KOVTER Malware Analysis - Fileless Persistence in Registry
2021 ж. 6 Қыр.
331 870 Рет қаралды
You can register now for the Snyk "Fetch The Flag" CTF and SnykCon conference at snyk.co/john ! Come solve some great beginner-friendly challenges -- including some of my own!
For more content, subscribe on Twitch! / johnhammond010
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: / johnhammond010
PayPal: paypal.me/johnhammond010
E-mail: johnhammond010@gmail.com
Discord: johnhammond.org/discord
Twitter: / _johnhammond
GitHub: github.com/JohnHammond
Dude the most valuable point to this video for me, that keeps me watching and wanting more, is that you show your process and explain your reasoning as well as the deductions for each stage. Feels like a master class or high level university lecture, but without the typical boredom or theory.
These videos are very close to what I do everyday for work. I love it!!!
We all underappreciate how good this man is at naming variables.
Let's call it 'please subscribe' 😜
I don't know if he's better at naming variables necessarily, but he's certainly better about picking one and moving on instead of agonizing about a better name.
@@petevenuti7355TT combin b think
John says: "sorry for the long video" Me: " MAKE IT LONGER, I WANT IT!"
Thanks John for hosting this stuff, diving into it, and giving the constant reminder that it's OK to use your brain and nerd out about really complex IT problems.
Malware Analysis is literally my favorite playlist on KZhead. Never watched anything more interesting/entertaining, keep up the awesome work!
Could you suggest more channels that showcase malware analysis
@@FahyGB I'd recommend OALabs, MalwareAnalysisForHedgehogs
Every time you went "this is getting awfully long" or "I know this might not be all that interesting" I was like... Doooooooooooood no this is da stuff. Good one John :)
That was indeed a long video, but also quite interesting to watch how you do this. I keep learning from your videos, thanks for sharing John!
Just wanted to say thank you for the time and effort you put into your content. For a young guy in IT, you’ve made this stuff super accessible, and I can’t wait to attend the upcoming Snyk CTF! You’re a goddamn inspiration John! ❤️
Really appreciate the lengthy videos. This is a fantastic dive and great way to get into your headspace. Very easy to follow your thought process here.
Really appreciate you taking the time to explain the shortcuts here John!
34 mins into the video, and I am just mind blown how deep this embedded code goes... Absolutely amazing job refactoring and de-obfuscating. Some of the best i've ever seen.
This is my new favorite KZhead channel. Can't believe I hadn't come across this sooner. Very competent and thorough analysis and deobfuscation in these videos. Really quality stuff.
Great work, John! Thanks for sharing your experience with the community
You actually taught me a ton. I guess because you are also learning that it makes the process easier for me to grasp? Or maybe because I know everything you are saying now. Years ago I was very clueless but I had never seen the fileless process outlined so simply. A world of gratitude from this girl.
Super interesting video! Being a Linux guy wanting to get into Malware analysis, I always learn a ton from your videos. Thank you! It takes a lot of confidence and skillz to do this (mostly) live while working through the challenge and still looking like the expert that you are. Keep up the great work.
John John John.... I just discovered your channel few days back and I am totally hooked... Your Content is brilliant captivating and very well presented. Thanks for your Obviously incredible hard work that you put into this!
Great video! I love these breakdown videos. Really interesting. It’s crazy how someone developed this.
I am loving these Malware Analysis vids, and all of the knowledge that is poured out in these vids.
I initially mistakenly read the title as "Flawless Persistence in Registry," but after completing the video am thinking that misread title is actually applicable. Snyk is awesome though, and I'm actually happy to see the section near the beginning about it explicitly. I really want to see this field of study gain popularity, because it's still unfortunately relatively overlooked IMO.
Malware analysis is overlooked? Not really, I know dozens of folks that do it. Snyk is decent at the dev stage, and especially for containers, but they’re only 33% of a solution.
@@c1ph3rpunk he’s talking about the KZhead series not the actual act of doing it
As someone with next to no experience in malware and very little in programming in general, i find that you make these super easy to understand and teaches at the same time
Watched the whole thing. Learned a lot. Thank you!
Thank You John. It is a pleasure to watch your videos! I always learn something :)
Will be my first real Con CTF !! Thanks John!
Another great video. Really interesting to see how you approach this.
Thank you, this was awesome. I didn't even notice how long it was.
Love this long form videos, great stuff!
- So how do we call this thing? - Programmers every time: hmm..'test' sounds fitting.
Many thanks mate. Very informative and exciting stuff!
