I love how John can easily edit the parts he messes up out but he still doesn't and leaves it in. I love seeing your internal thought process when it comes to solving problems.
I got hacked and I really cant get enough of this content, it's just so interesting. As far as I know your the only one making videos about this stuff that are really fun and enjoyable. Thanks dude
I am a beginner Python programmer and I like to watch you videos because they make me feel like I understand the things that are happening, but I am just absolutely clueless as to what's happening. Love it
I can see two reasons why running update.exe at ~15:00 didn't work: 1) it needs three args, the first of which being the pid (you only gave two), and 2) you misspelled the Windows/kaspersky directory as Windows/kasperky.
@Throwaway123 It could be because he has more experience with Bash scripting. The zeroth argument ($0 ) is automatically the path to the script. I also come more from the Linux-world and I would have thought the same thing in his place...
omg... North Korean did this. "완충기" which means buffer in Kanji sound 緩衝器. South Korea use "buffer" "버퍼[buffer]" as it is pronounce in English when programming. "오유[O:YU]" means error, which is "오류[ORYU]" in South Korean. "량[Liang]" = Quantity is "양[Yang]" in South Korean. North Korean has liquidization in ther R, L, I sound.
This is so creepy. Wehn you type kaspersky in youtube, many RUclipsrs instroducing "Hey you can use Kaspersky for free!" in Korean language. This is how they works...
I have to disagree with your theory. This is chinese malware. Check out the one password the developer of it uses. "shengui foresight 1988 2 27" (spaces added post for clarity).
I have to agree, North Koreans are notorious in their search of escaped citizens around the world, and considering there was not program ran, it could be setting up a bot network to monitor email activity and passing/notifying information to the people sitting and waiting for the positive results. Just a hypothesis, would need to make a deeper analysis to be sure.
Shen means god in Chinese, GUI don't need explanation, although North Korea can make malware, Wannacry ransomware originated from there. It is possibility that chinese IT guy got kidnapped or is coworking with N.K._
John: Here is what I think you should try with this: Determine what the config url turns out to be, then see if you can slap your own command and control server together, to send you an email. That would be cool. Like, tame the malware and do your bidding. Another approach would be to fake an update server, and see if your can push other code to your VM that way. It would give viewers a nice insight into how the remote (usually hidden) aspect could work in theory. That would also make for a great hackthebox style box as well!
John: download two time kaspersky.exe instead of upload.exe Me: scream at the monitor for 3 minutes straight John: you should told me! Me: I did it John, I DID IT.
Your videos are so exciting! Not to mention extremely informative. This makes your content so unique!!! Thank you so much for everything you do! You have one of my favorite channels. The other happens to be David Bombal. I can not express how grateful I am to have you guys as resources!
I had just installed the malware 2 weeks ago Lol, I figured out what's happening to my computer quickly and I shuted it down then opened it up and ran my windows defender again and started cleaning and voila.. My computer is clean Love you from Egypt. Keep it up
I've been starting to get into malware analysis myself, but it all seems so daunting. These videos help dramatically. Thanks for releasing this high quality, entertaining AND FREE content!
I don't know if anyone else mentioned this before, but apparently "Shengui" has a number of potential meanings depending on the accent marks. In chinese it can be: lady's bathroom (shēn guī), miraculous (shén qí), ghost/divine ghost (Shén guǐ), divine turtle (shénguī), etc. In korean it can be faith (sin-ui), god (singwi), etc.
Really nice John, been with your channel since 70K~ and am really not suprised it grew that much. As for this series, I love them, can't wait for the next one! Never responding to video's but just wanted to let you know how good they are and that you should definitely keep it up! Kind regards
Great video showing the process of breaking down the software! The program itself didn’t run because it had a check for internet right at the beginning. If it had an internet connection then it would have run but that’s a problem in itself. I program a lot in C# and recognized a lot of the code that was written while you were going through all of it. It was an overall great breakdown video to watch and see your process for this type of thing.
