Cryptocoin Miner - Unpeeling Lemon Duck Malware

  Рет қаралды 94,717

John Hammond

John Hammond

Күн бұрын

If you would like to support the channel and I, check out Kite! Kite is a coding assistant that helps you code faster, on any IDE offer smart completions and documentation. www.kite.com/get-kite/?... (disclaimer, affiliate link)
For more content, subscribe on Twitch! / johnhammond010
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: / johnhammond010
PayPal: paypal.me/johnhammond010
E-mail: johnhammond010@gmail.com
Discord: johnhammond.org/discord
Twitter: / _johnhammond
GitHub: github.com/JohnHammond

Пікірлер: 190
@YesitdidBlazin2gunz
@YesitdidBlazin2gunz 3 жыл бұрын
Man I am obsessed with these videos
@DMWatchesYoutube
@DMWatchesYoutube 3 жыл бұрын
The CS equivalent of a cold crime investigator, if it's old malware you can be an archaeologist lol AND ALL FROM HOME.
@solemngravisyre
@solemngravisyre 3 жыл бұрын
Amen
@julesl6910
@julesl6910 2 жыл бұрын
Yep. The seed is sown, other pros will follow suit in time. John has started new forms of ASMR - malware unpeeling and relaxing haxing
@droopylikesyourface
@droopylikesyourface 2 жыл бұрын
Bruh same , i cant pass a day without watching a video like this
@donovanelliott9060
@donovanelliott9060 2 жыл бұрын
Same
@AngryAxew
@AngryAxew 3 жыл бұрын
Hacker mission: find as many ways as possible to sneakily hide IEX
@Clane267
@Clane267 Жыл бұрын
True Lol
@bhagyalakshmi1053
@bhagyalakshmi1053 Жыл бұрын
Hack files 7zip files cery .
@Jacob-ABCXYZ
@Jacob-ABCXYZ Жыл бұрын
Gotta catch em all
@Konym
@Konym 3 жыл бұрын
Don't mind me, just sharing the absolute love for these malware analysis videos.
@LeetKrew090
@LeetKrew090 3 жыл бұрын
Man.. idk how got to view this channel, but now it's on my Top-Tier list channels to watch, quite addicting :D
@jkobain
@jkobain 2 жыл бұрын
I concur.
@borisvukcevic1454
@borisvukcevic1454 3 жыл бұрын
That was very interesting. I really enjoyed watching you take this whole thing apart. It never ceases to amaze just how far malware creators go to conceal and drop their payloads into people's machines.
@mossdem
@mossdem 3 жыл бұрын
These videos are incredible. Loved seeing another one being premiered today! Keep up the good work Hohn Jammond
@mossdem
@mossdem 3 жыл бұрын
@@lsh_ 😂 I know i was joking lol
@AGPMandavel
@AGPMandavel Жыл бұрын
@@lsh_ Jesus learn what a joke is
@foxdk
@foxdk 3 жыл бұрын
I'm so excited for this. After watching your first Malware analysis I was HOOKED! I've watched all 4-5 videos multiple times. It's gotten to the point where I can recite your words exactly. It's so exciting watching you go through the code, peeling back layers, and going off on a tangent trying to look something up. Seriously John, I'm addicted at this point. I kinda wish I would've stumbled upon your channels 5 years from now, because then there would've been a catalogue to fill my desires. Oh well, at least I can add this video to my repeat cycles, and watch it 10 times over, just like the other ones.
@DyslexicFucker
@DyslexicFucker 3 жыл бұрын
Then recite them
@oneeyew1lly
@oneeyew1lly 3 жыл бұрын
Recite it then
@kabalibabo
@kabalibabo 3 жыл бұрын
Sounds a bit sketch ngl
@tear728
@tear728 2 жыл бұрын
@@kabalibabo lol right
@XxZigonxX
@XxZigonxX Жыл бұрын
that's quite the fervor for some videos about malware analysis. Its really got your attention, eh?
@atmclick
@atmclick 3 жыл бұрын
This is the video I never knew I was waiting patiently for...until now
@criticalposts3143
@criticalposts3143 3 жыл бұрын
I have been waiting for more malware analysis in my life..
@vanessabakeryrecommendedha8292
@vanessabakeryrecommendedha8292 3 жыл бұрын
Thank you hackermendax On telegram for saving me, i’m really grateful and will continue to tell my family and friends about you
@criticalposts3143
@criticalposts3143 3 жыл бұрын
@@vanessabakeryrecommendedha8292 I can only assume this random message about "thank you [username] on telegram you saved me" is spam.
