JScript Deobfuscation - More WSHRAT (Malware Analysis)

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
what's up everybody and welcome back welcome back to another youtube video welcome back to some more malware analysis uh it's bright and early in the morning i'm trying to squeeze this in before the work day gets started you know and uh this one a little spontaneous a little off the wall as it usually is but uh i don't know what i'm up against in this one i have not looked at this file other than just opening it in like an editor and then seeing oh this would make for a good video i'm totally holding off until we get to recording time so uh i hope we have fun with this one but i don't know this might be a success maybe we're cruising through this maybe there's actually some good fun stuff to it or it just crashes and burns we're gonna find out so let me show you what we're up against i got this email the other day that says hey john i got a sketchy email attachment for you maybe got some malware i found this little cute i like that cute piece of javascript on my email account today it looks pretty fun but time consuming to play with password is as always infected cheers thank you thank you guys please keep sending me malware you know i'll say it it'll be on my tombstone it's my yearbook quote please send me malware it's a lot of fun so we'll have a good time with this one but uh let's get after it i am going to work in remnux for this video as usual ubuntu pops up hey system problem detected whatever great way to transition and get us over to remnucks r-e-m-n-u-x the reverse engineering malware at least i believe that's what the uh ram rem actually stands for uh linux distribution so that's really really what i should be working in i traditionally gonna bend in ubuntu for previous videos but i'm trying to get myself in with the cool kids and i really start to do this for real so that's why we're in rum nooks i'll open up my terminal here and i am working with terminator although i just have a different kind of color display here so i've created this directory called email and in that i have this factor.7zip archive and file that we would have downloaded from that generous fellow's email so we could extract this with 7z e to extract and then factura given the file name it'll need to know the password which he let us know is infected which is i believe the standard that's just kind of what it kind of always should be if you're working with this stuff so we have a factura dot text file and let's open that thing up i'm using sublime text i do have it installed in here um because i like sublime text you could use whatever texture you want obviously i know a lot of the vim fanboys will be screaming at me but it's okay you can just shout at your monitor and i'll hear it eventually if you shout loud enough i'll hear it this is what we're looking at so i don't know if you can see over on the right hand you know mini map sidebar here there's a lot of good stuff in this uh down at the very bottom we get to some more stuff i see a couple eval statements um i see other potentially strange things uh this makes me think that we have like a w script something in here but uh i guess we're going to de-obfuscate this and find out let me save this as a i guess stage zero dot js or something so we know okay we'll have some syntax highlighting we'll have some color in here this is this will be javascript but um let's explore and see what we're up against i guess i know that i'm going to want to end up working with node in this to be able to actually run some fragments of this javascript so i can let the code unravel itself so i will install node.js which i don't already have ready for me on remnux but that's fine we can totally download it and let's get back to what we're working with i guess now i'll start to call like a cleaned stage 0 maybe as a file name and this string.prototype looks to be a function that will do some strange things um let's put that together okay i guess node.js is not the command for it uh but let's slap that all in here so we have this function that could be defined to work on string data i think they use this h1sen zz3 h1sn and they get this functionality here so looks like it's cutting together pieces of numbers but that builds a string prototype okay so it looks like this is going to end up being a primitive that will allow us to work with creating other types of functions so i see that this would mangle some text to define this h1sen zcc3 and then they use that same string prototype syntax here to now create a dot love it function literally spelled love it with leet speak so that's that for us i'm assuming they're using this not string prototype to be able to detect or test if this function already exists so maybe this function might end up running twice but this uses some regular expressions to replace numbers and return the types of them i think we can kind of press the i believe button on that but let's make sure we have that functionality to use that love it function and then we have this thing array prototype slaves i think slabs i'm gonna i'm gonna assume that that is slaves um this could return a long long piece of data that we can assume is going to end up running with love it following it oh oh with like a format string functionality right