Unraveling a REMOTE ACCESS TROJAN (VBScript Deobfuscation)

Рет қаралды 159,605

Жыл бұрын

MASSIVE thank you to Snyk for sponsoring this video -- try Snyk FOR FREE and find vulnerabilities in your own code! j-h.io/snyk
Help the channel grow with a Like, Comment, & Subscribe!
❤️ Support ➡ j-h.io/patreon ↔ j-h.io/paypal ↔ j-h.io/buymeacoffee
Check out the affiliates below for more free or discounted learning!
🖥️ Zero-Point Security ➡ Certified Red Team Operator j-h.io/crto
💻Zero-Point Security ➡ C2 Development with C# j-h.io/c2dev
🐜Zero2Automated ➡ Ultimate Malware Reverse Engineering j-h.io/zero2auto
🐜Zero2Automated ➡ MISP & Malware Sandbox j-h.io/zero2auto-sandbox
⛳Point3 ESCALATE ➡ Top-Notch Capture the Flag Training j-h.io/escalate
👨🏻‍💻7aSecurity ➡ Hacking Courses & Pentesting j-h.io/7asecurity
📗Humble Bundle ➡ j-h.io/humblebundle
🐶Snyk ➡ j-h.io/snyk
🤹‍♀️SkillShare ➡ j-h.io/skillshare
🌎Follow me! ➡ j-h.io/discord ↔ j-h.io/twitter ↔ j-h.io/linkedin ↔ j-h.io/instagram ↔ j-h.io/tiktok
📧Contact me! (I may be very slow to respond or completely unable to)
🤝Sponsorship Inquiries ➡ j-h.io/sponsorship
🚩 CTF Hosting Requests ➡ j-h.io/ctf
🎤 Speaking Requests ➡ j-h.io/speaking
💥 Malware Submission ➡ j-h.io/malware
❓ Everything Else ➡ j-h.io/etc

Пікірлер: 153

@asbestinuS Жыл бұрын

I'm loving these deobfuscation videos, please do more of them. I don't really care which malware it ends up being, I love to see your thought process and deobfuscation techniqes and so on.

@nordgaren2358 Жыл бұрын

Same! I love the deobfuscation videos, and I don't care if it's a new malware or not! The process of getting there is what intrigues me, not the outcome. If it's some new malware we have never seen, then bonus!

@FVT-tn8ji Жыл бұрын

Same here, I dont really understand that much but his process of understanding this program is really interesting to me!

@plut4580 Жыл бұрын

OH YES, finally some malware analysis, i love your content and i’m learning so much, unfortunately i gotta do some homework first! Don’t stop making videos.

@TriSept Жыл бұрын

Your deobfuscation videos are my favorites. Definitely want to see more of these!

@calvinstar356 Жыл бұрын

Love these videos, you are 100% correct that this type of analysis is much easier to follow for beginners then binary in Ida. Keep up the great work John, love the content

@infidon9229 Жыл бұрын

had absolutely no idea what was going on, but I was still very entertained and had no problem watching this in one sitting. hoping to start to catch on/understand small things as I keep watching videos like this. Banger video, ty john

@stavros222 Жыл бұрын

I love that when you see names like hexadecimal values or strange names like AAAAAAA or whatever is 100% a malicious code

@sokai6475 Жыл бұрын

Dude, I love watching your malware analysis vids. By no means should you stop doing them. I especially appreciate how you're able to bounce between different programming languages and explain to your audience how the lines of code work and so forth. You've made it very interesting to me and as a layman who is trying to get into cybersecurity, this is very informative. Keep up the good work!

@z0mn1a Жыл бұрын

Beside learning the very basics of code, I like to watch your analysis videos as a way of reminding myself why I'm learning this stuff. Watching you do this is like watching someone disarm a bomb. You have me on the edge of my seat the whole time, even though I only understand about 30% of what your saying. Please keep making these videos. And keep them long!!!

