I came to see what this was. Was going to watch for 5mins... stayed till the end and wanted more 😄

This video is just an artistic description of how much John hates tangent functions

Realising that entire ascii value-ish blob of nonsense was the actual malware, which was executed as string joins, has been a truly astonishing upload. I've never expected this'd be my morning

That switch to dark mode killed me 😂 Google was like "HACKER MODE ENABLED"

Probably the tangent stuff was intended to send a malicious person on a tangent. This was fascinating to watch.

When he sad "Now we're getting to the real malware", that's when I started not understanding anything anymore

Thank god im not the only one what looks up these functions, reads the documentation, and the first words out of my mouth are "but wtf does that even mean"

"I'll secure my malware by obscurity". Nice

Those random, doing nothing functions such as the excessive amount of sleeps and tangent functions are to evade from anti virus sw, that checks for hashes and heuristics. Those are added progressively with each version of the virus.

So in VB, you can have arrays that can indexed in anyway you choose, and this can be chosen per array. If you wanted, you could have an array that's valid indices were 5-10. The purpose of LBound and UBound is to determine what that range is for a given array. LBound(array) returns the lowest index while UBound(array) returns the highest index. This allows for a generic loop structure of For i = LBound(array) to UBound(array) stuff using array(i) Next

"Lol. Let's just copy paste some random function a couple hundred times. There. Obfuscated. I'm a genius." -some bad guy, probably

"I swear I've done this before." - Famous last words

If the hacking action in hollywood movies are "real" like this, those movies would take hours before finish

To quiet a few annoying trolls, in this video I mistakenly said "I can't run a VBScript file because I'm running Windows right now". If I were on Windows, I could certainly execute the VBScript. I should have said "I'm running Linux" because I am clearly using Linux for this showcase. (You can still partially run VBScript code with Wine on Linux, but your mileage may vary)

If i remember correctly, those tangets were called 'sandpiles', random piles of odd maths with completly randomized variables, was used to hide the first steps to decode stuff.

Just when I was saying "he is wasting his time, this code is just a troll joke" you made the @@@@@ magic and BOOM! you found the cake! ^_^ Thanks for sharing your skills John! Really appreciated

Me: Uh wow that's a long video. Let's watch it for 10 minutes and save it later. 40 minutes later - *subscribes*

This reminds me of a situation that happened at a client I was consulting at in the late 90s (it might have been ILoveYou, but I can't remember). An e-mail with an attached .vbs file was running rampant on user's machines. They finally stopped it, but they had no idea what it was doing. Since I had VB experience, I was asked to dive in and see if I could figure it out. The code was obfuscated in many ways similar to what Hammond runs into in this video, but I finally figured out what the code was doing....and it was pretty nasty.

Him fighting the ragex is literally me, tears roll down my face everytime.

What lifeOverflow has taught me: if you see a long string, there must be some decoding going on. So ignore the junk code and go straight to the decoding loop. Then you can get the return value of that decoding loop (or just the value you end up with when the decoding is done) and go around with it. Removing all of those /Tan functions is time wasteful

I really enjoy these kinds of videos; fast-paced unnedited breakdown of malware ur a legened

Just here to say you should definitely do more of these

That first tag said "HAAAAA" because it was mocking you. It realized that it actually managed to stop you from reading the file

This was a great work-through! I loved watching your process! As a soon-to-graduate CS student, this brought a lot of stuff into focus, especially on how to work through these kinds of problems!

Will you be making more Malware Analysis videos?

I love learning with you! It’s always interesting and I feel like I’m learning along side you rather than being taught.

I'm only about 20 minutes in, but it's interesting to see this idea of a program obfuscating it's own code, then during it, possibly rebuilding it so that it can bypass virus detection. If that's what this thing is doing it's kind of brilliant if that's even possible. It seems like it has strings of characters that it's joining together, recursively. If, after all of that it used that newly made string for something devious, that's pretty interesting.

I almost died of pain in the RegEx part. Function .+[\s\S]*End Function Would do it

why did I just watch all of this and enjoy all of it... I'm really realizing how little I know about computers now

Interesting how the code was hidden behind some random garbage. Even the tangent functions make some sense now

I always enjoy seeing your thought process in malware analysis. Good stuff!

I just got into learning IT and im very interested in coding. As I search more about coding, youtube recommends me videos like this. So You really got my attention by that caption. You got me even more hyped up about this all and you just earned another follower!

The way you un-obfuscated that code was inspiring.

It may sound a bit weird, but I love seeing you struggle with some things. Thanks for recording the whole thing. What matters the most to me is to understand your thought pattern and how you resolve the problems you encounter.

This was highly entertaining and enlightening! I'm taking a programming training course for the next few months, and having a glimpse into the wonderful world of cybersecurity like that, especially since it doesn't seem too complicated to decode, was really nice :) Subscribed! Cheers!

Randomly popped in my recommendations and I enjoyed every second of it! great job :) subscribed

Houdini, he's the creator of H-worm an Arabic developer specifically from Algeria

As someone starting to work in the coding/IT field, it blows my mind that someone made something this thorough.

Fascinating stuff - thank you. Makes me realise now why I switched my brain off to learning coding when I was young. Just crossing my fingers that my yearly purchase of Bitdefender can cope, or that I remember to back up my drive very often!

new to this channel but already learning a lot.. just combine John's content with memory forensics and you have your own forensics course. Great John. Please keep the spirit up.

"Hashtag, at sign, tilde, karat, *haaaa*" why is this so funny

The last man using sublime text

Hey John! I'm currently in school for CyberSecurity. Your videos are always interesting and I enjoy watching them in the background while helping myself code. Thanks for the content man :)

yeah more of these, this video I really enjoyed and it was suspenseful, funny. Great workflow how you rename the functions to map a picture

You're like if Seth Rogen was a computer guy instead of an actor

I prefer to let the code decode itself and then just pulling out what you need from hooking API calls or memory, but manual deobfuscation can be fun every so often.

