The King Of Malware is Back
Рет қаралды 189,719
Жыл бұрынHelp the channel grow with a Like, Comment, & Subscribe!
❤️ Support ➡ j-h.io/patreon ↔ j-h.io/paypal ↔ j-h.io/buymeacoffee
Check out the affiliates below for more free or discounted learning!
🖥️ Zero-Point Security ➡ Certified Red Team Operator j-h.io/crto
💻Zero-Point Security ➡ C2 Development with C# j-h.io/c2dev
🐜Zero2Automated ➡ Ultimate Malware Reverse Engineering j-h.io/zero2auto
⛳Point3 ESCALATE ➡ Top-Notch Capture the Flag Training j-h.io/escalate
👨🏻💻7aSecurity ➡ Hacking Courses & Pentesting j-h.io/7asecurity
📗Humble Bundle ➡ j-h.io/humblebundle
🐶Snyk ➡ j-h.io/snyk
🤹♀️SkillShare ➡ j-h.io/skillshare
🌎Follow me! ➡ j-h.io/discord ↔ j-h.io/twitter ↔ j-h.io/linkedin ↔ j-h.io/instagram ↔ j-h.io/tiktok
📧Contact me! (I may be very slow to respond or completely unable to)
🤝Sponsorship Inquiries ➡ j-h.io/sponsorship
🚩 CTF Hosting Requests ➡ j-h.io/ctf
🎤 Speaking Requests ➡ j-h.io/speaking
💥 Malware Submission ➡ j-h.io/malware
❓ Everything Else ➡ j-h.io/etc
@JordanFromIT Жыл бұрын
That VBA brute force method for removing worksheet protection is kinda interesting. My favorite technique for removing worksheet protection is to open it as a zip file and edit the sheet xml file to remove the sheetProtection key
@_JohnHammond Жыл бұрын
This was another option in that article that I admittedly tried first, because I didn't think the VBA brute force method would be so fast. I tried to extract it as a ZIP, but for some reason it couldn't pull out the /xl/ folders and files within it. I should have kept that footage in 😅 Either way it is an awesome trick to know for the future!
@andreasrothenhauser5352 Жыл бұрын
Never thought of unprotecting sheets. I usually just dump the contents with ssconvert (gnumeric) and do some regex to clean up the output.
@GrundGad Жыл бұрын
Not sure the xml method still works. 😅
@zkdr6278 Жыл бұрын
wait a minute, you can hack protected worksheets? That's where I keep all of my passwords 😳😳
@pcsecuritychannel Жыл бұрын
Love the title, king of malware, from imhotep to emotet. :D
@CattopyTheWeb Жыл бұрын
LEO! Didn't know you watch him. Nice to see you here.
@jony9867 Жыл бұрын
I'm too new to understand this
@CattopyTheWeb Жыл бұрын
@@jony9867 understand what?
@jony9867 Жыл бұрын
the joke
@_JohnHammond Жыл бұрын
GREAT TO SEE YOU MY FRIEND, thank you for the support!
@scoobsmcgee9325 Жыл бұрын
The E4 and 5 are short for epoch 4 and 5. They are the specific botnets used for the campaign.
@JacobKent Жыл бұрын
I would love a follow up video with some more digging.
@charlieisacatwithseizures Жыл бұрын
Please make more videos like this! I love hearing about the latest malware news, and having you give us insight into how it actually works using demonstration is really helpful!
@jackbillau Жыл бұрын
I like how the placement of your mic changed your T-shirt's logo from WARNING to WANG
@jarekmillburg9170 Жыл бұрын
Amazing video John, great way to show us the concept as well as some cool techniques about the password protected sheets.
@sagivmichael405 Жыл бұрын
Great video! although I would love to see a dynamic anaylsis of it! don't be intimidated by making long videos, believe me we all kind of sad when the video ends quickly haha
@Rostol Жыл бұрын
Dear John, one of the fastest ways is to add the Developer tab to excel (file->options->customize ribbon then add it from the right list) and from there you can click macros and view all the embedded or stand alone macros edit: not as a workaround to unprotect, just to see all macros on all sheets, hidden or not. the vba brute force method was BRILLIANT, Loved it!
@andrewcapps8211 Жыл бұрын
IS THIS WHY EVERYONE ALWAYS TELLS YOU TO BE CAREFUL WITH DEVELOPER OPTIONS??
@chocapic2373 Жыл бұрын
Dude, I just discovered your channel today, and I can't stop watching. Yeah, you cover subjects I'm very into, but also your narration and depth of work really can keep my attention. Cheers from Poland, keep rocking, king!
@zachelkins1229 Жыл бұрын
Just getting into info sec as an interest and got suggested this channel. This was really interesting to me. I remembered some of the basic programming you could do in XL from an intro level class I took some years ago. It's both surprising that it's being used this way and that it took so long for somone to try and abuse it (though I doubt this is all that new, just new to me). TL:DR thanks for the vid and the neat examples to go with the warnings.