@LexiLominite Жыл бұрын

I think most of the people dont care what is the end result of the video. But many people will like the thought process of you on deobsfucating things. This is nice. Glad that you uploaded it 🙂

@alanc12402 Жыл бұрын

Great video there John! It's great seeing your process and it's educational! Even if it's malware we've seen before, the process is super important.

@DexCode1337 Жыл бұрын

finally a new malware analysis video! more like this please!

@liamwhalen Жыл бұрын

Cool to see a thought process in effect and helpful to share techniques for all to learn from. I really liked the feeling expressed when you found the new technique with the Execute stuff. That feeling is one of the things that makes this sort of work worth the while. I wonder if the first part that stops execution entirely is the value added work to the old VBA script? Maybe something needs to be present on the machine in order for the trojan to execute. There may be some value to security through obscurity.

@slackerbelmont Жыл бұрын

Even if the end result is something that you've seen before, the process of getting to that point is most of the reason that I watch.

@cojocaru08 Жыл бұрын

I love these deobfuscation videos. And yes, that execute global override was neat

@sraven3671 Жыл бұрын

That was awesome, love your work - you're a legend!

@charlieisacatwithseizures Жыл бұрын

As someone who wants to become a malware analyst, please make more of these videos. They are great practice and examples so that when I try to do it myself, i can look back at the thought process and get my head in the right mode to think critically.

@briank8525 Жыл бұрын

Outstanding John. I agree with the comments below. I learn so much by watching you and taking notes as well.

@ph4seon3 Жыл бұрын

Its so cool to watch you Deobfuscate. Great thinking exercise for the morning.

@Alex-qx1gx 10 ай бұрын

I loved the video - happy KZfaq recommended it for me. I enjoyed seeing your thought process a lot, even if VBS is not a programming language I know.

@JeffGolenia Жыл бұрын

I too am loving these videos. Far beyond by programming abilities but it's really nice to see how it's done.

@Kiesp Жыл бұрын

I don't mind it not being something new. It's great to see you decode and deobfuscate random stuff :D When saving a file in Notepad++ (and a lot of other programs) just add " around the filename, so you don't have to pick it manually ^^ So call it "experiment.vbs" and it'll save as a vbs file :D

@1stAshaMan Жыл бұрын

You can also just scroll up 1 line in the file type box to select "All Types (*.*)" As long as you have an extension in your file name it'll save as that type I always wondered why they didn't just have it default to the type you enter when you put in a file extension

@duscraftphoto Жыл бұрын

Great deobfuscation content, as usual! Keep up the amazing work!

@Thoraxe12 Жыл бұрын

I don't know if you will see this but as a newer programmer this was amazing to watch. I have never tried or seen obfuscation in a real life example and it was just amazing. I thought this was so much harder then it really is and makes me want to try to do this myself. Please do more because this got me excited just to go program again even though my current project is killing me XD

@Ryoushin Жыл бұрын

gotta love deobfuscating acbogs, great video!

@jimsmind3894 Жыл бұрын

Although it was a dud, still enjoyed. This is my favourite sort of stuff you do, your knowledge of different languages is impressive!

@msalih Жыл бұрын

Awesome. Overriding the eval function with echo really cool 😂

@speeder3235 Жыл бұрын

yoo more deobfuscation Missed those dearly, thanks for gifting us another one of these videos!

@truenerthus4460 Жыл бұрын

Please do more of this. Great content

@AngryMarkFPV Жыл бұрын

Such a good teacher, keep it up mate. I feel smarter every day (pun almost intended) when I watch these.

@not4real920 Жыл бұрын

I agree - i get more out of the thought process vs. which malware it actually is

@DavidCosta85 Жыл бұрын

thank you for the knowledge sharing. blessings

@Defotowe Жыл бұрын

John is back with the content we all crave, love it .

@danf4321 Жыл бұрын

Great video as always!

@patrickwootang Жыл бұрын

Thanks for being a great teacher!

@henryfrere8680 Жыл бұрын

I really love these videos. I wish I had the motivation to learn more about this stuff. One day!

@xthukuh 2 ай бұрын

I like the thought process.

