Hello everybody and welcome back. We're doing it again. We're doing another YouTube. In this video, I want to do something a little bit of fun, a little bit of funky. The last couple videos, the malware analysis video, people seem to really enjoy and really like, and the recent giveaway video for Fawaz's TryHackMe room, people seem to really like that. I kind of went in cold, going in blind, not exactly knowing what was going on, and for having me suffer and figure it out all along the way. So what we're doing in this video is a good synthesis of the two, like that, like a little butterfly thing. So let's get to it. I'll hop over to my computer screen here and we'll get to the fun stuff. So here I am in my good old terminal, boy. And I'm gonna ls in the current directory that I'm in, which is called notepad.js, because I have this peculiar file here, notepad.js. So this is a little artifact, right? This is a little something something that we found and I want to take a gander at what this thing is. Obviously file is going to tell me like, hey, this is plain text, it's ASCII, it has some long lines in there, and it was originally found on a Windows host, right? Hence .js. It is not in fact JavaScript, but it is JScript, one of those sweet little scripting languages that will inherently run natively on Windows. So it's a little spooky, little spooky wookie, but let's take a gander at what this thing is. So I'll fire up my Sublime Text editor here and I've got this notepad.js file, and you can see that there's some fun stuff going on. So, let's, I'm not, I'm not actually save this, right? I'm gonna save this as original notepad.js just so I can kind of maintain that backup, and I'll save another copy of it as a deobfuscated, because obviously while I'm looking at this thing I'm gonna need to make some sense of it.
So let's do it. And again, I don't exactly know where this is going to go. I started this process and then I was like, you know what, this might make a stellar video. So let's get cranking and figure out what we might be doing here. We are running JScript code and we have some variables defined that are nonsense, like jdf ff jf, and it seems to create a string with gf as kind of a variable, maybe indicated in PowerShell syntax, with random zeros and ones and plus signs. So I'm not exactly positive what this might be doing. I don't know if it's adding these numbers together for some reason, but some of them I see end in like a plus plus or a plus on their own, so that wouldn't actually be adding anything. But that goes on for a long while, like check out my scroll bar here down at the bottom. We're cruising for quite some time. So that might be something, nido benito. Let's, oh, there's a pipe there also at the end on that last one here, so maybe that's going to do something wonky. Let's call that gf. Let's call that gf variable, because that's apparently all that we know so far, and this gf variable, if it were in fact PowerShell, what I'm going to do is I'm actually going to fire up a VirtualBox, because I've got a Windows VM that I kind of want to poke around and see if I can get anything nice with this. Let's explore that PowerShell. Actually, I could probably do it in PowerShell on my Linux host. Actually, do I have that? Well, will that just kind of behave? Oh, well, a little PowerShell down here. Can you do it? Can you do it? Can you do it for me? Thank you. Let's make that profile blue so I know that I'm in a different shell there, and okay, let's slap in that gf code. Copy and paste that, poop it in right there, and yeah, it's like, I don't know what to do with these plus signs, dude. I feel you on that one, man. So gf variable, although it seemingly ends like that, is inside of a parentheses, like array or tuple thing.
So I'm pretty sure if that ends, but it ends here, maybe that's, maybe the second one. There's tl fkl msdf. How would you pronounce that? Talk from most of? That's got to be a gf continued continued. There we go. Okay, so let's save those and, looks like we do things with them with these functions here. So let's start to figure out what those actually are. Oh, that's actually being passed into this ebb gawk fell. So let's see what our good friend ebb gawk fell does. Where's he referenced? Okay, scrolling down. There's not a lot to this. This is actually just 75 lines of code, so we might have some fun with this here, but let's see what we do. Ebb gawk fell, that function splits on plus signs and joins them together with ones. Okay, so I think if this is just essentially JavaScript code, I mean, obviously it's JScript, but it has the same engine structure as JavaScript, then doing the string manipulation stuff like this should be something that I could just do in Node, like Node.js, to be able to kind of test this server-side, locally. So let's try that. If I put my PowerShell away, can I do a little Node.js in here? All right, I'm in a prompt so I can console.log Hello World. Oh, actually, let's, you know what? Let's get something better. There we go. Okay, cool. All right, it works. Let's take this giant line and let's call that gf, slap that in. Okay, now I've got my gf. There he is. And let's get this function, split on, we'll call this like split, no, I want to search for that and replace it, please. So split plus, how about that? Let's actually take that function and also slap that in here. So now I have my good friend split plus, and we would need to pass in some strings. So the plus signs are going to end up being essentially replaced with ones. That kind of clues me in that it's probably going to be binary code. Yeah, yeah, it is. Okay. So then we also need to do that on our little gf continued here.