@TheHaircutFish Жыл бұрын
Another great Video John, I do enjoy when you don't know something and show us that you go to find it. It shows us that even the Pros need to look up stuff, and not to be hard on ourselves for not knowing something, so thank you again!!
@affiliateanimalistic9607 Жыл бұрын
Yes and do it day to day basis 😐
@YachtyBurner Жыл бұрын
@@affiliateanimalistic9607 🤨
@ryanolsen294 Жыл бұрын
@@affiliateanimalistic9607 lol
@KA-NV Жыл бұрын
I absolutely love your videos. The way you explain things to make them simple to understand is amazing.
@TheMAZZTer Жыл бұрын
Regarding bypassing the macro protection, in order to place files in the templates folder, you need to be admin (since the location is otherwise read only). Once the user is willing to perform dubious actions as an administrator for the malware author... there's not much you can really do to protect them. Raymond Chen would likely classify this as one of the "other side of the airtight hatchway" type of "exploit".
@PlanetEleethal Жыл бұрын
Thanks for the awesome insight, as a malware analyst by trade I actually ran into some of these new samples yesterday.
@makal4966 Жыл бұрын
Like the trail and error playarround tinkering video's :-). Hope you will go further with this dll "unpacking" you just showed us. Great stuff
@salihtaysi Жыл бұрын
NOO! You cut some out one of my favorite arts of your videos, which is the deep dive investigations and playgrounds. Could it be possible you release a more lengthy version of these videos, as well as the shortened videos? Watching your investigation helps so much with all those hidden gems you reveal (example, "code written in excel cells but turned white and hidden" really helps formulate new ways of perceiving the situation, especially for us n00bs :P) great video!
@Ancipital_ Жыл бұрын
Thanks, Turbo! Good video. Would have enjoyed see you dive in a little deeper though.
@atsekbatman Жыл бұрын
Thank you for that showcase! Very interesting...
@OneOfThePetes Жыл бұрын
Nice work mate :) Those old office formats are a nightmare. I remember they use some crazy compound binary file system that's a bitch to parse. MS-XLS Compound file. OLE. (google cached result are different to where M$ redirects to). There are some good resources online where people have poked into it more. I'm not a security researcher. I just needed to find the "Content Created" date (not the "Created Date") of all files on a filesystem at my workplace, a few years back (GDPR, blah blah blah). My weapon of choice was PowerShell. Easy with the newer formats, nightmare with the older formats. Absolute time drain looking into it. I did get it done though. Thank fuck for other people's research. Fascinating subject though! [/nerd]
@elouahidiahmed9522 Жыл бұрын
Great video, thank you so much for sharing!
@6YJI9 Жыл бұрын
I agree with some of the other commenters in that I'd love to see you do more lengthy deep dives in investigating these types of things. I don't believe I've ever watched any of your videos before, but have already subbed considering the value you provided in this video alone. But as someone who has always had an interest in learning more about cybersecurity and wanting to actually go into a cyber career field (I'm currently in IT networking & desktop support), those types of indepth videos will truly be beneficial for many of us who are looking at deepening our knowledge in the field, if that makes sense. Thanks and looking forward to seeing more videos from you!!
@Avaez Жыл бұрын
Man I had this running in the background and when John read the "Ivan is in need of some cash again so he went back to work." I said out loud, "True...wait" The whiplash I had when I realized John wasn't referring to me lmao
@xenostim Жыл бұрын
I read this as you had emotet running in the background lol
@rudigerheissich9800 Жыл бұрын
Any chance you deobfuscate this in another video? I love your malware analysis vids
@chaoslab Жыл бұрын
A little brute force password cracking VBA script. Isn't that one of the cutest things you have ever seen?
@bammer800 Жыл бұрын
Brilliant vid. Learnt so much
@DarkFaken Жыл бұрын
This was really awesome, thanks John
@guilherme5094 Жыл бұрын
Thanks John👍
@jabowah Жыл бұрын
I like the part where your shirt says "WANG" due to the mic hiding some letters.
@friedrichschlundt8734 Жыл бұрын
Interessting thx für thus great explain video!👍
@SkeeterPondRC Жыл бұрын
Awesome to see TheAnalyst getting a shout out!
@Polandisch Жыл бұрын
Great video! Thanks!
@dree2228 Жыл бұрын
Extremely weird to see someone from my high school in my recommended, especially when the school was so small! I was a senior in drama when you were a freshman - fun to say I have an answer for the most famous person who went to my high school :)
@_JohnHammond Жыл бұрын
Oh dang, now I need a hint as to who you might be :) I was doing theatre right there with you!!
