Uncovering NETWIRE Malware - Discovery & Deobfuscation
HTML-код
- Опубликовано: 17 фев 2022
- Make security 100x better in 2022 with Snyk's "The Big Fix" event! Get started here → j-h.io/snyk-bigfix
Help the channel grow with a Like, Comment, & Subscribe!
❤️ Support ➡ j-h.io/patreon ↔ j-h.io/paypal ↔ j-h.io/buymeacoffee
Check out the affiliates below for more free or discounted learning!
🖥️ Zero-Point Security ➡ Certified Red Team Operator j-h.io/crto
💻Zero-Point Security ➡ C2 Development with C# j-h.io/c2dev
👨🏻💻7aSecurity ➡ Hacking Courses & Pentesting j-h.io/7asecurity
📗Humble Bundle ➡ j-h.io/humblebundle
🌎Follow me! ➡ j-h.io/discord ↔ j-h.io/twitter ↔ j-h.io/linkedin ↔ j-h.io/instagram ↔ j-h.io/tiktok
📧Contact me! (I may be very slow to respond or completely unable to)
🤝Sponsorship Inquiries ➡ j-h.io/sponsorship
🚩CTF Hosting Requests ➡ j-h.io/ctf
🎤 Speaking Requests ➡ j-h.io/speaking
💥 Malware Submission ➡ j-h.io/malware
❓ Everything Else ➡ j-h.io/etc
I love the journey John goes on in these videos. From "HOW DO THEY KNOW IT'S NETWIRE??" to "Oh here's a super unique obfuscation key that's an obvious IOC and they literally create directories named 'Netwire'"
John please do not ever stop doing this kind of videos. As a student i really love them, there super interesting, keep the great job!
I agree, these videos are super fascinating.
Ikr
I swear, I learn more on YT than in college
I appreciate the dark mode. I watch these videos on break during my night shift. LOL Great job with the content. Your dissections make it look easy.
Last week I dig into a .Net Assembly with some base64 encoded string in it. And thanks to the Videos of John I recognize the string and I know what to do with it.
Thank you for doing more of these! They're my favorite type of videos by you. I know you love doing CTFs because you enjoy it. Don't quit either series. Just know people love this series too
More more more! I love just learning new things. I like how you notice things that are the same. This is so cool
I just recently discovered CTF's and John your content is GOLD! i am trying to transition into Cyber security, thank you for all the work you are doing.
To be honest, I'm surprised that you haven't tried using Windows Terminal + SSH to connect to your remnux box for these deobfuscation videos... That'd be pretty slick.
Fantastic video! Hope you continue this series
was super excited for this vid! great watch and more valuable info! thx john
Hell yeah! Thanks John. Love your content!
Thank you John for using dark mode. I've been called a vampire since I was 17 :)
thanks man. love this kind of vids
"dark mode for all you vampires that watch my content" 💀 am dead john 🤣🤣🤣 19:58 that gave me a good laugh and energy to finish this video 😂 soo good.
Thank you amazing and informative video. It's almost morning time to go to sleep - The Vampire 🤓
31:40 I was getting worried that he wasnt going to upload the video
🤣🤣🤣
Good video, good content 👌 and always something interesting hidden 👍
Can't wait.
That was awesome. Keep it up
Great tour..
John, would you care to do a piece on firmware/UEFI malwares, their persistence and how to approach deobfuscation and/or removal?
Good job John
Fantastic
Hi John, first time to this channel and so far your content is awesome! Wanted to know if there was a safe way for us to follow along with you.
I would LOVE to see some beginner friendly tutorials on Python and Javascript. Any plans for videos of that type? Thanks for your content!
Very nice video!
One question.
I am sharing data from REMnux to FLARE VM, but when I look at the paths, they are interacting like local data.
How do you build such a lab environment?
I am interested because I always use KVM to share files over a virtual network.
The content is enjoyable and informative, as always. Keep up the good work!
Lets start 😁
Ah yes.. John.. John hammond does it again
Excitement!
