The fact that you can analyze, decypher, plan ahead and slow yourself down for us, in order to perform this perfectly clear pedagogic explanation, all at once, is kinda impressive.
Thanks for uploading. I’m learning a lot of cool stuff from the channel. Haven’t seen all the videos but thank the algorithm for the recommending this channel.
Great job Laurie! I love how strace can show so much. In a CTF I wrote in x86 Assembler, I worked to hide all of the traces but few ever go to such lengths.
Kudos to the amount of work you put into the production! The MacOS/WinXP crossover made me lough and love to the Corgi :) Also, you have a really calm and structured way of teaching. 👌
I started my reverse engineering career as a teen in the late 80s, mostly cracking games and hunting malware on MS-DOS. Glad to see the next generation going strong at it!
Actually, her experience was due to the fact she was not running Virtual Machine hardware in a certain configuration. A mere change to a path can result in the ransomware not working.
I'm so confused... it encrypted to a length of bytes that you'd probably expect. Which then decrypted to a small number of bytes (about the size of a key). Which then encrypted back to a length similar to the original encryption. Which then decrypted back to the original bytes. I've never come across anything like that before... wouldn't the initial decryption that shortened the bytes lose information? Is this multiple encrypt/decrypt a common method in cyber-sec land?
it's really weird for sure... but after the first "Decrypt" the length could also be similar to the "hello world" text itself, so maybe it converted it to something close to the original bytes, but maybe NOT'd or something. Then when you Encrypt again, and Decrypt again, you get another NOT inverse which results in the original text. I'm actually more interested how it really is doing the encryption, what key it is using. if they really wanted the client not to be able to recover it they would generate a random encryption key on the fly and then send it back to the "mothership". but I guess that leads to too many potential problems so it's not worth it -- better to make a pseudo security theater encryption/decryption for the best chances of getting paid.
@@MichaelButlerC It's perhaps a XOR pass or something else that masks the data in a reversible way? If it's XOR'ed with the key, it would make it more difficult to break, as the decrypted data wouldn't actually match the encrypted data in a predictable way?
It doesn't appear that the ransomware is actually "stealing" the data and transferring it to another server. Wouldn't you see that in the strace? Or am I misunderstanding how this malware works?
My guess is that the authors are bluffing with the data being stoled, but obviously not with the encryption part. They have probably crafted versions of this malware based on the targeted company and when paid ransom would reveal the decryption key based on the company id of the target (or they wouldn't share it at all). I was looking for the malware attempting to detect network interfaces as based on the fact that this container is isolated it would not be able to do much and cease further attempts, but I did not see any syscalls that would indicate it.
@@MartinWoadand also, looks like the "decryption" part didn't even require any decryption key input, so it was most likely all "built-in" to both binaries (probably to reduce risk of failure, which leads to failure in getting paid).
Probably a mistake of malware writers. I have seen a case when some ransomware encrypted all files with the same kay and IV, so if you happen to have an original file of one of the encrypted files, you just needed to xor them, and then xor the result with all other files to decrypt them (except ones that are longer, obviously). It would be nice to find out how it really works and understand why it happens.
Hi Laurie great video do you mind making a video of putting black Basta into ghidra I'm currently trying to analyze a windows version the one that starts with ae7 an I'm completely lost in ghidra
Well, strace doesn't tell you much, just traces system calls. You should use gdb and/or a disassembler instead to figure out how the actual encryption works.
This must be one of the most underrated channels on YT.
I beg to differ
she chose the worst ransomware to investigate ever
Explain @@thesickestnoodle-nq3wn
@@thesickestnoodle-nq3wn what's wrong with this one?
@@dogyX3It's incredibly simple and featureless... Tons of more fitting samples
@@thesickestnoodle-nq3wn Come on... I am impressed. Don't be a dick
I absolutely love this format. The "window" switching is really cool.
yup, a switch to classic Mac OS. Could use some BeOS love :D
The fact that you can analyze, decypher, plan ahead and slow yourself down for us, in order to perform this perfectly clear pedagogic explanation, all at once, is kinda impressive.
Let's all love lain
Thanks for uploading. I’m learning a lot of cool stuff from the channel. Haven’t seen all the videos but thank the algorithm for the recommending this channel.
Great job Laurie! I love how strace can show so much. In a CTF I wrote in x86 Assembler, I worked to hide all of the traces but few ever go to such lengths.
strace traces syscalls. No way to read or write files under Linux without syscalls, even in assembly.
Yea I’m wondering how it would even be possible to hide
This was a great watch, really interesting stuff. Thank you for creating this
Kudos to the amount of work you put into the production! The MacOS/WinXP crossover made me lough and love to the Corgi :)
Also, you have a really calm and structured way of teaching. 👌
I started my reverse engineering career as a teen in the late 80s, mostly cracking games and hunting malware on MS-DOS. Glad to see the next generation going strong at it!
