Uncovering NETWIRE Malware - Discovery & Deobfuscation

90,089 views

John Hammond

2 years ago

Make security 100x better in 2022 with Snyk's "The Big Fix" event! Get started here → j-h.io/snyk-bigfix
Help the channel grow with a Like, Comment, & Subscribe!
❤️ Support ➡ j-h.io/patreon ↔ j-h.io/paypal ↔ j-h.io/buymeacoffee
Check out the affiliates below for more free or discounted learning!
🖥️ Zero-Point Security ➡ Certified Red Team Operator j-h.io/crto
💻Zero-Point Security ➡ C2 Development with C# j-h.io/c2dev
👨🏻‍💻7aSecurity ➡ Hacking Courses & Pentesting j-h.io/7asecurity
📗Humble Bundle ➡ j-h.io/humblebundle
🌎Follow me! ➡ j-h.io/discord ↔ j-h.io/twitter ↔ j-h.io/linkedin ↔ j-h.io/instagram ↔ j-h.io/tiktok
📧Contact me! (I may be very slow to respond or completely unable to)
🤝Sponsorship Inquiries ➡ j-h.io/sponsorship
🚩CTF Hosting Requests ➡ j-h.io/ctf
🎤 Speaking Requests ➡ j-h.io/speaking
💥 Malware Submission ➡ j-h.io/malware
❓ Everything Else ➡ j-h.io/etc

Comments: 98
@plut4580 2 years ago
John, please do not ever stop doing this kind of video. As a student I really love them, they're super interesting, keep up the great job!
@MrSilkutz 2 years ago
I agree, these videos are super fascinating.
@verolyn8459 2 years ago
Ikr
@andrewmingst1797 2 years ago
I swear, I learn more on YT than in college
@jonharper5919 2 years ago
I love the journey John goes on in these videos. From "HOW DO THEY KNOW IT'S NETWIRE??" to "Oh here's a super unique obfuscation key that's an obvious IOC and they literally create directories named 'Netwire'"
@rstech10 2 years ago
I appreciate the dark mode. I watch these videos on break during my night shift. LOL Great job with the content. Your dissections make it look easy.
@zer001 2 years ago
Last week I dug into a .NET assembly with some base64-encoded strings in it. And thanks to John's videos I recognized the string and knew what to do with it.
@bbelsito 2 years ago
Thank you for doing more of these! They're my favorite type of video by you. I know you love doing CTFs because you enjoy it. Don't quit either series. Just know people love this series too.
@securedigitsplus 2 years ago
To be honest, I'm surprised that you haven't tried using Windows Terminal + SSH to connect to your REMnux box for these deobfuscation videos... That'd be pretty slick.
@y.vinitsky6452 2 years ago
Thank you John for using dark mode. I've been called a vampire since I was 17 :)
@kadoskreeper 2 years ago
More more more! I love just learning new things. I like how you notice things that are the same. This is so cool
@nv_takeout 2 years ago
Was super excited for this vid! Great watch and more valuable info! Thx John
@cdenver 2 years ago
Hell yeah! Thanks John. Love your content!
@quangvinhnguyen7649 2 years ago
Fantastic video! Hope you continue this series
@DM-qm5sc 2 years ago
31:40 I was getting worried that he wasn't going to upload the video
@davidsii4173 2 years ago
🤣🤣🤣
@letlaka8812 1 year ago
I just recently discovered CTFs and John, your content is GOLD! I am trying to transition into cyber security, thank you for all the work you are doing.
@joacoordonez1973 2 years ago
Thanks man. Love this kind of vid
@abdirahmann 2 years ago
"dark mode for all you vampires that watch my content" 💀 I'm dead John 🤣🤣🤣 19:58 that gave me a good laugh and energy to finish this video 😂 so good.
@jovanpoursamadi7477 2 years ago
John, would you care to do a piece on firmware/UEFI malware, its persistence and how to approach deobfuscation and/or removal?
@bullittstarter4408 2 years ago
That was awesome. Keep it up
@4Da_Tech 2 years ago
Good video, good content 👌 and always something interesting hidden 👍
@davidmarley5577 1 year ago
4D 5A is the hex representation of 'MZ', the magic string at the start of a Windows executable file.
@johnwickey4179 2 years ago
Can't wait.
@kubagow 2 years ago
Thank you, amazing and informative video. It's almost morning, time to go to sleep - The Vampire 🤓
@Paasj 2 years ago
Great tour..
@snakebite1538 1 year ago
Good job John
@donovanelliott9060 2 years ago
It makes sense why it works fine in Firefox but not with curl, because according to Cloudflare, error code 1010 means that the owner of the website has banned your access based on your browser's signature.
@jeffarends8843 2 years ago
The content is enjoyable and informative, as always. Keep up the good work!
@jasonb2221 1 year ago
Hi John, first time on this channel and so far your content is awesome! Wanted to know if there was a safe way for us to follow along with you.
@manoharbaratam8792 2 years ago
Fantastic
@blinking_dodo 2 years ago
Blindly search-replacing variable names is a VERY breakable thing. Imagine someone deliberately starting with a "Set aaabbbccc = myObject", and using "aaabbbcccqqq" and "CustomObjectqqq" further down. You are going to mess up when someone starts doing that.
@tobiwonkanogy2975 2 years ago
From the 10 malware videos I have watched, the method works very well most of the time.
@boomson3082 2 years ago
You can use exact match, which negates your point.
@blinking_dodo 2 years ago
@@boomson3082 Exact match doesn't care about what is directly after your search. Replacing "ab" with "x" in "abc" will still result in "xc".
@boomson3082 2 years ago
@@blinking_dodo It does though, I just tested it on my machine. Would you like a video? Go test it yourself. You can have it set to find 'ab' and it will find all, or you can have exact match where it does care about only ab and not abc. But either way, even if he didn't use exact search, the code would obviously stick out after the replaced text unless it was the exact amount of characters.
@doyoufeel...thatyoulackcri6760 2 years ago
Can't you just regex replace? I am no regex expert, but with something like w/word, shouldn't that find the exact word and not when it is part of a word? You can do that in Sublime, no?
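The thread above is about a real pitfall when cleaning up obfuscated scripts: a plain text search-and-replace of a short identifier also rewrites every longer identifier that contains it as a prefix. The script below is an added example written for this page, not code from the video or from John Hammond; the VBScript-like sample and the variable names in it are constructed to reproduce the exact case @blinking_dodo describes (`aaabbbccc` next to `aaabbbcccqqq`). It contrasts a naive `str.replace` loop with a word-boundary regex rename that tries the longest name first, which is the "exact word" behaviour the last comment asks about.

```python
import re

# Constructed sample in the style of an obfuscated VBScript dropper.
# The identifiers are deliberately prefixes of each other; nothing here
# is taken from a real sample.
SAMPLE = """Set aaabbbccc = CreateObject("WScript.Shell")
Set aaabbbcccqqq = CreateObject("Scripting.FileSystemObject")
aaabbbccc.Run "notepad.exe"
aaabbbcccqqq.CreateFolder "C:\\Temp\\work"
"""

# Analyst-chosen readable names for the obfuscated identifiers
# (assumed mapping for the example; keys are compared case-insensitively
# because VBScript identifiers are not case sensitive).
MAPPING = {"aaabbbccc": "shell", "aaabbbcccqqq": "fso"}


def naive_rename(source: str, mapping: dict) -> str:
    """Plain substring replace, as an editor's find/replace would do it.
    Renaming 'aaabbbccc' first silently turns 'aaabbbcccqqq' into 'shellqqq'."""
    for old, new in mapping.items():
        source = source.replace(old, new)
    return source


def rename_identifiers(source: str, mapping: dict) -> str:
    """Whole-identifier rename: \\b anchors both ends of the name, so a longer
    identifier that merely starts with a mapped name is left alone, and the
    alternation lists longer names first so the regex engine cannot match a
    prefix when the full name is also a candidate."""
    lowered = {k.lower(): v for k, v in mapping.items()}
    names = sorted(lowered, key=len, reverse=True)
    pattern = re.compile(
        r"\b(" + "|".join(re.escape(n) for n in names) + r")\b",
        re.IGNORECASE,
    )
    return pattern.sub(lambda m: lowered[m.group(1).lower()], source)


def leftover_obfuscated_names(source: str, mapping: dict) -> list:
    """Check step an analyst runs after renaming: any mapped name that still
    occurs as a substring means the rename was incomplete or collided."""
    return [old for old in mapping if old.lower() in source.lower()]


if __name__ == "__main__":
    print("--- naive str.replace ---")
    print(naive_rename(SAMPLE, MAPPING))
    print("--- word-boundary regex ---")
    cleaned = rename_identifiers(SAMPLE, MAPPING)
    print(cleaned)
    print("leftovers:", leftover_obfuscated_names(cleaned, MAPPING))
```

The naive version produces `shellqqq` lines and never finds `aaabbbcccqqq` again; the regex version yields `shell.Run` and `fso.CreateFolder` with no obfuscated names left. The same approach does not help with names that are substrings on both sides of a boundary by design (the `CustomObjectqqq` case needs its own mapping entry), which is why the leftover check is worth keeping in the workflow.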
@slamscaper128 1 year ago
I would LOVE to see some beginner-friendly tutorials on Python and JavaScript. Any plans for videos of that type? Thanks for your content!
@agoodshadow 2 years ago
Let's start 😁
@hypedz1495 2 years ago
Ah yes.. John.. John Hammond does it again
@mathieucartier2678 2 years ago
Hello John Hammond, could you make a vid on your Ubuntu VM, the settings you use and themes? Thanks, love your vids
@rkgnanesh5465 2 years ago
Hi John Hammond, please do an analysis on the XMRig miner software, it shows a lot of red flags in malware scans
@user-uj8bo5bc7e 2 years ago
Very nice video! One question. I am sharing data from REMnux to FLARE VM, but when I look at the paths, they are interacting like local data. How do you build such a lab environment? I am interested because I always use KVM to share files over a virtual network.
@ivailopashov4463 2 years ago
I was waiting for months for a new malware video lol
@TheSecretDev 2 years ago
Excitement!
@MemesandLeague 2 years ago
Hey John, great video as always. Intezer is great! I am scared for what will happen with the upcoming Ukraine and Russia conflicts
@snakebite1538 1 year ago
That's right John, because my Z Flip AT&T phone front screen was completely copied, completely compromising my accounts and device keys
@lorenzcyber 2 years ago
nice video ^^
@scottch4444 2 years ago
CyberChef would make your life easier at times lol.
@hamadkhan7236 2 years ago
Why would something not respond to curl but to a browser? 10:25, didn't know that could happen.
@casper64 2 years ago
The context of a request with curl is different, for example the user agent is different, so the server would know the request didn't come from a browser.
@tikkj 2 years ago
Love this content. I know precisely nothing about coding, but this really makes me want to pick it up - the logic is pretty straightforward to follow even though I couldn't replicate it, and it just looks like a really interesting puzzle.
@AgeofReason 2 years ago
PATRICK LIKE "CODING" PATRICK BE A "CODER," SPONGEBAHHB
@ripcityraider9469 2 years ago
I love how happy and giddy you get when you figure something out. It's adorable, but I know deep down there is a serial killer in you. ;b
@4Da_Tech 2 years ago
Ohhhh spicy
@Tronic48 2 years ago
What's the song in the outro called?
@luthfisukma9787 2 years ago
Do you use Linux for daily use??
@dani3l3_ 2 years ago
cool
@abdulalimmahir 2 years ago
Hey John Hammond, can you please make a video on configuring Ubuntu as a lab? I was trying to set up the latest Ubuntu LTS version, but somehow when I install some git software (specifically: portkali), the whole GUI crashes and it boots only into the terminal. I tried different articles to install the GUI or boot into it, but no outcome. I maybe tried 4 times over 3 days, but it didn't work. Also, my Ubuntu navigation wasn't great; I don't know if it's that I am not used to Ubuntu or it's just like that. But yeah, hopefully you can help.
@omega3fatass61 1 year ago
arch based
@bhagyalakshmi1053 10 months ago
Work headel
@cameronsmith1807 2 years ago
That thumbnail though.
@bhagyalakshmi1053 9 months ago
Vir ,ras data definitely
@guilherme5094 2 years ago
👍!
@razaullahkhan8099 1 year ago
Sir it is very super hacker has gone some time attack thanks
@snakebite1538 1 year ago
I'm laughing John, we're going to get justice for all
@pedallknife 2 years ago
Once again, wonderful shit sir. Keep it up!
Once again, wonderful shit sir. Keep it up!
@raremc1620 2 years ago
You should take a look at some Discord/"test my game" malware
@snakebite1538 1 year ago
Entertain me John
@vpnonline5897 2 years ago
U have play scary movies 😄
@activelearner9924 2 years ago
Santa is losing Christmas gifts
@snakebite1538 1 year ago
Maybe that's because I didn't put an image, because I don't know how someone else is to blame
@activelearner9924 2 years ago
My friend's laptop recently got ransomware, DJVU file type, March 2022, file type xcbg
@nonlinearsound-001 2 years ago
Browsing through LOLBAS and the possibilities in findstr alone make me wanna puke. And there is so much more available in the plethora of tools and binaries MS ships to their users in Windows ... and most of these things can be run under a simple user account, not even local admin or alike.
@bhagyalakshmi1053 10 months ago
Not working
@joeborders 1 year ago
20:00 We set dark mode because light attracts bugs.
@bhagyalakshmi1053 9 months ago
Rat Cat Detyls.
@bhagyalakshmi1053 9 months ago
Agent
@Jonesy177x 2 years ago
ITS A MONKEY OVERLAY
@bhagyalakshmi1053 11 months ago
Siml litre size small
@bhagyalakshmi1053 9 months ago
SMTP server files
@ctf59 2 years ago
Did everyone happen to stop at 665?))
@Theultimatebohab7137 2 years ago
Man, all I hear is "haha you're never getting a job once you get out of school now!!"
@bhagyalakshmi1053 10 months ago
Community video is video nost
@shawn8163 2 years ago
4D5A MZ
@bhagyalakshmi1053 1 year ago
Employee is blind. This work?hot what this time 10
@HTWwpzIuqaObMt 1 year ago
Random comment. I just installed subl on Kali and it's fucking cool lmfao
@activelearner9924 2 years ago
help
@bhagyalakshmi1053 10 months ago
Iocs
@bhagyalakshmi1053 11 months ago
My community collection to click skills and tools 25 you explaining the videos I can I have in the purview handling in the file handling never to you want handling you should me your decision what my handling is why what's your opinion opinion pass for your reply place
@hingewichsterfick 2 years ago
premieres suck
@bhagyalakshmi1053 9 months ago
Agent dells explaining . Madl work headel '4wondrs' looking.
@bhagyalakshmi1053 9 months ago
This video zoom add files cod opening 🪟 asml
@snakebite1538 1 year ago
Entertain me John