Hello everybody and welcome back! Welcome back to some OG, original John Hammond content, you know, where we kind of just do it live. We've got the screen capture going on and we're all hanging out, we're having some good time doing nerdy computer stuff. So I'll hop over to my desktop here and I'll show you what we're looking at today. I'm in this directory, I'm in this directory called Spicy, because this is a, this is a spicy one. It's a little bit of an onion, and let's check out what we've got here. We have the original command that we're going to take a look at, and stage1.js. Now you know me, right? When you see a .js extension, you typically think, oh, that's JavaScript, and you would be right, right? Sometimes, right? The thing is, right, if this is going to end up being malware, or if it's going to be some malicious code that ends up on an end user computer or a victim target host and machine, that is typically going to end up running Windows, right? So Windows has its own interpreter, wscript.exe or cscript.exe, depending on whether or not you want it to be in a window or the console (cscript), and those will end up executing typically Visual Basic Script, or MSHTA would be used for like a hypertext application thing, which Microsoft and Windows has as their own rendition of like an HTML language sort of thing. That was a horrible explanation, but JScript, right, is the Microsoft dialect of JavaScript, and that uses some other functions and functionality that kind of come inherent to Windows, right? That's enough boilerplate. Let's get into it, right? We've got the stage1.js, and let's take a gander at what we've got in here. Now, this is a big file, right? It is JScript, and then it's JavaScript. So it's going to have JavaScript-like syntax. You can see a try statement here, and, bringing me all the way, all the way to the very end... what, I accidentally clicked on it. People keep yelling at me, John, you've got to use word wrap. So here you go.
This is what it looks like with word wrap on, with large, ginormous text. And if I were to set the syntax here to JavaScript in Sublime Text, the line is so long that it, like, doesn't render it, or it doesn't recognize it and end up doing it. So obviously there is a lot of obfuscated JavaScript kind of in this code that we can see, and it is all compressed to one line, minified. So we should end up beautifying this. Now normally I tend to do this, and you've seen me do this in other videos, I kind of do this manually, and I use that as a means to understand and read the code as I'm going through it. A lot of people whine, complain, you know, they write in the comments, which is great. Keep up the engagement, YouTube algorithm stuff. They say, John, why don't you just go ahead and, like, use a beautifier or some tool to be able to beautify things? And I mean, you're right. You're totally right. You have a point. We can go use some online tool like an online JavaScript beautifier. I'm on beautifier.io right here. And we could just go ahead, paste the code in, slap it right there. And now it's beautified. So we can kind of make sense of this. So I will copy this and I will go ahead and put that in a new file that we'll call, like, stage one beautified.js. There we go. And now we have our syntax highlighting. It's all on different lines. It's not minified. It's not compressed, et cetera, et cetera. We have some random variable names and seemingly random, arbitrary base64-encoded comments, which aren't helpful. And I don't think these actually decode to literally anything. So I'll just dump that in there. I will pipe this to base64, trying to type -d. And yeah, it's a lot of nonsense. So there's that. Let's get back to the code. It has this function, R; it does some array and string things, et cetera. Clamp. Where's euk nib, right?
Uh, we got Xi to get game six m, et cetera, et cetera, some randomly named functions and some functionality to deal with strings, et cetera, et cetera. But eventually we start to notice some, like, encryption-like stuff, some cryptography things kind of in the mix. So reading through this and just kind of getting a general glance as to, all right, we are working with blocks. And there is, as we scroll down more and more, some functionality that will set like a block size and an IV, or an initialization vector, and the key length, et cetera, et cetera. So there, I think just kind of looking at this with my eyeballs, this is going to end up doing some form of encryption, very, very likely AES, or I guess the Advanced Encryption Standard is what that acronym is. So, uh, yeah, you can see key size, some hasher, some iterations. We have an algorithm that is going to end up using some different names. Uh, but notice all this, and it will kind of get things out in base64: key size, IV size, encryption and decryption modes, stream cipher, blah, blah, blah. We don't exactly need to dive through all of this, because when we get down to the very, very end, we realize that there was some ginormous, humongous base64 in here. Uh, clever trick is that this base64 is reversed, or spelled out backwards. Uh, there's a telltale sign here, in that the equal signs that you normally use to identify base64 are typically at the very end of the random assortment of capital letters and numbers and lowercase letters, et cetera. Um, in this case, it's kind of at the front. You still see the forward slash, you still see the plus, you still see more and more things that will kind of indicate, okay, this is, this is very likely base64. It's using that same character set. Now, if I were to scroll all the way down to the very, very end, you'll notice there is a lot of base64 there. Again, I'll turn on word wrap and you can see the sidebar here. That's a lot of base64.
So eventually we get to the end, and we do something peculiar. Let me, let me turn off word wrap so we can kind of make sense of this when you're here. We create all of that base64 inside some wrapped function that apparently splits it on nothing, reverses it (kind of, as we said, that base64 is backwards), and joins it all together. I think it has to do this because it probably has the reverse function in the functionality for, like, an array or a list, not simply a string. So there's that, and then it passes it afterwards, created this variable, to this GA5GMNGZFALYCN with other stuff in it, using this function, I'm assuming, to end up decrypting it or doing whatever it needs to do. And that's actually an interesting thing. If we were to kind of tinker with this, I will show you. Only let me nerf out this line, because this function, that GA5G blah, blah, blah, is going to end up essentially being eval. It's essentially going to run code that's passed to it as if it were a string. So you can see that right in the function definition: it takes in the argument, but the argument is going to end up being cast to its own function and then called and executed, right? So we know that we're going to end up having more JScript or JavaScript coming from this. We don't want that to detonate. So we aren't going to actually let that run. I think, I think that's a good idea, right? I am, of course, in a virtual machine. I am, of course, behind a proxy and a virtual private network, and we're being safe. Guys, don't you worry about me. I'm okay. So let's try and display it out, and I'll use Node to go ahead and execute this. I'll display out the contents of this variable, doing nothing else, right? Trusting that there's nothing else in this code here, but we've done our analysis. So now we have this stage one beautified. And I guess we should kind of rename that to, like, our testing playground. But if I were to use Node.js to run that, you get all of this: more base64, right?
A lot of base64. Now, is this the base64 that we saw present in this original string, that code that we saw that was kind of reversed? We can take a look. I see that. Yes. So it's corrected it. That's the base64. If we were to try and, I guess, decode this, what do we get? I'm running a base64 -d command right there. Non-printable characters, right? Because, hey, we have this understanding that this is encrypted, or something is done with it. Let's actually redirect that out to a file. And checking that file tells me, oh, this is OpenSSL encrypted with a salted password. And you can verify that by just taking a look at that file. And you can see the "Salted" kind of header here, the signature, right at the very, very start of that file, telling us, yeah, that it is in fact OpenSSL-encrypted data. So what does this code do that decodes it, or decrypts it, right? And then executes it because of this, I'll call this gag five, even though that's not what that's called. But the gag five function, it uses the function calls that it's already defined with this variable of all that base64 included in it. But it does finally do something specific to JScript. It does finally do something specific to the Windows realm, in that operating system, because we're going to end up using the WScript object and checking out the arguments that are present. Now I could hop over to a, I think I have a Windows virtual machine here. I'll drag that guy over, and I clicked on Ubuntu like a dummy. Let's fire up that Windows 10 virtual machine. Hopefully it doesn't take too long. And I can explain and show you that that WScript.Arguments(0) is exactly what you think it's going to end up being: a list of arguments that are supplied to this program. And it, you know, will do something with that specific argument.
If we wanted to examine what came out of this, or what the code ended up being, we kind of need to figure out, okay, what is that? Because that may very well be the key to decrypting this code. Now let's take that line. We'll comment that out here again. And I'll do a console.log for all of that, with this, again, completely useless comment, removing some of the parentheses here and making sure that we don't actually execute it with this function that we know is eval, that we know is execute. So let's nerf that out, remove one of those parentheses here. The problem is, because I'm testing this in Ubuntu, because I'm testing this in Linux, it doesn't know what WScript is. Node.js, that interpreter that I was using to run and execute this JavaScript, JScript code, it doesn't know what that is. So if I were to try and go ahead and run our Node.js with our stage one beautified, it doesn't do anything. And it caught me off guard for a second, because this is all inside of a try/catch statement. If we were to modify this and do a little console.log, "oof, we erred," I like all those suggested absolutely nonsense variable names, and then we could console.log out the e variable, or the error itself, it will tell us, hey, we erred, and it doesn't know what WScript is. Fair enough. Fair enough. That's totally understandable. That's totally cool. So if we were to go do this in Windows, log in, a little password here, awkward silence, because I was like, oh, let's just randomly do this demonstration. It'll get the point across. Trust me. I'm sure you believe me at this point that it is going to end up being the argument that's supplied. But I'll pause the video and let this thing go so I can show that. Oh geez, come on, Cortana, get out of here, whatever. I have already kind of tinkered with this a little bit. So I have this testing.js.
And if I were to delete this so that I can show you it from the real view, let's do a testing, okay, kind of remove my focus there, testing.js, creating an empty file. Let's edit it with Notepad. And let's do a WScript.Echo to display out WScript.Arguments(0), right? If I were to try and just click on this and run it, it'll error because of "subscript out of range." There weren't any arguments that were passed along to it. So let's open up Command Prompt, right? And I will hop over to my desktop where I created that file. And I will use wscript.exe to call that testing.js. Again, you'll see "subscript out of range." Now this is what I was kind of discussing, where you use wscript versus cscript. wscript creates that window, while cscript displays it out in the console. And it has that error. So let's actually supply an argument here. We'll do a "please subscribe." And now that displays that, just like that, with wscript. Of course, you can see it as the window. So we need to know what was the argument that was supplied to this malicious code, to this JavaScript, JScript file. And remember, we have our good, friendly original.cmd, where we kept track of the original command prompt that ran this. So this calls wscript.exe, and it's using the /E flag to specify the language that it's going to end up using. And if we take a look at the help file for wscript, you can see that, hey, that's actually something that you can use. wscript, we'll do a /?, and the E, engine: "use engine for executing script." And you can specify the specific one. I'll do that with cscript, so it's a little bit more visual: engine, use engine for executing script. It could be either cscript or wscript.exe as the interpreter, but the engine will be kind of the programming language to interpret and run this from. So JScript, in our case. Back to the original command.
We'll run JScript to run this file, which is interestingly enough called "adobe color CR extra settings one oh mull dot zip." It was originally trying to, you know, fool us with the facade and the deception, masquerading as a zip file. It is not an archive file. It's, it's not. So wscript.exe /E, key hhz rtsm, et cetera, et cetera. This thing is the argument, right? If we were to take this original command, go back to kind of our Windows playground. If I were to run this, uh, you can see that it errors, and my newlines are getting in the way. So let's not do that. And let's get back to it, clear the screen, paste this all in. Now we're going to end up using the wscript /E JScript to testing.js with that argument supplied. You can see it pops out this full string, wscript.exe, et cetera, et cetera, et cetera. Again, if we were to do that with cscript, it will display it just out on the console, but it totally knows how to do that. So there's our key. That is what we need to go ahead and replace inside of our little beautified code here, rather than using the WScript.Arguments(0). So let's nerf that and just replace it with that string that we know it's going to be. Now, trying to run this with Node.js, it should behave and give us something new. Let's go ahead and find out. I'll run Node.js on, what the heck did we call this, stage one beautified. Crank. Now we have more code. Now we have more seemingly base64, et cetera, et cetera, et cetera. A lot of nonsense. Let's just kind of redirect that out to a new file. We will call it stage two.js, and let's open that up. And it is the exact same sort of structure, of course, all compressed and minified. So let's bring this to our good friend beautifier.io, slap that in, grab the beautified code and create a new file where we call this stage two beautified.js. Okay, there we go. Now, if you notice, this is the exact same functionality.
This is the exact same structure and setup, with some different variable names here, different randomness for those things that it tries to kind of hide and obfuscate. But at the end of the day, it's all the exact same code again, using some base64 encryption, encoding, not encryption, but AES or some encryption type that will kind of hide and bundle up this file. Turns out, if we go all the way to the very, very end of the file, kind of as we did previously, check it out: the exact same setup, where we have a new function that's going to act as our eval to execute the code, and the reversed base64. So let's do the exact same thing again, where we will not execute this, but we will display it out on the screen. And rather than the WScript.Arguments(0), we're going to end up using our original command key, which we have all the way over here. Slap that in. And now we can execute this. So I pivoted to Windows when I didn't need to; we want to get back to our console and Linux. Let's run Node.js on our stage two beautified.js. Here we go again. Redirecting this out to a stage three.js. I'm sure you can kind of get the picture here. We are once again going to have the very same obfuscated code that we will deobfuscate and find is again going to be the exact same structure. Windows, get out of here. I want to stay in Linux, please. Let's call this stage three beautified.js. And yes, you know what's coming. It is once again the very, very same setup and structure. Let's nerf this line, clean it, display it out onto the screen, and correct WScript.Arguments. Now at this point, you might be thinking, and I was thinking, like, ooh, this is going to be some neat, neat, you know, little matryoshka doll, right? Or how many layers of this are we going to have to peel back before we get to something else interesting or worthwhile? And I thought, hey, hey, hey, hey, at this point, we should probably start to, like, script this out.
We should probably start to figure out something that could do this on the fly. No matter how many layers there were, it would be able to drill down and carve all these out. If I run this, though, we finally have different output. So I'm like, hmm, are we maybe onto something? Are we doing something new here? So I redirected this to stage four.js. And now we're at stage four. Again, compressed, minified, all on one line. Poop it into our little beautifier here. Now we have new syntax and structure, which we are, we should be, excited to see. We'll call that stage four beautified.js. And now we have this, right, a little stub, kind of a tiny little thing here. But of course, this should stick out like a sore thumb: we have a new function being defined, where we take in the arguments, consider it to be code, wrap a function around it, and then execute it. This is yet again another eval setup. And this function is seemingly called, but it has some comments all the way over here. In fact, there's more comments added to it, other comments that kind of get in the way. So at that point, I'm like, all right, we need to get rid of all these nonsense comments. The way that we can do that is, of course, some regular expression find-replace magic in Sublime Text. You can see I just used a forward slash and then an asterisk; we'll have to escape that out with a backslash so it knows we literally want to interpret that. Then we'll use the dot star to glob everything. And we'll make that lazy, right? So add the question mark, so it doesn't eat the entire line that happens to be starting with the forward slash star, just the portion, the minimal amount that it can get. And then we'll have, again, another literal star, backslash there, and a closing forward slash. So replace those all with nothing. Now we no longer have that garbage kind of getting in the way of the code that we're trying to run, even though this is already garbage code, right?
So, eval function, calling more code with another eval function, building it out from a character code, from all of these ASCII values that will represent characters that we need to go figure out what they might be. Let's nerf those, so this doesn't again detonate, but just display this out. So we'll grab that string character code sequence, and of course toss that into console.log so we can figure out what is supposed to come from this. Again, that line is way too long, so Sublime Text doesn't register and add in the syntax highlighting. But that's okay. We can trust it. We can know. And what was that? Was that stage four beautified? Yep. So let's Node.js stage four beautified. And we have this again. Again. So let's redirect that to stage five.js. Let's open that bad boy up. And now we have this thing. So let's once more give this to beautifier; we should really get to a point where we can automate this. I'd love, I'd love to kind of, like, build out some kind of tool that could do this sort of thing. What is it? Stage five now? Yeah. Stage five beautified. Maybe, like, take Katana, like, take our kind of original engine and change it up to, like, beautify things or deobfuscate and reverse things, like languages like this, but it might need, like, some abstract syntax tree and other things that I just haven't kind of made the time to particularly do yet, you know, life, everything kind of gets in the way. So now we have new functionality, right? This is not the exact same identical code that we saw previously. It is, however, still doing things with strings. I'm going to assume, looking at this, that it's doing some interesting, like, custom base64 encoding, just like with a language that it defines inside of this code. I thought that was kind of neat. So it could encrypt or encode, right? Some base64 functionality, and scrolling down, we have other convenience functions or other helpers to encode and decode UTF-8, but eventually we get to a legitimate eval.
We get a straight-up eval function. Cool. That's all good. That's all fine and dandy, but we have all these nonsense variables replacing, I'm assuming, what's going to end up being, like, yeah, they're faking padding by having extra crap in here. Equal signs to replace that out, equal signs to replace that out, and all of this will then go into eval after this function handles all of this base64. So we know what to do. We know the procedure. Let's just let the language, let's just let the code kind of deobfuscate, reverse, unravel this all on its own, and let's see what it comes up with. So back to our Linux shell. Let's once again run Node, Node.js on stage five beautified. I called that beautifier, or rather beautified, whatever. And let's bring that to stage six.js. Here we go. You might notice that this now becomes seemingly readable, somewhat, code, and you're totally right. I think at this point we've made it to the end. I was going to call that a PowerShell script, my bad. Stage six.js. Oh, beautified, beautified, beautified, not beautifier, but beautified. There we go. Okay. And here we are. I'm assuming at the final layer, the final piece of the onion here, right? So we define some ActiveX objects so we can do Windows-specific stuff: WScript.Shell, Scripting.FileSystemObject, a split, or maybe a delimiter character, to note backslashes, and then VRSS, which displays "backend soft 1.0.1.9," and get serial, which looks like a function that will probably be defined later. Startup is a function that will grab the environment variable APPDATA and add in, okay, the rest of the path to get to the Startup folder. Same thing for ALLUSERSPROFILE. That's kind of handy. This likely ends up creating persistence. It determines the temporary directory, desktop, app data. And then it knows this full script name. So let's, uh, this script full name, and then this script name. There we go.
Udex is kind of declared, delay set to 20, PowerShell for PowerShell, batch file, VBSF, PSS, I haven't actually seen that extension before. I'm not a thousand percent positive what that might be. LNK for, of course, a startup file, and then Modini SKS is a function that we end up calling. That's all in a try statement. And then if we catch, we fail, okay, we don't, we don't bother. But then we do continue with a little do statement, likely a do-while. We try to send something with a send HTTP. Oh, and we get some commands seemingly from that, where we split up those things. Uh, it looks like EX will evaluate and actually execute more JScript or JavaScript code. CMD, as some of these command messages that this might end up using, will go ahead and run a command, like with WScript.Shell, will execute a program, right? Uh, D this script name probably would have been WN. So download EXE, I'm going to assume DWNL is download EXE. It will down file, which probably is another function that's going to end up being called, adding it into the temporary directory and then having cmd.exe start that. Oh man, we really butchered it. We really, we really nerfed this when I ended up typing DW, replacing WN with the script name. My bad. Oh geez. It's everywhere. Why did we do this? Let's, let's replace this script name with WN. We'll fix it up. Download only, rather than executing it, it will still save it, whether you want it in the temporary directory or the desktop, et cetera. If it's an EXE, then down file, and it will run it, which is interesting. Self-remove, unmonk sec. Another function that we'll end up finding here, update S, maybe update script, because it looks like it will download something and overwrite itself, or the path to this potentially. Or just get a new script and update, run that. And then we have a funk cret functionality that's called. Let's go see what that is.
But before we get down to it, we do have the send HTTP function, which has the syntax and boilerplate code to be able to send web requests, right? Within JScript or JavaScript. We're going to end up using Microsoft.XMLHTTP, and we call out to this bad boy, API backend.com on port 880, /connect. Ooh. Okay. Little indicator of compromise there. Something fun we can play with and poke at later. We add in our user agent from a get user agent, little method or function here, adding the X header for VN, and it looks like the get user agent function checks if, like, VBC exists. And this is, is that the Visual Basic compiler? Yeah. Visual Basic command line compiler. So if you have a .NET Framework, that will very, very likely end up being on your machine. And it checks whether or not it's NT. That makes sense. And then we gather more information like the computer name, the username, and then in get system, get OS version, get anti V, I'm assuming antivirus, neat, get ENV, of course, will get an environment variable, get serial will get the serial number for each hard drive, get system will get the operating system name, or the caption here, using WMI, the Windows Management Instrumentation, same thing with the OS version. And Enav. I'm not positive what that is. Enav, enabled, disabled. Is that get enabled AV, maybe? I think that makes sense. Get enabled AV, because Defender could be in those couple of different states. But this, this function, I think, is neat. Funk cret has this MISU variable, has this Etho variable and BCH variable. It creates an HTML file object where it grabs the text from clipboard data and replaces stuff out of it. And then Pat T looks like it's looking for a pattern, right? A regular expressions pattern. It tests if, inside the clipboard data, it has that pattern; if it does, hey, are we looking for result ET, or Pat BCH, that looks for Bitcoin Cash, BCH red or BCH test. If it finds these results, it will send clip based off of these variable names.
Now you can probably already determine that's a Bitcoin address. That's an Ethereum address. And if it's working with the clipboard, is this kind of doing some, like, crypto hijacking? Is it going to replace and modify? Hey, if you were to end up pasting in, or if you had Bitcoin-like addresses in your clipboard, would it go ahead and replace them with this bad actor's? Like with this hacker's, this threat actor here? Are they trying to swipe and steal and snarf Bitcoin and cryptocurrency? And these are the addresses, right? Kind of cool, kind of crazy. Send clip, this next function, literally does that. It will check the operating system with get system. It will check if Windows 10 is present. If Windows 10 is present inside of that string, or, excuse me, if it's not present, I believe, I think that's right. I'm not exactly positive. When I use clip on my Windows VM, it does deal with the clipboard. It'll run PowerShell with SCB, which I think is Set-Clipboard, to whatever is passed in, being one of these addresses, or it'll pipe it and hide it into clip. So let me show you that, right? If I were to echo out "hello, please subscribe," pipe it into clip. There we go. If I right-click to paste, that, that. We've just modified the clipboard contents, and that's how you can do it, guys, programmatically, from the command line, with those commands. Nice. It has a convenience function to get a hexadecimal string, continues to look for antivirus products with, again, WMI, looking for instances of antivirus products, carving all of these out, adding them into what it will end up using inside of that user agent thing that it calls back to the C2 server with. And this Modini SKS, or whatever, looks like it's setting up the persistence here. It adds in the app data with the file name of this script, as we know that WN variable is, and it has some other functionality here, checking for, like, Visual Basic Script, but this is commented out.
I'm not a thousand percent positive why, but you can see that code, and it again basically just calls and runs itself and then cleans itself up, removing that WShell object. So persistence, right? If it exists, if that file system thing, if that file doesn't exist, it sleeps for a little bit of time and then copies that in, to add it into that directory within app data for your user. Same thing with the shortcut. Odd. If it doesn't exist already, it will add in its own persistence. Old Modini SKS, again, PowerShell script, using the same kind of startup as previously. Clean string looks like it replaces a literal backslash with something. We noticed how it was using kind of the backslash for the delimiter, and it was calling back with the user agent back to the C2 server. And then unmonk sec, as we saw, was going to end up being used if this would have, like, a remove self command. So this is like the kill switch, right? This is like deleting everything, and cleaning up its tracks, trying to remove its fingerprints by deleting: DEL, that command, delete this script out of app data, delete the link file of the shortcut file and the script full name, the Visual Basic Script file, et cetera, et cetera. We do, of course, have down file as another function that's going to end up using some PowerShell syntax to download files. It uses redirects, which is neat. Maybe we can do that and know that when we're taking a look at that endpoint, or the HTTP. We download a file based off of what's passed in, and we wait. Create file, another convenience function to actually write this out to a file. Create shortcut, this is peculiar, because you can literally see it checking. It's the antivirus stuff. Hey, is Avast enabled? Is it Antivirus, Internet Security, AVG? How many do we have in here? AVG Internet Security, more Avast, more Avast. And that's kind of it. But Windows Defender is also checked, which is peculiar.
And then I mentioned, hey, MSHTA, or the engine and interpreter on Windows to be able to interpret and execute HTA files. This syntax is again set up in here, creating the shortcut, adding its persistence, doing, doing and creating all the breadcrumbs that we already saw. You can literally see the key again that would have encrypted and decrypted this code and all those layers, and that rabbit hole that we went down of different stages and payloads. Kind of neat. I liked it. It literally grabs an icon. It grabs the shell32 DLL to grab an icon out of it, closes it, and saves it. Very crazy. And then runs it, right? Or else running this code, running that shortcut. Boom. That's it. Not a ton to this thing; like, we went through that in a couple minutes, and maybe it's under 300 lines, but it hides itself with a hide file, trying to set the attributes to hidden. And that's the end of that line. But I think the craziness in here, obviously command and control, right? Obviously a RAT, a Trojan, where, hey, it can run and execute commands based off of, like, a cmd.exe or Command Prompt command, or more JScript code. And the, I just, I'm blown away by this crypto coin stealing technique, or that, that, like, little cryptojacking. So if we Google around for this, where is this found or seen? Is, is this Modany SKS, or kind of these other function names, are these things that are well known? So Malwarebytes has an ad for me. Looks like Hybrid Analysis has seen this before, CC.vbs. So they saw the Visual Basic Script rendition. Tries to hide WMI queries. Not positive about all of those. What else is in the analysis? Uh, okay. That has, oh, that it has all of the functionality for deleting itself, right? And it was able to pick up on that and catch that. Oh, and there's more. Okay. There's, there's a heck of a lot more. Yeah. Yeah. Yeah. Yeah. The Visual Basic Script rendition might be kind of interesting. What else is in here?
Cyber threat report, TG Soft, uh, cyber threat report, gennaio 2021. Oh, this is in a language that I do not speak. Truthfully, um, Vipersoft X RAT. Oh, but this is like the exact same code, the obfuscating portion of it, right? Yeah. Yeah. Yeah. Like a crap ton of base64 or there's those random comments in there. Oh, and it goes through different layers of obfuscation, right? Original obfuscation, layer two, layer three, layer four, layer five, layers. They had eight. They have a different, they must have a different sample. I think, I don't know. So they carved this thing out, which, oh, oh, this has the exact same setup. Shell, file system, for SPL, but their VR SS says Vipersoft X when ours says Backendsoft. Yeah. So once they beautify the code, yeah, same look as what ours is, but they have the Vipersoft X. So is that VR SS like a legitimate version string? Yeah. There's the same modern key thing. Control, command and control with a do-while loop. Funk Cret. Oh, totally. This absolutely has to be it. And it sends Bitcoin and Ethereum via infected clipboard. Yeah. Yeah. Delay with the weird capital L. The same sort of command functionality, send HTTP. This callback server is cco.vipers.pw88880. Oh, connect, slash connect, just like we saw. That's out of France. We could go explore the address that we have with the clean structure. All of this, all of this looks the very, very same. It's just like a different version, a different rendition to it. All the same code. Straight up exact same code, but it captures the Bitcoin or Ethereum. That's craziness. Oh, they have different addresses. Do they? Bitcoin one PRMM, et cetera, et cetera. What does ours look like? Cret. Let's get back to that function. Yeah, those are different addresses. Uh-oh. Found some bad guys in action. And is this like the full code? No, there's a conclusion here. And other stuff. Okay. Oh, Twitter. What do we got here? Sorry. Light mode, everybody. Cover your eyes, you stinking vampires.
Follow: malware analysis of Vipersoft X, a VJ worm variant, with the obfuscated code, traffic and samples for your detection pleasure. Hello? What else is in this? Peer DNS references. Nothing else for that. Is, is Vipersoft X like a known thing? Oh yeah. Yeah. Yeah. Yeah. Fortinet has some stuff out. JScript malware, obfuscated Vipersoft X variant. LNK file. C2. That same domain we saw earlier. Commands: Ex for eval. Command download EXE. Wait, wait, wait. What is it? What is the self-remove? Uninstall itself. That's funny. Ooh. Herm. Some kind of CNC running up at apibackendip.behindcloudflare, no less. Looks like, looks like a variant of Vipersoft X now using the user agent Backendsoft. Different version number, but the same version, the same version string. Backend. Fuseknoob. What did you see? March 10th. This is April 5th at the time of recording. What did you see? Who are you? I got a comment on this. I got a look. Yo, we got the same stuff. Bro, go fish. Trading card game. Trading malware game. I want to look at this Fortinet article. Because Fortinet has got to have good stuff. Yeah, except with cookies, whatever. Windows. Recently, FortiGuard Labs, leveraging the EDR endpoint protection, detected and blocked a new highly sophisticated malware in a large environment. This newly discovered JavaScript-based remote access Trojan, cryptocurrency stealer. Yeah, cryptocurrency stealer, due to a hard-coded string used by its creator, became notably active towards the end of 2019 and remains so at the time of writing. Well, look, we're seeing it in April with Backends. Backupsoft. Whatever the heck was this called? Backendsoft. Not Vipersoft in this case. Vipersoft unravels eight layers of code obfuscation before executing its actual payload. Yep, I saw the same. Not exactly eight in my case. Maybe there are three different types of obfuscation techniques being, being employed. AES decryption. Yep. Only using the first layer though.
We saw it through a couple other iterations converting character arrays. We saw that UTF decoding. Most recurring the obfuscation layer. Persistence. Yep, adds itself to AppData. As we saw, RAT functionality tries to go to that domain slash connect just like we saw, and it adds everything that we saw as part of the user agent and X header. Gotcha. Breakdown of the function names. Output of the commands are not returned to the server. Interesting note: the Ex command indicates the malware author may continue adding additional JavaScript-based payloads. Developer feels more comfortable using JavaScript as his go-to programming language. Is that so? I'm kidding. All you JavaScript fanboys, you know you have a special place. You know there's a special place in hell for you. Replacing crypto wallets. Yeah. It then checks to see if the content matches either of two regex patterns that match either a Bitcoin or Ethereum address. In case of a match, and if the addresses are different from the addresses hard-coded, it sets the clipboard data to its own addresses. That's literally like cryptojacking, clickjacking. That's so cool. It's obviously evil and horrific, but so cool. Changing the clipboard data is done based on the operating system version. Yep. Windows 10 uses PowerShell. Otherwise, it runs the old school command. Okay. After examining these Bitcoin, Ethereum addresses hard-coded in the malware. Oh, that's a good idea. The current total sum of all the above mentioned stands at 32,000 US dollars. Well, this is not a significant amount. This is only the one campaign of the newly discovered threat, which has only operated for a short while and may only be the start of bigger, more successful campaigns. Oh, Ethereum graphs, conclusions. Yeah. Functionality is rather simple, but it is stealing money, like real money. I mean, cryptocurrency. So C2 domains, Bitcoin address, Ethereum address, and those are different, but they're the same as the ones that we saw in the other article.
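The clipboard-swap behaviour the Fortinet write-up describes (poll the clipboard, match a Bitcoin or Ethereum address with a regex, replace it with a hard-coded one) is also something a defender can look for. The following is an added example, not code from the video, from the malware, or from Fortinet: a small detector that takes clipboard samples as a monitoring agent would record them and flags any crypto address that is silently replaced by a different address of the same type within a short window. The sample addresses and timestamps are constructed; the address regexes are approximations of the common BTC (legacy, P2SH, bech32) and ETH shapes, not full checksum validation.

```javascript
// Added example (defender side): detect a clipboard address swap.
// The malware in the video polls the clipboard, matches BTC/ETH address
// patterns, and overwrites the value with its own address. A clipboard
// monitor that records successive samples can flag exactly that: an
// address replaced by a *different* address of the same kind shortly after
// the user copied it, with nothing else copied in between.

const ADDRESS_PATTERNS = {
  // Legacy (1...), P2SH (3...) base58 addresses, or bech32 (bc1...).
  BTC: /^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$/,
  // Ethereum: 0x followed by 40 hex digits (no checksum check here).
  ETH: /^0x[0-9a-fA-F]{40}$/,
};

// Classify a clipboard string as 'BTC', 'ETH', or null if not an address.
function classifyAddress(text) {
  const s = text.trim();
  for (const [kind, re] of Object.entries(ADDRESS_PATTERNS)) {
    if (re.test(s)) return kind;
  }
  return null;
}

// samples: [{ t: <ms>, text: <string> }] in time order, as a clipboard
// monitor would record them. Returns one alert per swap: an address that
// changed to a different address of the same kind within windowMs, with no
// intervening non-address copy (so the user did not copy something else).
function detectClipboardSwaps(samples, windowMs = 5000) {
  const alerts = [];
  let last = null; // most recent address-bearing sample
  for (const sample of samples) {
    const kind = classifyAddress(sample.text);
    if (kind === null) {
      // The user copied ordinary text; reset the comparison baseline.
      last = null;
      continue;
    }
    const text = sample.text.trim();
    if (last && last.kind === kind && last.text !== text
        && sample.t - last.t <= windowMs) {
      alerts.push({ kind, original: last.text, replacement: text, t: sample.t });
    }
    last = { kind, text, t: sample.t };
  }
  return alerts;
}

// Constructed clipboard history: the BTC address is swapped 200 ms after
// being copied (suspicious); the ETH address changes 20 s later (a normal
// second copy, outside the window). Addresses are made up, valid in shape only.
const SAMPLES = [
  { t: 0,     text: 'meeting notes for tuesday' },
  { t: 1000,  text: '1VictimAddressxxxxxxxxxxxxxxxxxx' },
  { t: 1200,  text: '1AttackerAddressyyyyyyyyyyyyyyyy' },
  { t: 10000, text: '0x1111111111111111111111111111111111111111' },
  { t: 30000, text: '0x2222222222222222222222222222222222222222' },
  { t: 31000, text: 'hello' },
];

// Run the detector over the constructed history and report findings.
function runExample() {
  return detectClipboardSwaps(SAMPLES);
}

for (const a of runExample()) {
  console.log(`[ALERT] ${a.kind} address swapped at t=${a.t}ms: ${a.original} -> ${a.replacement}`);
}
```

Reading the clipboard itself is platform-specific and is left to the monitoring agent (assumed here); the detector only needs the recorded samples. The window and the "no intervening copy" rule are what keep a legitimate second copy of a different address from being flagged, as the ETH samples above show.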
What are ours? Let's use the Bitcoin address. Is there a way to like look up Bitcoin address look up? Yeah. Is that a thing? I am not by any means like a cryptocurrency guy. I'm not a, I'm not a, I haven't bought into the Bitcoin yet. Oh, wow. This address has transacted eight times in the Bitcoin cash blockchain is received a total of 72 Bitcoin, $44,000, ladies and gentlemen. Okay. Oh, wow. All you criminals out there, though, wait, these transactions are like 2020 December, December 2020, December 2020. So this has to be like a new address. And obviously it might be different because it's, it's not Vipersoft X. It's back end soft, but $44,000. It's not, it's not nothing to scoff at. You know, I wouldn't kick that off the table if it were me. Ethereum address look up. Is that a thing? Slap that in. Get that in there. Oh, zoomed in a little too much. Sorry. Sorry. Eight Ethereum $17,000. Okay. What are we doing on YouTube guys? What are we doing over here? Why are we? I'm just kidding. I'm just kidding. I am not advocating or insinuating any change of career to, to this. I don't know what this Mizzou one is. I gotta be honest. Mizzou. Is that a cryptocurrency? Is that a thing? Stimulus checks. Mizzou jcoin, jcoin. Mizzou, if I just slap the address into people know what it is. Cryptocurrency. I'm cool. If I Google cryptocurrency, I'm automatically cool. That is not the address that I typed, but then it has it there. BTC sniffer. Click on that. Click on that. Take me there. The address that you're checking is this. Yep. Okay. So that is the right address. But again, obviously you can kind of tell, I don't exactly know what I'm doing. So Bitcoin receives stuff. Yeah. Hashxp.org. That looks like the same link. Eat my cookies. I'm sorry. That was uncalled for. This address has been sent to 85 times. It has spent 94 times leaving negative nine outputs unspent. Little graph here. Report bad. Hmm. Might have to do that. Not gonna lie. 
I stopped the bad guys from being bad. I don't know what else to pour into this. Oh, the VJ worm though. I'd like to see. And I want to know about our little, whatever the new guy was. Cerberus. Guardian of malware. Hell. Cool. That's a great, that's an incredible name. I actually give you props for that. Looks like he wrote about it back in February. Wait, of last year. Oh, with the responses that we saw last year? Where is our full second? It was last year. Oh, no. So this is still kicking. Backendsoft is still up in action. But there's a little bit of research already out about this. Looks like Fyre or FortiGuard has some great stuff on it. It is kicking around in Hybrid Analysis, and I think like a Joe Sandbox. Like if I look for Funk Cret, is that getting any other hits? More of his Twitter posts. That's it. Okay. Okay. Oh, oh, oh, oh, let's, let's, let's take a look at our good friend api dot backend app dot com on port eight. This thing. Is he still, you know, doing business? Is he, is he still open? Are you guys working overtime? It responded. All right. What are the headers that you come back with? I thought it had mentioned. Yeah, yeah, yeah, X-Powered-By: Express. So Node, Node.js, little JavaScript kind of back end. Sus. Now, if I go to connect, what do we got? It doesn't return anything. But it didn't give me that error. Help, cannot get help. Is there anything we could like, we could, we could tinker with this? Let's, let's try that connect with a PUT, because it did PUT something. What if I tried that username? I can make it like real, real messy and add in the username, but user agent is going to be get user agent based off this thing. Um, let's add in that string and see if he behaves. I will add in a user agent for me. Yeah. Oh gosh. Capital A, that guy there. Still does not respond. I'm not adding all of the code in there, like all the things that it would have exfiltrated or like tracked down, but it's still like doesn't return anything. Okay.
Um, how, how, uh, how well is this thing? No, like if I go to VirusTotal and try to kick this in there, what do you got? Let's choose a file. Let's get our spicy, uh, original stage one from the very, very beginning. One security vendor flagged this as malicious. Okay. It looks like back in August of 2020. Yep. Adobe Color CR extra settings, one multiple, the exact same little zip masquerading thing that we saw. ESET picked it up though. ESET, dude. ESET. ESET's always a hard hitter in this game. If we drill down to the stage six on its own, does that light up a little bit more? Please? Like people should know. Uh, I got to look into that VJ worm though, or whatever, whatever it said it called, uh, ESET's got it on the money. NANO Antivirus. I don't think I'm, I'm not, I'm not familiar with them. I'll be honest. Where's my boy Defender? Where's Windows Defender? Where's, where's Microsoft Defender? Are you with me? It just squeezed right by. Power to the people. Give them their free antivirus engines. Hmm. Defender is a formidable foe now, everybody. Defader. Defender. Defender. Defender. Bitdefender. Oh no, no, no. It hasn't, it hasn't gone through Windows Defender yet. It's still going. Ah, I've been talking for 50 seconds trying to cover you, VirusTotal. You're, the people are going to fall asleep. Holy crap. I'm going to pause the video and let this thing think and finish. I'm sorry. He's got to be, oh my gosh. Okay. It finished. Uh, two, two security vendors flagged this as malicious. So, uh, we could, we could, we could do some work. We could, uh, try and amp this up, spread the word. Everybody pump the stock, try and, uh, try and showcase this video where we're diving into Backendsoft, which looks like either a new rendition, uh, this new, this version number is, is higher than the one that we saw on Twitter back in March 2020.
But, obviously this is going through a certain amount of matryoshka doll nested onion payloads, working through all those different little launchers and stages to eventually get to this, which is very, very clearly a little RAT command and control server and crypto coin stealer. And, hey, now you know the addresses. So, uh, look out for those and make sure that those don't make their way into your ledger or, or whatever. I don't know, I don't know Bitcoin words and stuff, but, uh, that's that. I think we, we had a lot of fun in this. I hope, I hope you had fun. I know I had fun. There was a, I thought it was very, very cool to literally see the functionality for swiping and like sleight of hand, switching up Bitcoin addresses, because that is something I've heard of, right? Obviously in conversations and in theory, but like doing this kind of through the clipboard is, is again, neat, but scary. And, uh, hey, it can be done, right? And that's, that's a danger and that sort of thing. The thing about cryptocurrency is that like, once you send something, once you make a payment, it's gone. It's, it's forever deplenished or it is, it has been sent out into the ether. No pun intended. Or the void. So, but who might, who might, what am I saying? I don't know anything about cryptocurrency. So whatever. I'm kidding. I like to think that I'm a little professional. I hope, but that's beautifier, really handy. You're totally right. You can use it when you want to do your own little deobfuscation. You don't want to exactly go through it all by hand, because obviously checking out stage1.js manually would have sucked. So good to automate that. And maybe we can have some fun with some tooling and this sort of thing, but I hope you had fun in this video. I've been talking for way too long and we should probably tune out. So thank you so much. I hope you enjoyed this video.
Hope we still had some fun energy and we were having a good time here with some, uh, little malware, Vipersoft X Redux 2.0 remix, uh, for backend soft. So, uh, thanks so much for watching everybody. If you enjoyed this video, please do all those YouTube algorithm things. I would love to see you like the video. Please, please, please. Thank you. I would love to see you leave a comment. Let me know what you think. Let me know what you thought of this malware. If you've ever seen anything like this, if you have malware of your own or some peculiar shady code you'd like to send along, I have repeatedly said it and I will continue to say it. Please send me malware. Please, please. And it's going to be on my tombstone. It's my yearbook quote. Please send me malware. I have fun with this and it helps grow the YouTube content farm. And hit the bell, subscribe. I would be super duper grateful. I'd love to see you kind of keep track of the content and thanks so much. Thanks so much everybody. Thanks so much for watching. I love you. I'll see you in the next video. Take care.