@vanessabakeryrecommendedha8292
@vanessabakeryrecommendedha8292 3 жыл бұрын
@@criticalposts3143 nah bro try and see
@criticalposts3143
@criticalposts3143 3 жыл бұрын
@@vanessabakeryrecommendedha8292 why tho. why. this is the most suspicious random message of all time. give me a good reason.
@criticalposts3143
@criticalposts3143 3 жыл бұрын
@@vanessabakeryrecommendedha8292 I mean ffs you have a bitcoin as an avatar. if, like you, I enjoyed gambling money on useless things I would bet that this is either a straight up bitcoin scam or a dodgy, possibly illegal pump n dump operation
@bbowling4979
@bbowling4979 3 жыл бұрын
I'm sure you already know this, but 128 bytes is the length of a digital signature for a 1024 bit modulus. Converting those 128 bytes (+1 for padding) using base64 encoding gives you 172 characters. Also 0x010001 is a commonly used exponent for RSA parameter sets.
@mutahartechtips9444
@mutahartechtips9444 9 ай бұрын
Thank you, where do you suggest I learn this field of content?
@TiltIndeed
@TiltIndeed 3 жыл бұрын
I've been absolutely devouring your videos over the past weeks. Keep them coming!
@okolol
@okolol 3 жыл бұрын
20:20 I guess john never heard of "soft wrap" or "word wrap"😂‎
@nikolas8741
@nikolas8741 3 жыл бұрын
Sure he does is just suspense
@user-pm2ru6ir6n
@user-pm2ru6ir6n 3 жыл бұрын
also, never heard of "can't resolve hostname"
@okuno54
@okuno54 3 жыл бұрын
I just keep it off when I'm coding; it's not helpful except for natural language text
@adamgibson7181
@adamgibson7181 Жыл бұрын
I watched every second of this and have literally no idea what is happening. good stuff!
@ivanboiko8975
@ivanboiko8975 3 жыл бұрын
Hello John! I actually learned something new for myself, so thank you :) This video has helped me a lot!
@miallo
@miallo 3 жыл бұрын
If you want to replace single letter variables, you can use the word-boundaries from regex: \< (start of a word) and \> (end of a word). So you should be able to replace $d\> with $data
@soundscrispy
@soundscrispy 3 жыл бұрын
Love watching these on my way into work ☺️
@melasonos6132
@melasonos6132 Жыл бұрын
this is your best video imo, so funny, and informative.
@jackrendor
@jackrendor 3 жыл бұрын
Thank you a lot John Hammond. I always learn something new in your videos and I really appreciate your content! Hope to see more of this powershell obfuscation!
@LouisSerieusement
@LouisSerieusement 2 жыл бұрын
I love all the malware analysis video so much ! thanks !
@d3dk3ny
@d3dk3ny 3 жыл бұрын
you know it's super cheezy to have that cmatrix background for your website when it contains no useful data
@navibongo9354
@navibongo9354 Жыл бұрын
Loved the breakdown, thx for the tasty recepty John!
@btarg1
@btarg1 3 жыл бұрын
This program is really clever and super interesting, this series is great!
@CybrJames
@CybrJames 3 жыл бұрын
John, my friend. 7:30am, I'm still dreaming that I am Chris Hemsworth. So early lol.
@persona2grata
@persona2grata Жыл бұрын
This is a fantastic video. Well done, sir.
@cry-wr4wt
@cry-wr4wt 2 жыл бұрын
I dont have a pc and pretty much no backround in IT stuff but i really enjoy watching this
@julesl6910
@julesl6910 2 жыл бұрын
If you make the effort to learn how to install Linux, you'll be hacking code in no time
@ApexFPS
@ApexFPS 3 жыл бұрын
Love how you break these down
@DanielWoldeHawariat
@DanielWoldeHawariat 2 жыл бұрын
came across this video while researching Lemon Duck, a Great breakdown and walkthrough. Can you recommend any solutions on how to remove the malware from an infected machine?
@flightless8402
@flightless8402 Жыл бұрын
Sadly everyone is so much smarer at computers, BUT! I feel at home in analysis, because John Hammond is my go to with my morning coffee.🌻
@ericm8502
@ericm8502 2 жыл бұрын
These videos are awesome, keep up the great work!!!
@Scarter63
@Scarter63 2 жыл бұрын
Between these unpeeling videos, and your deep dive into the dark web, this is more fun than watching Mr. Robot.