@lukebremer5647 Жыл бұрын

I am disappointed you didn't say spooky wooky but great content man, keep it up.

@bijss1595 Жыл бұрын

These videos are the best to watch :) doesnt matter we've seen the rat before. Always learn new stuff from your videos! Keep it up :)

@williamist Жыл бұрын

love this type of content!

@jojobobbubble5688 Жыл бұрын

Interesting stuff. Super new to all of this but I'm enjoying it as I learn

@Basieeee Жыл бұрын

"This is gonna suck, you guys must hate listening to me." Me: 20 mins in already.

@verolyn8459 Жыл бұрын

Man, I'm waiting for it and now its back.. New video, New Learnings.

@waxnet Жыл бұрын

Finally I love these videos

@Octomany Жыл бұрын

Haha that "Yeeaahhh" of pure satisfaction at 27:35, love it. Nice trick by the way, thanks for sharing!

@daze1781 Жыл бұрын

These vids are always my fave

@hishamtarsoo5233 Жыл бұрын

Great video John!

@gijsyo Жыл бұрын

This was really fun to watch

@deliryc Жыл бұрын

huge fan of these videos!

@The_Fancy_Duck Жыл бұрын

I find this relaxing and educational, like you can just put this on in the back ground or something.

@stanceverse2427 Жыл бұрын

AAAAAAA if BBBBBB then CCCCCCC

@santiagofonzo9336 Жыл бұрын

Thank you John for making these videos! This is how you get someone to change his career from chemistry to cybersec haha 😂. So interesting 🙌🏻

@hm-jr4ok Жыл бұрын

I enjoyed watching this!

@Gersberms Жыл бұрын

Notepad++ is such a tease. It looks so helpful, but I hate it every time I use it. Get VS Code. I'm really surprised VBS lets you use apostrophes as well as quotes!

@refaiabdeen5943 Жыл бұрын

Cheers Mate.

@broom7294 Жыл бұрын

FINALLY MALWARE ANALYSIS

@MrGattor33 Жыл бұрын

Great deobfuscation content! Keep up the Great work John! Just curious as to why you couldn't run this on a separate machine or in a VM and see what the whole thing really does before breaking it down like you have here.

@hartlink Жыл бұрын

Hola, don't feel bad about the ending for us was entertainment, fun and educative, thanks for sharing this kind of content, keep it up!

@YouKnowTGreen Жыл бұрын

lol still so kool to watch John videos even though i have no idea on how to do the deobfuscation but John make you feel like you watching a movie

@yeetoro3693 Жыл бұрын

more of these please

@seansingh4421 7 ай бұрын

This is the reason I have extremely strict Applocker settings on any of my Windows desktop.

@GhostOfAnubis09 Жыл бұрын

Sure it's 'just' houdini again. But that was a really slick trick to overwrite executeglobal, so thanks for that at the very least!

@netanel135 Жыл бұрын

You are awesome 👌🏾

@HackTheHackers Жыл бұрын

awesome!

@KataisTrash Жыл бұрын

I kind of love watching you try to figure out that regex :)) All you needed was just "'\[PHP](.*?)\]", with multi-line flag (to skip the newline stuff). Not sure about multi-line in sublime, but as far as I could google it's just (?s) in the front, so "(?s)'\[PHP](.*?)\]" should work?

@Anon0nline Жыл бұрын

This seems like a lot of effort when it's really easy to write a script for both Windows and Unix-like systems that just creates a new elevated hidden account and a SSH session over tor.

@custard131 Жыл бұрын

you should try out the CTRL+D keyboard shortcut in sublime

@ValZarGaming Жыл бұрын

If you typo a name in Notepad++ you can just right click the tab and click rename

@DouweHummeling Жыл бұрын

This video is amazing, I love listening to you (20:01)

@iWhacko Жыл бұрын

the garbled names could be a conversion error between file encodings, like between unicode and utf8

@danomaly8943 Жыл бұрын

I'm learning a lot from these videos. Honestly it is a little disappointing that it's the same thing because it seems like they are being taught similar methods to hide the code however for me just getting into this it is helpful to know that people can use the same thing in different ways. On the other hand I think we all want to find something interesting or especially nefarious because that's exciting.

