Unraveling the IcedID Malware Stager & Phishing Email

  • Published: 11 Dec 2022
  • Learn even more malware analysis with 0ffset's Zero2Auto training! j-h.io/z2a And pre-register for their updated Beginner course! j-h.io/z2a-beginner
    Help the channel grow with a Like, Comment, & Subscribe!
    ❤️ Support ➡ j-h.io/patreon ↔ j-h.io/paypal ↔ j-h.io/buymeacoffee
    Check out the affiliates below for more free or discounted learning!
    🖥️ Zero-Point Security ➡ Certified Red Team Operator j-h.io/crto
    💻Zero-Point Security ➡ C2 Development with C# j-h.io/c2dev
    🐜Zero2Automated ➡ Ultimate Malware Reverse Engineering j-h.io/zero2auto
    ⛳Point3 ESCALATE ➡ Top-Notch Capture the Flag Training j-h.io/escalate
    👨🏻‍💻7aSecurity ➡ Hacking Courses & Pentesting j-h.io/7asecurity
    📗Humble Bundle ➡ j-h.io/humblebundle
    🐶Snyk ➡ j-h.io/snyk
    🤹‍♀️SkillShare ➡ j-h.io/skillshare
    🌎Follow me! ➡ j-h.io/discord ↔ j-h.io/twitter ↔ j-h.io/linkedin ↔ j-h.io/instagram ↔ j-h.io/tiktok
    📧Contact me! (I may be very slow to respond or completely unable to)
    🤝Sponsorship Inquiries ➡ j-h.io/sponsorship
    🚩 CTF Hosting Requests ➡ j-h.io/ctf
    🎤 Speaking Requests ➡ j-h.io/speaking
    💥 Malware Submission ➡ j-h.io/malware
    ❓ Everything Else ➡ j-h.io/etc

Comments • 105

  • @luketurner314 1 year ago +105

    In my opinion, reading out the wacky variable names adds an extra layer of entertainment on top of the already great content

    • @CM-xr9oq 1 year ago +7

      it was hilarious. John knew he was sounding crazy. "What kind of video IS THIS?!?"

    • @Lampe2020 1 year ago +3

      Was about to comment "It's next level entertainment to stubbornly keep reading out those variable names!"...

  • @laurenlewis4189 1 year ago +23

    Hey! It's time for my 15 minutes of fame! Thank you for these educational vids, and thanks for the emails acknowledging my email/letting me know you would make this video.
    I got about as far as John did 15 minutes into the video, and at the time my JavaScript knowledge was so tenuous I couldn't figure out what happened next. My apologies to you all for not getting far enough to download the DLL from the attackers' server. Since my coworker/boss/nemesis was a little more vigilant after a previous (less interesting) phishing attack (that had worked), they did not detonate this payload and we never saw the later stages.
    Given that the Zero2Auto course is only about $200, I'm absolutely gonna look into that. This series is some of my favorite cybersecurity education, along with the videos teaching DIY lab setups and playing around with pentesting them, and I'd pay at least that much to learn how to do my own in-depth malware analysis.
    P.S. Even if I had been a little more skilled, I probably still wouldn't have downloaded the DLL; it's my understanding that some of the variables set in the URL identify the target and would probably result in my coworker getting more attention from future campaigns

  • @peternavarroiii3944 1 year ago +9

    Love the way you unpacked the entire thing. Mind blowing lol. The amount of experience and skill it takes to get to this level.

  • @martin3009 1 year ago +12

    Would love more malware analysis / deobfuscation videos! They are really interesting and I'm absolutely hooked, even though I don't always completely understand how they're constructed.
    Hope you'll post more, even if we've seen the malware before

  • @nikopisker8902 1 year ago +72

    One day I'm gonna be on this level of CS

    • @c1ph3rpunk 1 year ago +12

      You won’t if you think this is CS.

    • @123sleepygamer 1 year ago

      @@c1ph3rpunk What is CS even a shortening for in this context? I'm very involved in the IT world and I've never heard of that.

    • @Charybdis47 1 year ago

      @@123sleepygamer I think he means cyber-security

    • @JoakimBB 1 year ago +4

      It's either Computer science or Cyber security

    • @nikopisker8902 1 year ago

      @@c1ph3rpunk why not?

  • @sharkking9679 1 year ago +13

    Thanks so much for these kinds of walkthroughs. It made me wanna get more into this.

  • @PenAce 1 year ago +9

    I absolutely adore the methodical dissection of code and your method of stepping through it with the jokes. Legend!

  • @pouyatoutounchy1238 1 year ago +3

    I enjoy this type of video, more of these, please!
    I receive millions of this type of malware in my email and I do go through them but the way you do it is fun and I like it a lot!

  • @dezwilliamz 1 year ago +2

    Great work! You always come out with some really informative and educational videos! Love it!

  • @willievandermerwe907 1 year ago +1

    Awesome content and well presented, well worth a watch

  • @DarkFaken 1 year ago

    This was so enjoyable to watch, thanks for sharing 😁

  • @gdr1174 1 year ago +5

    Very informative thanks 👍

  • @kyputer 1 year ago +2

    This video rocks. Thanks, John! :D

  • @scottch4444 1 year ago +2

    Love these kind of vids. Have you ever done similar videos with the samples from the malware traffic analysis site?

  • @TxRedneck 1 year ago

    I did enjoy this one, thanks man!

  • @Stroopwafe1 1 year ago +4

    Never thought that the technique I used as a kid to up my word count in word by changing the font colour would be used by malware, since it seems so obvious now as an adult

  • @franzxawer4501 1 year ago +5

    I love it 👍
    greetz from Germany

  • @moustafakashen3610 10 months ago

    Love the content John!

  • @dr.pentest5691 1 year ago

    Thank you very much for your valuable information

  • @CM-xr9oq 1 year ago +2

    Those variable and function names will drive anyone crazy. I was really hoping it would somehow end up with Opposite("Always coming from take me down")

  • @NoportOfbot 1 year ago

    thanks John, and again I learned something new :)

  • @LinuxJedi 1 year ago +8

    I love it when you do malware analysis

  • @sRCx0sweetRusHC0d3r 1 year ago

    Great Stuff John

  • @xantochroi 1 year ago

    thanks for the well made videos.

  • @guilherme5094 1 year ago

    Thanks John👍

  • @Jeeeee-in6hi 1 year ago +2

    I love your videos! I also couldn’t stop laughing with the function names doorpowlove lovekarolpumps😂😂

  • @mollthecoder 1 year ago +4

    As a JS dev, it hurt my soul when you got the window error

  • @Mohitkumar-ug8jq 1 year ago

    My favourite video of phishing

  • @paritoshbhatt 1 year ago

    Insightful

  • @JanRautiainen 1 year ago +1

    I am just waiting to receive my first phishing attempt so I could also try to dissect my first malware for analysis

  • @simplyydev 1 year ago +3

    Okayy finna watch this before the majority hehe

  • @England91 1 year ago +2

    It's good that Windows Defender caught and flagged this

  • @AnalogMonkey-dr1yw 1 year ago

    Hey John... maybe I'm late to the party and thinking something that goes without saying for others. I'm also not yet totally code-smart and running off of a kind of general analysis, but is it possible to re-examine this from the following angle:
    Is the while loop decrypting the long string in dowGirlDow, pointing back to the index within the doorPowNext string? Obfuscation via cipher, then use of the while loop to decipher a payload?
    Or am I off base? Or stating something obvious?

  • @HentaiNat 1 year ago

    Why do they register domain names instead of using the static public ip of the server they hosted? Is using that "bad"? Or use some unmoderated pastebin alternative if such exists.
    Would it be possible for a script to download some kind of "onion site curl" and get the payload using onion sites instead, given that onion sites are harder to shutdown?

  • @pqudah 1 year ago

    Nice stuff, an absolutely entertaining series
    Is there a way to submit some malware I got for analysis?

  • @alexlefevre3555 1 year ago +4

    If only everyone knew shenanigans when they saw it... such as such a polite ask to enable all the doom from the file. It looks innocent enough if you simply didn't know any better.

  • @Zonumgolf 1 year ago

    Hello. I'm completely new to the space of cybersecurity, like no background in IT at all. What would you recommend for a beginner like me?

  • @HuhnK0t 1 year ago

    good day, enjoyed as always. is ooknibs still a thing?

  • @narayananr8650 1 year ago

    @John Hammond can you share a sample of the maldoc if possible ?

  • @bradley6727 1 year ago

    The tag is backwards and an hta file. Nice

  • @mandooooooo781 1 year ago +2

    hi john

  • @gpdally-tupa 1 year ago +1

    LoadsLikeVidieo 👍

  • @Bobbias 1 year ago

    God I wish the obfuscated code I've come across was this easy to dissect.

  • @psychoSherlock 1 year ago

    Him at 25:22 😂🤣😹 LOL

  • @guruhariroxz 1 year ago +1

    Oh John, you read js source code better than a JS developer xD

  • @hassanaliraza78 1 year ago

    can you please share a copy of this file. I need to experiment on it

  • @scottch4444 1 year ago

    But where did you get that shirt?

  • @yakingvet6328 1 year ago +1

    🤘🏻🤘🏻

  • @blinking_dodo 1 year ago

    Nice stuff.
    Looks like stuff i could do too though...
    How much does this kind of work pay? 🙃

  • @vrushabhpatil2867 1 year ago +2

    why did you give such a reaction at the 25:22 mark

    • @brianb5723 1 year ago

      Because his huge monitors flickered, a VM issue. Not related to the reversing

  • @frofro7355 1 year ago

    Couldn't you just replace that eval with console.log?
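Swapping eval for a logger is a standard analyst move, and the block below shows it as an added example that is not code from the video or from the sample: the global eval is replaced by a recorder so whatever the stager decodes is captured instead of executed. The stager function, the identifiers doorPowNext and dowGirlDow (borrowed from the comments above) and the placeholder string are all constructed for this demo.

```javascript
// Added example (not the video's or the sample's code): hook eval() so a JS
// stager's decoded stage is recorded instead of executed. The stager below is
// constructed for this demo; its identifiers are borrowed from the comments.
const capturedStages = [];
const realEval = globalThis.eval;

// A plain function is never a "direct eval", so code handed to it is just a
// string argument we can log. eval(x) written in the sample resolves the name
// through the global object and lands here once the property is replaced.
globalThis.eval = function recordingEval(code) {
  capturedStages.push(String(code));
  return undefined; // the decoded stage is never run
};

// Constructed stand-in for the stager: the next-stage text is stored backwards
// and rebuilt with a while loop, then passed to eval. Placeholder text only.
function constructedStager() {
  const doorPowNext = ";)'REDLOHECALP_2EGATS'(nur";
  let dowGirlDow = "";
  let i = doorPowNext.length - 1;
  while (i >= 0) {
    dowGirlDow += doorPowNext[i];
    i -= 1;
  }
  eval(dowGirlDow);
}

// Run a sample under the hook and return what it tried to execute.
function captureStages(stager) {
  capturedStages.length = 0;
  stager();
  return capturedStages.slice();
}

// Restore the engine's eval once analysis is finished.
function unhookEval() {
  globalThis.eval = realEval;
}

// Caveat: new Function(), setTimeout("string") and WScript-style hosts need
// their own hooks; this covers only calls made through the eval identifier.
console.log(captureStages(constructedStager));
```

The printed array holds the reconstructed next-stage text, which can then be read or fed to the next round of hooks without ever running it.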

  • @violetwtf 1 year ago

    feel like these are acronyms, doorLikeLike = DLL?

  • @Sch8ill 1 year ago +1

    [DISCLAIMER]: Video is too good...

  • @marksvirsky9103 1 year ago +3

    It says Windows user in Russian so… Russian virus? 10:50

    • @slonkazoid 1 year ago

      Doc language is also set to Russian

  • @killnme6212 7 months ago

    May I ask why you chose windows 10? I was assuming you’d use a Linux. I also assumed that most malware would be created on Linux. I’m a noob

    • @killnme6212 7 months ago

      Never mind I get it. Duh?!? Lol but I still thought you’d use a super coded Linux something. Still real cool thanks!

  • @m.m.m.c.a.k.e 1 year ago

    Arch nemesis 😅

  • @tomysshadow 1 year ago +3

    I don't understand why malware writers go to this effort to obfuscate their code. Do they think it'll bypass Windows Defender? It clearly doesn't, we saw it get caught right away. I feel like this is barely more effective at evading antivirus than if they didn't attempt at all. Am I wrong?
    It seems like "stages" are such a common theme in these videos, but what would prevent the DLL at the end of the video from being detected before it is run? What difference does it make how many steps they take before downloading and executing it if the buck stops there? Don't the stages just present more opportunities for detections of the various files created along the way? Wouldn't the obfuscation set off red flags for heuristic searches because of how obviously different from ordinary software they are with all the nonsense and gibberish?

    • @ThaKinGuiN 1 year ago +3

      The specific code (stages or DLLs) has to be recognized by AV first before it can be blocked. Hash-detection for e.g. the password-protected Word document you receive or the stages you download is broken by simply changing 1 character in the script and recompiling it, which just takes seconds for the bad guys. If they're targeting specific high-value targets they can even make "different" payloads for each individual.
      What the malware writers hope for is unrecognized code or PCs that do not have the latest patches for Windows or the latest signatures for AV. As soon as your AV is updated for this malware, it can and will block it.
      AV does not just block everything with e.g. eval and a download function in it as those are legitimate functions for your PC. And that's also why you see the URLs where they download the next stages constantly change: AVs can only block URLs that they know are compromised, so there's always a small timeframe when these URLs are not blocked by AV or firewalls.

    • @damuffinman6895 1 year ago

      A simple Google search would answer every single one of your questions.

  • @heathbarnhart1092 1 year ago +5

    Pre-watch prediction: houdini.
    The obfuscation method was interesting. Certainly confusing to read, but I imagine it would make it easier to detect based on signature.
    Prediction: :(

  • @-stoner 9 months ago +1

    I love it when someone tries to understand my malware
    I DO NOT KNOW HOW TO CODE THIS IS NOT MY MALWARE ALL JOKES

  • @HTWwpzIuqaObMt 1 year ago +1

    Just close your eyes and listen to "doorPowDow"

  • @deancrypto5939 1 year ago

    RIP VK

  • @Asiegrist92 1 year ago

    The first comment about a bot farm pushing what looks like an investment scam is very entertaining.

  • @ImTheRealEroooopsPlayzYT 1 year ago

    I have Parrot OS Security Edition, I can hack using ready scripts

  • @darkcasterx4628 1 year ago +1

    bro these function and variable names got me confused as a mf

  • @surkewrasoul4711 1 year ago

    😂☠️🎃👎🏆🎖️🏅🥉🥈🥇🥇😂😂😂😂👎👎🥴🥴🥴🥴🥴🥴🥴🥴🥴🥴👏👏👏👏👏👏👏👏

  • @petrovasyka8 1 year ago

    Yo dude, the malware creator is a Russian-speaking person

  • @lil-link 1 year ago

    why are you pronouncing copeland as "copelagen"? 😅😅

  • @edisdead2008 1 year ago

    enough with the ads. this makes for cringe content and i don't want to watch anymore.

  • @weniweedeewiki.6237 1 year ago +1

    yes my g