Protip, the kansas pin on the map is just the center of the US and default when not knowing any better. There is a farm there and the local sheriff will yell at you if you try to say they are cyber criminals.... again :D
On windows you can't (re)write the exe file that's currently executing, so if a program needs an update, you'd need another process to swap the files - that's probably what update.exe does. You can rename the exe tho - some hacky programs rename themselves, place the new exe, launch it, die, then the new process cleans up the old files - no need for another program!
Seems like its purpose is to check with the hub servers and make sure they are up to date and not taken down, get latest updated IP addresses to mail/route through, add your ip to the list. So TLDR you become a free spam mail server while getting spam, its also possible they only care about getting access to your email and contacts as well. Also its loging into a mail server that only requires a username and password but that you dont register its hard to explain its kinda like a burner email site its not like hotmail or a real mail site with security.
Those ip addresses are likely residential. This looks like an intermediate stage SMTP C&C tool. Maybe for a stresser. It listens for commands from the top-level C2 server, then forwards the instructions via SMTP to the zombies at the end of the chain. Also: I
@@paulspl2581 More like this: www.usenix.org/legacy/event/hotbots07/tech/full_papers/wang/wang_html/#:~:text=A%20%22botnet%22%20consists%20of%20a%20network%20of%20compromised%20computers%20(,)%20%5B5%2C6%5D.&text=shows%20the%20basic%20control%20communication,more%20than%20two%20C%26C%20servers). What I am suspecting is that this sample is one of the C2 on the diagram at that link
15:00 I’m a solo game developer and I make typos all the time because I’ve reach a level of confidence where I can just code really quickly at times, but visual studio will catch the errors for you. “Kasperky” should be “Kapersky”. I think programming in the terminal would help me catch theses errors by myself more
Amazing Content John, I appreciate it I've seen a lot of channels related to this niche but your channel just looks unique and you're very natural unlike the others :D
you definitly need the following tools for your safety: process hacker sandboxie simple firewall (henry++) *noscript* addon (!!) *privacy* *badger* addon so basic yet so powerful.
Having reverse lookup for the IPs is seen as a good signal for SMTP - there's a higher chance mail won't end up in spam. Most mail servers set these up. Also you need an MX record to receive mail, so naturally each mail server will have at least one domain associated with it in some way.
This reminds me of that one guy in my classes who did thir best to demostratively pretend like they understand perfectly what is going on but it was ao obvious they just do randon things to just try to look smart I'm already comoletely filled with disgust by the 17th minute of the video, thank you
I might use your videos for the PNPT cert instead of using theirs. You a have an natural ability to explain complex subjects in plain and simple English.
If I recall correctly, the IP that lead to Kansas isn’t actually in Kansas. If a more precise location can’t be resolved, the location will default to the geographical center of the country the IP leads to (in this case, Kansas) I only vaguely remember this because a family in Kansas kept having law enforcement show up to their home/farm/whatever because the pin is right on top of their property.
I LOVE THIS DUDE! Admin security: No Access No Admin John: I DO WHAT I WANT, (opens vertical OS, clicks a few clicks) John: Now I'm an Admin Just subscribed, you are the man Mr Hammond. Saw your video with the bearded moooostashed guy, LOL can't remember his name or channel and I know that's horrible. Anywho, thanks for all the amazing knowledge. I'm a NOOB in all my beautiful nieve glory, but I had aquired this passion for building PC towers learned from a friend, then my own curiosity has driven me down the rabbit hole and I wanna know it all! All the way from Network, to scripting, security processes and hacking. ... THE BEARDED MUSTACHE GUY, THE VIDEO WAS ON HACKING! that's where I learned of your existence. And am forever grateful. I love how you took this small little fake thing, and dissected it all the way down to the guys and where they were located in Taiwan and those other countries. This fake antivirus thing. It's amazing watching you work almost like a digital surgeon! Love it man!