@dree2228 Жыл бұрын
@@_JohnHammond Haha! My name was Josh (Curtis) at the time, but it's Adrienne now. My career is in medical IT, but I do love content about the spicy stuff ;)
@c0m372 Жыл бұрын
This is a Diamond 💎, Great Sir 👏🏻👏🏻
@dorky5256 Жыл бұрын
Fun video! Little thing though: You turned off your internet when you were looking inside de file, but it was turned on again when you executed the file... I don't think that was intentional.
@poiu477 Жыл бұрын
E4 and E5 are Epoch 4 and 5 and are seperate botnets, they could be separate factions or the same faction running multiple generations of software
@Jeeeee-in6hi Жыл бұрын
After messing with this following your tutorial I am shocked they didn’t make use of the Macro command to create an alert. Prompting the user to save the file in the templates. Making it look like a windows alert.
@_JohnHammond Жыл бұрын
Well, unless I am not following, they wouldn't be able to invoke an alert, because they cannot run macros at that point? They would need the file moved to the Templates folder before they would be able to pop open a prompt asking them to put it in the Templates folder 😅
@Jeeeee-in6hi Жыл бұрын
Yea you’re absolutely right 😅 lol I’m dumb and new to cybersecurity so if I can make excel docs execute stuff I get overly excited! Classic noob stuff here. 😂😂
@BWAC Жыл бұрын
Wheres the best place to download the malware? i've got a windows 10 box with a non functioning network card that would be cool to play with this. Especially as I swear every modern virus is an excel document with a bad config
@Rishi_Prakash Жыл бұрын
He is the only guy that brings something mind blowing.🤩
@ChristofferNehm Жыл бұрын
I would love a video of how you set up a fresh Kali VM
@MsDuketown 6 ай бұрын
This is a huge gem, a hidden niche.. You'll see tousands of walk-throughs videos setting up the Linux Desktop post-installer and WM's, yet I've never seen one how to do a fast install to get an InfoSec environment up and running, totally updated to get started. Given the number of global OpSec students, I'd say this will be a hit.
@anonymoustm2997 Жыл бұрын
great vid keep it up
@d0h Жыл бұрын
I believe E4 vs E5 varients are based on the type of Excel macro is being used. (Excel 4 vs Excel 5)
@batchampa Жыл бұрын
Does excel still not have an option to just view all macros in a sheet?
@toobangbass2144 Жыл бұрын
Emotet never went away John! It's still prevalent.
@abdullahsiddique6393 Жыл бұрын
Finally, upgrade! Shure SM7b 😎
@sandra8139 Жыл бұрын
Top Jack ryesider video John is one that using On me right now
@LouisSerieusement Жыл бұрын
that was so cool, in a bad way ! thanks
@gabriels6425 Жыл бұрын
Love videos like this
@codingblues3181 Жыл бұрын
How do I get rid of malware installed by state actor?
@threatgamingexp7686 Жыл бұрын
SeeDosRun is the "fix-all"
@moonbase.alpha.one. Жыл бұрын
Thought this was going to be about Limewire!
@BMSworldNZ Жыл бұрын
Why do we still allow anyone and everyone to register a domain without any form of formal identification?
@MattRose30000 Жыл бұрын
or email adress...
@stevenbryant1011 Жыл бұрын
@@MattRose30000 don't they? Doesn't the email come up on a whois request?
@vm4026 Жыл бұрын
what would you say the risk of this malware is? low risk, medium or high risk? and why? thank you
@omiorahman6283 Жыл бұрын
please cover the SpinMaze virus
@bhagyalakshmi1053 11 ай бұрын
Regulators what master volume hie please
@sibsec7660 Жыл бұрын
Does anyone know where it is possible to download the malware file for analysis?
@tatatotz Жыл бұрын
This gonna work on linux.?
@Jeeeee-in6hi Жыл бұрын
Lmao I died on the reading of the random folder!!!
@lancemarchetti8673 Жыл бұрын
Awesome!
@logiciananimal Жыл бұрын
I assume that directory under Program Files etc. has its default ACL - Microsoft does say never to give world-write here, ever. So there's that. (Assuming Microsoft is eating their own dogfood here.)
@logiciananimal Жыл бұрын
Yup! Good.
@SetYourBarTo10 Жыл бұрын
Oh, that’s interesting.
@leqyugaming5499 Жыл бұрын
Now I completely understand why we shouldn't click random Offices file
@whtiequillBj Жыл бұрын
I heard that Microsoft was going to disable xlsm or xlsxm files. when is that supposed to happen?
@guitarware Жыл бұрын
I’m here for the example samples 😂
@Q-Ball. Жыл бұрын
The analyst has a fire profile pic
@SethAurelius94 Жыл бұрын
Wonder if Emotet is what's fucking my PC. Tronscript only kneecapped it. Eset, Kaspersky and MBAM can't figure out what's wrong and my c drive keeps filling slowly.
