KOVTER Malware Analysis - Fileless Persistence in Registry

Captions
Hey everyone, before we dive into this video I want to give a quick shout out and some love to our good friends over at Snyk. If you haven't heard, Snyk is hosting a free capture the flag, or what they're calling a Fetch the Flag, on October 5th. The CTF is for beginner to intermediate players, and I've actually included a couple of my own original old-school vintage challenges. There will be 20 challenges in total, including a few that I created, so hey, if you win, in addition to the glory and bragging rights that you can take home, you can win some awesome prizes, including a Nintendo Switch. It's all totally free, it's all online, and you can register right now with the link in the description below. You're gonna have my little tag in there, snyk.co/john. Take a look, have some fun. It should be a great game; it's going to be beginner friendly and welcoming to just about all players and levels of expertise. Solve some challenges, learn some cool new things, and I'm going to be doing write-ups, of course. I'll be showcasing some video write-ups and solutions after the capture the flag, but if you want to get the most out of it you should totally jump in, go play, and try your hand yourself. The CTF kicks off on the first day of SnykCon, Snyk's conference on building securely, so participate in the CTF on October 5th and then stick around on October 6th and 7th for a hundred sessions and more, including some live hacking workshops. Totally free, all online, virtual. You can register right now, link in the description below, and I hope to see you there, hope to see you on the scoreboard, and I hope to see you soon.

Hello everyone and welcome back to another malware analysis YouTube video. I'm pretty excited to bring this one to you because I think this is an interesting little task here. I've gotten halfway through the portion of the analysis; I want to show you this nice trick, and then the actual, quote-unquote, reverse engineering, walking through the sample, I have not yet done, so there will be a little bit of tiptoe tap dancing, a little bit of improv. I don't exactly know where I'm going; it's going to be exploratory, it's going to be discovery based, and we're going to have some fun. But I think this is an interesting one because there's a little bit of a problem, a slight snag, and then a cool resolution that I think some of you are probably already familiar with, or others might not be. So without further ado, I think we're already, like, what, a minute into the intro, let's get after it.

I'm over here on my computer screen. I should be working in REMnux, the Linux distribution, to kind of reverse engineer and do this analysis, but I am just in my Ubuntu VM at the moment, please forgive me internet overlords, and let's see what we're up against. I'm in this directory called reg, using zsh with zsh syntax highlighting, using exa to display ls contents in a nice beautiful way, and I've got a couple of files here. I've got the original command that was run and another interesting file we'll talk about in just a moment, but let me give you a little bit more background and pretense here.

The original command was found being executed on a victim host, set up as an autorun, right, set up as kind of a persistent foothold, set up as an implant or a little backdoor to kickstart more code, just on startup, automatically, an autorun. That original command was originally, I think, just an LNK file or a Windows shortcut file, and it tucked in more code that we will take a look at right here. I'll go ahead and cat out this original command, and the syntax that we see is invoking command prompt, cmd.exe /c, to invoke one singular command as an argument to this command prompt window, or kickstarting, and we'll start a new process. Now the color syntax highlighting gets a little bit messy because there are lots of quotes and weird minified compressed data here, right; it's obviously all just one big long line, but we're using quotes here to note the string of the process that we will start through the command prompt.

We're using mshta. Now mshta is that engine and interpreter and program built in, native, inherent to Windows, that will execute other scripting languages, kind of used with the HTML Application stuff that Microsoft has, so it'll be able to run JavaScript, or JScript, the Windows dialect rendition of JavaScript, or Visual Basic Script, VBScript, and other weird things. You can see it used a ton. If I go ahead and Google up LOLBins mshta, and there we go, just fire that up, you can see: used by Windows to execute HTML applications, mshta in the default paths, and a lot of good reading and research already done. But you could really be hunting for this sort of thing, trying to detect it, by using raw or obfuscated scripts within the command line. You could have it execute an HTA file on its own, or you could pass in more code as a command line argument, just as we're seeing being used here: mshta.exe with a language and syntax to be used, Visual Basic Script or JavaScript. And you could also do some spooky scary stuff with alternate data streams, adding things with a colon after a file, and other neat tricks. So if you haven't heard of LOLBAS, another incredible resource; if you haven't heard of mshta, another thing to explore and take a look at. But I think that's enough top cover on that idea.

I'm sure you are more interested in the syntax here. We're running JavaScript, and it looks like we're setting some weird variable names, o and k dq q7, totally random, to the letter n; u6q being set to a new ActiveXObject to run a WScript.Shell, okay, could be doing some nefarious stuff there pretty soon; and then some other variables being set to other random strings. And then taking the object that was set to WScript.Shell and reading from the registry, we RegRead, or read from the registry in the hive HKCU, or HKEY_CURRENT_USER; we reach into a Software little key and then a subkey, random letters, random letters as the final value there. Also setting other weird strings to nonsense, but ultimately we end up evaling and executing code that's going to be present in that registry key.

Let me go ahead and clean this. Let's copy the original command to, like, a stage one, I guess we'll call it stage1.js because it is going to be running JavaScript after all. Let's open that up, and I could turn on word wrap to make this a little bit easier for us to see, super duper zoom in here, and let's cut out everything up until executing JavaScript, because we know we are just going to end up running JavaScript in this file, adding new lines after each semicolon, just doing this by hand manually because there isn't a whole lot to do, like that was, what, seven lines. Let's go ahead and save this, maybe a copy of it; we'll call it cleaned stage one, and I guess we can start to rename some of these variables. Let's call this the letter n, not reused anywhere else; u6q is going to be a representation of WScript.Shell, and then we have another random chars, another one for more chars, and then another one for other chars. Super easy. So I was using Ctrl+Alt+H, or excuse me, I used Ctrl+H in Sublime Text to enter find and replace, and then I hit Ctrl+Alt+Enter on my keyboard to find and replace all occurrences, just some nonsense that I use here. Code from registry, oh, that makes it a little bit too big to read. So ultimately, aside from some weird random strings that aren't used whatsoever in this snippet here, we're just grabbing more data being stored in the Windows registry and then executing it with the eval statement. So there could be dangerous stuff going on; it's just a matter of knowing what is in that registry key.

Now if you're doing this in sort of an actual investigation, or just kind of responding and trying to figure out what this might do, or doing the analysis in an environment, right, you could very well be working with an EDR product, endpoint detection and response, or some sort of incident response agent, GRR, right, GRR, I think that's Google Rapid Response, I could be wrong. But oftentimes you might have a utility to be able to look for and search for these in one specific way, where you're running as SYSTEM, you have the ultimate god-like powers. Oftentimes when you're checking out HKCU, or the current user, you run into this problem where you're only going to be able to see the users that might be logged in, because HKCU is not going to be relative to your running account, SYSTEM. I don't know if I explained that in a very good way. Let's grab a Windows virtual machine and kind of show you what I'm feeling here.

I'll fire up regedit, right, for a registry editor, and forgive me, I might have some stuff left over to clean here, but HKEY_CURRENT_USER only refers to your user that you have, you're currently running as, right, current user. There is HKEY_USERS, which you might be able to actually reference and explore different users' current user key, if you knew their SID, or their user identifying number, right, S-1-5, etc. etc., and then a random string here. I don't think GUID is the right word for that, but that identifier, SID, is the right word for that, realistically, for that user. If you were to navigate in HKEY_USERS under that user's SID, you could explore what would be in that user's current user hive and key. The hard part is, if you are running as SYSTEM and you don't have visibility on HKEY_CURRENT_USER, you're relying on this HKEY_USERS hive, but you'll only be able to see things, potentially, if that user is logged in or their user profile has been loaded. What I'm getting at is that I was kind of blind to what was living in HKCU, HKEY_CURRENT_USER, Software, this weird, that weird, and I wasn't going to be able to see what this spooky scary code was doing, what this malware might be trying to execute and run. That was the problem, that was the issue there, is that I didn't have the visibility into HKCU.

Now that I've beaten the dead horse, let's talk about the solution. I tried to do a little bit of research on this, I tried to Google around, you know, as you should. We could get back into Chrome, we could be Googling for, like, "view other users HKCU" or "current user registry hive", and you might be able to see some Super User tricks, and this is exactly what I ended up learning and I would like to bring to you, in case you don't already know this trick. It is literally just manually loading a user's key. "I'm looking for a way to access the registry of another user on the computer so I can copy and work with that. The idea is that I'm trying to get a combo background they don't need. I don't know the other user's password, so I can't log in as them or do a run as." And maybe this is the scenario you might find yourself in, if you're doing that incident response, you're working with some IR agent, and you're in this situation. What you could do is swipe that user's NTUSER.DAT file, and I'm sure you saw that in my current directory there. That's located in the user profile, and that in essence is their HKEY_CURRENT_USER hive. That of course requires you to be admin or SYSTEM and have access to that hive file, but if you're doing memory analysis, if you're doing forensics, maybe you might find that situation.

Let's get back to my Windows VM and I'll show you that kind of in action. I will open up a command prompt here, and I am currently in my user profile; I'll show you that variable super quick, yep, just the current directory, the home directory equivalent in Windows here, and I could run a dir or check to see if NTUSER.DAT really exists in here. I think I need to do, like, a /a to show all files, yeah, there it is, because that is a hidden and system file by default. So dir /a NTUSER.DAT. It could very well be a decently large file, a couple megs, maybe four megabytes, six megabytes; I think the most I've seen is six megabytes so far, but you could swipe this file, grab it, and then start to play with it and work with it.

I could open this up and load it within regedit, kind of like I had just read previously. You can see I actually have done this and I have a little leftover that I feel bad about; I have an "apples" thing that I tried to load in, because if you do this within regedit, if you were to try and click on a hive, go into File, and you'd want to Load Hive, you might have seen a comment in that Super User post that said Load Hive will only be visible and accessible for you if you are in HKEY_USERS or HKEY_CURRENT_USER; I believe it's actually just HKEY_USERS. So now if I were to Load Hive, I could get to where I would have stored that NTUSER.DAT file. I'll open that up, and it looks like it already has been loaded, which makes sense because it's in that apples thing here. I don't know if I can unload that; I tried to delete it, but it was like, no, I don't want to do it. Oh, Unload Hive, yeah, do that, thanks. Okay, now back to HKEY_USERS, Load Hive, let's pull in that NTUSER.DAT file, and it'll ask for a name, or, like, just a nickname that you want to refer to this hive as within your local registry editor. It's not the actual name of something on the actual machine; it's just your local testing copy, so you could say, I literally called it apples, you could call it whatever, we could call it "please subscribe". I'll call it test, just nice and easy, and it will load in, and then you could navigate and look around it. I'm not gonna end up showcasing this in all its entirety because of confidentiality reasons, right, but I think this gives us a little bit more runway, because we could work with this. The hard part is that if we're viewing this in the registry, there could very well be a lot of locations and lots of huge ginormous chunks of code and payloads and data that we can't readily copy out of regedit, like, by hand. You could, right, you could do it manually, but it might just suck. So let's automate it in a different way, or try to get it so we could copy and paste things out in a sane way.

To do that, that brought me to this next conversation, and now brought me to this next talking point, where if we have this NTUSER.DAT file, how can we carve out all the data and information in a way we could use it on Linux, right? Because I was in Windows, but I really want to do my analysis in Linux because I'm a Linux guy. So you could be Googling around for "registry extract tool command line" or things like that, trying to look for things. Obviously RegRipper is a great discussion and talking point; maybe RegRipper would work really well for us. I think one that I wanted to get into was trying to do stuff with Python, because maybe I'd want to automate this or do more with it in the future. So I would Google around for registry extract tool, how about Python: pure Python parser for Windows registry hives, registry extraction, winreg. There's plenty of these. The one that I stumbled across was regipy, and I think I really liked that one. If you'd like, totally feel free to explore a couple of these; this looks actually really, really similar to the same sort of syntax that I had seen in regipy, but totally Google around, totally explore, maybe see what they offer you or what they don't offer you, but I would encourage you to explore if you wanted to.

Let's dive into regipy though, because regipy would work really well for me, and that's the one that I'd played with thus far. You can install it super easy, pip install regipy, and it is a Python library for parsing offline registry hives, exactly what we need right here. You can use it as a Python library if you'd like, or you could use some command line tools. You can dump an entire registry hive to JSON, and I'll show you that. Let's see, if I were to pip3 install regipy, I already have it installed, but you could run that command to get your hands on it yourself if you'd like to, and then you should have a couple new commands in the command line, right; they're not strictly all called regipy. If I were to try and run regipy on its own, it's like, uh, I don't know what that is, sorry dude. But if I tab complete, just hit tab a little bit, it'll offer some examples for me, or some options I could use: registry diff, a registry dump, or list plugins, or parse header, or all these things, and you could see these are a bit more defined in the regipy GitHub and the documentation there: installation, discussion, the command line tools. You can parse headers and see some nice tabular output, or you can dump an entire hive to the disk. This might take a little bit of time, and that's what I was originally doing, right, I could just run registry dump, registry dump on that NTUSER.DAT file. Now I'm not gonna do that, because again I don't want that all to be displayed out on screen; maybe I could just snuff it and move it to, like, /dev/null or something, but that would literally, as the description in the README had explained, take a long time, because it's dumping out everything in a JSON format. Maybe you just want to specifically narrow down to the registry key that you were looking at, our HKCU\Software etc. etc. Now that we could dive into HKCU with NTUSER.DAT, we could reach this, we could access the data that's there.

Let me pull that out using regipy as a library, kind of as it suggested, in Python syntax. You can see it offers a lot of this here; you could initiate the RegistryHive object, from regipy.registry import RegistryHive, and grab all this. I could copy and paste that, but I know that I would get scolded from the YouTube comment trolls. I don't know, I honestly don't think I even would; I'm just making that up as an excuse for me to type it and feel better about myself. But RegistryHive, let's do a ./ on our NTUSER.DAT, does that have, no it doesn't, it doesn't have .DAT in capital letters. So they literally use this exact example as well, if you check it out; they're using an NTUSER.DAT file that's loaded in, and you could iterate recursively over the entire hive, or maybe we could do some neat stuff. You can see the syntax here: with a reg object created, we can get a key, or get subkeys and iterate through subkeys. So let me do that. Let me go ahead and reg.get_key, we'll use Software, and just for a sanity check, let's just print this out on the screen to see that it works and runs for us. I'm using Ctrl+B in Sublime Text to be able to run that kind of on the fly. Looks like it does return an object for me, so I know that that had succeeded, it got something. But now let's try and get a subkey of this thing, rnvttqbrn, that really weird subkey there. We know we're going to be working in HKCU to begin with; it is that hive specifically, so we could just use Software as part of the path to retrieve that. Let me make that a separate screen that you can see. Yeah, so as we get Software, now we'll get the subkey rni etc., and let's display that out on screen. We've retrieved that object, nice and easy, and now we could get a specific value that should be that thing. Let's get value, that looked like, I think, some syntax we could use here: get the values of a key, scrolling over to the right here, yeah, you could get_values, plural, or can we just get a singular value, get_value, that guy, and let's display that out on the screen. Okay, so see, exactly, that is why I didn't want to do this in regedit, purely because there could be a crap ton of data and lots of stuff that you wouldn't easily be able to copy and paste out of that graphical user interface. I am going to get_values just as the documentation had suggested, and let's see what else is in here. What looks like base64, right, what looks like random characters that don't make sense, but this is obviously a lot more data; you can see my vertical scroll bar over on the right here, there's a lot of stuff. So we have this experiment.py script now to be able to carve out data. Let's try and get the value that we just saw previously. Before I do that, I suppose let's grab all of the values and then run it. There's that all. Let's redirect that to, like, an output.log file, just so we have it, and then we can use this utility as a little bit more of a scalpel to get the value for specific registry values. It looks like all of this is literally just returning the value itself though, right? Yes, okay, so I'm not seeing any other tags like the name or the timestamp or the registry type, etc. All of this is just the reg value that we want to see. With that said, we have this pulled out and extracted for us, so now that we're over 20 minutes into the video and we've covered enough of the background here, laid the foundation to be able to extract out the data that this malware might even use, now we can get into the analysis and we'll see where we go. I haven't gone down this road yet, so this is uncharted territory for me; if I fail more than usual, please forgive me.

We'll call that stage2.js, if I could type, and stage two is going to still have some of the variables that were present in stage one. So we defined letter n and random characters as things that were kind of loaded before we run this eval statement, even more characters, so we should take their original variable name and see if they're used or referenced in this next stage. Before we do that, let's word wrap all this, and let's try to automate cleaning this up. I'll use a find and replace yet again to replace any colon or semicolon, to indicate the end of the line or end of a command, with a new line character, right. So now we can see we have a couple other variables set as strings of randomness. This looks like base64, but I don't exactly trust it; I don't know if this other variable is even going to be used anywhere else in the script. We have this giant chunk of data, seriously, this is a huge chunk of data, maybe we could just ignore it for the moment as we kind of continue on and see what else this code does. Looks like we define lots of other randomness, an empty string, and then we start a for loop, which it looks like I broke while I was trying to use the semicolon find and replace. I don't see a curly brace following this for loop, so I think it's just going to end up running one command. We could go ahead and just add a new line for that so that's displayed and visible, and then another chunk of defining other random strings, yet another new line character, or, sorry, empty string, and then another for loop, and this one actually does have a curly brace, so it looks like there's going to end up being multiple lines of code in this. We start to work with things; looks like we do an XOR, have another semicolon, and we add stuff to it, okay, okay, and then we eventually eval that new payload. Okay, so we've hidden something else in here, but all of these random strings, these variables, are not used. So let's, we should realistically name this to a cleaned stage two. I seriously don't think we're gonna end up using these, so we could basically base64 decode the data, like, if we wanted to, but it's not gonna be anything worthwhile. Like, I really have the hunch this is just a rabbit hole. Yeah, completely garbage data, none of these are used, so probably just trying to make noise, add to the problem, and see if we can hide from antivirus or automated detection, stuff like that. But we could nerf some of that out. We are using new line, or empty strings, though, to add in different syntax, and I actually think that this is used, that has a longer length than others, and you can see as I click on it, it is highlighting other variables here, so something, this looks like it's being used as maybe an XOR key, is kind of in the mix here. But all this other stuff, nonsense, complete garbage, kind of a waste of time there. With that said, we should grab the original variables that were defined here, this guy being the letter n; do you think that's even going to be used, though? No. Maybe those other ones will be used later, we don't know, but we can keep track of those variables that were defined previously and used. Let's set that up, actually, u6q. Realistically we should take this whole payload, I gotta be honest, and then we can try and cut this up on our own. The RegRead, though, I don't think we'll need, but it might be worthwhile to use and keep track of.

So with that said, let's go ahead and work with this thing. Looks like it's doing some XOR, and this is of course JavaScript, which means we can just let Node run this, force execute this for us. We could just let this run without letting the eval statement detonate or execute the next layer of code, the next stage here. So let's take a, I guess, testing stage two, and rather than eval, let's go ahead and console.log this final variable that's displayed out here. I don't think there's anything else that's malicious here. Okay, no, no, this eval is still present. We also wouldn't be able to execute that new ActiveXObject or run this RegRead, because I'm running on Linux and Node.js won't know what to do with that; those are specific to JScript and Windows. I think this is totally set to be run with Node, so we have this testing stage two now, and let's try and run it, now that we've declawed the thing and defanged the thing to not execute things with eval. I just want to see what the next layer of code would be that's going to end up being passed to eval. We got something. Oh, I see some PowerShell usage in here, whoa, we're going everywhere. All right, let's redirect this to a .js, and let's open that up and see what we're up against. Word wrap yet again, let's try to clear out the semicolons, some new random variables, and oh boy, this does not look fun at all. Oh, actually, wait a second, you know what, maybe this isn't all that bad. More random strings, we try to move the window, we try to resize it, we get a new ActiveXObject being WScript.Shell, and we grab the Environment, Process, an environment variable, is that what that does, Process? Wait a second, oelcxx, is that something that's present in the registry, or in the process that we would have seen? Let's open up that log file that we had. Oh god, this is horrendous. The oelcxxh is not present in what we would have seen in the registry, but it looks like it's just being set to PowerShell syntax and trying to execute some big base64 code. We would have to go ahead and remove, once that is run, we go ahead and run C:\Windows PowerShell, powershell, IEX the environment variable, okay. So it's just setting up some abstraction to hide this code and not store it on the file system. That's actually very clever; I think that's kind of a neat trick in the whole fileless malware buzzword, right? We have not written to disk other than that simple, well, excuse me, we sort of have, between the original autorun LNK file and of course the registry thing that we were able to retrieve from the file system with NTUSER.DAT, but this actual malicious payload, nah dude, it's tucked away, it's hidden.

So we've got PowerShell code here now. We're gonna IEX and execute this, Text.Encoding ASCII GetString FromBase64, all of that, and then we go ahead and execute it with IEX. With that said, we know that this is new PowerShell code to run, so let's call that, I guess, stage3a.ps1, and let's make sure word wrap is on. We don't have an eval statement or an IEX or Invoke-Expression here, but we are going to end up displaying this code out, so how many parentheses are gonna be in there? Two, it looks like, no, three, three. So let's tack in those three and let's see if this will run with a closing single quote, just like they have it. Sorry, my face was probably in the way, I was looking at how they ended this. So once again we could just use PowerShell to run stage3a.ps1, and I don't know if that will output anything on its own. It did, that it did, okay. So we're doing more weird stuff. Let's redirect that to stage4.ps1, because now we've shifted to PowerShell and we got a new layer of code here, and this looks awful, but has a lot of random comments. We sleep for 15 seconds and then we try to define a couple of functions. Now all of these function names, I don't know if you can see them, gDelegate and gProc, these look like boilerplate structures, building out the functionality to be able to run Win32 API functions, where we could try and get a delegate, get a type, get a process, and do weird things, and oh, maybe we'll execute shellcode. Oh, some of this looks broken. No, we have gProc to GetProcAddress, yep, that's literally the command, it's literally the Win32 function that we're running, trying to get a procedure. GetDelegate would return the types for us, and all of these bytes look like shellcode, sc, sc32; all of this here is shellcode that would be executed. Looks like we try to GetDelegateForFunctionPointer to find the proc address, gProc for VirtualAlloc, so we can allocate memory, and then we use GetDelegateForFunctionPointer, memset, so we can make sure that that is going to be writable and executable and all that, and then we try and CreateThread to execute code after we copy all of the shellcode into that allocated memory address. Spooky. Oh no, no, that, the for loop is just for the memset, and then we try and catch and exit. So we have shellcode, except some of it is broken, with some weird representation, and that really bums me out. It's not null bytes, it's just weird stuff. Is that something that PowerShell, like, knows how to handle? Can I get into PowerShell super quick? Let me change the profile so it looks like I'm in PowerShell, and you know it. No, if I define these bytes, will it kind of know what I mean? I just took the first line of bytes because it looks like that does include this bk and kj broken one. I truthfully just don't know what I'm looking at right now. Will that work regardless? I mean, it might, it might do it: 0x8b, that's the one, 3, 9, and what would have been, so 5, 7 is 87, 5, 6 is 86, 5, 3 is 83, and what would have been kj, and that weirdness is, wait a second, are those PowerShell comments? Am I just stupid? I'm pretty sure I'm just stupid. These are comments. You guys are probably screaming at me the entire time, "you stupid idiot John".

Okay, so we have shellcode and now we want to know what it does. To try and figure out what this does, we could write a shellcode file on our own, and then just have, like, speakeasy try it. Let's try and get back to Sublime. Let's create a shellcode saver .py file, I guess. Let's slap all this in here and let's remove anything within the stupid PowerShell comments, so those all get nerfed out. Okay, and then we can, I think, simply make this a byte array in Python, /usr/bin/env python3, so that was shellcode 32. Let's try and import sys; so in Python 3 I could sys.stdout.buffer.write to display that out onto the screen, and maybe we could redirect it or save it. Realistically we could just do it with open sc32, 'wb', write in bytes mode, as fp for file pointer, fp.write what would be called sc32. Maybe, maybe, let's try and run this real quick. Finished. So now I have this sc32 file, and it is supposedly data, but we know that it is shellcode doing weird stuff. In fact you can actually see a LoadLibrary, I don't know if you can see, LoadLibrary, GetProcAddress, VirtualAlloc, so there's some spookiness in there. Maybe we could actually see what this is doing with speakeasy. I have to remind myself on the syntax for speakeasy just about every time I use it, so if you haven't heard of speakeasy before, I don't know if I've showcased it in a video, I feel like I might have at this point, but it's a portable, modular binary emulator designed to emulate Windows kernel and user mode malware. Instead of attempting to perform dynamic analysis using an entire virtualized operating system, we'll just emulate specific components of Windows and let you kind of see and figure out what shellcode might be doing. You could play with it and do neat stuff in Python, and realistically we should do that, since we just did some fun things in regipy. But if we were to emulate Windows 32 shellcode: python3 run_speakeasy, -t for the shellcode binary, -r, and then -a to specify the architecture as x86. Let's try it. We have it under /opt, run_speakeasy; let's go ahead and python3 that, and the syntax was -t to specify the target, which should be our shellcode 32, and -r, and then -a and x86 for the architecture. Will this give me anything cool? I hope. No. 3.7? I don't even have that. 2.8? No. 3.9. Maybe we could play with that a little bit more. I know we're about 40 minutes into the video, and I am distracted with other things kind of beckoning my need, so I'm pausing recording for now, hopefully to play with it for just a little bit more, and then I'll try to clear things back up and hopefully get more luck with running speakeasy. Hope to get back to you in just a little bit.

Hi, hello. If you can't tell by the change of shirt, change of lighting, change of me, it's been a day, it's been two days actually, and I got pulled away from working on this, trying to record it, because I had to do some other obligations, and now at this point I really want to offer some closure, because I did tinker with it, I did play with it just a little bit more, and I wanted to include that in the rest of this video here. So please forgive me for the time travel, but let me show you really what else I kind of got started with and was tinkering with here, with the rest of that, and trying to get speakeasy to play nicely. Gotta be honest, I never did end up getting speakeasy to work with our shellcode. So remember we had this sc32 file; it is just data, because it is of course shellcode that would be executed and kind of interpreted, or really run and executed on the fly, but when we tried to run it with speakeasy we were getting a lot of errors. Now, you could open this up in Ghidra, you could mess with
this i try to finagle it and speak easy and uh i was thinking you know okay cool uh truthfully let's just try and do what every individual might if they're stuck in a bind then i would recommend this to folks uh ask for help check in with your friends check in with other researchers check in with other nerds and other geeks so i will uh in full transparency showcase a conversation that i had um with caleb a good friend of mine fellow geek fellow nerd a lot of folks that might watch this channel and watch some of the stuff that i do already know the individual we do a lot of projects together he's a very very close in real life irl friend but let me show you what we were doing because he is a genius much much smarter than me and i will be completely honest you have to go ahead and really respect folks that are doing they're some great stuff and they have their own technical prowess and their own skill sets and competencies not everyone especially myself is gonna be good at everything so i thought hey caleb do you think you might have anything to offer in this regard i messaged him like hey have you used speakeasy before he's like no i haven't but it looks super cool and i said it's really nice when it works i've seen it do incredible stuff i just like dump interpreter information and show what it's calling back and use the win32 api call functions etc sometimes i get an error though and it doesn't work and i don't exactly know what i'm doing so i was like hey if you aren't busy i gotta ask i have this shell code that's defined in powershell but it dies when i try to use it with speakeasy and i included a screenshot there and he's like oh cool all right hey let me play with it just give me a moment and then he used this bash to uh remove all the comments and get the shell code out of it a really cool one-liner same thing that he used to do he's he loves those uh one-liners right and i said hey just checking strings this thing likely reads from a registry key maybe 
the invalid read that i keep saying comes from just not having an emulated windows registry to pull things from and then i see oh he uses on hex which looks like a tool present in actually pwn tools let me showcase that if i were to use unhex on right now it's just going to give me an input prompt but if i hit control c you can see that it dies uh trying to use python's phone lib and pawn tools so that's gotta be that's gotta be prone tools that's pretty slick probably the same as like xxd attack r attack p uh to unhexify something or decode it from the hex representation base 16. slick if you didn't know it good handy stuff he says uh their docker file seems to be broken so i guess i'll mess with it i didn't have any issues trying to load up their docker file if you wanted to you can move into speak easy and then you'll notice that there is a docker file present uh you can docker build tac t um whatever you'd like to call this speakeasy and then a period for the current directory and then you could docker run it and work with it um but whatever he tried to work with it just kind of installed on his own system like i had been doing previously it says that when it dies it seems to be searching for a string in memory uh 64616 f4c which is load maybe it's trying to find load library already loaded into memory somewhere now i mentioned that i was getting started looking at strings here so you can run strings if you're leaked obviously you know strings is the most overpowered uh tool here uh and it shows some interesting things and i i will go on a tangent for a little bit if that's totally okay looking at this because just kind of as caleb noticed and i was kind of referring to we could see segments of some strings that could be executed load library get proc address virtual alec and exit process kind of chunked up so those are peculiar and interesting to me because obviously it's going to very likely do more things with more shell code or executing something new i 
have to think i also see a reg open and then a potential reg key or query value um odd and weird right but down below i noticed that same registry key or sort of hive location we were looking at previously run iv ttq brn and this lpmf was some value that we saw in the registry file uh i think i saved that in output.log right yeah so forgive me i know this is disgusting to look at but check out that value lpmf and the value that is included here is all of this absolutely nonsense disgusting stuff so maybe that's more shell code it looks like it's encoded in some weird way it's not all real bytes it's not an mz header to kind of act as another pe or portable executable or windows.exe or dll so i thought well okay maybe this is something maybe that's shell code but i don't know if i try to carve that out would it actually be more shellcode that i could potentially work with speakeasy or in ghidra um with all that said i was looking at these strings here and i thought it's odd that they're kind of separated and chunked up with different delimiters or different pieces surrounding them obviously it's not the full line load library so i thought let me just kind of poke at this thing with a hex editor i'll use hex edit sc32 and then over on the right hand side you can see the ascii representation of some of these fragmented portions right library get proc uh i think my face is in the wafer just that one yeah address virtual lock etc etc so scrolling through this just trying to see if there was anything else weird in here i saw this one peculiar thing and of course my face is absolutely in the way so let me uh show you how we could view that otherwise yeah i think strings el 32 does it yeah that's it so strings tac el makes it take the unicode representation uh let me check out strings the man page here attack e encoding pass in an argument here select the character encoding of the strings that are to be found possible values for encoding are s single 7 bit characters 
that's ascii etc that's the default as we just normally ran strings s b etcetera oh this is it l is 16 bit little endian useful for finding wide character strings so we found that just knowing that magical incantation with strings but realistically we could end up using something like floss to be able to track that down um do i have chrome open i don't think i do so floss github please this is it just like speakeasy this is another fire utility it is the uh obfuscated string solver basically strings but just amped up to be able to look for static strings advanced static string analysis trying to find things that might be present on the stack etc um trying to do other things and also finding static utf-16 strings that's what we were so we were just examining so if i were to literally run floss which i have cloned and installed in my op directory floss on sc32 will give us this static unicode string oh and that has an interesting syntax here shell colon colon or colon colon and then kind of arrow keys or the greater than less than symbols waka waka whatever you want to call them a strange syntax here and then an rm so i didn't exactly know what that was but it looked weird enough and unique enough to be something that maybe we could key off of and do some more digging and research because maybe that is one specific telltale that could help us diagnose or really detect what this malware sample is so with that said i'd go back to chrome and i'd try to google that sort of thing and i get some weird stuff trying to find shell gas stations nearby i'll have to be sure to obscure that blur that out um and the other results that it sees here are adb shell rm how to remove file on android using adb make rm move to trash etc um i'm going to assume that rm syntax up here is kind of making stuff weird let's google that again without that uh [Music] and that doesn't get anything worthwhile let's try and remove that rniv portion see if that does anything different no part of me 
thinks the shell thing is going to be cut up so let's try and just add double quotes around that to see if maybe uh like searching for that literal string and i have some weird thing here that returns uh coveter uncovered e white hats has done a deep dive analysis of coveter a click fraud malware that was the number one source of new crimeware infections in may of 2018. so let's go ahead and take a look at what that thing might be looks like it's a pdf to download i want to open this up here and we have coveter uncovered malware teardown maybe the sample that we're looking at is coveter here table of contents that kind of explains this sort of thing overview of covers behavior and then here what we're talking about abstract e white hats is in a deep dive analysis on cover click fraud malware number one source of primary mate 2018. uh copter's file list persistence technique which exploits bugs in the microsoft registry editor to write invisible keys to the registry is also discussed okay so this originally i think had been found by a malicious word document or an embedded visual basic script vba bb application which downloaded malware from a c2 server click fraud malware is this what it will do once it executes probably before diving into technical detail of cloud cover operates the section will explain the overall behavior of the malware we'll walk through all of its behavior from when it first gains execution when it begins click fraud activity comforter uses several clever tricks to achieve fileless persistence on the machine and effects the machine performs a variant of common technique adding a value to the registry key hkey current user software microsoft windows current virtual viewer that must be the actual auto run the lnk file that we had tracked down to like kind of kick start our investigation here uh yeah this caused the two headache suspicious values and registry and the red key are often a red flag and location malware is exposed kubter overcomes 
both of these obstacles by creating a registry value that is invisible to regedit and storing its malware executable in the registry the hidden value in the run key is a short snippet of javascript which is passed to the microsoft html host ace mshta as a command line argument that script decodes the next layer all of which is stored in the registry instead of an executable on disk oh that sounds kind of like what we were looking at the bot sends messages like resp bought ok to further mislead malware researches that must be some communication once it actually has like its full payload unraveled communicating with the command and control server c2 huh okay using chrome to be able to click on other things using a modified version of chrome i'm not extremely interested in this i kind of want to get into how this all kick-starts is this going to end up being the same malware sample that we were looking at oh but the the context strings it references here that looks like we're part of communicating with the c2 it does include that shell syntax that we just saw uh used when a shell 32 shell code 32 or a c32 variable that we just saw loads coveter causes cover to inject itself with into a new process with process hollowing in order of preference the process that we'll use the hosts are reg server 32 explorer and run dll and the process cover is currently running in crazy let's see configuration data in the resource segment uh this must be what the shell code is trying to execute out sc32 i'm assuming it's responsible for parsing the pe resource segment after the data is base64 decoded a 16 byte xor key is pulled down from the data which is used to decode the rest of the buffer as seen in the following algorithm uh xor which would be in the pe file i think if i'm reading that super quickly i don't think i need to dig into all that configuration data and registry this looks like this looks identical to what we would have seen how do we open that thing in registry because 
of these strange variable names the screenshot above showcases an example of culture's registry configuration data the random looking names are the result of a named generation algorithm coveter uses not only for registry names but also for naming files it would write to disk while the names appear random they're actually deterministically generated each value above starts as a clear text seed string that is salted with values from the infected computer such as the computer name the campaign key is also used as a salt in the above screenshot the key containing the rest of its values is iiid this is generated by the function generate unique computer name and is referred to the unique computer name elsewhere in the paper oh that i'm going to assume is is that would that be our lpmf equivalent or where we found this original thing um scrolling around registry values there are some tricks here i didn't see any plain text user agent not gonna lie but this might be a new variant or something i think coveter was doing some jupiter tricks or jupiter was doing some cover tricks i don't exactly remember which one it was but though many ip addresses are stored in the registry and covers resource segment most of the addresses are not legitimate c2 addresses the address of the actual c2 is stored in reg value 32. 
this registry value contains a domain list so the address in this list are stored with the prefix http all communication with the c2 over occur over ssl using port 443 understood hmm let me see what javascript you guys see let me see what you had found to showcase this do you are you not going to show me no well this is a very cool graph here i don't mean to completely scroll right by it but update executable context things runs mshta does all this process hollowing double loader regular pe loader that's crazy that's a very cool uh graph you guys have what else we got file is persistence and this appendix will discuss custer's fileless persistence technique the techniques that allow it to take advantage of weaknesses and registry to create invisible things oh this this screenshot showcases it mshda javascript random value set to random string something set to a new object of wshw script shell and then regreed hkcu software random thing random thing and evaluate that's exactly what we were just seeing large hex string is x or decoded and passed to a second javascript eval function meaningless javascript variables are created and intermixed with the xor decode algorithm we literally saw that exact same thing as well okay stage three base64 string is decoded and passed as an environment variable to powershell which calls iex or invoke expression on it again literally saw that two functions are defined g delegate and g proc exact same these resolve virtual alec allocate a rewrite executable buffer and copy a byte array called sc32 into the and then create thread passes control to buffer and executes it wow again identical to what we're seeing so i think without a doubt we can pretty confidently say look this is coveter um explaining all of this they do reference an lnk file which would be what we had tracked down they also saw a bat file in their case or a specific extension to be able to then run and execute the spooky actual cover payload this is their batch script 
syntax um that wasn't one that we had seen but that it it ends up creating what it sounds like a handler for that specific random file extension the start command uses the default handler of the file extension to run this file but the malware would install a default handler for that file extension and it'll add that in hkeyclassroot um that's not going to be present in our own registry like hive that we got from end to user.dat but i wonder if it is on the host on the target and you can see the javascript syntax with mshta blah blah blah i think i'm beating the dead horse on this i've been doing this for a while but seriously look at how identical all of this is and it is exactly what we were up against this truly is covetour we can see all the same tradecraft techniques and real syntax here i'll scroll through this a little bit more just to see yep yep g delegate sleep for 15 seconds all of the win32 functions of being able to be pulled in sc32 bytes with the comments just as it found and oh this explains it a little bit more powershell script has a large byte array called sc32 the script allocates a buffer of rwx memory uh s32 can be extracted from the script strings like byte intermix array are comments put theirs obfuscation took me a while to realize that thanks once the shellcode blob is extracted to be analyzed with ida gidra or whatever yep show code reads a registry value just as we thought it's a buffer containing the culture pe file encoded with an xor key the key is baked into the data section of sc32 uh so that must do some extort because the data that we saw all this is just too messy not gonna lie that's not something that i think would very easily be able to be pulled out uh at the time cover persist itself a random string no longer than 32 bytes long and at least 16 bytes long is generated covdr is encoded and that string uses xor decoded string 2. 
the key is burned and embedded into sc32 and the encoded cover is written to that registry value cover is loaded in the same address space as the shell code we're still executing in the context of powershell sc32 uses the cover pe loader with the double size allocation so the cover pe and context string can be written as rel excuse me the string shell shell rm and then the unique computer name identifier ncx in their example is used and that must do the process hollowing technique when ginanit sees the shell contact string uses the contact string power and does process hollowing to inject into another process the sleep in powershell script from the third stage that's that 15 second sleep that allows us to see powershell terminate and expire but the power context string causes the process to act as the main culture process that's insane it talks about the invisible registry tricks talks about conventional persistence but using hk current user is a little bit of a trick that's why we were hum jumping over hoops and hurdles with the uh nt user.dat stuff and other things but yeah trying to access some of those who just wouldn't be displayed in the registry if you're looking for the original auto run in the lnk file very slick very cool very spooky good malware tricks and cover i think has a lot of uh tricks up their sleeve all right uh i've been scrolling through this for forever but now that we know that this is coveter we could do some coveter malware analysis uh and maybe do a little bit of other reading and you can see that i've went around and just tried to uncover what else is described here what else is showcase trend micro has some info again this is previous research right back in 2017 um let's see if this explains a little bit more app data app data recovery and that is the end of that article that's not all that helpful i would like a technical analysis uh can i go back to google please malware analysis how about that oh here's one this is a malwarebytes 
blog perch has some good stuff analysis of viper [Music] quick heal that's another pdf cdn hubspot there's a lot that could come from this this is malwarebytes lab cover is a click fraud malware famous and everything that we've already read they work through a couple samples they showcase a lot of this stuff mshca to run powershell etc etc trying to unpack and extract some of the stuff up okay they're using a debugger to analyze these you can see the pe file that we would end up carving out um it breaks for them just as well is it packed or something persistence talks about the invisible run keys you can still see it with auto runs the batch file the persistent file handler that they've set the original mshta one how it would look in registry i'm cruising through this because i want to see some other new particular tricks they or how they might have figured out how to carve out the pe file from the shell code it sounds like that sc32 is position independent shell code content is loaded into a newly allocated memory page and executed a new thread you can see it and they examine it in their debugger every shell code must be self-sufficient and loading all the required imports for this purpose this one uses a trick i scrolled through that sorry what what what did i jump past it yeah uh it uses a trick known from the reflective loader and shell codes generated by metasploit okay at the beginning of the execution it tries to get the handle of kernel 32 to achieve this school it enumerates all the loaded modules calculates checksums of their names and compares them with the hard-coded checksum value ah that it uses checksums to get handles of the functions inside of kernel32.dll with their help it loads other necessary modules and functions i.e adv api i part of me is curious how that might oh yeah yeah because that's how we would need to get the registry open keys and reg query it needs to pull them in from adv api 32.dll uh using the checksum functionality and being 
able to get like a unique identifier for each of those is actually what they showcase and teach in osed the offensive security exploit developer when you're handcrafting and writing your own shell code from scratch you do this exact process you generate um your own position independent shell code with the techniques from the reflective loader that metasplate uses uh kind of a neat thing if you're into that they try to export it they try to get it the value that's stored in the registry in red in the memory and decrypted the encryption key is random newly generated on each one of the installer so it's going to be specific to our own instance of coveter turns out to be pe file that was loaded before and then you could work through and extract it it doesn't explain a little bit more uh because how is it decrypting that how is it showcasing that here's another article i want to get a better feel for how it might extract that pe file from that big registry oh all strings are kept in a structured encrypted form the string is decrypted whenever required and erased from memory after use for string decryption cover uses rc4 that's new intel um because originally i think we were thinking it's xor all encrypted strings are kept in a control section in the following format below is a snippet of an encrypted string structure so they have a separator with fff f ffffffff and then a keyword and a key and another separator maybe we could see that present in our shell code encrypted key or the key is generally three bytes long for each string the key is different the key is used to decrypt the corresponding one and then they analyze some of the network traffic oh and you can see the click fraud here that they use trying to click on advertisements configuration this would be a very cool one to look through just as well on there's a config file you can see all the different potential domains wow wow so um with that said let's kind of go back to what we were discussing with caleb uh 
and i'll pivot back to this he's smarter than me right and he opens this thing up in ghidra and he says looking at this code in ghidra it appears to manually resolve the addresses of load library and other things and then uses them to load adv i api um that makes sense because it said it much with the registry yep we've we've processed that it doesn't get that far though in our speakeasy emulator it fails while trying to dynamically or manually resolve the initial methods it needs and i said look i see all of these library get proc addresses etc etc and it tries to read out this key in registry that lpmf i don't know if that's a binary or not or more shell code and then caleb is still trying to reverse engineer it and work through it he says hey it's getting more readable but it looks like what we're going to end up seeing in that registry key is more shell code maybe and i say well what i see in the registry lpmf doesn't have the usual mz header so it's not a regular pe or windows executable or dll i think it's more shell code it's just humongous he said yeah yeah i wouldn't expect it to loading an actual pe file for memory is not only difficult but also excessive as we come to find out and i think we see it is in fact literally a full full-blown pe file and executable i can see it allocating the space for and loading the data in from one of two registered keys if one fails it tries another but i can't i haven't figured out how it uses it yet and then i said the supposed shell code that was present in lpmf gets nothing out of speakeasy i tried to carve it out is there anything in the shell code that uses it looks like it might use some xor because that's what i was thinking is it encrypted or is encoded quote-unquote encrypted in some way and as we were just doing our own research just now we've come to think okay it could be xor it could be rc4 there are a lot of other random values that are in the registry so i was wondering if any of those are a key when we saw 
some of the smaller ones like let me look for value equals here is the original code that we saw b k q q h y etc but searching for other values there's one s debt which is tiny maybe that's a key tgbu maybe that's a key etc maybe that's a key uh can i set syntax highlighting on this please sort of okay uh now word wrap is gonna blow stuff up but i started to mess with some of these and base64 decode them and try and encrypt or decrypt with xor without as a key didn't really get anywhere uh i'm just a fool not open this thing not opening this thing up in ghidra but whatever i don't i don't care publicly be making a fool of myself caleb says look there's definitely something going on that's doing the xor or some sort of encrypting or decryption but he hasn't gotten through it yet and then i shared with him that covered her white paper that i had found in the moment and he says that sounds like what i'm looking at surprisingly they chose to dynamically link a full executable or pe file at runtime and that's a pain i said it would be cool to try and dig out the xor key and unravel the full pe and he says this is probably the loop that does it but following those memory references backwards would be hell and really annoying it says the key isn't directly in the binary it starts off as range 256 and then it's mutated at run time to produce the final key and i was thinking is it stored in registry kind of as part of the persistence there are those few short strings that might be candidates i'll try to copy and paste that there he says the shellcode appears to dynamically generate the key but i'm not done so one of those might be used as part of the stuff maybe one of those registry keys really is but it generates the initial range at a specific variable and then mutates it with the data in another variable but he can't figure out where that second one is initialized from eventually says hey i found the data but i'm getting an index error when trying to generate the key 
and i was like are you working in python now he's like yeah yeah yeah so this implementation that loop that i'm showing you looks like this in python we could grab the values or variables that he would have situated and this is going to essentially be the same algorithm that coveter would use to to grab or get the key there and decrypt things as needed uh and eventually he's like oh actually i realized my mistake one second i'm good now uh why did you show that window he says did you already have the registry key extracted i'm like yeah yeah yeah yeah uh i pulled it out from reading of the research i'm not sure if it's xor encrypted or rc4 encrypted and i'll go ahead and send you the blob and this is really cool caleb says now that i'm looking at the python code that i wrote i'm pretty sure it's rc4 which is really just a fancy rotating xor so i showed him the code that i had used to carve this out uh this was again using rajapai as we had previously um i grab the lpmf value and then i just write it and i encrypt it as or not encrypted is totally not the right word i encode it as bytes with utf-8 and now i have that binary i think utf-8 is writing coding here what the registry included was a ton of non-ascii characters obviously because it's encrypted with rc4 but i'm not sure if i'm re-representing that data that right and it's like did you get a key and then he just sends me an executable file and the work is done caleb has done it all the genius i says i'm surprised slack let me upload that here i'm surprised defender didn't trigger on that for me in all honesty i say how did you crank out the key he said what i identified as the unknown seed was the rc4 pass phrase what i was reversing was the key generation algorithm for rc4 after i reversed it and rewrote the block in python i realized it was very similar to the rc4 key generation in decryption routines there's a bug somewhere in my accidental code like what he was trying to write so on a hunch i just thought 
Hey, let's throw it into a real RC4 decrypter that has properly implemented this, with the unknown seed value as the key, and it worked. So there he has the key. Now, my home-rolled, bug-riddled RC4 implementation gives us that in his code, but I'm saying: how did you track down that unknown seed value? What was that?

"This is the RC4 key scheduling algorithm. The variable unknown seed, that I obviously named, is a stack local variable, but I cross-referenced it to find where it was assigned and I found the second picture. I had to figure out that the function being called was memcpy, because it's an indirect call to another part of the shellcode which implements a crude memcpy routine. So, putting in and placing shellcode right from there, I knew the key was at key name at that offset and the actual key length was in key name at that offset, which are both memory references into the code blob itself." So he was able to extract those values and then pull things out. Very, very cool, very slick.

"The last part of the shellcode is just doing the dynamic linking required to load a PE file without consulting the kernel. It has the entire PE file itself in memory, so it has to go through and load all of the required DLLs referenced in the PE, resolve the requested functions from those DLLs, and then patch the PE file in memory. In the end it just calls the entry point. This is the same thing that the kernel would do when you call CreateProcess on its own, but they do it manually, so it doesn't create a new process; it just takes over this one, and it isn't logged as a quote-unquote new process." I commented this and it was like, that is exactly process hollowing. That is process hollowing. That's cool, kind of crazy to see that.

"What language did you tell Ghidra the shellcode file is, to open and get a pseudo-decompile display? I tried to pry it open but didn't have it write out the code on the right side." "Yeah, so a couple things. Ghidra won't decompile arbitrary assembly (it is shellcode, right); it decompiles functions. If you loaded the PE file with any x86 language it would show up. If it doesn't show a disassembly immediately, you can just right-click an address that contains an instruction and then tell it to disassemble. That'll give you a disassembly but no functions to decompile. If you know something is a function, right-click on that first address and click Create Function; it'll create a new function there and should kick off the decompilation process. Secondly, because this code is for Windows you need to select the Visual Studio option. If you don't, the calling conventions will be wrong and the function calls will look super weird." It's like, this is super cool, thanks so much for helping me out, dude. I think this is cool, and let's showcase this a little bit. He's like, hey, no problem, this was an interesting rabbit hole.

With that said, I have this stuff that I could show you. Let's try to fire up Ghidra just so I could show you kind of what I was getting at in that last segment there. I know this is becoming an egregiously long video and I apologize for that, but hopefully we'll have some pretty cool stuff in here. I have this sc32 file that I loaded into the project, and if you actually were to load it up without it, it will prompt you for the library, or the language, and you'll have to select, and you'll supply x86 and then, as Caleb mentioned, Visual Studio. Now hopping over to the function segment, or checking out strings which we could see present, clicking on the functions will actually let this, like, being the first one, show a little bit of a decompilation, and then we just kind of have to figure it all out, though, which gets a little bit of a mess. But you could potentially see some of the same processes that we were seeing earlier that Caleb was showcasing, and the hex strings that will represent those fragments of LoadLibrary. When you saw just "Load" or "Libra" or "ary", all those are cut up in their own hexadecimal representation, so it's not stored strictly in the binary. Very cool, very slick. I won't go into that witchcraft at the moment, but let me show you that binary that we have uncovered here.

I tried to chunk things up when I tried to experiment with different keys. I pulled out that encrypted one, and I think I actually got that from experiment.py. I could show you that Python code, still present here. Yeah, I just carved this out with that same syntax you saw earlier, and then, like I mentioned, I was trying to carve out some of the keys on a hunch, hoping that they might be it, but they were not. We do have, however, this lpmf cover.exe, which is an MS-DOS executable, MZ for MS-DOS. Now if I were to again run FLOSS on this sort of thing, let's try and pipe that to less. "Program must be run under Win32" or W32, because it's MS-DOS it does a strange thing. So scrolling through some of these here you can again see pieces to be able to use the Borland compiler. I'm assuming this is going to be a fragment of Delphi. We could open this up in Ghidra if we really wanted to. There are other things that could reference here, and I want to get to some of the unique, interesting ones. Yeah, Delphi, etc. I'm going to keep scrolling until I can find something peculiar for us, because a lot of those bot commands, like the articles that we were reading in the previous research that we were checking out, it looks like you could see those straight bot commands written in, and the user agent actually now baked into the pure original Kovter value or executable. Just again fragments and portions and pieces of it, but enough to give us the telltale and breadcrumb, like, oh, that's like there, you can see the POST requests, GET. I was really hoping we might be able to track down one of the IP addresses, but again that's in registry with the key that we have. Part of me wonders if we would be able to retrieve that now and see what C2 servers that might be using, or I don't know if it's gonna end up being a different key, because it said sometimes the key is different for each thing that it's trying to encrypt or decrypt. Maybe we could get Caleb back in the party with us and see if he can jam and crank out the other one.

But you could see the portions of the previous JavaScript and PowerShell things that we would have seen, how it used to set up its own persistence. Crazy. Putting all these in different registry keys, etc. These are all just fragments again, but let me see if I can find one of those colon-colons to showcase some of the bot commands that it might run and execute with the command and control server. Trying to load kernel32, etc. Oh, fingerprinting Windows Server, different things. I don't mean to delay and badger this thing, I know this might not be all that interesting. Let's kind of see if we can get any indicators of like "power:" or any colons that might help us find something that looks like one of the C2 calls. Connection: close, Content-Length. No, no, maybe I'm not gonna readily see one, and there's a lot in here, so that could be hunting for a while, and again we are just literally looking through strings. Not all that interesting though, so let's bail on that. You can fire that open in Ghidra, you could crack it open.

You'll notice, or remember, when I was chatting with Caleb, Caleb was kind of surprised: "I'm surprised Slack let me see that." I'm also surprised: when I tried to download it, I was working on my host and Windows Defender didn't care. So is this executable itself something that maybe would have some issues here? How does that look in something like VirusTotal? So let's fire up VirusTotal and let's see what we have. If I were to upload, we could upload our shellcode, let's start with that. There's probably no way that would find anything weird, I'm not exactly positive, I really doubt that it would because it's just straight shellcode. Yeah, I don't know. Oh hey, ESET's like, hey, that's Kovter. Nice. He said ESET always gets it, he said it's pretty strong. With that said, I did, just for the sake of curiosity, nice, ESET's the only one that tracked it down. I did try to upload this previously, the Kovter executable, the kilobad, because this has been a few days, right, like I said. So gambit was the only one that uncovered it, but he didn't know strictly that it was Kovter, he just said unsafe AI score. Can I rescan, re-analyze this file, because it's been a few days? Right now VirusTotal might have passed it to other vendors, because VirusTotal has to do that. We're one to the 37, one out of 57, one of the 58, I don't know. Surprised that ESET finds the loader but doesn't seem to track down this MS-DOS file on its own. So no, still, now a couple days later, with one occurrence out of 60. Defender let the thing cruise right on by, so I never want to execute that, but I don't know, I don't know. Obviously all of this is just an exploratory thing. I don't mean to speak with any certainty, but it's been kind of fun to explore and dig into this thing. Kovter was very, very fun to walk through, from that initial persistence carving through mshta to JavaScript and then PowerShell to looking at the shellcode. It looks like it has kind of carried itself around in different ways, between macros that are being used to infect other machines, or phishing emails, right, of course, VBA scripts, etc. There's been a lot of cool research on this, and Kovter's been doing some weird, peculiar stuff even back at 2017, 2018.

I would encourage you, if you're interested, go do some of that research, go explore, go look around, see what you're interested in, but there's a lot of good stuff out here. So yeah, that's it. I am poured out at this point, I've been talking for a long, long time, and I hope this has been, I know it's been a crazy long video, but I hope there's been some cool, good learning lessons in that. So thank you so, so much for watching, everybody. Thank you for putting up with the time travel between the few days ago when I started recording this and now, and I'm trying to finish it up. The editing might look weird, maybe my enthusiasm and energy's different, I don't even know, but thank you again, and again please do those YouTube algorithm things: if you could like the video, leave a comment and subscribe, it would be super duper grateful. Hey, I am trying to boost up my Twitch account, I'm starting to stream these days very, very late at night, probably like midnight Eastern time, that might, depending on your time zone, help you out depending on what time, but trying to do it. Also trying to amp up Twitter, trying to amp up all the socials, would love if you'd be willing to come hang out and track me down on those platforms. Hey, I'm gonna include a shout-out in this video for the Snyk capture the flag and conference coming up in October, you should absolutely go play, please do it, and I'll see you there, and I'll see you in the next video, everybody. Thanks so much for watching, I love you, I'll see you later.
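A correct RC4 decrypter of the kind Caleb switched to, with the key and key length read out of the code blob at fixed offsets as described in the key-scheduling segment above. This is an added example, not the video's or Caleb's code; the blob layout and the offsets (KEYLEN_OFF, KEY_OFF, PAYLOAD_OFF) are constructed placeholders, not the sample's real values.

```python
# Added example: standard RC4 (KSA + PRGA) plus a helper that extracts the
# key from a self-carrying blob. Offsets below are constructed, not the sample's.
from typing import Iterator

def rc4_ksa(key: bytes) -> list[int]:
    """Key-scheduling algorithm: permute S[0..255] using the key bytes."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s

def rc4_prga(s: list[int]) -> Iterator[int]:
    """Pseudo-random generation: yield one keystream byte per step."""
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_prga(rc4_ksa(key))))

# Constructed layout: one-byte key length, then the key, then the RC4-encrypted
# payload, each at a fixed offset inside the blob (filler stands in for code).
KEYLEN_OFF, KEY_OFF, PAYLOAD_OFF = 4, 8, 24

def build_blob(key: bytes, payload: bytes) -> bytes:
    """Assemble a test blob that carries its own key (constructed sample)."""
    if KEY_OFF + len(key) > PAYLOAD_OFF:
        raise ValueError("key does not fit before the payload")
    blob = bytearray(b"\x90" * PAYLOAD_OFF)
    blob[KEYLEN_OFF] = len(key)
    blob[KEY_OFF:KEY_OFF + len(key)] = key
    return bytes(blob) + rc4_crypt(key, payload)

def decrypt_embedded(blob: bytes) -> bytes:
    """Read key length and key from the blob, then decrypt the payload."""
    key_len = blob[KEYLEN_OFF]
    key = blob[KEY_OFF:KEY_OFF + key_len]
    return rc4_crypt(key, blob[PAYLOAD_OFF:])

if __name__ == "__main__":
    sample = build_blob(b"Secret", b"MZ\x90\x00 constructed PE header")
    print(decrypt_embedded(sample))
```

The first three assertions below are the published RC4 test vectors, which is the quickest way to tell a home-rolled implementation from a correct one.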
Info
Channel: John Hammond
Views: 121,004
Id: DXlqAH1IV6A
Length: 88min 14sec (5294 seconds)
Published: Tue Sep 07 2021