HTA JScript to PowerShell - Novter Malware Analysis

Поделиться
HTML-код
  • Опубликовано: 4 ноя 2024

Комментарии • 159

  • @mincraftfrontiersman
    @mincraftfrontiersman 3 года назад +104

    I never thought I'd be spending my friday afternoon watching a cross between seth rogen and louis c.k. analyze malware, but here we are.

  • @pinobeppo9287
    @pinobeppo9287 3 года назад +35

    "146 IPs, we could do this forever..." Well, I 'd definitively watch that! Please keep these malware analysis videos coming, they are great. I really enjoy seeing all the thought process behind the analysis.

  • @GodModeMaker
    @GodModeMaker 3 года назад +7

    Was just reading about MSHTA and you come up with this. Your timing is perfect John! Awesome xD

  • @AntoniGawlikowski
    @AntoniGawlikowski 2 года назад +5

    If anyone is using EQ for their computer sound, I found that cutting down 2k Hz range makes the sound much less obnoxious (a bit more swampy, but intelligible and sans all that awful highs).
    Hope that might help someone.
    Still, despite the sound problem, great video as usual!

  • @CJMAXiK
    @CJMAXiK 3 года назад +7

    As soon as I saw the Russian text I was screaming "SLOT MACHINES!!!" )) Really cool analysis, kudos!

  • @Krysstof
    @Krysstof 3 года назад +23

    2 powershell tips for your future adventures:
    - you can use > to redirect output in a file, it is after all a "shell", instead of | out-file
    - parenthesis around something are evaluating that something and treat is a variable, so if you have an array built on the fly and want the first and third char [1,3]. in your case around 31:15
    the variable $VerbosePreference is cast as string : [string]$VerbosePreference
    then with parenthesis around it, it avoids storing this into a variable to work with it, it's the equivalent of $a=[string]$VerbosePreference ; $a[1,3] when you do ([string]$VerbosePreference)[1,3]
    just my 2 cents :)

  • @AlydeahMclydersan
    @AlydeahMclydersan 2 месяца назад

    Thanks John for your talking through analysis techniques. Its extremely helpful to learn how you logic your way through reverse engineering these scripts. Im hooked!

  • @wesleyhall6727
    @wesleyhall6727 3 года назад +16

    "It builds character" I love it 😄

  • @StanLTU
    @StanLTU 3 года назад +1

    I love these videos. I am learning so much about malware.

  • @jameselliot9114
    @jameselliot9114 3 года назад +12

    50:25 - "that's math" thank you for that profound insight

  • @getellied
    @getellied 3 года назад +3

    Oh my goodness, this was crazy
    Really interesting to see the cool (and shady, I guess) techniques they use
    John, ty for this video (and don't worry about the audio ;) )

  • @kenprochaska2286
    @kenprochaska2286 2 года назад

    I learn a ton everytime I watch one of your videos. You are da man!!!!

  • @vbExpert4You
    @vbExpert4You 3 года назад +4

    I enjoyed the video and always enjoy watching people reverse engineer code. When you translated the text to English to find "slot machines" you missed the obvious exclamation "Jackpot!"

  • @monkz1813
    @monkz1813 2 года назад

    Thankyou John and Thankyou for all of the free lessons! I appreciate it so much and have learned most of what I know to this day from you. Thankyou

  • @valterpereiracjr
    @valterpereiracjr Год назад

    You ROCK JH. Great job. Thank you!

  • @desjomp
    @desjomp 3 года назад +1

    john , no need to say sorry for the sound or or or , if you broadcast like in 1950 in short wave or long wave or in morse ,or black and white , always happy to see a new upload !greetz rootsh3ll1

  • @praetorprime
    @praetorprime 3 года назад +2

    have a try{}catch{} for the algorithm. Entertaining and informative as always, keep it up!

  • @_DeProgrammer
    @_DeProgrammer 3 года назад +34

    If you use vscode instead of sublime it has a beautifier module and a bunch of other helpful modules and a built in console.

  • @padrebeaversmsk1178
    @padrebeaversmsk1178 3 года назад +1

    the site you explored is just russian illegal online casino "Вулкан" which was very common in Russia. it is known for very aggresive advertising. The adress is probably was own by command center but it was unpaid or got banned after that domain was sold to casino or just use it as a filler for sold domain. Thank you for your videos it is fun and educational.

  • @brentbice1151
    @brentbice1151 3 года назад +1

    Yay! strings for the win! :-) Remember when you were looking at that powershell script that was throwing an error? Somewhere in the midst of that I thought I saw a "SilentlyContinue" or "ContinueSilently". Now, I'm now powershell superhero - I R a linux/unix geek - But maybe that's an option to tell powershell to keep interpreting if it gets any errors? More red herrings to trip up folks dissecting malware?