@samsevennine6742
@samsevennine6742 3 жыл бұрын
Always Enjoy Your Vids
@kingpopaul
@kingpopaul 3 жыл бұрын
Talos always have great and comprehensive reports.
@charmquark0
@charmquark0 3 жыл бұрын
Awesome video. A quick question. Where do I get a copy so as I would like to go though the process myself.
@eyyubaydin1370
@eyyubaydin1370 3 жыл бұрын
Damn this is a good video. I like to see more malware analysis tutorials (walkthroughs)
@MohaiminulIslamra
@MohaiminulIslamra Жыл бұрын
getting iex outta comspec was the aha moment for me :D thanks john for feeding us regularly with nerd bites
@nordgaren2358
@nordgaren2358 2 жыл бұрын
John "I could just replace this with nothing, but I'd rather do some fancy RegEx expression" Hammond. Rolls off the tongue!
@praetorprime
@praetorprime 3 жыл бұрын
test1 could come from an earlier IEX? I'm learning a lot from your unpeelings, keep up the good work!
@Ookami8raven
@Ookami8raven 3 жыл бұрын
Great Video! I love it!!! keep it up.
@alexanderastardjiev9728
@alexanderastardjiev9728 3 жыл бұрын
Hi John I really enjoy your videos. You are awesome! Am really hoping you are using somekind of the proxy when checking if the malicious domain is still up. You can hide your IP in the video, but you cannot hide it from the server owner logs...
@max_ishere
@max_ishere Жыл бұрын
Omg so cool! I want that sneak skill. It's like make IEX out of someone's computer
@RumenRad
@RumenRad 3 жыл бұрын
just a advice. Start the malware at the end of the video to see what's going on :)
@padreigh
@padreigh 2 жыл бұрын
1st rule of business - add ; into everything to thwart easy line detection :D
@slamscaper128
@slamscaper128 11 ай бұрын
Watching your videos is making me want to learn Python, not to mention get more experienced in Linux.
@djosearth3618
@djosearth3618 Жыл бұрын
jus kernt more aabout regexp then ever knewed ! thxu, again ;]
@tuckerward9844
@tuckerward9844 3 жыл бұрын
that o0knib tho...
@mcgiwer
@mcgiwer 2 жыл бұрын
Please configure your sublime that it automatically wrap the text. It would be easier for the viewers
@kherkert
@kherkert 3 жыл бұрын
Great deobfuscation walkthrough! IEX still the way to go so it seems
@ausieaxemurderboyz1711
@ausieaxemurderboyz1711 3 жыл бұрын
I was just about to analyse on thia
@lordofhack5368
@lordofhack5368 2 жыл бұрын
wouldn't surprise me if the attacker is keeping an eye on connections to the URL, after so many hits or if certain probing command come in it probably turns off to hide itself
@blade1551431
@blade1551431 3 жыл бұрын
how much preparation you make on video before recording I mean what you do with the sample you downloaded before recording
@popooj
@popooj 3 жыл бұрын
always a blast !!
@ek8507
@ek8507 2 жыл бұрын
>deadbeef "i've beaten a dead horse"
@charismaticmedia8585
@charismaticmedia8585 3 жыл бұрын
Love your videos sir.
@bhagyalakshmi1053
@bhagyalakshmi1053 10 ай бұрын
Regular expressions for your Ruby details in more starting beginning explain in the regular expressions.
@jkobain
@jkobain 2 жыл бұрын
Hi, John! I heard they ported PowerShell to MacOS and GNU/Linux too. I can't say why exactly they think it'd be important to have it somewhere else than on MS Windows, still they did it. Probably to allow OS-independent malware, lol. Thanks for the videos, liked them a lot.
@stevebanning902
@stevebanning902 2 жыл бұрын
FBI's gotta get their data from you somehow, no matter what OS you're on
@WickedNtent
@WickedNtent 3 жыл бұрын
I’m new to Cub Sec and I’m doing it as a hobby. How do you get your hands on the payload without it executing so you can break it down?
@osamaamarneh5762
@osamaamarneh5762 3 жыл бұрын
I'm a simple man I see a John Hammond video I click like
@logiciananimal
@logiciananimal 3 жыл бұрын
Isn't it possible the jsp page need a parameter value set to do anything?
@imanuelbaca2468
@imanuelbaca2468 2 жыл бұрын
I actually had this on my computer good to know what it was doing.
