KOVTER Malware Analysis - Fileless Persistence in Registry

331,598 views

John Hammond

2 years ago

You can register now for the Snyk "Fetch The Flag" CTF and SnykCon conference at snyk.co/john ! Come solve some great beginner-friendly challenges -- including some of my own!
For more content, subscribe on Twitch! / johnhammond010
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: / johnhammond010
PayPal: paypal.me/johnhammond010
E-mail: johnhammond010@gmail.com
Discord: johnhammond.org/discord
Twitter: / _johnhammond
GitHub: github.com/JohnHammond

Comments: 226
@josephvictory9536 · 2 years ago
Dude the most valuable point to this video for me, that keeps me watching and wanting more, is that you show your process and explain your reasoning as well as the deductions for each stage. Feels like a master class or high level university lecture, but without the typical boredom or theory.
@garbagetrash2938 · 1 year ago
These videos are very close to what I do everyday for work. I love it!!!
@kaguiful · 2 years ago
John says: "sorry for the long video" Me: " MAKE IT LONGER, I WANT IT!"
@UmbraAtrox_ · 2 years ago
We all underappreciate how good this man is at naming variables.
@petevenuti7355 · 2 years ago
Let's call it 'please subscribe' 😜
@SirThane13 · 1 year ago
I don't know if he's better at naming variables necessarily, but he's certainly better about picking one and moving on instead of agonizing about a better name.
@shamlicheetu6351 · 5 months ago
@petevenuti7355 TT combin b think
@elinorris2942 · 2 years ago
Malware Analysis is literally my favorite playlist on YouTube. Never watched anything more interesting/entertaining, keep up the awesome work!
@FahyGB · 2 years ago
Could you suggest more channels that showcase malware analysis?
@pitche · 1 year ago
@FahyGB I'd recommend OALabs, MalwareAnalysisForHedgehogs
@resonance378 · 2 years ago
Thanks John for hosting this stuff, diving into it, and giving the constant reminder that it's OK to use your brain and nerd out about really complex IT problems.
@SubitusNex · 2 years ago
Every time you went "this is getting awfully long" or "I know this might not be all that interesting" I was like... Doooooooooooood no this is da stuff. Good one John :)
@TheSauxer · 2 years ago
- So what do we call this thing? - Programmers every time: hmm... 'test' sounds fitting.
@DarkCrux · 2 years ago
34 mins into the video, and I am just mind blown how deep this embedded code goes... Absolutely amazing job refactoring and de-obfuscating. Some of the best I've ever seen.
@numpty_ · 2 years ago
Really appreciate you taking the time to explain the shortcuts here John!
@dustinhammond3376 · 2 years ago
Really appreciate the lengthy videos. This is a fantastic dive and great way to get into your headspace. Very easy to follow your thought process here.
@Bobtb · 2 years ago
That was indeed a long video, but also quite interesting to watch how you do this. I keep learning from your videos, thanks for sharing John!
@byoung006 · 2 years ago
Just wanted to say thank you for the time and effort you put into your content. For a young guy in IT, you’ve made this stuff super accessible, and I can’t wait to attend the upcoming Snyk CTF! You’re a goddamn inspiration John! ❤️
@pbjandahighfive · 2 years ago
This is my new favorite YouTube channel. Can't believe I hadn't come across this sooner. Very competent and thorough analysis and deobfuscation in these videos. Really quality stuff.
@vanashgaming8370 · 1 year ago
As someone with next to no experience in malware and very little in programming in general, I find that you make these super easy to understand and teach at the same time.
@aurinator · 2 years ago
I initially mistakenly read the title as "Flawless Persistence in Registry," but after completing the video am thinking that misread title is actually applicable. Snyk is awesome though, and I'm actually happy to see the section near the beginning about it explicitly. I really want to see this field of study gain popularity, because it's still unfortunately relatively overlooked IMO.
@c1ph3rpunk · 2 years ago
Malware analysis is overlooked? Not really, I know dozens of folks that do it. Snyk is decent at the dev stage, and especially for containers, but they’re only 33% of a solution.
@Gob. · 2 years ago
@c1ph3rpunk He's talking about the YouTube series, not the actual act of doing it.
@abandonedmuse · 1 year ago
You actually taught me a ton. I guess because you are also learning that it makes the process easier for me to grasp? Or maybe because I know everything you are saying now. Years ago I was very clueless but I had never seen the fileless process outlined so simply. A world of gratitude from this girl.
@spoiledbeans7402 · 2 years ago
John John John.... I just discovered your channel a few days back and I am totally hooked... Your content is brilliant, captivating and very well presented. Thanks for the obviously incredible hard work that you put into this!
@vadymderevianko135 · 2 years ago
Great work, John! Thanks for sharing your experience with the community
@securiosityy · 2 years ago
Super interesting video! Being a Linux guy wanting to get into Malware analysis, I always learn a ton from your videos. Thank you! It takes a lot of confidence and skillz to do this (mostly) live while working through the challenge and still looking like the expert that you are. Keep up the great work.
@Cyanid3-VX · 2 years ago
Great video! I love these breakdown videos. Really interesting. It’s crazy how someone developed this.
@adamheiner2229 · 2 years ago
I am loving these Malware Analysis vids, and all of the knowledge that is poured out in these vids.
@buhaytza2005 · 2 years ago
Screw YT! Didn’t even get a notification that 3 videos have been uploaded 😒
@jamesvincentcarrollII · 11 months ago
Watched the whole thing. Learned a lot. Thank you!
@dataolle · 2 years ago
Love these long-form videos, great stuff!
@jmprcunha · 2 years ago
Thank You John. It is a pleasure to watch your videos! I always learn something :)
@miguelsoares3465 · 2 years ago
Will be my first real Con CTF !! Thanks John!
@emgarc1982 · 2 years ago
Another great video. Really interesting to see how you approach this.
@joetango8521 · 2 years ago
John, have you looked into using a beautify extension when working with malicious JavaScript? It saves a lot of time and allows you to dig into the functionality of the code much faster instead of manually removing the minification.
@kanra7678 · 2 years ago
Yay, I really enjoy your longer videos. :D
@brandonconway5286 · 2 years ago
I’ve never seen one of your videos before. This is super interesting, thank you. Subscribed 😁
@securityguruguy · 2 years ago
Amazing work as always!
@Alb1n0blk · 2 years ago
Your Vids, especially these investigations, are awesome. Very informative
@renn3014 · 10 months ago
This is so, so interesting. I learn a lot from watching you, David Bombal, Darknet Diaries and NetworkChuck. It’s great to see your process and learn important terminology and techniques as I am at the start of my cybersecurity journey. This is amazing to see how you guys solved this mystery! Thanks ☺️
@smithclk · 2 years ago
Many thanks mate. Very informative and exciting stuff!
@moustafakashen3610 · 1 year ago
Awesome content Mr. Hammond!
@jeremiahpatz1192 · 2 years ago
Thank you, this was awesome. I didn't even notice how long it was.
@Korrokable · 2 years ago
KOVTER always brings me back. No AV would ever find it; the easiest way to find it was to do a string search on the reg for ";eval" and just kill every reg entry.
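A scanner of the kind this comment describes, as an added example that is not part of the comment or the video: it walks a .reg export (the sample below is constructed here, not taken from the video), decodes both string and hex: values so a marker hidden in a UTF-16 blob is not missed, and reports which keys carry the ";eval" marker so they can be reviewed rather than blindly deleted.

```python
import re

NEEDLE = ";eval"  # marker the comment above searches for
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
HEX_RE = re.compile(r"^hex(?:\((\w+)\))?:(.*)$")

def _logical_lines(text):
    """Join .reg continuation lines (a trailing backslash continues a hex: value)."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""

def _decode_hex(kind, payload):
    """hex(2)/hex(7) hold UTF-16LE text; any other hex: payload is treated as raw bytes."""
    raw = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    if kind in ("2", "7"):
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")

def parse_reg_export(text):
    """Yield (key, value_name, value_as_text) for every value in a .reg export."""
    key = None
    for line in _logical_lines(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            continue
        name = "(Default)" if m.group(2) else m.group(1)
        data = m.group(3)
        hm = HEX_RE.match(data)
        if hm:
            value = _decode_hex(hm.group(1), hm.group(2))
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            value = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            value = data  # dword:/qword: values are kept in their textual form
        yield key, name, value

def find_suspicious_values(text, needle=NEEDLE):
    """Return [(key, value_name)] for every value whose decoded text contains the marker."""
    needle = needle.lower()
    return [(k, n) for k, n, v in parse_reg_export(text) if needle in v.lower()]

# Constructed sample export: two benign values and two that carry an eval() call,
# one as a plain string and one hidden in a UTF-16LE hex(2) blob split across lines.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Contoso\Settings]
"Theme"="dark"
"Cache"=hex:00,01,02,03

[HKEY_CURRENT_USER\Software\Contoso\Updates]
"Stage"="var a=1;eval(unescape(\"%61%6c%65%72%74\"));"
"Blob"=hex(2):76,00,3b,00,65,00,76,00,61,00,6c,00,28,00,\
  76,00,29,00,00,00
'''
```

Run `find_suspicious_values(SAMPLE_REG)` on the sample to get the two Updates values; feed it the text of a `reg export` of a suspect hive to triage a real machine.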
@Demoralized88 · 2 years ago
Near certain I have some bot/RAT like featured in this video. I'll have to try digging in the registry as no AV has been able to detect anything.
@michaelgaddajrfi9192 · 2 years ago
@Demoralized88 I too have a very persistent RAT and no idea who to hire, how to hire, etc. I really wish I was as skilled at this. I find it fascinating.
@lksw42439 · 2 years ago
Y’all need to wipe clean if you have any reason to believe this is true.
@AnjewTate · 2 years ago
@Demoralized88 Have you done anything since? Found it? Used Malwarebytes or Bitdefender (paid versions)?
@Demoralized88 · 2 years ago
@AnjewTate I tried everything, including brand new drives and a known clean W10 ISO USB. It had persistence below the OS level. Still not sure how or what, but I got called a schizo for thinking it. Recently, security researchers are now uncovering UEFI and other FW malware. It started when my home network got attacked, and most people in my apartment complex are affected. We only have one ISP option: COX. This all started around May, and I have switched to Chromebooks and Linux on Ethernet until something is figured out. Symptoms of a miner/infostealer, but pretty subtle rather than sustained 100% usage. It's been a long saga my dude.
@mastaghimau · 2 years ago
Really great, man.... Time flies while watching your tutorial.....
@jeffarends8843 · 2 years ago
Good stuff, thanks for the content!
@DaPanda19 · 2 years ago
That trailer feature is really useful, also signing up for that CTF :)
@kevinejames8534 · 2 years ago
Enjoying your videos all the way from Kenya
@romanburczymorda4313 · 2 years ago
Malware Finds a New Place to Hide: Graphics Cards
@samsepi0l336 · 2 years ago
Thank you for everything, John!!
@debarghyadasgupta1931 · 2 years ago
Thank you Sensei 🙏
@shamvilkazmi3447 · 2 years ago
It's like solving a puzzle. Didn't expect I'd watch the whole video. Awesome content; also, that technical document was so great.
@davidmiller9485 · 2 years ago
It's been years since I've seen Delphi even mentioned. Back in the late '80s, early '90s I used it to write programs to use with Web Compass (note here: Web Compass back then was a crawler, not malware. It was actually a decent one considering we really didn't have search engines online back then) for my business. Talk about memories.
@universalponcho · 2 years ago
I love watching this dude's videos. Might take a while to get through. Though something about him just makes me want to keep watching and learning.
@WiseSmokingNative · 2 years ago
Watched the whole video, thought it was interesting. Thank you for the educational video!
@kantnklaar · 2 years ago
What a piece of work. KOVTER is amazing as well :)
@iddqds · 2 years ago
I love this stuff. I give my full attention, understand everything John says and does and try to create links, but it seems there are nearly endless things to learn. I think reverse engineering is really cool.
@vanillagorilla__ · 2 years ago
Great vid, thanks!
@effexon · 2 years ago
Wow, I didn't think investigating malware could give the same engaged feeling as CSI or other crime shows.... John has talent explaining things with a captivating tone of voice.
@UsernameXOXO · 2 years ago
Hey, too much of that positivity and they will take the effexoff.
@Handskemager · 2 years ago
I was almost screaming at you about that big blob of text that looked like hex values, thankfully you figured it out yourself! xD
@an0ndev · 1 year ago
I had a mini heart attack when you decided to run the stage 2 JS directly and almost missed the second eval... and my friends call me a risk-taker for clicking links aimlessly, haha. Great video as always, thank you John :)
@mohamedaamir682 · 2 years ago
Great Contents as Always 😍😍😍
@AlphaLumenTV · 2 years ago
The Snyk CTF looks very interesting for sure. 👀 Might give it a go!
@list1726 · 1 year ago
This was fun!
@CShock1245159 · 2 years ago
The PowerShell comments! LOL! I was yelling at my monitor. Happens to all of us!
@andrewkelley9405 · 2 years ago
Wow. Very impressive.
@abepl · 2 years ago
I have no idea what I'm watching but I love it.
@liudvikasstankus · 2 years ago
Was interesting. Thanks.
@danytoob · 1 year ago
I don't understand any of this but it was fascinating following along with the big brains doin big brain stuff. Next level+
@michaelgaddajrfi9192 · 2 years ago
I really want to get started in this field and help people that are in over their heads like I am currently. I just have no idea what tools, who to pay to help or how to get ahold of them. Is there a list of tools you use or recommend? I read a lot about your exploits on the news and your YouTube channel is proof of prowess. Keep up the good work, and any fileless bot or RAT coverage would be a godsend; maybe someday I'll find out what has plagued me for about two years now.
@SV_Sangha · 1 year ago
Love it!
@haroldbrown5887 · 1 year ago
Thank you Mr Hammond this has been very very interesting and also may explain some of the problems I've had in the past with memory usage and registry creep. I'm thinking that I would like to know what kind of registry scanners would locate these types of malware?
@vincentsvlog1761 · 1 year ago
John, you are my hero 🥰.
@world_affair · 2 years ago
GOOD INFO!!
@MalwareAnalysisForHedgehogs · 2 years ago
The PE file you got from Caleb is corrupted (more specifically the e_lfanew value in the DOS Stub) and cannot run. That value affects how the file type gets parsed. That's why no AV detects it.
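A check for exactly the kind of corruption this comment points at, as an added example that is not part of the comment or the video: it follows e_lfanew from the DOS stub and reports whether a PE signature is actually where the value points. The sample files are constructed here, not the video's sample, and the field layout follows the documented IMAGE_DOS_HEADER / IMAGE_FILE_HEADER structures.

```python
import struct

DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C   # IMAGE_DOS_HEADER.e_lfanew: file offset of the PE signature
COFF_HEADER_SIZE = 20    # IMAGE_FILE_HEADER that follows the 4-byte signature

def check_pe_header(data):
    """Follow the DOS stub to the PE header and return (ok, reason).

    Parsers take e_lfanew at face value, so a bad value sends them to the wrong
    place even though the MZ stub itself looks perfectly normal.
    """
    if len(data) < 0x40:
        return False, "shorter than the 64-byte DOS header"
    if data[:2] != DOS_MAGIC:
        return False, "missing MZ signature"
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if e_lfanew < 0x40 or e_lfanew + 4 + COFF_HEADER_SIZE > len(data):
        return False, f"e_lfanew=0x{e_lfanew:x} points outside the file"
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return False, f"no PE signature at e_lfanew=0x{e_lfanew:x}"
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    return True, f"PE header at 0x{e_lfanew:x}: machine=0x{machine:04x}, {nsections} section(s)"

def build_sample(e_lfanew):
    """Constructed sample: a 128-byte DOS stub with e_lfanew set as asked, followed by
    a PE signature and a minimal i386 COFF header that really sits at offset 0x80."""
    stub = bytearray(0x80)
    stub[:2] = DOS_MAGIC
    struct.pack_into("<I", stub, E_LFANEW_OFFSET, e_lfanew)
    # Machine=0x14c (i386), 1 section, zero timestamp/symbols, 0xE0-byte optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    return bytes(stub) + PE_SIGNATURE + coff

GOOD = build_sample(0x80)               # e_lfanew points at the real PE header
OUT_OF_FILE = build_sample(0xFFFFFF00)  # e_lfanew far beyond the end of the file
WRONG_TARGET = build_sample(0x40)       # in range, but lands on stub padding, not "PE\0\0"

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("out of file", OUT_OF_FILE), ("wrong target", WRONG_TARGET)):
        print(label, check_pe_header(sample))
```

Running the script prints one verdict per constructed sample; pointing `check_pe_header` at a real file's bytes shows whether a scanner that trusts e_lfanew would even reach the PE header.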
@jesusibarra4055 · 2 years ago
I enjoy your content
@amx2311 · 2 years ago
I will admit I thought the numbers in the shellcode were IP addresses since they ran up to 255 but not higher. Aside from that I have been thoroughly entertained, seeing this kind of analysis and also the wrap up including VirusTotal, bringing it back to the "end user experience" as far as using common ways of checking for vulnerabilities without digging into the code yourself.
@CZghost · 2 years ago
Avast - undetected. Thanks, Avast, now I know you won't protect me against Kovter.
@arseniy.k8895 · 3 months ago
Thank you
@BeethovenHD · 2 years ago
very nice, very crazy - thanks for this nice video :3
@GeorgeWulfers_88 · 2 years ago
Will definitely check you out on Twitch. I just started streaming there as well. Games for now so I can just chill :P Awesome video as always! Thanks :)
@leestaton1697 · 2 years ago
Good channel and really good videos, John.
@callmemc6 · 2 years ago
Man, I love watching ginger Seth Rogen. Genuinely getting me addicted to malware analysis.
@asilaydying0123 · 7 months ago
Sometimes when I'm working on a project, I'll just hear Hammond's voice: "ok then we pipe that to grep" or some other thing that I don't understand, and it ends up working.
@DarkMantisCS · 2 years ago
I'm sure you know this but in Sublime Text you can press Ctrl+d with a variable highlighted and it will select the next one in the file. This saves you from doing ctrl+f on every var :)
@ItzRetz · 8 months ago
I'm convinced that if you and The Lockpicking Lawyer teamed up, there isn't a single facility on this planet you wouldn't be able to break into.
@samsepi0l227 · 2 years ago
I'm gonna sign up too!
@vaibhav3852 · 27 days ago
The first time I watched this video, I was so bored that I left before even the deob started. I just watched the HTA to PowerShell video and in it, code was also extracted from the reg. That's why I was able to push through the early part: I was fascinated by the same technique used here. :D
@faker-scambait · 1 year ago
Nice, John. Can I give you a tip for the SEO? Put the title in the first line of your description.
@gabrote42 · 2 years ago
38:11 I trusted Sublime Text when it colored them gray :D
@blade1551431 · 2 years ago
I love your (blind) analysis videos. I was thinking at first all videos are first look.
@DHIRAL2908 · 2 years ago
Wow, those PowerShell comments in the shellcode were really sneaky haha! I also thought they were ASCII bytes PowerShell decided to decode and give us, like Python does sometimes...
@kataleya · 2 years ago
I've been watching your videos for quite a while now and I thought you were quite a Malware Analysis genius. Then I saw Caleb's help and contribution to fully analyze that piece of code. He's the genius, finally you're Not THAT good ! I'm joking of course, please forgive me 🤭 Thanks for your great Work, very inspiring ! And thanks John for the hosting and the montage. Ahahah Cheers Mate !
@edward9862 · 2 years ago
Oh no... a YouTuber with their hands on their head, in a frustrated fashion!!! This MUST be important!
@vasanthakumar1249 · 2 years ago
Thalaiva ❤️
@ryancallahan2803 · 2 years ago
Awesome
@ItzRetz · 8 months ago
You're like The Lockpicking Lawyer, but with malware
@spyxd5245 · 2 years ago
I have no idea what I've just watched, but hey, here I am at the end of the video.
@supriyochatterjee4095 · 2 years ago
Fileless malware is the most advanced type of dangerous malware, for which each and every antivirus and security software company needs to give serious attention and improve their detection and removal capabilities and mechanisms.
@GrumpyGrebo · 2 years ago
Most APT use fileless vectors, a lot of antivirus products have mechanisms such as memory scanning to counteract. Registry scanning is a basic mechanism also. Many products run real-time heuristics to detect malware regardless of how it persists, based on what it is doing. Some processors even employ technology such as Secure Enclave to provide platform level resiliency against malware, but ironically there is malware that can compromise some of these platforms... so viruses that persist in the CPU of some computers.
@supriyochatterjee4095 · 2 years ago
@GrumpyGrebo Yes, big antivirus companies like Norton, Kaspersky, Bitdefender, ESET, Avast, McAfee, AVG, Sophos and Fortinet need to focus and give more importance to zero-day behavioral analysis, both on cloud and off cloud, so that fileless malware is detected much more efficiently; also the daily frequency of virus signature and database updates needs to be higher so that detection and removal capabilities can be improved much more.
@erithax · 2 years ago
Awesome video! Does anyone know the outro music?
@matthewmorton7231 · 2 years ago
Hey John, would you consider making a video re: the setup that you use to safely acquire and dissect malware files like this? It's something I've always wondered about...
@abandonedmuse · 1 year ago
Linux distribution like Kali or Arch running on a VM with no access to the internet and a buffer between your computer and the VM.
@askytune6019 · 2 years ago
THE HAIR, you look like anime heroes XD, love that
@Theultimatebohab7137 · 2 years ago
I'm interested in all of it...
@aaaron19 · 2 years ago
I have been trying to get your terminal theme, I installed zShell and exa but I can't seem to get it to look like yours? Did you install some theme, or have custom colors set in terminator?
@aston3982 · 2 years ago
I've signed up for the SnykCon and the CTF, should be fun. Can't wait for the video.
@ARIFF861 · 2 years ago
I have registered for SnykCon, but how do I register for the CTF?
@aston3982 · 2 years ago
@ARIFF861 There should be a checkbox you click when signing up for the event.
@ARIFF861 · 2 years ago
@aston3982 Only that?
@aston3982 · 2 years ago
@ARIFF861 I'm pretty sure that's how, but idk tbh.
@satkotech · 2 years ago
Malware creators watching this be like: "Noted."
@__theycallmeaadi3316 · 2 years ago
Yessir, I noted.
@Ange1ofD4rkness · 1 year ago
WAIT? They offer CTF competitions outside of just colleges? I only got to do this for one year during my college years, and really wanted to do more, but didn't think it was open to the public (I know this video is a year old, but now I know I can look out for them). (When I competed, More Smoke Leet Chicken was the best at these)