  • @cacurazi
    @cacurazi 2 года назад +3

    13:28 summery of .this (object):
    .this in JS will keep track of the instantiation of the code that is running. Like all the functions and variables that were being set/ instantiated. So, this object keeps track of all of the functions and vars that we have initially defined

  • @soncrypto8794
    @soncrypto8794 Год назад

    I just started with cybersecurity, but it's so fun watching this.

  • @comicdev
    @comicdev 2 года назад +1

    In the try-catch chain, the errors are basically an antivirus bypass. The double brackets ([[), they first create the string "message", and in JavaScript, you can select properties using strings, like string.split() can also be called as string["split"]().

  • @marckerkvliet2999
    @marckerkvliet2999 3 года назад

    Great to watch! Entertainment and educational.. thx!! (Audio is not so bad)

  • @peaceforever3661
    @peaceforever3661 3 года назад

    This was awesome John. Love your content. A big fan.

  • @matthewlandry1352
    @matthewlandry1352 3 года назад +2

    Hey John one of your best videos IMO. For a long time I have always wanted to watch someone dissect Windows Malware and your videos scratch that itch like no other.
    I just wonder is this like exactly what you do at work or is your analysis At huntress more in depth?
    Ps: Leave it to John to end up at a shady Russian slot machine 🎰 online Casino. I laughed so hard.

  • @lopiid
    @lopiid 3 года назад

    Well done John, thank you!

  • @ericellenwood
    @ericellenwood 3 года назад

    I have been watching for a while. This is the most interesting sample you have reversed. Best Video

  • @bhagyalakshmi1053
    @bhagyalakshmi1053 Год назад

    You have in a lot of funny explaining in the other sources big point is a small to smile to explain so nice explaining master up and CEO 👋

  • @dand.2944
    @dand.2944 3 года назад +1

    f
    great work, love the videos.

  • @alincraciunescu
    @alincraciunescu 3 года назад

    Thank you, for this video!

  • @viam1101
    @viam1101 3 года назад

    Awesome video man, Appreciate it!

  • @denisulianov9627
    @denisulianov9627 3 года назад +5

    It's adv for russian online casino. Cause it became out of law in Russia. I meant it trying to look like it. And that "vulkan" was insanly popular 8-10years ago when it had been legal.

  • @AmanKumar-tm8id
    @AmanKumar-tm8id 3 года назад +1

    I am taking notes on reverse-reverse engineering, learning how to write and obfuscate malware ;)

  • @JonSnyderfudge
    @JonSnyderfudge 3 года назад

    This was great. Nice job 👌

  • @ripcityraider9469
    @ripcityraider9469 3 года назад

    I hope that one day I can become half as good as you are. You are an inspiration my friend.

  • @szirsp
    @szirsp 3 года назад +3

    41:19 the C# code seems to be the AMSI bypass
    LoadLibrary amsi.dll, GetProcAddress AmsiScanBuffer (or rather DllCanUnloadNow then search for the address), then VirtualProtect to overwrite it
    www.contextis.com/en/blog/amsi-bypass

  • @pseudouser9360
    @pseudouser9360 3 года назад +1

    This is mindblowing ^^

  • @raulcattelan4506
    @raulcattelan4506 3 года назад

    Thanks for the video

  • @Lov2dance87
    @Lov2dance87 3 года назад +19

    So I'm new to your channel and can I just say, I'm getting some serious Ed Sheeran vibes right now! Can't wait to dive into some videos : )

    • @kitrodriguez992
      @kitrodriguez992 3 года назад +4

      I got more of a JScript nerd Charles Cornell vibe. LMFAO

  • @Handskemager
    @Handskemager 3 года назад +1

    The more of your videos I see, the more amazed and scared I am at the true power of Powershell..
    Thank god I’m using UNIX systems

  • @hellofriend3091
    @hellofriend3091 3 года назад

    Thank you for this session. Just one humble request please discuss about new sudo flaw and wap3 vulnerability...

  • @ripcityraider9469
    @ripcityraider9469 3 года назад

    You are awesome!!!

  • @nothingnothing1799
    @nothingnothing1799 3 года назад +4

    Accidentally clicked on this before anyone else.

  • @HuhnK0t
    @HuhnK0t 3 года назад

    i'm somewhat new to the channel but i am still hoping to get to know.. uh.. ooknib? soon? what an awesome word

  • @axo137
    @axo137 3 года назад

    damn I watch your videos and I am not even into programming or cyber security.
    quality content, keep on delivering :D

  • @djneohlp
    @djneohlp 3 года назад +5

    so that payload doesn't look like a pe executable but an actual x86 binary memory dump... which they load back into ram to execute

  • @kennymd
    @kennymd 3 года назад +1

    Hey John, what's you opinion on bash alternatives like fish etc.? Love the videos btw keep up the good work

  • @orgozlan323
    @orgozlan323 3 года назад

    Amazing thank you !