I've had them on my mail server. 3 strikes and they were out. And then we had that guy who never got his password correct and locked out himself all the time. He always called and complained. Get your f-n password right the first time dummy.
Shen gui >> tales of demons and gods (there's a trap ~ see fandom wiki) >>> shengui >> game creator >>> foresight (self explanatory) 1988 probably the birth year of the creator >>> system error 227 That was my first guess. (There's some more funny things with that ~ could be a coincidence) Anyway, this was a fun video.
46:52 looks like korean-chinese(조선족) or north korean to me. because we don't really use the word 토막(piece) combine with 자료(data). and 47:31 they used the 배열(array; bae-yeol) with no phonological rule 배렬(bae-ryoel)... so that code is definitely from north korea!
something john should be aware of, its entirely possible for these programs to look for network adatpers and enable them, so disabling isnt a guranteed mesaure. best to disable on vm host side.
Hell yeah! Enjoying your malware analysis videos, man! Btw kaspersky itself is a malware, guys spying on their clients, because in russia nobody can work without fsb(former kgb) permission.
Love your videos man great content ! Just way too long for me compared to 15-30 minutes videos i’m used to on similar content but that’s just me. Keep making more content though it’s super helpful !
that string cypher is just AES btw I would suggest that this is a spam email generator. The IP's appear to be mail relay type servers? Broad overview I got from your scroll through the code: it connects to their C&C server, gets a list of ips tries to connect to them to get the "Good IPs" then spams emails using the default.cfg usernames and passwords for common accounts.
When browsers warns you that this file might be dangerous ( ~ 1:21:10 ), what makes them figure this out? Is it only based on the file name and/or extension or does chrome actually check inside the file a little bit? Is it possible to get a log of why did chrome triggered a warning on that file? Thanks!
I think this malware uses victim computer to check Good working IP address and send some spam mails using the list. Malware is creating spam workers. Another good video :)
"Sometimes a man's gotta do what a man's gotta do" while looking at John's face with utter disappointment for getting a mistake 4th time 🤣 I keep saying just use the for loop 🤣
yo bruv, you should have tried to find the decryption method for the server it sends it to which was mentioned in the config.. :/ Anyways, great video as always, keep it up like this. Much love from germany ❤
I think this is a worker bee, not c&c. It gets the email to spam, IP and ids to spam with, and it goes for it. They probably post process the log files to see which IP's are valid and which id/passwords are valid. Or, they may not, they are wasting the victim's resources, not theirs.
After running the kaspersky.exe and nothing happens, open up the Windows Event Viewer and look under the application events/errors to see what caused the crash.
6:10 And you just made 2 of the same file with different names. Will you notice? 6:16 nope 6:46 Much better 14:42 You misspelled the folder 22:47 Huh 34:08 I heard about that domain. Cool
They had to include the catch in case a critical error happened that halted the program, it needs to run no matter what happens. I usually put all kinds of error catchers just because I don't want my programs to crash
"Skip ahead if you don't want to watch me suffer"... you have CLEARLY misunderstood why I'm here ;)
Hahaha me too!
Always a good feeling to see other coders struggle aswell on tiny mistakes :p
@@furioznetworkz945 ye, as coders, we make mistakes
🦆
I like that the videos are not scripted please make more of a Malware Analysis
+
Nice try, hacker!
@@johnhunt1813 ?
None of his videos are scripted bro, you can see in like the pico CTF playlist, he improvs on the way
@@harmitchhabra989 most actually are ;)
I cried when he downloaded update.exe as kaspersky.exe
I was impressed that he catched it that fast.
13:28 he makes a folder named Kasperky instead of Kaspersky. He does not catch this tipo and gives up. AAAAAAAAAAAAAAAAAAA
I love how John can easily edit the parts he messes up out but he still doesn't and leaves it in. I love seeing your internal thought process when it comes to solving problems.