@KenSherman 10 ай бұрын
Trying to read your 👕: WARNING _Cyber Security Proposition 65_ ...code... What does the rest say and what does it mean?
@krishnendusarkar-fj1yv Жыл бұрын
done
@JW-yj3cy Жыл бұрын
E4 / E5 == Epoch 4 / Epoch 5... it's botnet specific.
@MsDuketown 6 ай бұрын
64-bit time_t is a powerful integer. The integer overflow error will occur at 03:14:08 UTC on 19 January 2038. But various OS'es and language took various approaches to the problem so the specialists studying this Emotet beast since 2014 are more familiar with these type of programmatic innerworking of the blobs floating all over the internet. Programatically, a calc like this (E4 / E5) could make sense if you calc dates and times using 32-bit tm_year, so the logic will handle most architectures and scenario's. If it's an old feature, you'll probably see it transitioning along the crypto methods in use.
@jamalyarfoor5798 Жыл бұрын
I don't understand anything. Where to begin?
@codetutor6593 Жыл бұрын
Think Ivan implies a leader of a country in a 'special military operation'?
@DefconUnicorn Жыл бұрын
Those search suggestions for "unprotect..."
@IceWizRd Жыл бұрын
can you build another jurassic park with better security
@mckaymusicTV Жыл бұрын
Holy shit my personal email that I rarely ever get out has been RAVAGED by spam for the last week. I was wondering what the hell was going on! Thanks god I know how to spot phishing but there are millions that can’t 😔
@cutsign Жыл бұрын
Dude it’s 2022, wtf is XLS malware doing!
@Computerism Жыл бұрын
👍
@oppastoppa3496 Жыл бұрын
it’s called Eulen
@crageth Жыл бұрын
I just wonder why Templates shouldnt use protected view. Why this is even a "feature"
@DissonantSynth Жыл бұрын
Commenting for the algorithm
@abandonedmuse Жыл бұрын
I wonder why most of them are being targeted towards Italians? Frattura means invoice. At first I thought it was also Spanish but no, they are all either in English or Italian. What does Ivan have against Italians? Or maybe the person that took Emotet is Italian?
@user-js7ud9du2y Жыл бұрын
personally i would just use google sheets
@CattopyTheWeb Жыл бұрын
The King Of Malware has woke again!
@corners1733 Жыл бұрын
cool
@Kodo9mm Жыл бұрын
how did he create a shortcut copy of that excel file so quickly?
@fliporflop7119 Жыл бұрын
1: select file, 2: control+c = copy , 3: control+space = deselect, 4: shift+f10+p
@zkdr6278 Жыл бұрын
lmao that's a lot of work to ask from an end user. "I gotta copy what now where??" *grandma adjusting glasses* This is like if someone said "please put your credit card number in this box 👉👈
@Slime-xs6si Жыл бұрын
I'll be honest. I heard the title, and saw your name john. I thought john mcafee had come back from the grave.
@ekistic Жыл бұрын
Windows, Excel, is that even still a retro thing? Next thing we’ll see floppy disk viruses make their come back..
@Bishal101 Жыл бұрын
Dude do you have a side gig as a DOTA caster? Me trippin' FR
@mackenzie9712 Жыл бұрын
wait what do you mean “emotet” isn’t short for the emo rock band quartet known as My Chemical Romance
@Nightfighter82 Жыл бұрын
I'm getting spam shares of documents in Google Drive and just delete them without opening them put people that don't understand fishing attacks and other malicious attacks might open them.
@cherifoulayediallo7852 Жыл бұрын
Why Emotet is the King Of Malware?
@MattRose30000 Жыл бұрын
That's why you don't give your employees Admin rights unless you know they have at least some basic security literacy.
@bhagyalakshmi1053 11 ай бұрын
Regular letters
@oppastoppa3496 Жыл бұрын
i need you to analyze a largely used .exe file
@seb_gibbs Жыл бұрын
I've spent nearly two years writing software just to compact this virus. If anyone is having a major problem getting spammed with emotet emails, DM me.
@PriceActionResearch Жыл бұрын
Copy Paste All Red Text, Throw in Notepad++, Then Remove All Spaces, Null Characters if any. It will slam all the code together. ....COME ON MAN.... ;)
@donihilism1394 Жыл бұрын
Windows is just like just pulled a robocop .-.
@MsDuketown 6 ай бұрын
yeah, but xcopy wasn't supported in robocopy.
@Niko-te3wp Жыл бұрын
jokes on you i dont even check my email
@user-we7he7jo9v Жыл бұрын
Skydoesminecraft has changed
@0RespectMyAuthority0 Жыл бұрын
Boeing (child company jeppesen) was hit with a ransomware attack on the 4th.. related?
Scary Teacher Gaming
Рет қаралды 55 МЛН
AI Explained
Рет қаралды 57 М.