I’ve never seen one of your videos before. This is super interesting, thank you. Subscribed 😁
Yay, i really enjoy your longer videos. :D
This is so, so interesting . I learn a lot from watching you, David Bombal, darknet diaries and network chuck . It’s great to see your process, learn important terminology and techniques as I am at the start of my cybersecurity journey. This is amazing to see how you guys solved this mystery ! Thanks ☺️
Your Vids, especially these investigations, are awesome. Very informative
Amazing work as always!
its like solving a puzzle, didn't expect, id watch the whole video, awesome content also that technical document was so great
Screw YT! Didn’t even get a notification that 3 videos have been uploaded 😒
That trailer feature is really useful, also signing up for that CTF :)
really great man.... time flies while watching your tutorial.....
Good stuff, thanks for the content!
it's been years since i've seen Delphi even mentioned. Back in the late 80's early 90's i used it to write programs to use with Web Compass (note here: web compass back then was a crawler, not malware. It was actually a decent one considering we really didn't have search engines online back then) for my business. Talk about memories.
Awesome content Mr. Hammond!
I love watching this dude videos. Might take a while to get through. Though something about him just makes me want to keep watching and learning.
KOVTER always brings me back, no AV would ever find it, easiest way to find it was do a string search on the reg for ";eval" and just killing every reg entry.
Near certain I have some bot/RAT like featured in this video. I'll have to try digging in registry as no AV has been able to detect anything,,
@@Demoralized88 I too have a very persistent RAT and no idea who to hire how to hire etc. I really wish I was as skilled at this. I find it fascinating.
Y’all need to wipe clean if you have any reason to believe this is true.
@@Demoralized88 Have you done anything since? Found it? Used Malwarebytes or Bitdefender (paid versions)?
@@AnjewTate I tried everything, including brand new drives and known clean W10 ISO USB. It had persistence below the OS level. Still not sure how or what, but I got called a schizo for thinking it. Recently, security researchers are now uncovering UEFI and other FW malware. It started when my home network got attacked, and most people in my apartment complex are affected. We only have one ISP option: COX. This all started around May, and have switched to Chromebooks and Linux on Ethernet until something is figured out. Symptoms of a Miner/Infostealer, but pretty subtle rather than sustained 100% usage. It's been a long saga my dude.
Thank you Sensei 🙏
Watched the whole video thought it was interesting, Thank you for the educational video!
thank u for everything john!!
What a piece of work. KOVTER is amazing as well :)
Enjoying your videos all the way from Kenya
i love this stuff. i give my full attention understand everything john says and does and try to create links but it seems there are nearly endless things to learn. i think reverse engineering is really cool.
John, have you looked into using a beautify extension when working with malicious JavaScript? It saves a lot of time and allows you to dig into the functionality of the code much faster instead of manually removing the minification.
Great vid, thanks!
Wow, I didnt think investigating malware could give same engaged feeling like CSI or other crime shows.... John has talent explaining things with captivating tone of voice.
Hey, too much of that positivity and they will take the effexoff.
I had a mini heart attack when you decided to run the stage 2 JS directly and almost missed the second eval... and my friends call me a risk-taker for clicking links aimlessly, haha. Great video as always, thank you John :)
I was almost screaming at you about that big blob of text looked like hex values, thankfully you figured it out yourself! xD
The Snyk CTF looks very interesting for sure. 👀 Might give it a go!
Great Contents as Always 😍😍😍
This was fun!
Love it!
I really want to get started in this field and help people that are in over their heads like I am currently. I just have no idea what tools and who to pay to help or how to get ahold of them. Is there a list of tools you use or recommend? I read a lot about your exploits on the news and your KZhead channel is proof of prowess. Keep up the good work and any fileless bots or RAT coverage would be a godsend, maybe someday I'll find out what pluages me for about two years now.
I don't understand any of this but it was fascinating following along with the big brains doin big brain stuff. Next level+
I have no idea what I'm watching but i love it.
Wow. Very impressive.
Thank you Mr Hammond this has been very very interesting and also may explain some of the problems I've had in the past with memory usage and registry creep. I'm thinking that I would like to know what kind of registry scanners would locate these types of malware?
I will admin I thought the numbers in the shellcode were ip addresses since they ran up to 255 but not higher. Aside from that I have been thoroughly entertained, seeing this kind of analysis and also the wrap up including Virustotal, bringing it back to the "end user experience" as far as using common ways of checking for vulnerabilties without digging into the code yourself.