I got hacked and I really cant get enough of this content, it's just so interesting. As far as I know your the only one making videos about this stuff that are really fun and enjoyable. Thanks dude
ohh welcome to a new world
You were hacked by a grammar nazi who hated you for using "your" instead of "you're". :')
@@liesdamnlies3372 Are you confessing the crime? hahaha
@@liesdamnlies3372 The hacker probably added a script that would autocorrect all cases of "you're" into "your" so he would get random hate online. :P
Yaaaassssss,
Another malware analysis wooooooo
I am a beginner Python programmer and I like to watch you videos because they make me feel like I understand the things that are happening, but I am just absolutely clueless as to what's happening. Love it
I can see two reasons why running update.exe at ~15:00 didn't work: 1) it needs three args, the first of which being the pid (you only gave two), and 2) you misspelled the Windows/kaspersky directory as Windows/kasperky.
I caught that too!
Another one who caught that typo there!😂
You forgot an s! You forgot an s! You forgot an....oh forget it, you can't hear me.
@@natetronn 😂😂😂
i felt so smart when i saw that mistake haha
File Description: b
John: *disables windows adapter*
Me: *internal screaming* _You should do that in the VM settings_
@Throwaway123 bruh yes
And he made a typo in the directory name: "kasperky"
@Throwaway123 It could be because he has more experience with Bash scripting. The zeroth argument ($0 ) is automatically the path to the script. I also come more from the Linux-world and I would have thought the same thing in his place...
omg... North Korean did this.
"완충기" which means buffer in Kanji sound 緩衝器.
South Korea use "buffer" "버퍼[buffer]" as it is pronounce in English when programming.
"오유[O:YU]" means error, which is "오류[ORYU]" in South Korean.
"량[Liang]" = Quantity is "양[Yang]" in South Korean.
North Korean has liquidization in ther R, L, I sound.
This is so creepy. Wehn you type kaspersky in youtube, many RUclipsrs instroducing "Hey you can use Kaspersky for free!" in Korean language. This is how they works...
Really interesting. Might very well be a false flag though.
I have to disagree with your theory. This is chinese malware. Check out the one password the developer of it uses. "shengui foresight 1988 2 27" (spaces added post for clarity).
I have to agree, North Koreans are notorious in their search of escaped citizens around the world, and considering there was not program ran, it could be setting up a bot network to monitor email activity and passing/notifying information to the people sitting and waiting for the positive results. Just a hypothesis, would need to make a deeper analysis to be sure.
Shen means god in Chinese, GUI don't need explanation, although North Korea can make malware, Wannacry ransomware originated from there. It is possibility that chinese IT guy got kidnapped or is coworking with N.K._
The content usually isn't that interesting to me, but with that enthusiasm of yours i just cannot get enough of it.
John: Here is what I think you should try with this: Determine what the config url turns out to be, then see if you can slap your own command and control server together, to send you an email. That would be cool. Like, tame the malware and do your bidding. Another approach would be to fake an update server, and see if your can push other code to your VM that way. It would give viewers a nice insight into how the remote (usually hidden) aspect could work in theory. That would also make for a great hackthebox style box as well!
finally a constructive vent for my paranoia (brought me here)
Same
You are quickly becoming my new favorite person to watch when I get home from work. Great stuff!
John: download two time kaspersky.exe instead of upload.exe
Me: scream at the monitor for 3 minutes straight
John: you should told me!
Me: I did it John, I DID IT.
Same situation here. 😂
LMAOO samee
Your videos are so exciting! Not to mention extremely informative. This makes your content so unique!!! Thank you so much for everything you do!
You have one of my favorite channels. The other happens to be David Bombal. I can not express how grateful I am to have you guys as resources!
These videos are honestly so great - even if you can grasp all the technical coding stuff, it’s still so educational!
Keep the malware analysis coming! Love it!
I had just installed the malware 2 weeks ago Lol, I figured out what's happening to my computer quickly and I shuted it down then opened it up and ran my windows defender again and started cleaning and voila.. My computer is clean
Love you from Egypt.