because you can see that the curly braces denote oh one two one two there's a zero in here etc etc etc so this might end up building i'm assuming more base 64 but it uses this love it function as its own like format string because it's going to replace numbers based off of these curly braces so love it looks to be format string i guess and then we eval something to create an element now a lot of this looks to be printable characters just represented in a byte method so part of me wants to know what these might actually come out to be oh they use love it again so so let's get this string they use loveit at the very very end of this to pass in those arguments is there a curly brace thing anywhere in there let's look for a curly brace zero no oh wait a second oh it has to be because of these uh escape bytes that's actually super slick it kind of tries to hide it there so because we have our love it function already built out in our node working along side by side us we can just slap this in just as well and there we go looks like we are creating a var la wsh.create object microsoft.xml dom create element bsc array.prototype that thing equals eval so we now have a new eval functionality this nxt55h is now going to end up being the syntax to run an eval statement spooky scary gotcha and then we create this element bsc and we set the data type yep because that's all going to be joined together and just become data type duh that one we we kind of figured it out without needing to run that and then we use this join method spin.base64 so i feel like this is building up to be a download you you know you have to think uh and hey array we have the slabs functionality yeah is this the only time this is actually called this this slay slaves code it is it is so that's got to be the uh actual we i want this because that's going to probably end up being the base 64 that we need to work with why did i do that i just tried to paste it all in and that's going to take forever um we'll let that go you know hey we can uh we can stop to get a cup of coffee or something realistically can node can like import a file and like run it inside the interpreter can it not i'm sure there's a way to do that and like realistically we could have just done that on our own we could have just done a find and replace on that real quick let's try and do that real quick let me slap that into its own other buffer so zero is going to end up being replaced with g zero with a g done oh no there are 32 826 matches i'm breaking all of my programs what is happening here that has to be like a null byte pattern it's it's totally a i'd have to think that's a binary not gonna lie i guess we're just we're stuck in this loop now god dang it let's okay okay okay okay fine fine thank you thank you sublime text i know buddy just die on me i don't mind it's totally okay please commit sudoku i know that's not how you say seppuku please what do we got let's get back into node and get these functions back in here boom now we have our primitives love it and this thing and we should we should we use this you know what here let's make a directory to or make a file extract that like i guess gosh that you know and then can i console.log that i think i think yeah yeah so let's node my that thing love it is not a function oh no no you need that you need that functionality and you don't need the h1 thing because i already replaced that string prototype method or like uh thing up there so now that should no longer die theoretically and now we have a ton of base 64. so let's redirect that out to new base 64. and obviously that's going to be a humongous snippet of text but i'm just going to grab that and put that back for the elements here yep yep now just for funsies i might be jumping the shark here no no there's even more we didn't even finish stage zero i guess this is now stage two to be honest uh and what we're working with was probably considered stage one realistically uh i should have should have named these better anyway what do you got going on let's get back into node and yep it's gonna end up doing a download i i really really think it is because all of that functionality is being built out and this thing is create object but why are you using these indexing with zeros you're call setting this equal to a one and then calling it what what this should be reevaluated read to do we use the oh we end up we must end up using love it later that's exactly i was thinking that the that one was going to uh be used again but that's the base 64 specific thing so let's get that in single quotes real quick there we go and then all of these i'd like to clear out can i have that in its actual proper representation please good enough oop i removed my vehicle variable here okay okay okay so we're doing weird things now this is an eval nxt55h is an eval so that would be danger it would try and execute the code that's passed in here and this is going to end up kind of being carved out from all of these primitives that have already been determined with loveit and all these arrays that have just been created because that's why they end up having these indexes so it's cutting up the pieces that might potentially trigger some automated solution like antivirus or edr uh oh i guess i should define that as an actual function there you go and now you can