PowerShell CRYPTOSTEALER through DNS
j-h.io/snyk || Try Snyk to find vulnerabilities in your own code and applications FOR FREE ➡ j-h.io/snyk
🔥 KZread ALGORITHM ➡ Like, Comment, & Subscribe!
🙏 SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎 FOLLOW ME EVERYWHERE ➡ jh.live/discord ↔ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware
Comments: 73
Powershell is so cool, you never have to worry about installation. Makes it easier
@rodricbr
A year ago
yeah, I've never had much chance to learn PS in depth, but it's really cool
John, you are an amazing Fella who always makes AAA+ quality videos! Huge props to you!! 😊 I really have obtained lots of knowledge from your videos!
Already stopped the same attack thanks for this. Also did the malware analysis of the .ps1 file.
Love this content! Thank you for the analysis as always ❤️
18:35 That looks like someone actually modified the malicious DNS record instead of just removing it XD
@autohmae
A year ago
yes, exactly
Love these videos 😎!!
Sho talented person. translation master and brother.
Great video! Almost went into the rabbit hole together with you :D
@averagejoe404
A year ago
yeah right
love your videos sir
Thanks man!!
That UUID at the top of the script in the registry is probably to change the signature of the script.
Powershell stuff is interesting af
13:01 and I'm here for it
I had this too and not sure where I had gotten it.
How did you get to stage 2? Did I miss something? These ps1 scripts are just reading from registry and getting values. What values are they getting?
@UnfiItered
A year ago
So after the first stage ran, it output a base64 code. He decoded it and it shows a block of code. That code is the second stage.
@3WL2
A year ago
Stop fast forwarding through the video and you won't have to come to the comments to ask dumb questions.
@asbestinuS
A year ago
@@BryanLu0 I see, thank you kind sir.
How are they injecting and running the PowerShell? It feels like we’re missing the initial attack.
@Dakktyrel
A year ago
Phishing or adware would be my initial thoughts.
@UnfiItered
A year ago
Temp files/adware/malware. Unprotect your computer and visit as many fishy websites as you can. Then turn on your protection and watch it pick up a bunch of stuff in your temp folder.
Good stuff here... thanks. What editor is that, please?
@smtp4626
A year ago
sublime text bro
thanks
Great master
coolbase64 package for Sublime would be useful for this kind of stuff since you do a lot of decoding, you can just select and decode in Sublime directly
@TechSY730
A year ago
For a moment there I thought scambot (EDIT: now banned and deleted) was doing a ^this style comment to reaffirm your suggestion. Which very well may be the first and only actually useful thing it did.
aaawesome !!!
uuh, wtf. I found this on a pc two weeks ago, 3 PowerShell files with a name of 4 random characters with the exact same contents. I correctly identified it as a virus and did some research, after deleting it there still remained some other parts which I could not find (I am a noob on this), so wiped everything. Amazing to see a video on it
@NederlandsPersoon
A year ago
I did think of sending it to you, just to see. But did not do it in the end, idk why
Do you ever go live??
Why do they store payloads as byte arrays?
@Sestain
A year ago
Most likely harder to detect since it needs to be put back together
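The two comment threads above describe the staging the video walks through: stage one prints a base64 blob that decodes to more PowerShell, and a later stage rebuilds its payload from a `[byte[]]` array before executing it. The script below is an added analyst-side example (not code from the video, the channel, or any commenter) that peels such stages apart without running anything: it finds base64 runs and byte-array literals, decodes them (detecting the UTF-16LE layout that `-EncodedCommand` uses), and repeats on whatever comes out. The three-stage sample it operates on is constructed here and is not real malware; the names `peel_stages`, `decode_base64_blobs` and `decode_byte_arrays` are this example's own.

```python
"""Peel staged PowerShell payloads (base64 blobs and [byte[]] arrays) offline.

Added example, not from the video or its comments. The sample script is
constructed below; the nesting mirrors what the comments describe:
stage 1 carries a base64 blob, stage 2 rebuilds a byte array and Invoke-Expressions it.
"""
import base64
import binascii
import re

# A base64 run long enough to be a payload rather than an identifier.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# PowerShell byte-array literal such as [byte[]](77,90,144,...)
BYTES_RE = re.compile(r"\[byte\[\]\]\s*\(\s*((?:\d{1,3}\s*,\s*)+\d{1,3})\s*\)", re.I)

# ---- constructed sample (assumption: this is what a staged script looks like) ----
STAGE3 = "Write-Output 'stage three would fetch the TXT record here'"
STAGE2 = (
    "$b = [byte[]](" + ",".join(str(c) for c in STAGE3.encode()) + ")\n"
    "Invoke-Expression ([System.Text.Encoding]::ASCII.GetString($b))"
)
STAGE1 = (
    "# constructed sample, not real malware\n"
    "$enc = '" + base64.b64encode(STAGE2.encode("utf-16le")).decode() + "'\n"
    "powershell.exe -EncodedCommand $enc\n"
)


def bytes_to_text(data: bytes) -> str:
    """UTF-16LE when the odd bytes are mostly NUL (the -EncodedCommand layout),
    otherwise UTF-8 with replacement so binary junk does not abort the run."""
    if len(data) >= 4 and data[1::2].count(0) > len(data) // 4:
        return data.decode("utf-16le", errors="replace")
    return data.decode("utf-8", errors="replace")


def decode_base64_blobs(text: str) -> list:
    """Decode every long base64 run; runs that are not valid base64 are skipped."""
    out = []
    for blob in B64_RE.findall(text):
        try:
            raw = base64.b64decode(blob, validate=True)
        except binascii.Error:
            continue
        out.append(bytes_to_text(raw))
    return out


def decode_byte_arrays(text: str) -> list:
    """Rebuild each [byte[]](...) literal into text, as the script itself would."""
    out = []
    for listing in BYTES_RE.findall(text):
        values = [int(v) for v in re.split(r"\s*,\s*", listing)]
        if all(v < 256 for v in values):
            out.append(bytes_to_text(bytes(values)))
    return out


def peel_stages(script: str, max_depth: int = 5) -> list:
    """Return [stage1, stage2, ...], each decoded out of the one before it.
    max_depth bounds the loop so a self-referencing blob cannot spin forever."""
    stages = [script]
    frontier = [script]
    for _ in range(max_depth):
        nxt = []
        for s in frontier:
            for decoded in decode_base64_blobs(s) + decode_byte_arrays(s):
                if decoded not in stages:
                    stages.append(decoded)
                    nxt.append(decoded)
        if not nxt:
            break
        frontier = nxt
    return stages


if __name__ == "__main__":
    for i, stage in enumerate(peel_stages(STAGE1), 1):
        print(f"--- stage {i} ({len(stage)} chars) ---")
        print(stage)
```

Nothing here executes the decoded text; the point is to read each stage statically, which is also where a registry-stored blob like the one the video shows would go (dump the value to a file and feed that file to `peel_stages`).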
great
3:23 Shouldn't that have been, "to be able to be *run*?"
nice
This is so crazy 😂
More videos also following master
What is crypto jacker
@blackpinkmedia
A year ago
It's JM
@animeworld4775
A year ago
@@blackpinkmedia JM ?
@blackpinkmedia
A year ago
@@animeworld4775 Joe Mama
😅
bro I'm overwhelmed, what programming languages do I need for cybersecurity?
@taureon_
A year ago
what are you attacking?
@imyoubutbetter9951
A year ago
@djr thanks man, appreciate it. Also, what can I do with Java?
One more reason to analyze DNS traffic
@scrpiona
A year ago
how to? any software or tips?
@brylozketrzyn
A year ago
@@scrpiona Suricata + Elastic Security with Machine Learning module. Easiest, but needs ML license. Still a few orders of magnitude more accessible than some popular solutions.
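The thread above asks how to actually analyze DNS traffic for this kind of payload delivery. As an added example (not from the video, the channel, or the commenters, and not Suricata's or Elastic's code), the script below runs a small detector over DNS query logs: it flags a client that issues several queries whose first label is long and high-entropy (an encoded chunk rather than a hostname) and any client that receives an oversized TXT answer. The log lines are constructed here in a shape loosely modelled on Suricata EVE `dns` records; the field names (`src_ip`, `dest_ip`, `dns.rrname`, `dns.rrtype`, `dns.rdata`) and the thresholds are assumptions to adjust for your own sensor.

```python
"""Flag DNS clients whose queries look like payload staging or exfiltration.

Added example, not from the video or its comments. Input lines are
constructed below; field names follow an assumed Suricata-EVE-like shape.
"""
import json
import math
from collections import Counter, defaultdict

# ---- constructed log lines (assumption: EVE-like JSON, one record per line) ----
SAMPLE_EVE = [
    '{"event_type":"dns","src_ip":"10.0.0.5","dns":{"type":"query","rrname":"www.example.com","rrtype":"A"}}',
    '{"event_type":"dns","src_ip":"10.0.0.5","dns":{"type":"query","rrname":"mail.example.com","rrtype":"MX"}}',
    '{"event_type":"flow","src_ip":"10.0.0.5"}',
    '{"event_type":"dns","src_ip":"10.0.0.9","dns":{"type":"query","rrname":"k7q2x9vmz3rt8ydf4bwn1pg6.stage.example.net","rrtype":"TXT"}}',
    '{"event_type":"dns","src_ip":"10.0.0.9","dns":{"type":"query","rrname":"h2f8wqz4nc6yv1xt9rmb3kd7.stage.example.net","rrtype":"TXT"}}',
    '{"event_type":"dns","src_ip":"10.0.0.9","dns":{"type":"query","rrname":"p4nd8xw2vk7mq1zy5tf9rb3c.stage.example.net","rrtype":"TXT"}}',
    # A legitimate TXT lookup: TXT alone must not be enough to flag a host.
    '{"event_type":"dns","src_ip":"10.0.0.9","dns":{"type":"query","rrname":"_dmarc.example.com","rrtype":"TXT"}}',
    # An answer record: src_ip is the resolver, the client is dest_ip.
    '{"event_type":"dns","src_ip":"192.0.2.53","dest_ip":"10.0.0.9","dns":{"type":"answer",'
    '"rrname":"p4nd8xw2vk7mq1zy5tf9rb3c.stage.example.net","rrtype":"TXT","rdata":"' + "QUJD" * 70 + '"}}',
]


def shannon_entropy(s: str) -> float:
    """Bits per character; hostnames sit well below encoded chunks."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_encoded(label: str, min_len: int = 16, min_entropy: float = 3.5) -> bool:
    """A first label that is long and near-random is a chunk, not a host name."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def parse_dns_events(lines) -> list:
    """Keep only dns records; attribute answers to the client (dest_ip)."""
    events = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") != "dns":
            continue
        dns = rec.get("dns", {})
        client = rec.get("dest_ip") if dns.get("type") == "answer" else rec.get("src_ip")
        events.append({
            "client": client,
            "type": dns.get("type"),
            "rrname": dns.get("rrname", ""),
            "rrtype": dns.get("rrtype", ""),
            "rdata": dns.get("rdata", ""),
        })
    return events


def flag_hosts(events, min_suspicious: int = 2, max_txt_rdata: int = 200) -> dict:
    """Per-client summary, returning only clients that cross a threshold."""
    per_host = defaultdict(lambda: {"txt_queries": 0, "suspicious_queries": 0,
                                    "large_txt_answers": 0, "examples": []})
    for ev in events:
        h = per_host[ev["client"]]
        first_label = ev["rrname"].split(".")[0]
        if ev["type"] == "query":
            if ev["rrtype"] == "TXT":
                h["txt_queries"] += 1
            if looks_encoded(first_label):
                h["suspicious_queries"] += 1
                h["examples"].append(ev["rrname"])
        elif ev["type"] == "answer" and ev["rrtype"] == "TXT" and len(ev["rdata"]) > max_txt_rdata:
            h["large_txt_answers"] += 1
            h["examples"].append(ev["rrname"])
    return {ip: s for ip, s in per_host.items()
            if s["suspicious_queries"] >= min_suspicious or s["large_txt_answers"] > 0}


if __name__ == "__main__":
    for ip, summary in flag_hosts(parse_dns_events(SAMPLE_EVE)).items():
        print(ip, json.dumps(summary, indent=2))
```

The `_dmarc` line is there on purpose: TXT queries are normal for mail checks, so the detector keys on encoded-looking labels and answer size rather than on the record type alone. The same per-client aggregation is what an ML-backed stack would learn implicitly; running it by hand shows which of the thresholds matter on your own data.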
Ingress/egress by DNS is so brutally annoying!
Mind-blowing how these files brutally murder PowerShell. Even if you think about creating a file that doesn't make sense, to help disguise the malware, these scripts are terrible.
@DiSiBijo
A year ago
huh?
@keylanoslokj1806
A year ago
He tripped?
@ancestrall794
A year ago
I think he meant that the person who wrote the powershell script did a really poor obfuscation job
Lol holy 20 secs early
Second view including him!!!
Wat
One 🕐 login all
third
They tell me to keep commenting on your videos to get more subs. So, do I need an auto comment bot or something? 🤔
I am in Sri Lanka. Fifteen years old.
@dannyuwu3741
A year ago
You will one day be very powerful
@techjack1848
A year ago
Nice!
@hackvlix
A year ago
Yeah!
@Redstoneprojrjr
A year ago
Grape! You will be good.
Codo details (echo Iymjmjimy) creation of the code different
So experience tools and codo nt mes tycopo mistake never to give up open tool hydel.
Omg i was like 1000 🥹 thank you, John. Amazing content as usual
The guys that saved everyone from becoming victims. GG