Keep it up
I've been starting to get into malware analysis myself, but it all seems so daunting. These videos help dramatically. Thanks for releasing this high quality, entertaining AND FREE content!
I don't know if anyone else mentioned this before, but apparently "Shengui" has a number of potential meanings depending on the accent marks.
In chinese it can be: lady's bathroom (shēn guī), miraculous (shén qí), ghost/divine ghost (Shén guǐ), divine turtle (shénguī), etc.
In korean it can be faith (sin-ui), god (singwi), etc.
Keep up these great and expansive videos! I've been learning a lot from them and I appreciate the work you put in!
Really nice John, been with your channel since 70K~ and am really not suprised it grew that much. As for this series, I love them, can't wait for the next one! Never responding to video's but just wanted to let you know how good they are and that you should definitely keep it up! Kind regards
Great video showing the process of breaking down the software! The program itself didn’t run because it had a check for internet right at the beginning. If it had an internet connection then it would have run but that’s a problem in itself. I program a lot in C# and recognized a lot of the code that was written while you were going through all of it. It was an overall great breakdown video to watch and see your process for this type of thing.
Hi 👋, I was wondering what was all that ip addresses ? Are they real people ips ???
Thank u 💓
Yup... agreed. That's where a proper isolated internet accessible VSwitch would have been great.
@@blazi_0 Yes? He literally showed you the locations of some of them...
Very interesting videos! Love seeing how this stuff works! There was no way I was going to skip ahead...
Protip, the kansas pin on the map is just the center of the US and default when not knowing any better. There is a farm there and the local sheriff will yell at you if you try to say they are cyber criminals.... again :D
Thank you for sharing! Someone should make a video about that
On windows you can't (re)write the exe file that's currently executing, so if a program needs an update, you'd need another process to swap the files - that's probably what update.exe does.
You can rename the exe tho - some hacky programs rename themselves, place the new exe, launch it, die, then the new process cleans up the old files - no need for another program!
I am so thankful i found this channel....I got a premium sub for THM and am taking courses to learn everything I possibly can.... thanks John 👊
Think I’ve found my new favorite channel
Seems like its purpose is to check with the hub servers and make sure they are up to date and not taken down, get latest updated IP addresses to mail/route through, add your ip to the list. So TLDR you become a free spam mail server while getting spam, its also possible they only care about getting access to your email and contacts as well.
Also its loging into a mail server that only requires a username and password but that you dont register its hard to explain its kinda like a burner email site its not like hotmail or a real mail site with security.
been waiting for another one.
love the content, thank you.
This is honestly a great tutorial on how to read someone else's code
Those ip addresses are likely residential. This looks like an intermediate stage SMTP C&C tool. Maybe for a stresser. It listens for commands from the top-level C2 server, then forwards the instructions via SMTP to the zombies at the end of the chain.
Also: I
So in this case every zombie transfers commands to eachother ?
@@paulspl2581 More like this: www.usenix.org/legacy/event/hotbots07/tech/full_papers/wang/wang_html/#:~:text=A%20%22botnet%22%20consists%20of%20a%20network%20of%20compromised%20computers%20(,)%20%5B5%2C6%5D.&text=shows%20the%20basic%20control%20communication,more%20than%20two%20C%26C%20servers).
What I am suspecting is that this sample is one of the C2 on the diagram at that link
Great content, as usual! I wanted to drop a note to say though, that ending track is bomb!
As a C# software engineer, this was really interesting to watch! Keep up the good work! :-)
15:00 I’m a solo game developer and I make typos all the time because I’ve reach a level of confidence where I can just code really quickly at times, but visual studio will catch the errors for you. “Kasperky” should be “Kapersky”. I think programming in the terminal would help me catch theses errors by myself more
Me watching this video as a C# and C++ developer: *My time has come.*
63:30 Advises viewers to skip forward to not see him suffer
Me: But no, this is the content I come here for!