@MultimediaCizzy
@MultimediaCizzy 3 жыл бұрын
55:48 THE RETURN OF MEMECATZ ༼ つ ◕_◕ ༽つ
@darkfusion9215
@darkfusion9215 2 жыл бұрын
Can u give me a guide step by step about reverse engineering. like i want to enter in malware analysis and cracking software so where i should start beginning to advance
@matej_grega
@matej_grega 3 жыл бұрын
I understand like 5%, but I love it!
@amaz404
@amaz404 2 жыл бұрын
What if you were to curl the jsp file with the lemon-duck header?
@Freeak6
@Freeak6 2 жыл бұрын
So interesting !! Would be interesting if you talk about who could do such malware. Do you think a single person could have developed it? Or is it more likely a team? How long would it take for a single person to develop such complex malware?
@mattsadventureswithart5764
@mattsadventureswithart5764 Жыл бұрын
A single guy wrote the whole of TempleOS, including writing his own version of a "c" type language to code it in, and a lod of apps for it. It's very believable to suggest that a single person could write this malware entirely on their own. I don't know if true or if a team did this, just that's its believable that someone could have done.
@paradoxicalegg6112
@paradoxicalegg6112 2 жыл бұрын
when i saw to thumbnail i thought it said "demon luck" lol
@stevencowmeat
@stevencowmeat Жыл бұрын
This things got more layers than an onion😂
@flleaf
@flleaf 3 жыл бұрын
11:14 he checked date on hand watches even though he he has it in the top right corner on screen
@sliver7993
@sliver7993 3 жыл бұрын
I'm gonna take a 4 hour nap I guess
@sammo7877
@sammo7877 3 жыл бұрын
here we go again :D
@mechanicalfluff
@mechanicalfluff 3 жыл бұрын
great video! more... MORE.
@0x8badf00d
@0x8badf00d 2 жыл бұрын
5:30 If you're going to do that rather than just deleting all backticks, maybe use `([^abnt"']) instead of `(.)
@TheDyingFox
@TheDyingFox 3 жыл бұрын
19th? ouch, so it takes around 10 days/video?
@TheRogueBro
@TheRogueBro 3 жыл бұрын
The whole reason this script looks at the graphics card (and hash rates) are because if those exist, it wants to use them. You can generate more hashes (earn more money) with a graphics card vs a cpu. Not sure if you pick up on this later, only 41min in lol.
@bhagyalakshmi1053
@bhagyalakshmi1053 10 ай бұрын
How to check this wion what defryint login looking. That's wonderful icai this woinder exl explain powerful
@kushshah3682
@kushshah3682 3 жыл бұрын
If only these bad actors commented their code :)
@jelmervdbij1672
@jelmervdbij1672 3 жыл бұрын
nice vid!
@Joel-gf4zl
@Joel-gf4zl Жыл бұрын
You shouldn't be getting a cached page if you already are including random data in the query. Maybe the date serves another purpose.
@lehangajanayake2705
@lehangajanayake2705 3 жыл бұрын
16:59 I did that mistake luckily for me it was only targeting phones
@krraa
@krraa 3 жыл бұрын
Stupid question but why doesn't the (.) create a copy of the character in front of the '? Like ob'ject to objject?
@mymoomin0952
@mymoomin0952 3 жыл бұрын
The (.) counts as part of the match. So the find-and-replace sees `j, goes "that matches my pattern `(thing)", then replaces it with (thing) - i.e. j
@vis9536
@vis9536 2 жыл бұрын
In reference to replacing the back ticks... Can't you just replace them with an empty box? That would remove them.
@guild975
@guild975 2 жыл бұрын
I love these
@vlOd_yt
@vlOd_yt 2 жыл бұрын
Yes
@criticalposts3143
@criticalposts3143 3 жыл бұрын
judging by the amount of spam in this comment section I'd hazard a guess and say that you're been hit by, you've been struck by, an automated system that goes only off title keywords
@trojan8550
@trojan8550 3 жыл бұрын
How is this vírus spread? ANd gratulation for this video!
@julesl6910
@julesl6910 2 жыл бұрын
the human factor
@bhagyalakshmi1053
@bhagyalakshmi1053 Жыл бұрын
Edureka master jon hamthe yes.
