The King Of Malware is Back
Help the channel grow with a Like, Comment, & Subscribe!
❤️ Support ➡ j-h.io/patreon ↔ j-h.io/paypal ↔ j-h.io/buymeacoffee
Check out the affiliates below for more free or discounted learning!
🖥️ Zero-Point Security ➡ Certified Red Team Operator j-h.io/crto
💻Zero-Point Security ➡ C2 Development with C# j-h.io/c2dev
🐜Zero2Automated ➡ Ultimate Malware Reverse Engineering j-h.io/zero2auto
⛳Point3 ESCALATE ➡ Top-Notch Capture the Flag Training j-h.io/escalate
👨🏻💻7aSecurity ➡ Hacking Courses & Pentesting j-h.io/7asecurity
📗Humble Bundle ➡ j-h.io/humblebundle
🐶Snyk ➡ j-h.io/snyk
🤹♀️SkillShare ➡ j-h.io/skillshare
🌎Follow me! ➡ j-h.io/discord ↔ j-h.io/twitter ↔ j-h.io/linkedin ↔ j-h.io/instagram ↔ j-h.io/tiktok
📧Contact me! (I may be very slow to respond or completely unable to)
🤝Sponsorship Inquiries ➡ j-h.io/sponsorship
🚩 CTF Hosting Requests ➡ j-h.io/ctf
🎤 Speaking Requests ➡ j-h.io/speaking
💥 Malware Submission ➡ j-h.io/malware
❓ Everything Else ➡ j-h.io/etc
Пікірлер: 162
Love the title, king of malware, from imhotep to emotet. :D
@CattopyTheWeb
Жыл бұрын
LEO! Didn't know you watch him. Nice to see you here.
@jony9867
Жыл бұрын
I'm too new to understand this
@CattopyTheWeb
Жыл бұрын
@@jony9867 understand what?
@jony9867
Жыл бұрын
the joke
@_JohnHammond
Жыл бұрын
GREAT TO SEE YOU MY FRIEND, thank you for the support!
That VBA brute force method for removing worksheet protection is kinda interesting. My favorite technique for removing worksheet protection is to open it as a zip file and edit the sheet xml file to remove the sheetProtection key
@_JohnHammond
Жыл бұрын
This was another option in that article that I admittedly tried first, because I didn't think the VBA brute force method would be so fast. I tried to extract it as a ZIP, but for some reason it couldn't pull out the /xl/ folders and files within it. I should have kept that footage in 😅 Either way it is an awesome trick to know for the future!
@andreasrothenhauser5352
Жыл бұрын
Never thought of unprotecting sheets. I usually just dump the contents with ssconvert (gnumeric) and do some regex to clean up the output.
@GrundGad
Жыл бұрын
Not sure the xml method still works. 😅
@zkdr6278
Жыл бұрын
wait a minute, you can hack protected worksheets? That's where I keep all of my passwords 😳😳
The E4 and 5 are short for epoch 4 and 5. They are the specific botnets used for the campaign.
Please make more videos like this! I love hearing about the latest malware news, and having you give us insight into how it actually works using demonstration is really helpful!
Amazing video John, great way to show us the concept as well as some cool techniques about the password protected sheets.
Dude, I just discovered your channel today, and I can't stop watching. Yeah, you cover subjects I'm very into, but also your narration and depth of work really can keep my attention. Cheers from Poland, keep rocking, king!
Great video! although I would love to see a dynamic anaylsis of it! don't be intimidated by making long videos, believe me we all kind of sad when the video ends quickly haha
Another great Video John, I do enjoy when you don't know something and show us that you go to find it. It shows us that even the Pros need to look up stuff, and not to be hard on ourselves for not knowing something, so thank you again!!
@affiliateanimalistic9607
Жыл бұрын
Yes and do it day to day basis 😐
@YachtyBurner
Жыл бұрын
@@affiliateanimalistic9607 🤨
@ryanolsen294
Жыл бұрын
@@affiliateanimalistic9607 lol
I absolutely love your videos. The way you explain things to make them simple to understand is amazing.
I like how the placement of your mic changed your T-shirt's logo from WARNING to WANG
Dear John, one of the fastest ways is to add the Developer tab to excel (file->options->customize ribbon then add it from the right list) and from there you can click macros and view all the embedded or stand alone macros edit: not as a workaround to unprotect, just to see all macros on all sheets, hidden or not. the vba brute force method was BRILLIANT, Loved it!
@andrewcapps8211
Жыл бұрын
IS THIS WHY EVERYONE ALWAYS TELLS YOU TO BE CAREFUL WITH DEVELOPER OPTIONS??
I would love a follow up video with some more digging.
Regarding bypassing the macro protection, in order to place files in the templates folder, you need to be admin (since the location is otherwise read only). Once the user is willing to perform dubious actions as an administrator for the malware author... there's not much you can really do to protect them. Raymond Chen would likely classify this as one of the "other side of the airtight hatchway" type of "exploit".