Amazing Content John, I appreciate it I've seen a lot of channels related to this niche but your channel just looks unique and you're very natural unlike the others :D
I don't know why but when you found out it sends emails all I could think about was that spinach email meme.
yes I love reversing ! and seeing the process you use .
you definitly need the following tools for your safety:
process hacker
sandboxie
simple firewall (henry++)
*noscript* addon (!!)
*privacy* *badger* addon
so basic yet so powerful.
keep up the malware analysis! I learn so much from each video!
Having reverse lookup for the IPs is seen as a good signal for SMTP - there's a higher chance mail won't end up in spam. Most mail servers set these up. Also you need an MX record to receive mail, so naturally each mail server will have at least one domain associated with it in some way.
Last 30 minutes were tons of fun. ;) Keep it up!
Most underrated RUclips series. Keep up the good work!
I would like to get the packet and get through it. As a Senior C# Dev, I cried when you went through the code lol
This reminds me of that one guy in my classes who did thir best to demostratively pretend like they understand perfectly what is going on but it was ao obvious they just do randon things to just try to look smart
I'm already comoletely filled with disgust by the 17th minute of the video, thank you
you maybe could have made your own local smtp server and put it in the list and had a look at what email it actually sends out, assuming it runs
I might use your videos for the PNPT cert instead of using theirs. You a have an natural ability to explain complex subjects in plain and simple English.
If I recall correctly, the IP that lead to Kansas isn’t actually in Kansas. If a more precise location can’t be resolved, the location will default to the geographical center of the country the IP leads to (in this case, Kansas)
I only vaguely remember this because a family in Kansas kept having law enforcement show up to their home/farm/whatever because the pin is right on top of their property.
this content is really interesting, really shows the thought process oh how you do it and even the mistakes you could make
fun videos
Where do you find these files? I'd like to delve into this myself.
Oooh, great video John. Thanks for sharing, friend! :)
Hi John can you please demonstrate your setup with your various machines and how they are configured?
Thanks
I LOVE THIS DUDE!
Admin security: No Access No Admin
John: I DO WHAT I WANT, (opens vertical OS, clicks a few clicks)
John: Now I'm an Admin
Just subscribed, you are the man Mr Hammond. Saw your video with the bearded moooostashed guy, LOL can't remember his name or channel and I know that's horrible. Anywho, thanks for all the amazing knowledge. I'm a NOOB in all my beautiful nieve glory, but I had aquired this passion for building PC towers learned from a friend, then my own curiosity has driven me down the rabbit hole and I wanna know it all! All the way from Network, to scripting, security processes and hacking. ... THE BEARDED MUSTACHE GUY, THE VIDEO WAS ON HACKING! that's where I learned of your existence. And am forever grateful.
I love how you took this small little fake thing, and dissected it all the way down to the guys and where they were located in Taiwan and those other countries. This fake antivirus thing. It's amazing watching you work almost like a digital surgeon! Love it man!
It's just an system that cracks email server accounts they provide a ip and password list and when it finds a good login it reports it back.
I've had them on my mail server. 3 strikes and they were out. And then we had that guy who never got his password correct and locked out himself all the time. He always called and complained. Get your f-n password right the first time dummy.
@@arneanka4633I worked on tech support,I can feel your pain
Shen gui >> tales of demons and gods (there's a trap ~ see fandom wiki) >>> shengui >> game creator >>> foresight (self explanatory) 1988 probably the birth year of the creator >>> system error 227
That was my first guess. (There's some more funny things with that ~ could be a coincidence)
Anyway, this was a fun video.
Make more videos like this!!!!!!!! It's fascinating what you can found on internet free software
46:52 looks like korean-chinese(조선족) or north korean to me. because we don't really use the word 토막(piece) combine with 자료(data).
and 47:31 they used the 배열(array; bae-yeol) with no phonological rule 배렬(bae-ryoel)... so that code is definitely from north korea!
