$2 MILLION DOLLARS STOLEN in Bitcoin/Ethereum - JScript Malware Analysis

136,673 views

John Hammond

3 years ago

If you would like to support the channel and me, check out Kite! Kite is a coding assistant that helps you code faster, on any IDE, offering smart completions and documentation. www.kite.com/get-kite/?... (disclaimer, affiliate link)
For more content, subscribe on Twitch! / johnhammond010
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: / johnhammond010
PayPal: paypal.me/johnhammond010
E-mail: johnhammond010@gmail.com
Discord: johnhammond.org/discord
Twitter: / _johnhammond
GitHub: github.com/JohnHammond

Comments: 305
@_JohnHammond 3 years ago
Update: Thanks to @Wikidude in the comments for pointing this out. The "Mizu" address that I didn't do a good job of digging into is apparently a BTC address. Looking this up, it has over 2.5 MILLION dollars, with transactions in March of 2021. Absolutely crazy. www.blockchain.com/btc/address/1NSrjTotDiuK7S1xMm9yuppq4dr4Uf9saM
@hackingguy 3 years ago
It was really awesome!!! It felt like real movie hacker-like stuff 🔥🔥🔥🔥
@void_p 3 years ago
change the video title for moar clickbait!
@wikidude 3 years ago
We are Big Boi investigators now xD
@Basieeee 3 years ago
Holy smokes
@SV_Sangha 3 years ago
Wow.... makes one wonder, doesn't it.... all stolen or mined, hmmm...
@jht5225 3 years ago
I just wanted to say: you have inspired me. I have officially enrolled in university again as a mature student, finally, and will be working towards a bachelor's in cyber security.
@philipstringer4425 3 years ago
Same, I didn't know what I wanted to do in life, but John has shown me a path.
@deepergodeeper7618 3 years ago
@@philipstringer4425 you now know the way
@Nunya58294 3 years ago
Hell yeah!
@chillytheprogrammer 3 years ago
I am currently studying cybersecurity too!
@newbunny93 2 years ago
@@chillytheprogrammer Best field to get into. Lots of money to be made as long as you have the right mindset.
@alessandro.rossini 3 years ago
39:05 "this is in a language that I do not speak": proceeds in real-time reading and translation from Italian to English with no issues
@EmaCannella 3 years ago
The Threat Report PDF at 38:53 was in Italian and yes, it was a report about a similar malware. Italians, let's make ourselves heard :)
@valeriobertoncello1809 2 years ago
Spaghetti code ftw
@LuisSieira 3 years ago
Impressive how you managed to understand obfuscated Italian though
@haloball12 2 years ago
...
@FascistTrex 2 years ago
Bruh
@LinuxJedi 2 years ago
🤦🏻‍♂️
@dumbidiot1119 2 years ago
So just Italian?
@deutscher649 2 years ago
What is being insinuated here? Just curious.
@wikidude 3 years ago
Hey John, the BTC address (Mizu in the sample) that you didn't check properly on the blockchain explorer has received $2.5 Million. Should probably change the title. $2.560.000 looks better xD
@_JohnHammond 3 years ago
Holy shit.
@salticidae1.618 3 years ago
@@_JohnHammond yeah it's 72 BTC at 44,000+ USD each xD
@jimmyadaro 3 years ago
@@salticidae1.618 BTC is up to $56k each right now
@jbarriossandrea 3 years ago
It's 13 million now
@MrCyphersphinx 3 years ago
Excellent work, watching this helped me realize that this cyber security degree I am finishing up is something that is achievable and interesting. So much of our classes are report driven and it is great to see a real world example of what actual analysis looks like and the progression through it. Thank you!
@heinrich3427 3 years ago
This video inspired me to get into ethical hacking. I literally watched over 20 hours of videos about hacking in the last 2 days. I haven't been this excited since I started programming 17 years ago. Just hacked into my Bose SoundTouch 😂 Thank you for bringing back the fun and fire in me for computers 😁
@royslapped4463 2 years ago
This video inspired me to make a bot net that is spreading around the earth and sending millions of dollars to me from "inactive" crypto wallets. 😉 I am almost on the leader board of top 500 humans!
@Flaneur27 1 year ago
How tf did you have that
@jeromed.salinger647 7 months ago
Updates? Was it short-term hype or did you stick to it up until now?
@SV_Sangha 3 years ago
Great work... love how fluent you are in this. Kudos to you John!
@SV_Sangha 3 years ago
@John Hammond Thankfully I have not. However, I try and stay isolated as best I can. I love the programming and security in the videos.... and am doing some entry level hackme items trying to learn. You're inspiring, thanks!
@_asidy 3 years ago
Sailing Sangha that was a fake account
@SV_Sangha 3 years ago
@@_asidy agreed... but good interactions help the algorithms 😁
@andreastefan3825 3 years ago
39:08 that is Italian :)
@asdqwery7593 3 years ago
Thanks bro
@jakubklecki2963 3 years ago
Scammers these days pose as people who have literally just said in the video they don't know shit about crypto
@BigBeesNase 3 years ago
It was an interesting dig and got spicier with those dollar numbers. Keep up the good work!!
@kingpopaul 3 years ago
I think this is pretty small compared to ransomware in terms of value and damage. Though it's nice to see a John spambot.
@kristiyangerasimov6708 3 years ago
John thank you for the great video, I'm a complete newbie to software development, debugging and analysis. I'm able to follow you perfectly, understand most of what is presented and am having a great time!
@Masterism88 2 years ago
I know this video is a couple months old, but I'll still say that these videos are much better when you go through the malware for the first time, rather than explaining what you've found previously.
@joacoordonez1973 2 years ago
Man, I love these vids, you're an absolute genius. I learn a lot
@rickybennett9410 2 years ago
You rock, John! Thanks for the cool videos and for being such an inspiration to all of us aspiring info-sec pros, and for educating the general public! You're the man!
@Henchman0077 3 years ago
Great fun again John. Great work
@StanLTU 2 years ago
excellent stuff. Love your content. Keep it up.
@joryiansmith 3 years ago
This malware analysis is nothing short of magical
@Tramontano_T 3 years ago
You have no idea how much I love your videos ❤️
@imjustwolf 3 years ago
I love that I found your channel! I want to get into cyber security so watching you go through code and explain things is fascinating! I do have one thing to say... why do you NOT use dark mode on EVERYTHING? It is so much easier on the eyes using Windows' dark theme and any dark theme where sites allow it (like twitter...).
@rastabong420 3 years ago
love your videos john keep it up!
@structure7 3 years ago
The only thing me and you have in common is that we both speak English good, but man I love your content, style, etc. Thanks for doing this and please keep it up! Subscribed. And I watch until the end.
@kunma3214 3 years ago
dude you are doing really cool stuff, keep going!
@2514ben88 2 years ago
great job John fascinating stuff as always
@internetdoggo4839 3 years ago
Love em. keep em coming
@juuse94 2 years ago
That clipboard trick is really slick
@chervesblezz 3 years ago
Great job... I've learned so much... plz continue with this... cya
@pedror9314 3 years ago
Excellent video!! Thanks for sharing
@foxdk 3 years ago
Another great video. Keep it up!
@timothysnyders1426 3 years ago
Yo Johnny!! I've been a fan of yours for the longest bruv! Malware analysis is a neat content twist👌🏽.. Looking forward to more bro. **Side note : PLEASE CREATE YOUR OWN MALWARE, AND UPLOAD A VIDEO EXPLAINING THE CODE AS WELL AS A DEMO USING IT.. PRETTY PLEASE!! 😭😍🔥🙏🏽
@ivanboiko8975 3 years ago
many thanks for content, man
@Hitmonkey420 3 years ago
Love your content, John. I've learned a lot just listening while I work. I have applied a bunch to using Linux and have implemented your techniques starting Hack the Box. Just bought a shirt from ya👍. Keep up the good work. It would be cool if sometime you could make a mini series specifically about writing little tools, but I know your videos often contain python scripts you write on the fly (which is really dope btw).
@420Schmat 2 years ago
Amazing as always!
@NB-ph6cv 3 years ago
Man, I don't understand all of it but now I remind myself that I was supposed to do other stuff and 32 minutes gone like a slap, or wait what does suppose to mean? And yeah, it's really interesting stuff! John, you are a Legend! :D
@fra1897 3 years ago
that PDF was in Italian! c: very entertaining video :)
@mikeylazok8789 1 year ago
Good Job , John "MALWARE" Hammond , Lovely to See and Hear Your Enthusiasm For Malware Man you Nailed IT.👊👌🤚✌🔥🔥🔥🔥As Usual 🔥🔥🔥🔥👌✌👊👊
@sorrefly 2 years ago
39:05 greetings from Italy ❤️
@tylercoombs1 3 years ago
God, I learn so much from watching John's videos; it literally takes me 3 days to digest one
@OmniPhantom 1 year ago
I know right it's amazing
@kerbatonbaton8108 3 years ago
pls someone make something that looks like malware but in the end it gives you a youtube link to rickroll (and send this to him, pretending it's crazy malware)
@spoiledbread5688 3 years ago
Lol
@CZghost 3 years ago
You know what? You bet! :D
@CZghost 3 years ago
@John Hammond Shut it off, we know you're fake ↑ The real one would have a tick next to his name, as the author of this video, a highlighted name and an updated profile picture...
@TheSauxer 2 years ago
57:32 that's Batman voice, noice
@bhagyalakshmi1053 10 months ago
Thanks 🙏
@skalman2262 3 years ago
I do not know why this came up in my feed ... I understand absolutely nothing of what I'm watching ... Good work to get a subscriber who has no idea what he is subscribing to. and yes the text is with Google Translate ;-)
@sammo7877 3 years ago
Would have been interesting to see this part @51:45 via Burp Suite :)
@FalcoGer 1 year ago
I think the simplest thing would simply be to rewrite the "eval" function to print instead. It would also be somewhat more secure since it might be called from other places as well.
@custume 3 years ago
great video 😉
@kylefaust7743 1 year ago
You know I have searched extensively to see if anyone actually does anything like what you do for this malware/virus/ransomware/etc... No one displays it like you. This information digging explorer style of the software. Most try to show off a tool or explain how you can learn to go do this and how it benefits your career. But no one is doing what you're doing here. I can't get enough of it cuz it is incredibly awesome.
@heizenbergwhite5669 3 years ago
You're the best, man 🔥❤
@jameselliot9114 3 years ago
0:30 onions aren't spicy, John 🤦‍♂️
@BryceChudomelka 2 years ago
I would be interested in building something that automatically beautifies. We could use Go and an API call. Thanks for the content.
@mauritaniainjector3736 9 months ago
Very Good my teacher 👨‍🏫
@pxdav 2 years ago
Stage 1: beautified Stage 2: beautified Stage 3: beautified Stage 4: beautifiee Stage 5: BEAUTIFIER
@custume 3 years ago
I've actually used ESET for several years now and for me it looks good, also not expensive; sure, it has some things that can take it down, but mostly it gets a lot of things
@mihalachebogdan1 3 years ago
Microsoft Defender better watch out
@logiciananimal 3 years ago
On the POST - the server doesn't have to answer - it could be doing nothing visible to avoid another IOC. Also, for all we know it could have been compromised itself, partially taken down by intelligence or law enforcement, etc.
@leuropaische 3 years ago
it's March 10th 2020
@irtizaali3334 3 years ago
great video
@irtizaali3334 3 years ago
@John Hammond no 🤣
@hgjfgjghfj8920 3 years ago
Have you deobfuscated a PyArmor-obfuscated script? (Python) A video on that topic would be interesting, thanks!
@mjmeans7983 3 years ago
Is there a Windows policy that will just disable this pattern "Function(string)()"?
@szymusu 2 years ago
I love how self-remove is "UnMonk"
@diddyman1958 3 years ago
Awesome!
@kherkert 3 years ago
Hey John, base64-decoding multiple JS comment blocks as one base64 string will certainly not work out. First split up the different /* ... */ blocks and decode them separately.
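One way to do what this comment suggests, added here as an example that is not from the video or the commenter (Node.js; the JScript source below is a constructed stand-in, not the real sample):

```javascript
// Added example (Node.js), not from the video or its comments: decode each
// /* ... */ block of a JScript sample separately, as suggested above, instead
// of joining them into one base64 string. SAMPLE is a constructed stand-in for
// the malware's source, not the real sample.

const SAMPLE = [
  '/* helper: nothing to see here */',
  'var a = 1; /*',
  Buffer.from('payload one').toString('base64'),   // "cGF5bG9hZCBvbmU=", note the padding
  '*/ var b = 2; /*',
  Buffer.from('payload two').toString('base64'),
  '*/ WScript.Echo(a + b);',
].join('\n');

const BLOCK_RE = /\/\*([\s\S]*?)\*\//g;          // non-greedy: one match per block
const B64_RE = /^[A-Za-z0-9+/]+={0,2}$/;          // strict base64 alphabet plus padding

// Inner text of every /* ... */ block, with whitespace removed.
function extractCommentBlocks(src) {
  return Array.from(src.matchAll(BLOCK_RE), (m) => m[1].replace(/\s+/g, ''));
}

// Keep only blocks that are well-formed base64 (length a multiple of 4), so an
// ordinary comment like the "helper" one is skipped rather than mis-decoded.
function base64Blocks(src) {
  return extractCommentBlocks(src).filter((b) => B64_RE.test(b) && b.length % 4 === 0);
}

// The right way: decode every block on its own.
function decodeBlocks(src) {
  return base64Blocks(src).map((b) => Buffer.from(b, 'base64').toString('utf8'));
}

// The way the comment warns against: glue the blocks together, then decode once.
// The "=" padding that ends the first block stops Node's decoder at that point,
// so the second block never comes out.
function naiveDecode(src) {
  return Buffer.from(base64Blocks(src).join(''), 'base64').toString('utf8');
}

console.log(decodeBlocks(SAMPLE));                // [ 'payload one', 'payload two' ]
console.log(JSON.stringify(naiveDecode(SAMPLE)));   // truncated: only the first payload
```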
@pahvalrehljkov 3 years ago
The amount of good advice and the fact that you actually read it and use it is really creating that community vibe... me like it... also, I like it more when you come somewhat unprepared and research this like you usually would; sometimes it feels like you want to make these videos explorations when they are clearly well-prepared demonstrations; that feels more natural to me... and ofc tnx for all the good and spicy insights on how this is done! 👊
@hexearth8258 3 years ago
57:11 once you make a cryptocurrency transaction, it's public, everybody can see it.
@_Fen 2 years ago
_laughs in monero_
@James-is6tg 2 years ago
Fantastic
@regishabu1790 3 years ago
hey John, I am new to cybersecurity.. just subscribed
@yourfellowhumanbeing2323 3 years ago
Are you a Malayali?
@3xpl0i79 3 years ago
@@yourfellowhumanbeing2323 no
@grandmakisses9973 3 years ago
@@3xpl0i79 no
@gotithowigetityoutube8144 3 years ago
Now what would you consider this kind of code: malware, spyware or adware?
@yourfellowhumanbeing2323 3 years ago
@@3xpl0i79 hehehe
@ieatpushpops 1 year ago
I enjoy your videos because of the not-so-awkward silent moments.
@creativereasons7588 3 years ago
LIGHT MODEEEE AHHHHHHHHH MAKE IT STOPPPPP, and then you beef me for JavaScript.. low blows dude low blows xD Na for real keep it up dude these viddies are great
@whtiequillBj 3 years ago
I love how languages overlap -- "di comando e controllo" (command and control)
@Bluscream 2 years ago
Thanks John. You really inspired me to sit on my lazy ass and continue watching your videos!
@alincraciunescu 3 years ago
You are the best!
@cloud7982 2 years ago
I was laughing so hard as it went further and further down the loophole and when it got to stage 6 I was dying
@GabrielSultanGabyyy 3 years ago
where do you find these?
@ianowens1905 3 years ago
Aw I like watching you deobfuscate code
@letsrugem 1 year ago
I don't even understand it but I still keep watching. I don't know why.
@blazi_0 3 years ago
line 220 at 4:51 is a variable but without a name 🤔
@xdamijancoding7331 3 years ago
Right has left the chat!
@heinrich3427 3 years ago
As someone who has worked as a software developer for 17 years, I am surprised how trivial the malware is. What I like most is how creative it is with the clipboard. Are there common malware patterns?
@alvarocarrascosapenabad4355 2 years ago
Malware authors to me are some of the most creative people. I am sure there are many patterns for achieving specific tasks; one I see a lot, and here for example, is to find the Windows Startup folder and copy itself to it. Some of them even go to the extent of making the icon invisible in said folder
@Freeak6 2 years ago
It feels good and sad to see that these guys put so much effort into obfuscating and encrypting the code, and you can just remove the eval function and let the computer decode all of it for you ^^
@gauthamkrishna.s2912 3 years ago
Don't mind me, just keeping up the engagement.
@DarkAngel-ov2fu 3 years ago
I am surprised only ESET detected it
@paashaasXD 2 years ago
I have one question, this script changes your clipboard with another BTC/ETH address right? But do they hope you immediately send btc after that or something? What happens when you ctrl C something else, will it overwrite? I don't get that part.
@mawortz 3 years ago
I have no idea what I just watched. But it was interesting
@imroot2454 3 years ago
Where can I get the original sample? :(
@theSidyous 3 years ago
Could you try the notpron riddle - see how far you get?
@Dan-uo9fw 3 years ago
I'm curious what infection vector they use to get this onto a victim machine and executed.
@hunterhunter6517 3 years ago
From downloading pirated software, I suppose.
@pXnEmerica 3 years ago
Why write a tool to unpack it? Write a tool from the parser/processor and list/breakpoint when functions happen. You run the code, it tells you it tried to access these methods, this many times. Skip a ton of obfuscation possibly and get more to what it's actually trying to do. When it tries a shell.run, print the commands; when it tries a sendhttp, don't, and print the request.
@alvarocarrascosapenabad4355 2 years ago
A tool to unpack it is obviously much easier to program than what you are suggesting, but this is indeed a great idea!
@killerskincanoe 3 years ago
Is wscript enabled by default in Win 10?
@mpcabete 3 years ago
Why did the developer use the "new Function()" syntax in the first layers instead of an eval? Is it an evasion technique?
@maxpowell3528 2 years ago
Solid chance this is the reason why! Also maybe just to throw off researchers.
@1wk407 2 years ago
this rules
@paashaasXD 2 years ago
What if the maker of this script is watching this video xD "oh shiiiiii"
@SomethingEternal 1 year ago
Now if only it was this easy to find their current physical address. I'd go say hello to them, and introduce their backend to a soft viper.
@tommyhetrick 3 years ago
OOF we errored
@viv_2489 3 years ago
Thanks, wonderful walkthrough
@royslapped4463 2 years ago
Dang, I can't imagine writing code like this. I'd die.
@rydmerlin 3 years ago
When does this actually trigger? When does it hijack the clipboard?
@tzisorey 2 years ago
"This address has received 72 bitcoin ($44,000)" Had to check the date on this video when I saw that bit.
@sepgh2216 1 year ago
"Double it and give it to the next person" in a malware :D :D
@eugene5096 3 years ago
How do they make people download and run this script?
@NikolayRogchev 2 years ago
So the whole script relies on people not checking what they paste when sending money?
@code-to-design 10 months ago
Why is there a request to a local server if the video is only about what you said?
@bhagyalakshmi1053 1 year ago
Why to file Wi-Fi hack the handling.