have this so you can properly run love it and this guy is setting his type open right position okay so these were all i see of the parameters or arguments that it might configuration settings it would need for this adodb stream yes so because this is going to end up running eval it would execute that and it opens that stream and it just hides the functionality that it has just built out this has some longer code here um oh i grabbed an extra parenthesis because i was forgetting about the eval let's steal that and yep sorry i know this part is boring because i could very well maybe automate it but i wanted to build i want to unravel all this because these variable names like uh those are things that i want to be able to go back and do with some find replace or replace the variable names so that's kind of just even if i'm piecemealing it even if i'm kind of going slow i think it still you know works for me anyway and i'm the one doing the song and dance here so we write this node typed value and then this eval because this is eval is it not no wait what how did that get the context oh it's an array it's an it's accessing accessing this thing through an array object which is neat to begin with gotta say it's then it's eval's not like dangling out in the like regular context or namespace but then this would have to execute so it must read text and that would mean it will execute the contents of that base64 that we just found which means that is in fact our stage two and we were really working on stage one at that point so what do we got here oh oh this one actually looks juicy uh how long is this file my god oh no decode pass pass grabber unzip key log starter site downloader download upload delete faf command shell enum process exit process get parent directory enum faff get key logger get rdp get reverse proxy get binder run binder [Laughter] over a thousand lines of straight evil badness let's try and de-obfuscate this shall we javascript diabetes um i guess really realistically i want a beautifier because i'm going to end up going through and like probably working with those these variables on my own but uh please beautify that code i saw a comment in a recent youtube video that was like john you realize you just told a website giving it unknown malware and told it to clean it lexify it and beautify it for you uh like yeah i know but it's all running client-side like their javascript should be client-side like to to run the code to clean this uh let's put this in a clean stage too see now my numbers are all off it looks like it looks like i said i just skipped stage one but that i gotta fix it registry content windows registry editor 5.0 new line newline is this building a registry file it is it's setting disable anti-spyware to one so it's not going to deal with that it's not it's going to turn off windows defender for that anti-spyware thing monitoring this and it creates it in this directory so in this file name in the temporary directory so if that actually exists then go ahead and delete it and then write it fantastic um run file looks like it's just going to end up running part which is the registry key that it just created and that's it okay and that's w script.shell that's why that can happen gotcha then we check if that file exists and over and over again we'll try and run file and repeatedly read from that registry to make sure that that registry key has actually been changed this is a long horizontal scroll bar yes but that disable anti-spyware has now been made sure that this will not get caught neato benito and then it removes that registry file clever girl or is that jurassic park right i should know i'm john hammond but we have this thing that's defined and this variable which is a lot of strings all put together again these look like printable characters just representing bytes so let's get back to our terminal and let node handle most of that for us why why do i do this why do i do this every stage it's like it's still in my buffer okay um weird data dot js obviously that's what it's called uh and then let's get a console.log on that guy console.log u please please node weird data oh there are a lot of items in this can't you display them all please are you guys seeing what i'm seeing right here show toast oh duck.dns.org there's a good indicator of compromise little domain calling out what are you what do you got going on who are you can i run a who is dang it i'm having too much fun with this one we've we've deteriorated we have just fallen off the train tracks uh i only got an hour left of recording time who is this not found am i am i am i doing the right thing i'm not doing the right thing this guy has this ip address all right showdan showdown.io where's that boy liv come on no results found we were having so much fun together i want this to be all displayed i i i do if i look yeah there are i'm searching for the comma right now there are 1018 entries i want all of those entries can i please have that displayed realistically this would actually be displayed in python so you know me let's uh let's p print this guy let's remove that semicolon over there and let's from p print import p print do it up i know everyone's gonna hate me like john stop using python uh let's t that into um [Music] dot extracteddata.log wait a second was there more base 