  • @agroforestryconsultancyroz3157
    @agroforestryconsultancyroz3157 2 года назад

    Nice to see how cyberserutity works, it looks like solving a puzzle or Mario game.

  • @nikolas8741
    @nikolas8741 3 года назад

    Amazing!

  • @ilyasabi8920
    @ilyasabi8920 3 года назад +1

    These IP addresses look like general stockpile of proxies back in the day we used to do sketchy shit when we were trying to bypass WAP/GPRS firewall shenanigans.

  • @mxschmitt_
    @mxschmitt_ 3 года назад

    Awesome video

  • @1wk407
    @1wk407 3 года назад

    tbh nice job cleaning up the audio all things considered, i forgot about it for most of the video

  • @custume
    @custume 3 года назад

    good one

  • @user-kd1mp5qw5e
    @user-kd1mp5qw5e 3 года назад

    this is insane haha never seen someone breakdown script at all it's got me mad intrigued. would each little intricate step of hiding and encrypting bits be done separately or is there some sort of preset that would be applied to a whole sequence? Im actually shocked at how much im enjoying watching it being worked out although i have no clue whats happening visually apart from getting neater hahais there many good forums for novices? im keen on racking my brain on this stuff

  • @vadimtoptunov9152
    @vadimtoptunov9152 3 года назад +1

    It's so funny to see my native language here! It's funnier when someone have to translate it. :))

  • @charlieisacatwithseizures
    @charlieisacatwithseizures 2 года назад

    I dont know why but this gives me the creeps so bad like its so creepy to uncover their motive, what they are trying to do and get.

  • @anonymousguy121277
    @anonymousguy121277 3 года назад

    Thanks johnh. Your videos rock.
    Love, a data analyst maybe getting into cyber security?

  • @viv_2489
    @viv_2489 3 года назад

    Liked the video

  • @sydneypemberton5138
    @sydneypemberton5138 3 года назад

    John! Get an IDE. It reformats your code AND it can rename variables very quickly and precisely.

    • @nothingnothing1799
      @nothingnothing1799 3 года назад

      Been thinking this for a while plus he could customize it easily

  • @Chrattac
    @Chrattac 3 года назад

    Been watching your content for a while after finding. Just one question about your code cleaning: why don't you just run prettier to automate the process instead of going through these blobs of mumbo-jumbo by hand? Is there any reason?
    Oh yea, you mentioned the reason while speaking about beautifier... mb.

  • @7thAttempt
    @7thAttempt 3 года назад

    This thing was wild 😂

  • @catalingavan9198
    @catalingavan9198 2 года назад

    it's almost like refactoring a legacy application :)

  • @fantasmosnugget
    @fantasmosnugget Год назад

    I could watch this shit for fucking hours, dude

  • @Alterpalm
    @Alterpalm 3 года назад +8

    1:04:11 Оо, русские буквы, какая неожиданность!))
    Look out, John!!
    Russian school kids will snatch all your CS:GO skins =)

    • @imadbouaziz8441
      @imadbouaziz8441 3 года назад

      Hello , where can i found this malware file ? thanks

  • @conqu3red545
    @conqu3red545 3 года назад

    I few years ago my computer was nearly infected from me opening an hta file. Anti virus stepped in though. Unfortunately I didn't keep a copy of the file after that, it would have been fun to analyse

  • @TheWorthyWubba
    @TheWorthyWubba 3 года назад

    You can also use the Chrome Dev Tools to beautify js too.

  • @josephze8543
    @josephze8543 3 года назад +2

    Where can I find these malwares that he is analyzing?

  • @nandobordas
    @nandobordas 3 года назад +1

    I've recently gotten into watching your videos; as someone with a mild background in coding, they're extremely informative and fun to watch, but I have to admit that sometimes I kinda feel you miss the really, REALLY obvious stuff... Like at 31:57 -- it's not giving you the output you want because you're not treating $VerbosePreference as an object, you're casting and trying to immediately use as an array without wrapping in parentheses. That's why it works a few moments later, because you copy the entire thing from the file (including the parentheses).

  • @whtiequillBj
    @whtiequillBj 2 года назад

    You say that IEX means that the code isn't written to disk. Does that mean that it is written into RAM directly?

  • @karnafelfamily7590
    @karnafelfamily7590 2 года назад

    John, based on the amount of malware/ransomware and etc. you have done. What is the common port is used for C2 communication?