Just getting into info sec as an interest and got suggested this channel. This was really interesting to me. I remembered some of the basic programming you could do in XL from an intro level class I took some years ago. It's both surprising that it's being used this way and that it took so long for somone to try and abuse it (though I doubt this is all that new, just new to me). TL:DR thanks for the vid and the neat examples to go with the warnings.
Thank you for that showcase! Very interesting...
Great video, thank you so much for sharing!
Thanks for the awesome insight, as a malware analyst by trade I actually ran into some of these new samples yesterday.
Like the trail and error playarround tinkering video's :-). Hope you will go further with this dll "unpacking" you just showed us. Great stuff
NOO! You cut some out one of my favorite arts of your videos, which is the deep dive investigations and playgrounds. Could it be possible you release a more lengthy version of these videos, as well as the shortened videos? Watching your investigation helps so much with all those hidden gems you reveal (example, "code written in excel cells but turned white and hidden" really helps formulate new ways of perceiving the situation, especially for us n00bs :P) great video!
Thanks, Turbo! Good video. Would have enjoyed see you dive in a little deeper though.
I agree with some of the other commenters in that I'd love to see you do more lengthy deep dives in investigating these types of things. I don't believe I've ever watched any of your videos before, but have already subbed considering the value you provided in this video alone. But as someone who has always had an interest in learning more about cybersecurity and wanting to actually go into a cyber career field (I'm currently in IT networking & desktop support), those types of indepth videos will truly be beneficial for many of us who are looking at deepening our knowledge in the field, if that makes sense. Thanks and looking forward to seeing more videos from you!!
Man I had this running in the background and when John read the "Ivan is in need of some cash again so he went back to work." I said out loud, "True...wait" The whiplash I had when I realized John wasn't referring to me lmao
@xenostim
Жыл бұрын
I read this as you had emotet running in the background lol
Brilliant vid. Learnt so much
Nice work mate :) Those old office formats are a nightmare. I remember they use some crazy compound binary file system that's a bitch to parse. MS-XLS Compound file. OLE. (google cached result are different to where M$ redirects to). There are some good resources online where people have poked into it more. I'm not a security researcher. I just needed to find the "Content Created" date (not the "Created Date") of all files on a filesystem at my workplace, a few years back (GDPR, blah blah blah). My weapon of choice was PowerShell. Easy with the newer formats, nightmare with the older formats. Absolute time drain looking into it. I did get it done though. Thank fuck for other people's research. Fascinating subject though! [/nerd]
Interessting thx für thus great explain video!👍
Awesome to see TheAnalyst getting a shout out!
This was really awesome, thanks John
A little brute force password cracking VBA script. Isn't that one of the cutest things you have ever seen?
I like the part where your shirt says "WANG" due to the mic hiding some letters.
Great video! Thanks!
This is a Diamond 💎, Great Sir 👏🏻👏🏻
Any chance you deobfuscate this in another video? I love your malware analysis vids
E4 and E5 are Epoch 4 and 5 and are seperate botnets, they could be separate factions or the same faction running multiple generations of software
Thanks John👍
Does excel still not have an option to just view all macros in a sheet?
Fun video! Little thing though: You turned off your internet when you were looking inside de file, but it was turned on again when you executed the file... I don't think that was intentional.
He is the only guy that brings something mind blowing.🤩
Extremely weird to see someone from my high school in my recommended, especially when the school was so small! I was a senior in drama when you were a freshman - fun to say I have an answer for the most famous person who went to my high school :)
@_JohnHammond
Жыл бұрын
Oh dang, now I need a hint as to who you might be :) I was doing theatre right there with you!!
@dree2228
Жыл бұрын
@@_JohnHammond Haha! My name was Josh (Curtis) at the time, but it's Adrienne now. My career is in medical IT, but I do love content about the spicy stuff ;)
Wheres the best place to download the malware? i've got a windows 10 box with a non functioning network card that would be cool to play with this. Especially as I swear every modern virus is an excel document with a bad config
How do I get rid of malware installed by state actor?
Thought this was going to be about Limewire!
I believe E4 vs E5 varients are based on the type of Excel macro is being used. (Excel 4 vs Excel 5)
Finally, upgrade! Shure SM7b 😎
Emotet never went away John! It's still prevalent.
Top Jack ryesider video John is one that using On me right now
what would you say the risk of this malware is? low risk, medium or high risk? and why? thank you
I would love a video of how you set up a fresh Kali VM
@MsDuketown
7 ай бұрын
This is a huge gem, a hidden niche.. You'll see tousands of walk-throughs videos setting up the Linux Desktop post-installer and WM's, yet I've never seen one how to do a fast install to get an InfoSec environment up and running, totally updated to get started. Given the number of global OpSec students, I'd say this will be a hit.
After messing with this following your tutorial I am shocked they didn’t make use of the Macro command to create an alert. Prompting the user to save the file in the templates. Making it look like a windows alert.