64 in that oh my gosh look at these look at these sauce commands though right look at this suspicious stuff keck but seriously there's a whole this uh tvqa is that isn't that an image isn't that an image file there's a boatload of it for one thing or is that a binary is that an executable i think that's mz yeah i think that is mz because normally like an ivq is base64 for that uh so we got a lot of stuff ladies and gentlemen as we do let's uh you know let's copy that and make that the new variable that we're going to work with there so this guy is going to be that and what function oh oh oh no oh no f this is going to repeatedly use this variable over and over again to reach for the strings that it might use f i want to be able to know all of that i want to be able to see what all these strings are and that uses it everywhere well i think there's only one thing to do here wait a second whoa whoa whoa i saw some other sketchy domains wsh is this wshrat like we've seen wshrat before i think give me ffpv give me firefox password viewer chrome password viewer uh those are from nurseoftnersoft.net show toast all right all right all right enough dilly dallying let's um let's work with our um clean how about process code.pi let's grab all of the extracted data and that should be what we end up defining as lots of scrolling this guy you can equal that thank you i would really like it if i could coldfold that thanks now let's user bin environment python3 uh let's import regular expressions and let's try and script the process of cleaning out this clean stage two to replace all of the usage of this guy with the actual key presented in the thing does that make any sense i don't know so let's use a context manager because i'm on the internet and everyone's going to yell at me if i don't we'll use clean stage2.js just i don't know if i want in bytes whatever use a handle dot read to get a diet ginormous horrible bad practice all slurp it all up into memory and let's go ahead and r e dot [Music] let's for i uh value in enumerate this guy let's do an re dot sub uh oh god how will this ever work um contents handle.ring so let's store that in a variable replace the contents replace the string of this guy with a format string indexing at the value of i with the value that is actually in that dictionary yeah just a simple loop here and the contents is what we want to end up working with that should return it out i think i might have the parameters there backwards python re yeah python regex thanks what is it uh re.sub pattern replace string count i guess that needs to be escaped though i mean yeah because i don't want i don't want these to be considered to be the regular expression symbols so let's do fr for format string and r for a real string uh raw string whatever and then it does it maybe what do we got i hope this is just a complete guess dang it oh because this thing can't have a freaking variable the variable name can have a dollar sign in python okay that's not bad you gotta give me a pass on that one guys damn it bad escape end of pattern what why is that happening let's see how far we get do we process anything yeah yeah okay so we process a couple but once we get to zero one two three four five six seven eight why is that bad is it because we already did it what if we just use a try-catch statement will you still blow up do it anyway please go no wait i think it did it it totally did it totally did it yeah yeah um let's replace it with the representation of that so that way we actually get it represented as the variable so what should we call this like what stage three dot js yeah yeah that was dumb that was silly that was stupid but we did it uh so we don't need this guy anymore we found our spooky domain we can start to replace some of these a little bit more now that we know what they actually are imagine that app data environment variable this can be false if false is equal to true then elevate uh and this can be true this can be true this can be the number 2031 for some reason uh this can be our weird uh domain or our commanding control server c2 server maybe c2 server domain if we were to assume and guess that that's what it was uh if ww script arguments named exists elevated that's slick like it'll know whether or not it can actually if it if it is and then you will see disabled reboot required disable security setting more registry values nice whatever i guess that's fine um we'll call this w script shell we'll call this file oh sorry i started to write over the wrong thing file system object and xmlhttp so we can download things or have internet comms script name startup folder gotta add persistence gotta do it all the time huh okay update environment equals expand data so if the folder exists then app data environment is now going to be the temporary directory oh if it doesn't exist i follow and then a pipe i'll call that updated environment wsh sdk app data wsh sdk and then it adds in represented characters python should totally be able to parse that i think yeah let's just let's just let python do that oh come on give me interpreter please python what is wshrat just doing it in python um so wsh sdk must bring in like download and pull its own um like wsh like or like python executable so we'll call that wsh sdk python exe this can be 5000 random things uh we'll