    • @Optable
      @Optable Год назад

      The port is either collected or designated exactly

  • @julesl6910
    @julesl6910 3 года назад

    Audio is fine, this isn't going on a vinyl audiophile 180 gram

  • @0x8badf00d
    @0x8badf00d 3 года назад

    11:25
    try {
    throw Error(arbitrary_char);
    } catch (exception_object) {
    arbitrary_var = exception_object["message"]; // The junk always evaluates to "message"
    }
    // arbitrary_var = arbitrary_char;

  • @shaolinsword6698
    @shaolinsword6698 3 года назад

    Question why not fping all the ip addresses? I still learning

  • @whtiequillBj
    @whtiequillBj 3 года назад +1

    I see you use Sublime Text, why don't you use: https: // packagecontrol . io / packages / HTML-CSS-JS%20Prettify.
    I'm just wondering why go though the extra step of finding a web application to do it and not use a built in plug-in.
    Ampersand is evaluate silently

  • @ryankroetch6240
    @ryankroetch6240 3 года назад

    Per your request: "f" 👍🏻

  • @tehvvisard
    @tehvvisard 3 года назад

    LiveInternet.. crochet.. feels like a 3 am search hole

  • @5DimesPlayer
    @5DimesPlayer Год назад

    All of John's videos are very fascinating, but I have no clue on what he's doing lol

    • @_JohnHammond
      @_JohnHammond  Год назад

      same lol

    • @5DimesPlayer
      @5DimesPlayer Год назад

      @@_JohnHammond I doubt that! You can take a string of text containing HDHSHDLSDJFN284+$+3!2!"?3(3(&?"!2!_+3+_; and decode it to: Hello, I am John and I am very proficient at what I do.

  • @PR1NC3
    @PR1NC3 3 года назад

    I didn't know that RUclips algorithm cheks your wallpaper
    Btw just algorithm things

  • @ianowens1905
    @ianowens1905 3 года назад +1

    You should look into some old malware on machines like the Commodore 64, I think that could be really cool

  • @alexandermikael3615
    @alexandermikael3615 3 года назад

    13:49 look at this parent child this object.. :p

  • @joacoordonez1973
    @joacoordonez1973 3 года назад

    where can i send malwere to be analysed???

  • @drdisexon3952
    @drdisexon3952 3 года назад

    Where can I get such awesome samples of malware. Don't tell me malwarebazar

  • @btno222
    @btno222 3 года назад

    LINUS TECH TIPS

  • @LiquidBlaze9000
    @LiquidBlaze9000 3 года назад

    Hey John! I have a sus url from a text message. You think you can disect the contents of it? :) (I don't know where else to contact you about this..)

  • @djcb4190
    @djcb4190 Год назад

    "RENDER IMMEDIATELY!"

  • @reccer78
    @reccer78 3 года назад

    What would be cool if you get one of their IPs and try to root it.

  • @rodrilea1
    @rodrilea1 Год назад

    F
    Thanks John

  • @_AN203
    @_AN203 3 года назад +1

    hey john I hope you participate in the HTB event Cyber Apocalypse 2021 if you do plz write ups and the live if you did

  • @shaolinsword6698
    @shaolinsword6698 3 года назад

    SOC shift over time for malware analysis

  • @kraemrz
    @kraemrz 3 года назад

    "F"
    Don't want this malware 😨

  • @custume
    @custume 3 года назад

    I have use HTA in the past to automate stuff and feel like is dangerous because can bypass a lot of stuff in windows, good to start apps inside RDP and app server but because it can do a lot more I stop using it

    • @custume
      @custume 3 года назад

      I remember to use VB inside HTA too, because of that it can make code from scratch, and can also use other codes/lang

  • @jleg1104
    @jleg1104 Год назад

    Why am I watching this

  • @SankalpSaxena99
    @SankalpSaxena99 3 года назад

    Algorithm Stuff !!!

  • @Heavenig
    @Heavenig 3 года назад

    So this is how to build malware for Real?
    Am New to hacking, please where can I'll from?

  • @imadbouaziz8441
    @imadbouaziz8441 3 года назад

    good job , you can share the files with us ?

  • @Sawta
    @Sawta 3 года назад

    23:29 "...-1 + 1..." Oh man, I _think_ I know what they were going for, there! hackerman.activated 🐱‍💻👨‍💻

  • @DimkaTsv
    @DimkaTsv 2 года назад

    Yeah... Slot machines sites like that were very annoying ad's at some point, when they became kinda on other side of law in Russia.
    We don't see now many of sites and ads like these now. But there was plenty before.
    But this script was a bit too powerful and malicious for just being a virus to get these sites views, imo.