@_JohnHammond
Жыл бұрын
Well, unless I am not following, they wouldn't be able to invoke an alert, because they cannot run macros at that point? They would need the file moved to the Templates folder before they would be able to pop open a prompt asking them to put it in the Templates folder 😅
@Jeeeee-in6hi
Жыл бұрын
Yea you’re absolutely right 😅 lol I’m dumb and new to cybersecurity so if I can make excel docs execute stuff I get overly excited! Classic noob stuff here. 😂😂
that was so cool, in a bad way ! thanks
Does anyone know where it is possible to download the malware file for analysis?
I’m here for the example samples 😂
This gonna work on linux.?
great vid keep it up
Oh, that’s interesting.
The analyst has a fire profile pic
Regulators what master volume hie please
SeeDosRun is the "fix-all"
Lmao I died on the reading of the random folder!!!
please cover the SpinMaze virus
I heard that Microsoft was going to disable xlsm or xlsxm files. when is that supposed to happen?
Now I completely understand why we shouldn't click random Offices file
Love videos like this
I don't understand anything. Where to begin?
Those search suggestions for "unprotect..."
I assume that directory under Program Files etc. has its default ACL - Microsoft does say never to give world-write here, ever. So there's that. (Assuming Microsoft is eating their own dogfood here.)
@logiciananimal
Жыл бұрын
Yup! Good.
Why do we still allow anyone and everyone to register a domain without any form of formal identification?
@MattRose30000
Жыл бұрын
or email adress...
@stevenbryant1011
Жыл бұрын
@@MattRose30000 don't they? Doesn't the email come up on a whois request?
how did he create a shortcut copy of that excel file so quickly?
@fliporflop7119
Жыл бұрын
1: select file, 2: control+c = copy , 3: control+space = deselect, 4: shift+f10+p
Trying to read your 👕: WARNING _Cyber Security Proposition 65_ ...code... What does the rest say and what does it mean?
The King Of Malware has woke again!
Holy shit my personal email that I rarely ever get out has been RAVAGED by spam for the last week. I was wondering what the hell was going on! Thanks god I know how to spot phishing but there are millions that can’t 😔
Dude it’s 2022, wtf is XLS malware doing!
Commenting for the algorithm
Awesome!
it’s called Eulen
Wonder if Emotet is what's fucking my PC. Tronscript only kneecapped it. Eset, Kaspersky and MBAM can't figure out what's wrong and my c drive keeps filling slowly.
personally i would just use google sheets
Windows, Excel, is that even still a retro thing? Next thing we’ll see floppy disk viruses make their come back..
done
can you build another jurassic park with better security
That's why you don't give your employees Admin rights unless you know they have at least some basic security literacy.
Think Ivan implies a leader of a country in a 'special military operation'?
lmao that's a lot of work to ask from an end user. "I gotta copy what now where??" *grandma adjusting glasses* This is like if someone said "please put your credit card number in this box 👉👈
Dude do you have a side gig as a DOTA caster? Me trippin' FR
I'll be honest. I heard the title, and saw your name john. I thought john mcafee had come back from the grave.
I just wonder why Templates shouldnt use protected view. Why this is even a "feature"
E4 / E5 == Epoch 4 / Epoch 5... it's botnet specific.
@MsDuketown
7 ай бұрын
64-bit time_t is a powerful integer. The integer overflow error will occur at 03:14:08 UTC on 19 January 2038. But various OS'es and language took various approaches to the problem so the specialists studying this Emotet beast since 2014 are more familiar with these type of programmatic innerworking of the blobs floating all over the internet. Programatically, a calc like this (E4 / E5) could make sense if you calc dates and times using 32-bit tm_year, so the logic will handle most architectures and scenario's. If it's an old feature, you'll probably see it transitioning along the crypto methods in use.
I wonder why most of them are being targeted towards Italians? Frattura means invoice. At first I thought it was also Spanish but no, they are all either in English or Italian. What does Ivan have against Italians? Or maybe the person that took Emotet is Italian?
jokes on you i dont even check my email
cool
wait what do you mean “emotet” isn’t short for the emo rock band quartet known as My Chemical Romance
Regular letters
i need you to analyze a largely used .exe file
Windows is just like just pulled a robocop .-.
@MsDuketown
7 ай бұрын
yeah, but xcopy wasn't supported in robocopy.
I'm getting spam shares of documents in Google Drive and just delete them without opening them put people that don't understand fishing attacks and other malicious attacks might open them.
👍
I've spent nearly two years writing software just to compact this virus. If anyone is having a major problem getting spammed with emotet emails, DM me.
Why Emotet is the King Of Malware?
Skydoesminecraft has changed
Copy Paste All Red Text, Throw in Notepad++, Then Remove All Spaces, Null Characters if any. It will slam all the code together. ....COME ON MAN.... ;)
Boeing (child company jeppesen) was hit with a ransomware attack on the 4th.. related?