call that empty string i'm sure these might be used later i would have to hope or think maybe instance get binder run binder so it probably ends up doing okay so yeah this looks like the exact same uh setup as wsh rat like this looks like the same commanding control kind of messages and framework here as we've kind of seen before and we've seen pass grabber before and cmdc okay and it gets a python interpreter install sdk that's crazy is that is that new has wshred actually used python before oh but show toast unable to automatically recover the sdk you can try again manually huh wscript.b itself okay so it tries to update oh that's very very cool it must uh open a text file and maybe get a later copy i think no exact bring log wsh log site downloader file manager whoa huh rprox.exe kale plugin wsh logs check eligible install sdk i wonder if this is actually still hosting that because that would be something that i kind of want to report if like now that we know that domain um and where is it get this post okay so post must be the function that actually calls out but wsh sdk is something that has to be there i would think uh what the heck is this install looks like it does a lot of disgusting installation stuff c and d lots of reject lots of reddit lots of red x i don't know how much more there is to go down because like we could de-obfuscate we could we could work through this for days but i think if we've already kind of uh determined now that this is wsh rat like we diagnosed this at this point uh it's crazy to see some of the disabled security functionality oh yeah look at these these are these are the registry keys that are setting to uh enable lua uh is that that's is that w digest i think that's w digest no consent prompt that's u8 these are uac yeah these are user account control and then windows defender uh has its disable anti-spyware so uninstall tries to delete its persistence which is just a regular like run autorun task delete file blah blah blah blah blah post there we go there we go boys there's our c2 server domain cmd with the command and that must be what we're trying to download so let's find out if our cmd c2 server still exists let's get our c2 server domain give me the moment of truth are you still active uh you're 2031 and what's a file that we ended up downloading a dot zip post moz dk right so what would that what would that do if i were to go look for that post statement again look for the function post it takes a command and a parameter so we open a post request to the server plus command with a user agent that uh oh no it has to be its full thing empty string run wsa trap pipe javascript two get country oh geez it's probably not gonna respond because i don't i haven't been able i wouldn't be able to easily figure out what that user agent would be oh shoot sorry we wanted uh what was it moz sdk yeah and i should realistically make this verbose how about a user agent that has wshrat in it no nothing i guess is there a whole lot else in here oh yeah get country we'll just straight up get it from the ip api website crazy upstart hardware id that's used as part of the user agent when it sends requests to the command control what is this thing this looks like it's doing oh wmi to get the operating system kind yeah security center select from anti-virus products so it checks to see what other anti-viruses might be installed yep it doesn't have anything it says hey no av that's funny instance that must be setting up the w scripts i don't know what's going on with my color coding i probably just ruined it when i started to modify stuff my syntax highlighting probably died but got some decode base64 functionality nice decode pass this is these are all i'm telling you the uh near soft intersection i really have to think so ffpv and chpv those from what i remember oh there's a comment in here for firefox for chrome sketch man did i add a uh no where did i go dang it i lost like my place this new line was weirding me out i don't know how or why did i i don't know if i just put that there i'm i'm fading out obviously wait a second what do we do here we've run cmd.exe that's our comspect variable we change directory to the application data where the sdk is held gsp will probably get the shortest path to it crap i need to go back to where i was now a lot of comm spec pass grabber will try and run things do we oh it makes a whole new registry key for what like these this would be the bytes i think that are prevalent in a registry editor file or a dot a reg file i'm pretty sure i could be wrong comspec a lot is going on here wsh logs recover password email you would read it and try and send it get a reverse proxy task kill run the key logger it's a rat man i mean i don't know what more to tell you at this point service starter commanding control with that c2 server and download send to me pipe oh and those are the parameters are we close to the end like we've been doing this for a while i'd like to do a little bit of digging and research to see what more wshright does if it ends up doing stuff with oh get rdp oh no these are the files just embedded in they're all just base64. get rdp it's a freaking assembly for one thing so we could open that up in like il spy or dns pi if we really wanted to but the keylogger is also here let's slap all that and put that