Thanks for these videos. It has really got me interested in malware analysis.
typical Linux experience: you even have to troubleshot malware and actually try hard to get it working
Actually, her experience was due to the fact she was not running Virtual Machine hardware in a certain configuration. A mere change to a path can result in the ransomware not working.
Good work Laurie.
Excellente vidéo, merci pour ce contenu
Very interesting, love your channel
Pure Gold !
Pls never stop !
What keyboard are you using? I love the sound of it
perhaps a mechanical keyboard with customized switches.. I love the sound of it too
"Present Day, Present Time -- Copland OS"
I love your videos! I learn so much!! Thank you
Great content!
The world needs more Lauries
I'm so confused... it encrypted to a length of bytes that you'd probably expect. Which then decrypted to a small number of bytes (about the size of a key). Which then encrypted back to a length similar to the original encryption. Which then decrypted back to the original bytes.
I've never come across anything like that before... wouldn't the initial decryption that shortened the bytes lose information? Is this multiple encrypt/decrypt a common method in cyber-sec land?
it's really weird for sure... but after the first "Decrypt" the length could also be similar to the "hello world" text itself, so maybe it converted it to something close to the original bytes, but maybe NOT'd or something. Then when you Encrypt again, and Decrypt again, you get another NOT inverse which results in the original text. I'm actually more interested how it really is doing the encryption, what key it is using. if they really wanted the client not to be able to recover it they would generate a random encryption key on the fly and then send it back to the "mothership". but I guess that leads to too many potential problems so it's not worth it -- better to make a pseudo security theater encryption/decryption for the best chances of getting paid.
@@MichaelButlerC It's perhaps a XOR pass or something else that masks the data in a reversible way? If it's XOR'ed with the key, it would make it more difficult to break, as the decrypted data wouldn't actually match the encrypted data in a predictable way?
How about a roadmap for learning these techniques
That would be great
So the decryptor is from the ransom group and does decrypt anything without payment or is it a third party crack?
Ok you had ne at the Lain intro lol subscribed
awesome and way above my head! ::Swoosh::
Nice exercice! Note that this malware must first acquire root privileges to do anything ugly.
What theme is Laurie using for the XP feeling?
ty for the upload!
It doesn't appear that the ransomware is actually "stealing" the data and transferring it to another server. Wouldn't you see that in the strace? Or am I misunderstanding how this malware works?
My guess is that the authors are bluffing with the data being stoled, but obviously not with the encryption part. They have probably crafted versions of this malware based on the targeted company and when paid ransom would reveal the decryption key based on the company id of the target (or they wouldn't share it at all).
I was looking for the malware attempting to detect network interfaces as based on the fact that this container is isolated it would not be able to do much and cease further attempts, but I did not see any syscalls that would indicate it.
@@MartinWoadand also, looks like the "decryption" part didn't even require any decryption key input, so it was most likely all "built-in" to both binaries (probably to reduce risk of failure, which leads to failure in getting paid).
Fun! Informative! Really enjoy your videos! #LaurieWired
what OS is that?
win11
Weird that it took an extra encrypt+decrypt to get back to the original
Probably a mistake of malware writers. I have seen a case when some ransomware encrypted all files with the same kay and IV, so if you happen to have an original file of one of the encrypted files, you just needed to xor them, and then xor the result with all other files to decrypt them (except ones that are longer, obviously).
It would be nice to find out how it really works and understand why it happens.
This women has great style :-) and so cool how she explains stuff. Thanks
container inside vm inside vm. lets go!
Me wondering whether the windows desktop is a techbro trap oO
That's awesome
Thanks, I leaned so much. I agree withlkron5741, this channel is very underrated.
Looks like it targets VMware O/S
Hi Laurie. Stupid question, but the Ubuntu VM you are using is 64bit or 32bit ? just asking. Thank you
Great Video BTW
Actually its a great question.
Hi Laurie great video do you mind making a video of putting black Basta into ghidra I'm currently trying to analyze a windows version the one that starts with ae7 an I'm completely lost in ghidra
The old TV
Saw the lain intro and hit subscribe immediately
Jimmy 'two-times' from GoodFellas would've cracked this. "I'm gonna get the papers. Get the papers". "I'm gonna decrypt the files. Decrypt the files".
she's so adorable.
These thumbnails though 😂
she kinda sound like oyung sheldon
Well, strace doesn't tell you much, just traces system calls. You should use gdb and/or a disassembler instead to figure out how the actual encryption works.
Schway
WRITE A BOOK
похоже это настоящая девушка, не транс, фембой или актёрша не понимающая что читает с телесуфлёра...
i am sorry !what! thankyou
How's chad?