@justindeleon9074 Жыл бұрын

what a cool freaking channel. Subbed and liked.

@rafaellisboa8493 Жыл бұрын

I don't understand any of this but it was very cool to watch, want to learn some day

@hihihi1733 Жыл бұрын

Awesome

@beyondcatastrophe_ Жыл бұрын

28:30 "Would this even execute?" Yes, it would, you are forgetting the first line "On Error Resume Next". This basically tells the interpreter to set the global "Err" and continue as if nothing had happened.

@mattcargile Жыл бұрын

Do you know why we couldn’t get the next.vbs script to correctly display the data and how to override executeglobal?

@beyondcatastrophe_ Жыл бұрын

@@mattcargile I assume you mean the error at 22:45? I think this is because the syntax does not properly handle special characters. John just dumped the string as-is, instead of going through any serialization. Whereas when it is already in memory, that's not a problem. (E.g. quotes, in memory it's just a ", but if you want it inside a string, you need to do ""). As for how to override executeglobal, I'm not sure what your question is. "Override" is a slightly ambiguous term in programming; you can see at 24:45 that he just re-defines the function to "catch" the call to the built-in and do something else.

@telmo49 Жыл бұрын

Jhon, best video EVER XD

@SmallAngryNerd Жыл бұрын

"This is garbage! this does nothing!" - the TA grading my freshman coding projects

@MCorange9 Жыл бұрын

Hey, quick question, where do you find these. The deobuscation looks fun but i cant seem to find good malware

@majinfoo Жыл бұрын

You're so badass John

@vaibhav3852 28 күн бұрын

I just saw the other video where this rat was found. After that I hit your malware playlist and saw this. I was so sad like you when I saw the comment at the top of the code. :D

@snabbisnabb595 Жыл бұрын

I love these deobfuscation vids, however, I would feel uneasy just to use your execute function. What if there still is some eval function within the thing you are executing? Isnt this quite risky?

@diddyman1958 Жыл бұрын

Don't be sorry for putting this video out, the fun was in the de-obfuscation

@PhilXavierSierraJones Жыл бұрын

"Damnit it was Dunihi again!"

@altaccount648 Жыл бұрын

why use regex to remove the same lines 50 times when you can ctrl+d in vscode?

@SLZeroArrow Жыл бұрын

This must of been a freaking PAIN to do, like many many attempts to get it deobfuscated. Darn those hackers really challenged you here didn't they.

@sudoprophet 8 ай бұрын

Cool

@axjv Жыл бұрын

Interesting breakdown. At 26:34 I think you have an extra )

@nixielee Жыл бұрын

Deobfuscation videos are your best work. Apart from the excessive zooming. That drives me crazy.

@sammyfromsydney Жыл бұрын

I'd be very wary of your neat little trick of overriding functions because if you get it even slightly wrong you're going to have a bad day. At least it was on a VM and disconnected from the Internet.

@swamppifi6186 Жыл бұрын

it might help if you do a condensed version without the false starts. but it is still a good video

@alex-dn9to Жыл бұрын

wow they used a sphere 👌👌

@peekadutchu4928 Жыл бұрын

Couldn't you check if it would run in the first place, despite all the errors, by adding the custom executeglobal to the first script, since it would be nerved?

@KennethLongcrier Жыл бұрын

Won't Visual Studio Code run under RemNux? (VS Code should allow you to run VB/VBScript code)

@peterwestin1874 11 ай бұрын

Probably got one more soon.

@collect0r Жыл бұрын

10 minutes in i worked out the obfuscation of ascii

@SheIITear Жыл бұрын

28:10, arent those services used keep the same address? like if your server or whatever ip changes that service automatically takes care of it and you dont have to update the payloads with the new ip

@DaxyGamer Жыл бұрын

yes they say the ip is static not dynamic