you automating it. Ticking time bomb.
the amsi break is the scariest thing I've ever seen on youtube and it's freely available 10 keystrokes away. thanks i hate it
OMG You're great, man! Had me dying laughing when you said he follows you on twitter.
Was a few BNB invested into a BSC token, he claimed he had be attacked by a RAT im here to learn more in-depth
I am Mexican and your videos is amazing!
The discovery that they follow you on Twitter was a twist that would make Shyamalan proud
Those videos are great! i love to watch them
Just gonna go ahead and like this before seeing the video because I know it's gonna be a banger
Literally a movie!
Thanks for the video, really liked the analysis :)
Best malware analysis yet you can find on RUclips, thanks mate)
Great video John
Minor thing, but why do the #!/usr/bin/env python in the script when you’re calling it using python3 on the command line. The shebang (#!) is what informs your shell what to use to run that script, in that case you’re saying “use whatever python is found in my $ENV which could be anything depending on the OS (dist, version, local settings). I would either a) set the shebang to the same used (python3) or b) chmod +x the script and let the shebang do it’s job. Note that if you do the latter and don’t set it to python3, and if python3 isn’t the env default, you’ll likely get Python 2.
Using both the interpreter on the command line AND using the shebang with env can cause unnecessary confusion and troubleshooting down the road. 25+ years of +NIX “what the $x?!?!” hard won pain.
Dude, this was so good!
add-type compiles to temp, you should use reflection for red teaming. even if you patch amsi, it will often trigger windows defender itself anyways so amsi patch wont matter possibly if you add type. (not all cases of course, but dont be that 1 guy on the team lol).
Him pops neck
The dog: *Windows startup sound*
what a time to be ALIVE!
Not even gonna lie this was mad interesting
WOW I truly love what you are doing , respect
Alex Yiik taught me about this bit of malware.