@Explor1ngth3w0rld
@Explor1ngth3w0rld 2 жыл бұрын
dream to seee in live🛑to john sir😔
@idoabitoftrolling2172
@idoabitoftrolling2172 3 жыл бұрын
Ah shite here we go again
@w00tklumpWn
@w00tklumpWn 3 жыл бұрын
Epic Games Launcher looked like a valid at Port 43669, maybe they wann do stuff with it
@chillydickie
@chillydickie Жыл бұрын
super awesome
@MrRayWilliamJohnson9
@MrRayWilliamJohnson9 Жыл бұрын
Games incorporate lemon into code to then get hash rate from all users discretely
@bhagyalakshmi1053
@bhagyalakshmi1053 Жыл бұрын
Url is elmint
@fu886
@fu886 3 жыл бұрын
39:19 43669 is an azure thing to collect data i tihnk
@kidkrow3386
@kidkrow3386 3 жыл бұрын
What’s the new setup looking like?
@shelled7321
@shelled7321 3 жыл бұрын
what's the point of the malware code being hidden? why does it matter if the code is going to execute anyways?
@123gostly
@123gostly 2 жыл бұрын
Hiding from AV and other detection systems.
@fndid337
@fndid337 3 жыл бұрын
I think maybe you need to try curl the a.jsp and report.jsp with user agent lemon duck
@sorrowharvest5884
@sorrowharvest5884 2 жыл бұрын
I'd say the idea of a crypto worm is nothing new to the whole idea. The thought of even attaching backdoors not mainly to alter information but to sap the hardware capabilities of a targeted system. Computer evolved over the conception of increased amounts of stress testing, that being said insights that the machine can handle more task automated by services and regulated thru the registers. The service of a crypto miner is to solve calculations of equations that maintain the blockchain's structure. Which it's self a symbolic link to a hash dump of data (bytes, ints, func, etc); The direction of a numeral scale of which character is switch with another cryptic character to a chain of undifferentiated value. Which holds meaning of the reason a coin hold limited capacity due to the different, individual, and separate values, in example if a blockchain was a configuration of hybals 0000 - 1111 it would only hold 16 coins. Then we divide the value by 2 which in turn increase capacity of 32 different values but only 1 coin will equal the concurrent value of 2 different values. The worm purpose is to grow. Hermaphrodism, self-replicating which in turns is in meaning of a manifestation of a virus, yet the worm needs data to consume so the data is the blockchain itself but to a signature of grasp, drop, split and divide like a middleman within the transaction of transferred bitstreams that identify the blockchain.
@tear728
@tear728 2 жыл бұрын
I dont really see the point of the obfuscation lol there's always some simple way to deobfuscate since they will have to eval or iex... you just end up pinpointing where that is and voila.
@ryonagana
@ryonagana 2 жыл бұрын
when John Hammond will quit reverse engineer malwares and will do reverse engineering of dinosaurs DNA?
@bhagyalakshmi1053
@bhagyalakshmi1053 10 ай бұрын
Fox push 43669? what subject litr
@jamescaramello6229
@jamescaramello6229 2 жыл бұрын
I want this Malware sample all the domains got taken down :( damn
VBScript & ILSpy Analysis of a RAT
1:05:19
John Hammond
Рет қаралды 52 М.
MICHIEL VS JUVENTUS WOMEN 🙈📏
00:26
Celine Dept
Рет қаралды 51 МЛН
Sigma Girl Love #sigmagirl #funny #comedyvideo
00:25
CRAZY GREAPA
Рет қаралды 4,1 МЛН
ЗОЛОТАЯ КНОПКА #shorts
00:24
Паша Осадчий
Рет қаралды 1,6 МЛН
Why is this number everywhere?
23:51
Veritasium
Рет қаралды 235 М.
Using My Python Skills To Punish Credit Card Scammers
7:13
Engineer Man
Рет қаралды 4,7 МЛН
KOVTER Malware Analysis - Fileless Persistence in Registry
1:28:14
John Hammond
Рет қаралды 329 М.
Uncovering NETWIRE Malware - Discovery & Deobfuscation
59:46
John Hammond
Рет қаралды 89 М.
I built a 6-axes 3D printer that could be groundbreaking!
26:52
Proper Printing
Рет қаралды 37 М.
TARGETED Phishing - Fake Outlook Password Harvester
47:09
John Hammond
Рет қаралды 255 М.
The Scientist Who Discovered the World's Most Beautiful Equation
14:58
Malware Analysis & Threat Intel: UAC Bypasses
33:00
John Hammond
Рет қаралды 20 М.
Snip3 Crypter/RAT Loader - DcRat MALWARE ANALYSIS
1:42:04
John Hammond
Рет қаралды 486 М.
Mozi Malware - Finding Breadcrumbs...
50:16
John Hammond
Рет қаралды 196 М.
MICHIEL VS JUVENTUS WOMEN 🙈📏
00:26
Celine Dept
Рет қаралды 51 МЛН