Loved the video man. Also a lot of the comments were really helpfull on getting a better understanding of what was going on with the first huge piece of code!!!

I'm addicted to these videos. I learned more here than many other places. Keep it up bro!

That was interesting! Thank you, I had a lot of fun

Man I laughed so hard when you were trying to beautify the VB code. My company still maintains some VB6 code , its like a blast from the past. VB studio does not even allow wheel scrolling.

This was REALLY awesome to see you dive into this. Definitely would love to see more of it. :)

This was fun to watch and I enjoyed seeing your process of "un-obfuscating" the code

I love how @25:00 he is the embodiment of "if you have a problem you are trying to solve with a regex you now have 2 problems"

26:00 im buckled in and commited to watching the struggle we are all too familiar with

I genuinely enjoyed this video!! Tbh this video got me motivated to learn more programming so that I can analyze malware. Can't wait to see more !!

Its refreshing watching a professional break down a malware code into understandable code ; Great content man

The regex for getting the line to work would've been [\s.]* ([] For characters to recognize, \s for any space character, . For any other char)

I just love how he stares into the void for a bit before he starts talking

It got real juicy after second stage. I loved this video way more than I thought I would. Keep up the good work man!

That was impressive, thanks for showing us the setp-by-step process !

At 29:56 you can see it's using windows new line which is 2 characters and (CR & LF) (Linux is only ), so in your regular expression you should have used . Also, in vb you can declare arrays from any index to any index, so you can make an array like "Dim my_array(10 to 20) As Integer". LBound will return the lower bound = 10, and UBound returns upper bound = 20

This is surprisingly fun for me

very good walk-through, please do more video like this. Very informative

Good stuff John. I would really love to see more videos like this. Botg instructive and fun... You got my subscription with this one.

The premiere is perfect for this format of video. Feels live, but I think you as the creator can concentrate on chat + the hacking at the same time 👍🏻👨‍💻

Oh, Houdini! I remember having to deal with some variants of it before! It wasn't prevented by AVs back then. Luckily, they *did* block the extra downloads, so the infection wasn't too serious, but every USB drive ended with all files hidden and links to the VBE added, posing as the files. They did open your files after reinfecting your machine, so did not know anything was happening at all. The first couple times I had to deal with it I did manual cleanups of the systems and the drives, then more variants started coming in so I exploited the infection check and local update mechanism to make my own fake infection for our machines. The script thought it was running and that my version was newer than the ones it knew, so it did not replace it. EDIT: And most new "re-releases" of Houdini or Dunihi are pretty much the exact same script with a different hostname and a different packing added to mess with its signature.

Watching this video brought me back to my days of studying for the OSCP. I enjoyed this a lot more than I thought I would.

Only 10min into the video and i already like it. I enjoy how you explain everything step by step!

Those tan functions and the weird functions at the end did just what they were supposed to; you spent twice as long messing around with those puzzles than it took to figure out the core code! :D

this was somehow even funnier than every meme channel combined

John! Glad to see you diving into malware analysis/maldoc

I'm in the process of changing careers and learning how to code. This was so fascinating to watch and really really inspirational watching the analysis with use of logic and knowledge of syntax across languages. It might seem easy to some people watching, I'm not sure lol. But to me this is magical to watch, I loved every second. I hope I can be this good some day.

comment: "nice vid" purpose: "algorithm"

Could the tangent lines be written to literally send you on a tangent as sort of a play on words

As soon as you stopped yourself to go back and explain the keyboard shortcut, I subscribed. Keep up the good work.

I didn't think I could watch the entire video, but following your thought process was just super fascinating. Would be super interesting if you did a video about your workflow. Tools,Extensions and maybe some neat resources.

It's just crazy how many people stay here because they relate to what you're doing :D. I love your content and I'm actually amused by watching something close to what I do every day.

9:09 It's always satisfying to find some actually humanly readable source code stuff 😅

This was a really awesome video, John! Thanks for always giving great content!

I love that you sound so professional and you also are

Doing KZfaq algorithm 'things' and expanding it.

Learned a lot from this video. Please do more of these videos!

I found it very cool that you were figuring it out as you recorded the video and showed all the troubleshooting though processes.

Hello, I just stumbled o to your channel! There is something weirdly relaxing about not having any cuts, or being able to follow the entire discovery process.

this is more interesting than a suspense thriller movie

I love how he describes his interaction with this vbs script as if he and it danced together.

I had nearly no hope for this to be an interesting video but I was bored senseless. Yet you delivered! Well done, I subscribed for more.

I did not expect to watch as much of this as I did! Great video!

More malware analysis please!!!

"More tangent functions, DIE" AHAHA

I have been wondering what Malware Analysis is like, This video is awesome. Thank you for sharing!

this is so satisfying to watch I was like I'm going to go watch an episode of a serie and than change my mind like nah I'm just going to watch a short KZfaq video and sleep but here I'm at the end of the video.

pretty cool.

25:19 was my every regex experience ever.

I have a cursory understanding of programming. Not enough to write a program myself, but enough to sort of follow along. I'm 20 minutes in, and this is great. Why is this so interesting?!

cool! really like watching you walk through your process.

Google: "You are now using Dark Theme" No shit, Captain Obvious!

Me, randomly finding this video and have been learning C# for the past four months, staring at the end of every line: "... Where is it? Does this world know no law and order?"

I've seen these obfuscated vbscipts before, even deconstructed them a bit (but not to it's conclusion like you did ). Never thought I would see parsing a vbscript on KZfaq, this was fun!

I learned a lot from you man, thank you very mush and thank to the community