GOOD INFO!!
was interesting. thanks
I'm sure you know this but in Sublime Text you can press Ctrl+d with a variable highlighted and it will select the next one in the file. This saves you from doing ctrl+f on every var :)
Malware Finds a New Place to Hide: Graphics Cards
Will definitely check you out on Twitch. I just started streaming there as well. Games for now so I can just chill :P Awesome video as always! Thanks :)
I enjoy your content
John, you are my hero 🥰.
very nice, very crazy - thanks for this nice video :3
thank you
The first time I watched this video, I was so bored that I left before even the deob started. I just watched the hta to powershell video and it, code was also extracted from reg. That's why I was able to push throught the early part because I was fascinated by the same technique used here. :D
The PE file you got from Caleb is corrupted (more specifically the e_lfanew value in the DOS Stub) and cannot run. That value affects how the file type gets parsed. That's why no AV detects it.
Man, I love watching ginger seth rogan. Genuinely getting me addicted to malware analysis.
sometimes when i'm working on a project, i'll just hear hammond's voice "ok then we pipe that to grep" or some other thing that I don't understand and it ends up working
good channel and Rearly good videos John
im gonna signip up too!
Awesome video! Does anyone know the outro music?
The powershell comments! LOL! I was yelling at my monitor. Happens to all of us!
I'm convinced that if you and The Lockpicking Lawyer teamed up, there isn't a single facility on this planet you wouldn't be able to break into.
I love your(blind analysis videos I vas thin on first all videos are first look
I've signed up for the SnykCon and the CTF, should be fun. Can't wait for the video.
i have register for snykcon but how to register for r ctf?
@@ARIFF861 There should be a checkbox you click when signing up for the event.
@@aston3982 only that?
@@ARIFF861 I'm pretty sure that's how but idk tbh.
Thalaiva ❤️
Awesome
38:11 I trusted Sublimetext when it colored them gray :D
I've been watching your videos for quite a while now and I thought you were quite a Malware Analysis genius. Then I saw Caleb's help and contribution to fully analyze that piece of code. He's the genius, finally you're Not THAT good ! I'm joking of course, please forgive me 🤭 Thanks for your great Work, very inspiring ! And thanks John for the hosting and the montage. Ahahah Cheers Mate !
Wow those powershell comments in the shellcode were really sneaky haha! I also thought they were ascii bytes powershell decided to decode and give us like python does sometimes...
Nice John can I give you a tip for the SEO put the title in the first line of your description.
I have been trying to get your terminal theme, I installed zShell and exa but I can't seem to get it to look like yours? Did you install some theme, or have custom colors set in terminator?
Fileless malwares are the most advanced types of dangerous malwares for which each and every antivirus and security software companies needs to give serious attention and improve there detection and removal capabilities and mechanism
Most APT use fileless vectors, a lot of antivirus products have mechanisms such as memory scanning to counteract. Registry scanning is a basic mechanism also. Many products run real-time heuristics to detect malware regardless of how it persists, based on what it is doing. Some processors even employ technology such as Secure Enclave to provide platform level resiliency against malware, but ironically there is malware that can compromise some of these platforms... so viruses that persist in the CPU of some computers.
@@GrumpyGrebo Yes big antivirus companies like Norton, Kaspersky,Bitdefender,Eset, Avast, McAfee,AVG,Sophos,Fortinet needs to focus and give more importance on Zero Day Behavioral Analysis both on cloud and off cloud so that fileless malwares are detected much more efficiently, also daily frequency of virus signature and database updates needs to be more frequent so that detection and removal capabilities can be improved much better
Avast - undetected. Thanks, Avast, now I know you won't protect me against Kovter.
Oh no...a KZheadr with their hands on their head, on a frustrated fashion!!! This MUST be important!
Hey John, would you consider making a video re: the setup that you use to safely acquire and dissect malware files like this? It's something I've always wondered about...
Linux distribution like Kali or Arch running on a VM with no access to the internet and a buffer between your computer and the VM.
Hey John, my ears can't allow me to grasp the correct name of the zsh extension you are using to color the output of `ls`. Which one is it? D:
Great video, thank you! I have one question, though. Is it actually possible to execute this if you're not an administrator? At what point did the code change into an actual malware? I'm guessing GetProc-commands or something isn't something a non-administrative user could run? Also, could you please do something regarding the PrintNightmare vulnerability, pretty please? :) Thank you!
GetProcAddress is a Windows API procedure that is used by any program that wants to call a procedure in a DLL, so that's pretty standard stuff, and doesn't require privileges. I don't think anything this did required administrative privileges. While I'm not actually sure when exactly you'd say that it "caused damage to a computer or network" (which is what malware is), it is certainly though, _bad_, because of the fact that it used your computer to do stuff without you knowing, and without authorisation from you - so that's probably when it "changed." A remote-controlled click-bot is probably a nefarious thing for it to be without your permission!
You da man H
Your malware analysis videos are very interesting!
i just came back to this not knowing i had already watched, damn it
I'm interested in all of it...
I am ***very*** new to programming but you know what I'll nod and act like I understand this But either way still sounds very interesting