to base64 my face is in the way i'm sorry uh call that keylogger.exe another mono assembly oh bro what about this reverse proxy that's got to be what would that be would that be like ssh psycho all that another mono assembly ah okay that is the end of the wh wsh write script and code here uh now if i were to uh ielts by cmd is what um remnux offers you and that will just spit out the c sharp freaking everywhere does it actually write it to a file no um rev revproxy.cs let's do the same for keylogger let's do the same for get rdp let's check out what each of those are doing or using wsh reverse proxy is it custom because that's kind of insane not gonna lie form being created i don't know if there'll be anything extremely interesting in this but just the fact that we could pull it out was kind of cool my computer my forms my users module notify bring back socket reverse proxy resources this just has to be it it's like the tcp client that it ends up rearranging yeah there's our task kill yet again is it killing itself huh i might i might be misinterpreting that but i don't want to slow down right now is it get request method content length it's over https i think like from what i can tell it's doing uh weird stuff oh i mean i guess it's just gonna end up setting up that proxy so we could listen in on things very maybe i don't know what i'm saying at this point what do we got in the keylogger klplu back in 2019. what was the is there a copyright on this one no oh no there is 2019. how long is this keylogger one where would it save the output like where it's when it's logging keys where does it save those found keystrokes there's the hook messaging structs and enums and mouse messages oh wow this is in depth hey if anyone wants free c sharp key locker code get it while it's hot one only one time only i'm just kidding oh and these are called from uh win32 api these are called from user32 that makes sense set windows hook call next etc where do you write where do you output this stuff that's what i want to know so or do you just send it with the socket checking checking checking open keylogger that's got to be it obviously run keylogger offline so if it doesn't have potentially there it is if it doesn't have access to the internet or can't call back to the c2 then we'll go ahead and use the in the sdk folder and everything that wsh is working in the temp directory it has a wsh logs and it replaces it with the date dot log dang dang oh it prints out the debug messages that's funny that's like xev that you'd see on linux you know save keylog it puts it all there blah blah blah wow wow what about our rdp just just for the sake of showcasing right rdplu another wshrat plugin this is all the stuff that we were able to dig out of that single email attachment that our poor friend had received so kind of crazy you know kind of slick take shot take a shoot like you can take a picture yeah man get the screen resolution get it as a jpeg image oh my goodness connect to it and does it send it and let's send it like as ascii that's crazy mouse event click rdp wheel is it creating like its own rdp client through the web am i i might be misunderstanding because i'm not actually reading this but click no it does it click click mouse up mouse down wow wow wow wsh rat let's pivot and do our detective work on the internet oh is this like a following houdini okay there are a lot of articles we could look through revenge rat and wsh rat so this one found it through it looks like an hta file or something like a what does it say i mean it's html being able to call visual basic script so i can't complain we've seen this plenty of times before though like we we have uh i think i have a video on wsatrad i'm pretty sure and i feel bad that i'm kind of forgetting right now so part of me wonders though if this is a different version you know what i mean like is this a ladder one still using duck dns is sketch um wshrat first seen september 2013 last seen a couple couple days ago does the video end up doing anything when it's ran and uh when it's raining uh any dot runs emulator is it just five minutes of a blank screen dope super cool all right so it has been seen as uni houdini et cetera et cetera but this like what our sample is doing though did it write i mean it obviously wrote to disk because it needed to work with the sdk and get the python libraries etc and then still be able to have all of its executables between rdp and keylogging etc but i didn't because it would just end up being evaled through the email attachment it's like boom you're automatically executing this code maybe unless you had downloaded it to begin with or something donuts live fishing though as detailed in the beginning the attacks phishing attacks to distribute wshms email attachments url zipper mht format this was just straight javascript though i'm assuming what our friend had found in 2019 and wshrat appeared a javascript-based version of houdini yeah cause houdini was visual basic script was it not like that was one of the first ones that i ended up exploring but this variant has to be crazy yeah this is what i'm most used to seeing i think that's what we've showcased before we're like is noted in the code but this structure was the very very same for communicating with the c2 like code structure dang i don't know if