4D 5A is the hex representation of 'MZ', the magic string at the start of a Windows executable file.
hello jhon hammond could you make a vid on your ubuntu VM the settings you use and themes thank love ur vids
It makes since why it works fine in firefox but not with curl because according to cloudflare, error code 1010 means that the owner of the website has banned your access based on your browser's signature
i was waiting for months for new malware video lol
Hi john hammond please do a analysis on xmrig miner software, it shows a lot of red flags in malware scan
Hey john great video as always. Intezer is great! I am scared for what will happen with the upcoming ukraine and russia conflicts
Blindly search-replacing variable names is a VERY breakable thing.
Imagine someone deliberately starting with a "Set aaabbbccc = myObject" , and using "aaabbbcccqqq" and "CustomObjectqqq" further down.
You are going to mess up when someone starts doing that.
from the 10 malware videos i have watched , the method works very well most of the time .
You can use exact match which negates your point.
@@boomson3082 exact match doesn't care about what is directly after your search.
replacing "ab" with "x" in "abc" will still result in "xc".
@@blinking_dodo it does though, I just tested in on my machine. Would you like a video? Go test it yourself. You can have it set to find 'ab' and it will find all or you can have exact match where it does care about only ab and not abc. But either way, even if he didnt use exact search the code would obviously stick out after the replaced text unless it was the exact amount of characters.
can't you just regex replace?
I am no regex expert but something like
w/word
shouldn't that find the exact word and not if it is part of a word?
you can do that in sublime, no?
What’s the song in the outro called?
I love how happy and giddy you get when you figure something out. It's adorable, but I know deep down there is a serial killer in you. ;b
That's right John because my z flip att phone front screen was completely copied completely compromising my accounts and device keys
Ohhhh spicy
Love this content. I know precisely nothing about coding, but this really makes me want to pick it up - the logic is pretty straightforward to follow even though I couldn't replicate it, and it just looks like a really interesting puzzle.
PATRICK LIKE "CODING"
PATRICK BE A "CODER," SPONGEBAHHB
do you use linux for daily use ??
Cyber Chef would make your life easier at times lol.
Hey John Hammond,
Can you please make a video on Configuring Ubuntu as a Lab? I was trying to setup Ubuntu-latest LTS version, but somehow when I install some git-software(specifically: portkali), the whole GUI crashes and boots only on Terminal. i tried different article to install GUI or boot into it, but no outcome. I maybe tried 4times for 3 days, but it didn't worked.
Also, my Ubuntu navigation wasn't great, don't know, is it that I am not used to Ubuntu or just it's like that.
But, yeah, hopefully you can help.
arch based
21:04 "I don't know why I'm asking, as if you can answer" well, I don't know why I'm answering, as if you can hear me. But that was still a bit small for me on my phone screen.
Why would something not respond to curl but to a browser ? 10:25 , didn't know that can happen.
The context of a request with curl is different, for example the user agent is different so the server would know the request didn’t came from a browser.
Once again, wonderful shit sir. Keep it up!
nice video ^^
cool
👍!
Work headel
Sir it is very super hacker has gone some time attack thanks
That thumbnail though.
Vir ,ras data definitely
my frd laptop recently got ransomware djvu file type march 2022 file type xcbg file
U have play scary movies 😄
santa is loosing christamas gift
You should take a look at some discord/"test my game" malware
Not working
Browsing through LOLBAS and the possibilities alone in findstr make me wanna puke. And there is so much more available in the plethora of tools and binaries MS ships to their users in Windows ... and most of these things can be run under a simple User account, not even local admin or alike.
Entertain me John
I'm laughing John we're going to get Justice for all
Maybe that's because I didn't put an image because I I don't know how someone else is to blame
20:00 We set dark mode because light attracts bugs.
Siml litre size small
Agent
Community video is video nost
ITS A MONKEY OVERLAY
SMTP server files
Rat
Cat
Detyls.
4D5A MZ
случайно все остановились на 665?))
Iocs
Random comment. I just jnstalled subl on kali and its fucking cool lmfao
Man all I hear is "haha your never getting a job once you get out of school now!!"
help
Employee is blind.
This work?hot what this time 10
premieres suck
My community collection to click skills and tools 25 you explaining the videos I can I have in the purview handling in the file handling never to you want handling you should me your decision what my handling is why what's your opinion opinion pass for your reply place
Agent dells explaining .
Madl work headel '4wondrs' looking.
This video zoom add files cod opening 🪟 asml
Entertain me John