Cryptocoin Miner - Unpeeling Lemon Duck Malware

90,199 views

John Hammond

1 day ago

If you would like to support the channel and me, check out Kite! Kite is a coding assistant that helps you code faster on any IDE, offering smart completions and documentation. (disclaimer: affiliate link)
For more content, subscribe on Twitch!
If you would like to support me, please like, comment & subscribe, and check me out on Patreon:
Twitter: _johnhammond

Comments: 189
B Bowling 2 years ago
I'm sure you already know this, but 128 bytes is the length of a digital signature for a 1024 bit modulus. Converting those 128 bytes (+1 for padding) using base64 encoding gives you 172 characters. Also 0x010001 is a commonly used exponent for RSA parameter sets.
Konym 2 years ago
Don't mind me, just sharing the absolute love for these malware analysis videos.
AngryAxew 2 years ago
Hacker mission: find as many ways as possible to sneakily hide IEX
claudio leggiero 11 months ago
True Lol
Jacob 2 months ago
Gotta catch em all
Boris Vukcevic 2 years ago
That was very interesting. I really enjoyed watching you take this whole thing apart. It never ceases to amaze just how far malware creators go to conceal and drop their payloads into people's machines.
Mossy 2 years ago
These videos are incredible. Loved seeing another one being premiered today! Keep up the good work Hohn Jammond
Mossy 2 years ago
@LSH 😂 I know, I was joking lol
AGPMandavel 2 months ago
@LSH Jesus learn what a joke is
Rob 2 years ago
Man I am obsessed with these videos
Dm 2 years ago
The CS equivalent of a cold crime investigator, if it's old malware you can be an archaeologist lol AND ALL FROM HOME.
Solomon 2 years ago
Jules L 2 years ago
Yep. The seed is sown, other pros will follow suit in time. John has started new forms of ASMR - malware unpeeling and relaxing haxing
iiDrisTN 1 year ago
Bruh same, I can't pass a day without watching a video like this
donovan elliott 1 year ago
Michael L 2 years ago
If you want to replace single letter variables, you can use the word-boundaries from regex: \< (start of a word) and \> (end of a word). So you should be able to replace $d\> with $data
Scarter63 1 year ago
Between these unpeeling videos, and your deep dive into the dark web, this is more fun than watching Mr. Robot.
Mohaiminul Islam 5 months ago
Getting IEX out of COMSPEC was the aha moment for me :D Thanks John for feeding us regularly with nerd bites
Jack Rendor 2 years ago
Thank you a lot John Hammond. I always learn something new in your videos and I really appreciate your content! Hope to see more of this PowerShell obfuscation!
Mathijs van Leeuwen 2 years ago
I've been absolutely devouring your videos over the past weeks. Keep them coming!
foxdk 2 years ago
I'm so excited for this. After watching your first Malware analysis I was HOOKED! I've watched all 4-5 videos multiple times. It's gotten to the point where I can recite your words exactly. It's so exciting watching you go through the code, peeling back layers, and going off on a tangent trying to look something up. Seriously John, I'm addicted at this point. I kinda wish I would've stumbled upon your channels 5 years from now, because then there would've been a catalogue to fill my desires. Oh well, at least I can add this video to my repeat cycles, and watch it 10 times over, just like the other ones.
Dyslexic 2 years ago
Then recite them
nullptr 2 years ago
Recite it then
KeBaBeeN 2 years ago
Sounds a bit sketch ngl
tear728 2 years ago
@KeBaBeeN lol right
Zigon 10 months ago
That's quite the fervor for some videos about malware analysis. It's really got your attention, eh?
Alexander Astardjiev 2 years ago
Hi John, I really enjoy your videos. You are awesome! I am really hoping you are using some kind of proxy when checking if the malicious domain is still up. You can hide your IP in the video, but you cannot hide it from the server owner's logs...
Eyyub Aydin 2 years ago
Damn this is a good video. I like to see more malware analysis tutorials (walkthroughs)
B Targ 2 years ago
This program is really clever and super interesting, this series is great!
TechJunkie 1 month ago
Watching your videos is making me want to learn Python, not to mention get more experienced in Linux.
Ivan Boiko 2 years ago
Hello John! I actually learned something new for myself, so thank you :) This video has helped me a lot!
Daniel W/Hawariat 2 years ago
Came across this video while researching Lemon Duck, a great breakdown and walkthrough. Can you recommend any solutions on how to remove the malware from an infected machine?
Freak 1 year ago
So interesting!! Would be interesting if you talk about who could do such malware. Do you think a single person could have developed it? Or is it more likely a team? How long would it take for a single person to develop such complex malware?
Matt's adventures with art 1 year ago
A single guy wrote the whole of TempleOS, including writing his own version of a "C" type language to code it in, and a load of apps for it. It's very believable to suggest that a single person could write this malware entirely on their own. I don't know if true or if a team did this, just that it's believable that someone could have done so.
Janus Kobain 2 years ago
Hi, John! I heard they ported PowerShell to MacOS and GNU/Linux too. I can't say why exactly they think it'd be important to have it somewhere else than on MS Windows, still they did it. Probably to allow OS-independent malware, lol. Thanks for the videos, liked them a lot.
Steve Banning 1 year ago
FBI's gotta get their data from you somehow, no matter what OS you're on
persona2grata 2 months ago
This is a fantastic video. Well done, sir.
Critical Posts 2 years ago
I have been waiting for more malware analysis in my life..
Vanessa Bakery recommended Hackermendax On telegram 2 years ago
Thank you hackermendax On telegram for saving me, I'm really grateful and will continue to tell my family and friends about you
Critical Posts 2 years ago
@Vanessa Bakery recommended Hackermendax On telegram I can only assume this random message about "thank you [username] on telegram you saved me" is spam.
Vanessa Bakery recommended Hackermendax On telegram 2 years ago
@Critical Posts nah bro try and see
Critical Posts 2 years ago
@Vanessa Bakery recommended Hackermendax On telegram why tho. why. this is the most suspicious random message of all time. give me a good reason.
Critical Posts 2 years ago
@Vanessa Bakery recommended Hackermendax On telegram I mean ffs you have a bitcoin as an avatar. If, like you, I enjoyed gambling money on useless things I would bet that this is either a straight up bitcoin scam or a dodgy, possibly illegal pump 'n' dump operation
Eric M 1 year ago
These videos are awesome, keep up the great work!!!
Chris Conyers 2 years ago
This is the video I never knew I was waiting patiently for...until now
Ange1walk 2 years ago
Man.. idk how I got to view this channel, but now it's on my top-tier list of channels to watch, quite addicting :D
Janus Kobain 2 years ago
I concur.
kingpopaul 2 years ago
Talos always have great and comprehensive reports.
Melas Onos 2 months ago
This is your best video imo, so funny, and informative.
Norman Reed 2 years ago
test1 could come from an earlier IEX? I'm learning a lot from your unpeelings, keep up the good work!
Vis 1 year ago
In reference to replacing the back ticks... Can't you just replace them with an empty box? That would remove them.
LordOfHack 1 year ago
Wouldn't surprise me if the attacker is keeping an eye on connections to the URL; after so many hits, or if certain probing commands come in, it probably turns off to hide itself
charmquark0 2 years ago
Awesome video. A quick question. Where do I get a copy, as I would like to go through the process myself?
Louis Serieusement 1 year ago
I love all the malware analysis videos so much! Thanks!
Crisps 2 years ago
Love watching these on my way into work ☺️
Foobar 1 year ago
5:30 If you're going to do that rather than just deleting all backticks, maybe use `([^abnt"']) instead of `(.)
ApexFPS 2 years ago
Love how you break these down
David Crouse 2 years ago
I'm new to Cyber Sec and I'm doing it as a hobby. How do you get your hands on the payload without it executing so you can break it down?
Rumen Radkov 2 years ago
Just some advice. Start the malware at the end of the video to see what's going on :)
fnd id 2 years ago
I think maybe you need to try to curl the a.jsp and report.jsp with the user agent "lemon duck"
AM 1 year ago
What if you were to curl the jsp file with the lemon-duck header?
Adam Gibson 9 months ago
I watched every second of this and have literally no idea what is happening. Good stuff!
1805cry 2 years ago
I don't have a PC and pretty much no background in IT stuff but I really enjoy watching this
Jules L 2 years ago
If you make the effort to learn how to install Linux, you'll be hacking code in no time
Nordgaren 1 year ago
John "I could just replace this with nothing, but I'd rather do some fancy RegEx expression" Hammond. Rolls off the tongue!
Na'vi bongo 2 months ago
Loved the breakdown, thx for the tasty recipe John!
Keith Douglas 2 years ago
Isn't it possible the jsp page needs a parameter value set to do anything?
Kayr Herkert 2 years ago
Great deobfuscation walkthrough! IEX is still the way to go, so it seems
Michal D. 1 year ago
Please configure your Sublime so that it automatically wraps the text. It would be easier for the viewers
Joel 10 months ago
You shouldn't be getting a cached page if you already are including random data in the query. Maybe the date serves another purpose.
Sorrow Harvest 1 year ago
I'd say the idea of a crypto worm is nothing new to the whole idea. The thought of even attaching backdoors not mainly to alter information but to sap the hardware capabilities of a targeted system. Computers evolved over the conception of increased amounts of stress testing, that being said insights that the machine can handle more tasks automated by services and regulated thru the registers. The service of a crypto miner is to solve calculations of equations that maintain the blockchain's structure. Which is itself a symbolic link to a hash dump of data (bytes, ints, func, etc); The direction of a numeral scale of which character is switched with another cryptic character to a chain of undifferentiated value. Which holds meaning of the reason a coin holds limited capacity due to the different, individual, and separate values, for example if a blockchain was a configuration of hybals 0000 - 1111 it would only hold 16 coins. Then we divide the value by 2 which in turn increases capacity to 32 different values but only 1 coin will equal the concurrent value of 2 different values. The worm's purpose is to grow. Hermaphroditism, self-replicating, which in turn is in meaning of a manifestation of a virus, yet the worm needs data to consume so the data is the blockchain itself but to a signature of grasp, drop, split and divide like a middleman within the transaction of transferred bitstreams that identify the blockchain.
FlightLess 8 months ago
Sadly everyone is so much smarter at computers, BUT! I feel at home in analysis, because John Hammond is my go-to with my morning coffee.🌻
oko lol 2 years ago
20:20 I guess John never heard of "soft wrap" or "word wrap"😂
Nikolas 2 years ago
Sure he does, it's just suspense
Сергей Фёдоров 2 years ago
also, never heard of "can't resolve hostname"
Okuno Zankoku 2 years ago
I just keep it off when I'm coding; it's not helpful except for natural language text
Allan 2 years ago
Great Video! I love it!!! keep it up.
Slaydarkend 4 months ago
Games incorporate Lemon into code to then get hash rate from all users discreetly
Imanuel Baca 1 year ago
I actually had this on my computer, good to know what it was doing.
Charismatic Media 2 years ago
Love your videos sir.
Joe Bro 2 years ago
The whole reason this script looks at the graphics card (and hash rates) is because if those exist, it wants to use them. You can generate more hashes (earn more money) with a graphics card vs a CPU. Not sure if you pick up on this later, only 41 min in lol.
Elie David 2 years ago
always a blast !!
Kush Shah 2 years ago
If only these bad actors commented their code :)
Matej Grega 2 years ago
I understand like 5%, but I love it!
Osama Amarneh 2 years ago
I'm a simple man: I see a John Hammond video, I click like
max_ishere 9 months ago
Omg so cool! I want that sneaky skill. It's like making IEX out of someone's computer
mechanicalfluff 2 years ago
great video! more... MORE.
Lehan Gajanayake 2 years ago
16:59 I made that mistake; luckily for me it was only targeting phones
Guild 2 years ago
I love these
RageNugget 2 years ago
Epic Games Launcher looked like a valid at Port 43669, maybe they wanna do stuff with it
𝕾𝖆𝖑𝖑 2 years ago
02:55 - 04:40 >> I can bet this game was the 1st code you cracked, seeing how you move those bricks. Impressed
KIDkrow 2 years ago
What's the new setup looking like?
James Caramello 1 year ago
I want this malware sample, all the domains got taken down :( damn
d3dk3ny 2 years ago
You know it's super cheesy to have that cmatrix background for your website when it contains no useful data
VampireOS 1 year ago
Bro please share that code so we can also follow along with you
ODOL MED 3 2 years ago
55:48 THE RETURN OF MEMECATZ ༼ つ ◕_◕ ༽つ
Sam Sevennine 2 years ago
Always enjoy your vids
Steven Cow-Meat 2 months ago
This thing's got more layers than an onion😂
Naughty Henry 2 years ago
I swear I have some kind of coin miner malware on my PC.. even after formatting a bunch of times and running all kinds of scans, there's something, I don't know where but it's there, and it's so well hidden.. maybe I'm just being paranoid? Nah.. I'm only getting 140 FPS in League of Legends, used to get 240, it just doesn't make sense.. sneaky fuckers man
Dark Fusion 1 year ago
Can u give me a step by step guide about reverse engineering? Like I want to get into malware analysis and cracking software, so where should I start, from beginner to advanced?
Stone Acesso 2 years ago
It would be good if you shared the sample with us.. for study.
Highfish 1 year ago
KZfaq doesn't allow sharing malware
CybrJames 2 years ago
John, my friend. 7:30am, I'm still dreaming that I am Chris Hemsworth. So early lol.
Patrick Artner 1 year ago
1st rule of business - add ; into everything to thwart easy line detection :D
Meatwad 1 year ago
When will John Hammond quit reverse engineering malware and do reverse engineering of dinosaur DNA?
AVX512 is a waste of Silicon 26 days ago
I don't know about y'all but when someone brings Ooknib 6mook to the hootenanny in my town, everybody's goin' hogwild
Washington Fernandes 2 years ago
Wonder where you get this "bad stuff". I want to practice too :(
tear728 2 years ago
I don't really see the point of the obfuscation lol, there's always some simple way to deobfuscate since they will have to eval or iex... you just end up pinpointing where that is and voila.
Stjepan Bodlović 2 years ago
How much preparation do you make on a video before recording? I mean, what do you do with the sample you downloaded before recording?
Shelled 2 years ago
What's the point of the malware code being hidden? Why does it matter if the code is going to execute anyway?
123gostly 2 years ago
Hiding from AV and other detection systems.
Paradoxical Egg 1 year ago
When I saw the thumbnail I thought it said "demon luck" lol
jhax 2 years ago
instead of "$d" which probably wouldn't work, you could probably try "^*$d=*"
Critical Posts 2 years ago
Judging by the amount of spam in this comment section I'd hazard a guess and say that you've been hit by, you've been struck by, an automated system that goes only off title keywords
fleaf 2 years ago
11:14 he checked the date on his wristwatch even though he has it in the top right corner on screen
Bhagya Lakshmi 19 days ago
Docker files and java file refreshing
Kameron Chan 2 years ago
Stupid question, but why doesn't the (.) create a copy of the character in front of the `? Like ob`ject to objject?
mymoo min 2 years ago
The (.) counts as part of the match. So the find-and-replace sees `j, goes "that matches my pattern `(thing)", then replaces it with (thing), i.e. j
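A small deobfuscation helper written for this page (not code from the video) that puts the three regex tips above into practice: Foobar's point that a blanket `(.) -> $1 replacement destroys real escapes such as `t, mymoo min's explanation of why the captured group is what survives, and Michael L's word-boundary trick for renaming single-letter variables like $d without touching $dd. It goes slightly beyond the comments by tracking quote context: inside single quotes a backtick is a literal and is kept, inside double quotes only the documented escape letters are kept, and outside any string every backtick is noise. The sample script and the $d/$data names are constructed for the example.

```python
import re

# Constructed sample in the style of the backtick obfuscation discussed above.
# Backticks split tokens (IEX, New-Object), while `t inside the string is a real tab escape.
SAMPLE = 'I`E`X (Ne`w-Ob`ject Sys`tem.Str`ing("Hel`lo`tWorld")); $d = $dd + $d'

# Characters that keep their meaning after a backtick inside a double-quoted string.
# Assumption: lowercase escape letters only, as documented for PowerShell.
ESCAPES = set('0abefnrtuv"$`')


def strip_backticks(text):
    """Drop obfuscation backticks but keep real escapes inside double-quoted strings.

    Tracks whether we are inside '...' (backtick is literal, keep it) or "..."
    (keep only `n, `t, `" and friends). Doubled-quote escapes ("" / '') are
    not handled; that is fine for the token-splitting trick seen in the video.
    """
    out = []
    quote = None          # None, '"' or "'" for the string we are currently inside
    i = 0
    while i < len(text):
        c = text[i]
        if quote is None and c in '"\'':
            quote = c                      # entering a string
            out.append(c)
        elif quote == c:
            quote = None                   # leaving the string
            out.append(c)
        elif c == '`' and quote != "'" and i + 1 < len(text):
            nxt = text[i + 1]
            if quote == '"' and nxt in ESCAPES:
                out.append(c)              # real escape: keep the pair intact
            out.append(nxt)                # otherwise the backtick is just noise
            i += 1                         # the escaped char is consumed either way
        else:
            out.append(c)
        i += 1
    return ''.join(out)


def rename_var(text, short, long):
    """Rename $short to $long; the \\b word boundary stops $d matching inside $dd."""
    return re.sub(r'\$' + re.escape(short) + r'\b', '$' + long, text)


def deobfuscate(text):
    """Apply both passes: strip backticks first, then make variable names readable."""
    return rename_var(strip_backticks(text), 'd', 'data')


if __name__ == '__main__':
    print(deobfuscate(SAMPLE))
```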
Jelmer vd Bij 2 years ago
Nice vid!
E K 1 year ago
>deadbeef "i've beaten a dead horse"
chillydickie 1 year ago
super awesome
L3TS_PL4Y_NP 1 year ago
Dream to see John sir live🛑😔
sg games 2 months ago
Please don't play with prehistoric DNA :D
Bhagya Lakshmi 2 months ago
Duck is my SQL server files Bank
Maxwell 2 years ago
Apologies for the delays. Was talking to the crows just now. Go talk with them+
Dash 2 years ago
39:19 43669 is an Azure thing to collect data I think
Trojan 85 2 years ago
How is this virus spread? And congratulations for this video!
Jules L 2 years ago
the human factor
Sliver 2 years ago
I'm gonna take a 4 hour nap I guess
Bhagya Lakshmi 19 days ago
Limin duck bust what install docker. Talos ? Ceco ? Assembly code file's