anyone else has seen this specific one before does do any of them mention using python though or is it just c is it just called python.exe does this run i mean yeah pass grabber run cmd three what is what was that gsp oh get scripting path so it tries to run it oh but i was sketched out because it run dll wsh out it's not going to end up using run dll would it file exists decode pass red cmd i guess it decode pass must end up using it because it has functionality and yeah and that that's exactly what it was it was just calling that huh well ooh a lot of these are duck dns well for their indicators of compromise uh i don't think ours is on that list what is our c2 server this guy but when we ran dig it came back with 181 137 141.55 do they have that ip address no i saw the couple of 180s and i thought it would be right but nope yet another one gosh wshrat python sdk awesome rat oh binary defense put some stuff out about this heck yeah new wsa trot signatures wait a second oh this is back in 2020 are these actually analyzing it maybe sort of whoa there was a slim pdf reader oh no it's a fake.js fatura.jar and ours was called factora right that's weird not a jar file though awesome rat uh i'm in a weird place i'm kidding i'm kidding wc tread though yeah okay c sharp there's that cognito rendition like to knee huh all right sorry i know i'm like this has been dragging on and i want to maybe bring this down because we're getting to the end here but uh we've we've diagnosed this for sure and we have determinate wsh rat i'm bummed because oh dang that's something that we had kind of seen previously in a different video but i think in this one we maybe went a little bit more in depth and had a little bit more fun with the javascript and working through that code so slick thank you so so much to that individual that was willing to send this along again i can't say it enough uh i love when you share with me the weird spooky sketchy stuff that you end up finding because uh it's pretty fun it's pretty cool i enjoy it and it it helps keep the content farm blooming you know it's ripe there's plenty to harvest when i can help help get some some love from you guys so thank you thank you thank you oh this is an example of the user agent maybe we could latch on to that if we were to do any more analysis but i think it's time to tune out because this has been going on for quite a while uh but we got some crazy cool code that we were able to dig through found some other indicators of compromise uh and did some good work here so a lot of files that came from this i think it's okay thank you so so much for watching everybody thanks again i can't say it enough these are a lot of fun and again it's all credit and kudos to you please send me malware it's fun uh and whether it's a scripting language or something like hey compiled i do like to work and do a little bit more now with the legitimate binaries right maybe crack open ida crack open ghidra et cetera et cetera uh hey call to action you know the obligatory stuff marketing makes the world go round if you could pretty please do those youtube algorithm things i would love if you could like the video maybe leave a comment subscribe i'm super grateful i'm trying to grow my twitter account so if you are willing please please please go click that follow button over on twitter for uh john hammond i'd be grateful for that amping up the numbers getting to have a better engagement interaction with the community but you guys know you guys know track me down cyberstalk me you got me on discord i'm everywhere i'm happy to help and i hope this was a fun good video for you thanks so much for watching everybody i'll see you in the next one take care [Music] [Music] with [Music] you
Info
Channel: John Hammond
Views: 36,029
Rating: 4.9774394 out of 5
Keywords:
Id: XDAiS6KBDOs
Channel Id: undefined
Length: 62min 0sec (3720 seconds)
Published: Tue Jul 13 2021
Related Videos
HTA JScript to PowerShell - Novter Malware Analysis
John Hammond
41K
528Hz Powerful Euphoria Boost ➤ Positive Energy Euphoric Healing Meditation Relaxing Therapy Music
Nature Healing Society
2.4M
Windows 11 is bigger than we thought
Linus Tech Tips
3.5M
Binary Exploitation Deep Dive: Return to LIBC (with Matt)
John Hammond
41K
Cloudflare CDN CSP - XSS Bypass / HackTheBox Cyber Apocalypse CTF
John Hammond
24K
Cryptocoin Miner - Unpeeling Lemon Duck Malware
John Hammond
46K
MALWARE ANALYSIS - VBScript Decoding & Deobfuscating
John Hammond
562K
TryHackMe! Skynet - Wildcard Injection
John Hammond
70K
The Insane Engineering of the 787
Real Engineering
762K
Malware Marketplaces - 05 Dark Web Documentary
John Hammond
42K
FREE STUFF? TryHackMe - "The Great Escape"
John Hammond
61K
HAFNIUM - Post-Exploitation Analysis from Microsoft Exchange
John Hammond
94K
I thought the Schmid Peoplemover was impossible
Tom Scott
1.6M
VOD - TryHackMe! Ultratech & Golang
John Hammond
12K
Is THIS a VIRUS? Finding a Remcos RAT - Malware Analysis
John Hammond
233K
TARGETED Phishing - Fake Outlook Password Harvester
John Hammond
75K
Basic Buffer Overflow - VulnServer TRUN
John Hammond
86K
$2 MILLION DOLLARS STOLEN in Bitcoin/Ethereum - JScript Malware Analysis
John Hammond
79K
VOD - TryHackMe! Game Zone - Recreating a Metasploit Exploit in Python
John Hammond
11K
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.