54:00 This seems a great phishing attack to me :D this gives a lot of info about the "hooked" user
something john should be aware of, its entirely possible for these programs to look for network adatpers and enable them, so disabling isnt a guranteed mesaure. best to disable on vm host side.
I’m liking these malware analysis videos
Hell yeah! Enjoying your malware analysis videos, man! Btw kaspersky itself is a malware, guys spying on their clients, because in russia nobody can work without fsb(former kgb) permission.
Love your videos man great content ! Just way too long for me compared to 15-30 minutes videos i’m used to on similar content but that’s just me. Keep making more content though it’s super helpful !
LOVE these malware vids
mx stand from "mail exchanger", it is also DNS record for naming mail servers
Seeing you at work is awesome
As a korean myself, i can say that google translate SUCKS
I concur. So does Facebook's automatic translation.
as a foreigner live in korea, papago also sucks
@@derrylab what do you guys recommend to translate Korean then?
@@LegacyInBlood im not sure about korean but for english french and german deepl.com works really good.
Only John Hammond would be brave enough to RUN the malware he is sent
that string cypher is just AES btw
I would suggest that this is a spam email generator. The IP's appear to be mail relay type servers?
Broad overview I got from your scroll through the code:
it connects to their C&C server, gets a list of ips
tries to connect to them to get the "Good IPs"
then spams emails using the default.cfg usernames and passwords for common accounts.
New John Hammond video? Looks like sleep can wait.
15:55
That is a long ubuntu password!!
When browsers warns you that this file might be dangerous ( ~ 1:21:10 ), what makes them figure this out? Is it only based on the file name and/or extension or does chrome actually check inside the file a little bit? Is it possible to get a log of why did chrome triggered a warning on that file?
Thanks!
I think this malware uses victim computer to check Good working IP address and send some spam mails using the list. Malware is creating spam workers. Another good video :)
i love the linux computer that runs cmatrix behind you in the intro
Lol
Always entertaining, love your content
i really like the struggle and the sense of humor
Today John became MAG, most appreciated ginger, and will from now be known as Hammond117
It's a great series, keep doing it please!
you rock john. always inspiring me to learn.
"Sometimes a man's gotta do what a man's gotta do" while looking at John's face with utter disappointment for getting a mistake 4th time 🤣 I keep saying just use the for loop 🤣
Where did this file come from? I want to examine it in more detail!
Awesome. John the king
13:18 Top Left 😅
yo bruv, you should have tried to find the decryption method for the server it sends it to which was mentioned in the config.. :/
Anyways, great video as always, keep it up like this. Much love from germany ❤
malware analysis is a good, informative and original series i like it
You could've had a look on shodan for the ips to determine if whether they run smtp
Ooooh, that's a great idea! Will have to remember to do that for future videos!
I think this is a worker bee, not c&c. It gets the email to spam, IP and ids to spam with, and it goes for it. They probably post process the log files to see which IP's are valid and which id/passwords are valid. Or, they may not, they are wasting the victim's resources, not theirs.
After running the kaspersky.exe and nothing happens, open up the Windows Event Viewer and look under the application events/errors to see what caused the crash.
Thank you John you have shown me a lot
6:10 And you just made 2 of the same file with different names. Will you notice?
6:16 nope
6:46 Much better
14:42 You misspelled the folder
22:47 Huh
34:08 I heard about that domain. Cool
made mh day ❤
watching you sit there and do all those lines of decryption manually rather than just using a for loop and a streamreader hurt in unimaginable ways
Quite eyes opening videos. I do think twice now before I double click.
Love it dude ! MALWAREEEEE!!!
They had to include the catch in case a critical error happened that halted the program, it needs to run no matter what happens. I usually put all kinds of error catchers just because I don't want my programs to crash
@42:00 howabout it beeing base64 or something default like that and the string beeing the salt?
Thank you John, you´re great :)