$2 MILLION DOLLARS STOLEN in Bitcoin/Ethereum - JScript Malware Analysis
5 Apr 2021
136,894 views
If you would like to support the channel and I, check out Kite! Kite is a coding assistant that helps you code faster, on any IDE offer smart completions and documentation. www.kite.com/get-kite/?... (disclaimer, affiliate link)
For more content, subscribe on Twitch! / johnhammond010
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: / johnhammond010
PayPal: paypal.me/johnhammond010
E-mail: johnhammond010@gmail.com
Discord: johnhammond.org/discord
Twitter: / _johnhammond
GitHub: github.com/JohnHammond
Update: Thanks to @Wikidude in comments for pointing this out. The "Mizu" address that I didn't do a good job of digging into is apparently a BTC address. Looking this up, it has over 2.5 MILLION dollars, with transactions in March of 2021. Absolutely crazy. www.blockchain.com/btc/address/1NSrjTotDiuK7S1xMm9yuppq4dr4Uf9saM
It was really awesome!!! It felt like a real movie hacker like stuff 🔥🔥🔥🔥
change the video title for moar clickbait!
We are Big Boi investigators now xD
Holy smokes
Wow.... makes one wonder doesn't it.... all stolen or mined, hmmm...
I just wanted to say. You have inspired me. I have officially enrolled in university again as a mature student finally and will be working towards a bachelors in Cyber security
Same, I didn't know what I wanted to do in life, but John has shown me a path.
@@philipstringer4425 you now know the way
Hell yeah!
I am currently studying cybersecurity too!
@chillytheprogrammer Best field to get into. Lots of money to be made as long as you have the right mindset.
39:05 this is in a language that I do not speak: Proceeds in realtime reading and translation from Italian to English with no issues
The Threat Report PDF at 38:53 was in Italian and yes, it was a report about a similar malware. Italians, let's make ourselves heard :)
Spaghetti code ftw
Impressive how you managed to understand obfuscated italian though
...
Bruh
🤦🏻♂️
So just Italian?
What is being insinuated here? Just curious.
Hey John, the BTC address (Mizu in the sample) that you didn't check properly on blockchain explorer, has received $2.5 Million. Should probably change the title. $2.560.000 looks better xD
Holy shit.
@@_JohnHammond yeah it's 72 BTC at 44,000+ USD each xD
@@salticidae1.618 BTC is up to $56k each right now
Is 13 millions now
This video inspired me to get into ethical hacking. I literally watched over 20 hours of videos about hacking in the last 2 days. I haven't been this excited since I started programming 17 years ago. Just hacked into my Bose soundtouch 😂 Thank you for bringing back the fun and fire in me for computers 😁
This video inspired me to make a bot net that is spreading around the earth and sending millions of dollars to me from "inactive" crypto wallets. 😉 I am almost on the leader board of top 500 humans!
How Tf did you have that
Updates? Was it short-term hype or you stick to it up until now?
Excellent work, watching this helped me realize that this cyber security degree I am finishing up is something that is achievable and interesting. So much of our classes are report driven and it is great to see a real world example of what actual analysis looks like and the progression through it. Thank you!
I know this video is a couple months old, but I'll still say that These videos are much better when you go through the malware for the first time, rather than explaining what you've found previously.
39:08 that is Italian :)
Thanks bro
Scammers these days pose as people who have literally just said in the video they don't know shit about crypto
It was an interesting dig and got spicier with those dollar numbers. Keep up the good work!!
I think this is pretty small compared to ransomware in terms of value and damage. Though it's nice to see a John spambot.
John thank you for the great video, I'm a complete newbie to software development, debug and analysis. I'm able to follow you perfectly, understand most of what is presented and am having a great time!
Great work... love how fluent you are in this. Kudos to you John!
@John Hammond Thankfully I have not. However, I try and stay isolated as best I can. I love the programming and security in the videos.... and am doing some entry level hackme items trying to learn. You're inspiring, thanks!
Sailing Sangha that was a fake account
@@_asidy agreed... but good interactions help the algorithms 😁
Man, I love these vids, you're an absolute genius. I learn a lot.
You rock, John! Thanks for the cool videos and for being such an inspiration to all of us aspiring info-sec pros, and for educating the general public! You're the man!
That clipboard trick is really slick
I love that I found your channel! I want to get into cyber security so watching you go through code and explain things is fascinating! I do have one thing to say... why do you NOT use dark mode on EVERYTHING? It is so much easier on the eyes using Windows' dark theme and any dark theme where sites allow it (like twitter...).
This malware analysis is nothing short of magical
You have no Idea How much i love your videos ❤️
The only thing me and you have in common is that we both speak English good, but man I love your content, style, etc. Thanks for doing this and please keep it up! Subscribed. And I watch until the end.
Yo Johnny!! I've been a fan of yours for the longest bruv! Malware analysis is a neat content twist👌🏽.. Looking forward to more bro. **Side note : PLEASE CREATE YOUR OWN MALWARE, AND UPLOAD A VIDEO EXPLAINING THE CODE AS WELL AS A DEMO USING IT.. PRETTY PLEASE!! 😭😍🔥🙏🏽
Great fun again John. Great work
excellent stuff. Love your content. Keep it up.
Man, I don't understand all of it but now I remind myself that I was supposed to do other stuff and 32 minutes gone like a slap, or wait what does suppose to mean? And yeah, it's really interesting stuff! John, you are a Legend! :D
Great job... I've learned so much... plz continue with this... cya
dude you are doing really cool stuff, keep going!
Excellent video!! Thanks for sharing
great job John fascinating stuff as always
Love em. keep em coming
that pdf was in italian! c: very entertaining video :)
Good Job , John "MALWARE" Hammond , Lovely to See and Hear Your Enthusiasm For Malware Man you Nailed IT.👊👌🤚✌🔥🔥🔥🔥As Usual 🔥🔥🔥🔥👌✌👊👊
pls someone make something that looks like malware but in the end it gives you a youtube link to rickroll (and send this to him, pretending it's crazy malware)
Lol
You know what? You bet! :D
@John Hammond Shut it off, we know you're fake ↑ Real one would have a tick next to his name, as an author of this video highlighted name and updated profile picture...
Love your content, John. I've learned a lot just listening while I work. I have applied a bunch to using Linux and have implemented your techniques starting Hack the Box. Just bought a shirt from ya👍. Keep up the good work. It would be cool if sometime you could make a mini series specifically about writing little tools, but I know your videos often contain python scripts you write on fly (which is really dope btw).
love your videos john keep it up!
Another great video. Keep it up!
57:32 that's batman voice noice
Amazing as always!
many thanks for content, man
God, I learn so much from watching John's videos, it literally takes me 3 days to digest one
I know right it's amazing
39:05 greetings from Italy ❤️
I do not know why this came up in my feed ... I understand absolutely nothing of what I'm watching ... Good work to get a subscriber who has no idea what he is subscribing to. and yes the text is with Google translate ;-)
You know I have searched extensively to see if anyone actually does anything like what you do for this malware/virus/ransomware/etc... No one displays it like you. This information digging explorer style of the software. Most try to show off a tool or explain how you can learn to go do this and how it benefits your career. But no one is doing what you're doing here. I can't get enough of it cuz it is incredibly awesome.
Would have been interesting to see this part @51:45 via Burp suite :)
The amount of good advice and the fact you actually read it and use it is really creating that community vibe... me like it... also, I like it more when you come somewhat unprepared and research this like you usually would; sometimes it feels like you want to make these videos explorations when they are clearly well prepared demonstrations, and that feels more natural to me... and ofc thanks for all the good and spicy insights on how this is done! 👊
0:30 onions aren't spicy, John 🤦♂️
On the POST - the server doesn't have to answer - it could be doing nothing visible to avoid another IOC. Also, for all we know it could have been compromised itself, partially taken down by intelligence or law enforcement, etc.
I would be interested in building something that automatically beautifies. We could use Go and an API call. Thanks for the content.
I think the simplest thing would simply be to rewrite the "eval" function to print instead. it would also be somewhat more secure since it might be called from other places as well.
I love how self-remove is "UnMonk"
Have you deobfuscated a PyArmor-obfuscated script? (Python) A video on that topic would be interesting, thanks!
Microsoft Defender better watch out
Hey John, base64 decoding multiple js comment blocks as one base64 string will certainly not work out. First split up the different /* ... */ blocks and decode them separately.
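To make that comment concrete, here is an added Python helper (my own example, not code from the video, the sample or the commenter) that pulls each `/* ... */` block out of a constructed JavaScript snippet and base64-decodes every block on its own. The snippet and its two payloads are made up for the demonstration; decoding the blocks as one joined string fails because the first block's `=` padding lands in the middle of the combined data.

```python
import base64
import binascii
import re

# Constructed sample (NOT the real malware): two JS comment blocks, each
# carrying its own base64 payload, separated by a line of ordinary code.
SAMPLE_JS = """
/*
aGVsbG8gZnJvbSBibG9jayBvbmU=
*/
var x = 1;
/*
c2Vjb25kIHBheWxvYWQgaGVyZQ==
*/
"""

# Non-greedy match so each comment block is captured separately.
COMMENT_BLOCK = re.compile(r"/\*(.*?)\*/", re.DOTALL)


def extract_comment_blocks(js):
    """Return the inner text of every /* ... */ block, in source order."""
    return [m.group(1) for m in COMMENT_BLOCK.finditer(js)]


def decode_block(text):
    """Strip whitespace and strictly base64-decode one block.

    Returns the decoded bytes, or None if the block is not clean base64
    (for example when padding shows up in the middle of the data).
    """
    data = re.sub(r"\s+", "", text)
    try:
        return base64.b64decode(data, validate=True)
    except binascii.Error:
        return None


def decode_blocks_separately(js):
    """Decode each comment block independently (the approach that works)."""
    return [decode_block(block) for block in extract_comment_blocks(js)]


def decode_blocks_joined(js):
    """Concatenate all blocks first, then decode (the approach that fails)."""
    return decode_block("".join(extract_comment_blocks(js)))


if __name__ == "__main__":
    for i, payload in enumerate(decode_blocks_separately(SAMPLE_JS), 1):
        print(f"block {i}: {payload!r}")
    print("joined decode:", decode_blocks_joined(SAMPLE_JS))
```

`validate=True` matters here: without it, Python's decoder silently ignores characters after the first complete padding and you would get only the first payload back, which is easy to mistake for "the second stage is empty".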
I have actually used ESET for several years now and it looks good to me; also not expensive. Sure, some things can take it down, but mostly it catches a lot of things.
Thanks 🙏
great video 😉
I have one question: this script changes your clipboard to another BTC/ETH address, right? But do they hope you immediately send BTC after that or something? What happens when you Ctrl+C something else, will it overwrite? I don't get that part.
Is there a Windows policy that will just disable this pattern "Function(string)()"?
As someone who has worked as a Software Developer for 17 years, I am surprised how trivial the malware is. What I like most is how creative it is with the clipboard. Are there common malware patterns?
Malware authors to me are some of the most creative people. I am sure there are many patterns for achieving specific tasks; one I see a lot, and here for example, is to find the Windows Startup folder and copy itself to it. Some of them even go to the extent of making the icon invisible in said folder.
Very Good my teacher 👨🏫
57:11 once you make a cryptocurrency transaction, it's public, everybody can see it.
_laughs in monero_
Thanks John. You really inspired me to sit on my lazy ass and continue watching your videos!
Stage 1: beautified Stage 2: beautified Stage 3: beautified Stage 4: beautifiee Stage 5: BEAUTIFIER
LIGHT MODEEEE AHHHHHHHHH MAKE IT STOPPPPP, and then you beef me for JavaScript.. low blows dude low blows xD Na for real keep it up dude these viddies are great
hey John, i am new to cybersecurity ..just subscribed
Are you Malayali?
@yourfellowhumanbeing2323 No
@3xpl0i79 No
Now what do you consider this kind of code: malware, spyware or adware?
@@3xpl0i79 hehehe
I enjoy your videos because of the not-so-awkward silent moments.
It feels good and sad to see that these guys put so much effort into obfuscating and encrypting the code, and you can just remove the eval function and let the computer decode all of it for you ^^
You're the best, man 🔥❤
Could you try the notpron riddle - see how far you get?
I love how languages over lap -- di comando e controllo
I am surprised only eset detected it
I'm curious what infection vector they use to get this into a victim machine and executed.
From downloading pirated software i suppose.
great video
@John Hammond no 🤣
where do you find these?
I was laughing so hard as it went further and further down the loophole and when it got to stage 6 I was dying
53:51 Has he made a video on the minecraft malware??
I don't even understand it but I still keep watching. I don't know why.
Don't mind me, just keeping up the engagement.
Awesome!
Fantastic
Right has left the chat!
Aw I like watching you deobfuscate code
I have no idea what I just watched. But it was interesting
I am once again asking you to beautify the code
Is wscript enabled by default in win 10?
Is it maybe also a nice idea to build honeypots out of this code to monitor what these malicious actors are doing?
Why did the developer use the "new Function()" syntax in the first layers instead of an eval? Is it an evasion technique?
Solid chance this is the reason why ! Also maybe just to throw off researchers.
What if the maker of this scripts is watching this video xD "oh shiiiiii"
When does this actually trigger? When does it hijack the clipboard?
I've heard of similar malware that has a whole dictionary of addresses bundled with it, and will sub in the one that most closely matches the real one it's replacing. Spooky scary. Always check your addresses thoroughly, not just the last couple of digits!
Was about to comment that whoever made this malware should've done exactly this.
Where can I get the original sample? :(
So the whole script relies on people not checking what they paste when sending money?
Why is there a request to localserver if the video is only about what you said?
It's March 10th 2020
do you have a discord server?
Now if only it was this easy to find their current physical address. I'd go say hello to them, and introduce their backend to a soft viper.
Dang, I can't imagine writing a code like this. I'd die.
Line 220 at 4:51 is a variable but without a name 🤔
Thanks , wonderful walkthrough
Any plan to do the Wreath network? Would love another super long livestream like Throwback going through the whole thing.
Yes ^^^
Dude that box keeps disconnecting. I really hope he does it so the devs can see how bad the box is.
How do they make people download and run this script?
1:15 almost slipped out a BULLSH**