So slap that in. Now let's do a little split plus, and they were adding on split plus gf continued, plus plus gf continued, and now we have this whole thing. Okay, so let's awkwardly try and copy this entire string and let's save this as just another randomness. Let's just call this gf variable dot x. Yeah, that's fine. Okay, I know there's a pipe there at the end, but I'm going to ignore that for now, right at this very moment. I kind of want to see if this is in fact binary. So, you know what? Let's open a little web browser and go to the most leet website that there is, ascii2hex.com, and let's see if this binary actually comes out to be anything. It's probably going to be like a binary file. Okay, ascii2hex.com. What's going on? What's, how you doing? Where are you at? Who are you? Who? Where are you? RapidTables could do it. ASCII table could do it. Let's go to that RapidTables. That's not gonna do it for me. How is there not an ascii2hex.com? I see it like in different representations of ASCII, the word "to", and then, oh, I gotta split these on, like that. Oh, oh, look at that. Look at that. That looks like PowerShell code to do funky stuff. All right, let's save that as a gf PowerShell .ps1. Yeah, and we will need to obfuscate that later. Let me table that for now, because we haven't exactly finished making sense of our good old notepad.js, but we do know that this eventually becomes PowerShell code. I don't know what these other functions are doing though. So let's figure that out. We basically figured out these things. We basically figured out those. Now let's see what else we got. I don't exactly know where to go with this, truth be told. ScriptFullName. ScriptFullName replacing the ScriptName. Is that going to take the path?
I feel like that's going to get the path, because ScriptFullName is going to be the absolute path and then you're replacing the ScriptName with nothing. So I think it's just getting the path of this. Path. Let me replace that. I'm pretty sure WScript.ScriptFullName will be the absolute path of this program or this running script, and then we're removing the script file name with nothing. I just repeated myself to make sure I got that point across. I'm pretty sure that's the path or folder for this script. How about that? So it checks if the folder for this script is equal to this thing, which we know is set to something's username AppData Roaming. So let's change that to App, or current user AppData Roaming. I'm going to be using long verbose variable names here so I can actually understand what this is doing. And if this is actually able to retrieve the username, it's probably going to be like WScript.Shell or something, I have a feeling. And ScriptFullName, this is just going to be, okay, full script path. Okay, so this checks if the folder for this script is the current user AppData Roaming, then it will do nothing. So it's probably already where it wants to be. Otherwise it goes ahead and cmd slash copy, copies this currently running script to current user AppData Roaming and it overwrites it. Okay, so let's say copy command for that, copy command to move script to AppData Roaming. Dunzo. Okay, so then that is also still included here in this else statement, and that is seemingly going to run a command, seemingly run that function. So let's call that run command. Makes sense. Okay. That's clearing some of it up now. Okay, so we are going to run command on all of this stuff, but I don't know what these functions are yet. So var vm gazunith GetObject.
This is probably WScript. Oh, oh no. Oh no. Well, this function right here, that kind of makes sense already, l gamut. That is just going to end up reversing the string, so we can call that reverse string. And our new gel foe, that bad boy is going to take this and just concatenate those together. Doing some good antivirus evasion, doing some obfuscation, ladies and gentlemen. So let's slap all that together in our little Node interpreter, and let's just make that that. And since that literally just returns this, we can just kind of replace all occurrences of that with this. Make our lives easier here. Oh god, I just straight up removed it. Piss that in, do it. Okie dokie. So we don't need that function anymore, and GetObject and reverse string is just going to end up doing, how many times do we use reverse string? A few, but if that's just going to end up being reversed in this GetObject command, I'm pretty sure that's just going to end up being WScript.Shell. So let's take that string and reverse it. I'm just gonna do this in Python because I don't know the syntax for it in Node off the top of my head. And this must be like a new CLSID, like the class ID things in Windows. I am not too sharp on that, but we should have our Windows VM cranking here. So let's see if I can do that exact same thing. Can I invoke a class by, like, via PowerShell or something to do that? To like simulate this exact same functionality in WScript that I don't know. I'm going to assume that this is WScript.Shell because it has this Run function. So let me do that. I'm just going to call this WScript Shell, and then it runs that command. I don't know why it saves this as a variable because it doesn't seem to do anything. And then we have a registry persistence thing, reg add with a cmd /c HKCU Software Microsoft Windows CurrentVersion Run, adding the value lul. Lul, lol, hackers gonna lul. It makes it as a string and adds in our current user AppData Roaming with our script name.
Okay, so eventually this notepad.js file does want to be in current user AppData Roaming under its name. So I will call this function persist in registry, and this must be reg add command for persistence. Good enough. Okie dokie. Split plus is good. Let's figure out what our jkkw function's doing. Actually, I want to know what this thing is. Do we end up calling this? Is that different from that? Is it a different CLSID, if that's the right terminology? I might be saying that wrong. Let's start from the top. Let's take a step back. Let's kind of remind ourselves where we came from, you know. We do a GetObject. What class has .UserName in WScript? Gosh. Oh, I so wish I, oh, Cortana, what are you stinking doing? Let's find out, WScript get username. How to get username with VBS. .Network. Is that it? Is there a Windows like CLSID lookup thing? CLSID keys. I guess we could look in like the registry for those classes, but is it an AppID? Is there a list of these? Okay, so CLSIDs look like a GUID, and these do not look like GUIDs, do they? No. Maybe. How about an AppID? What the heck's an AppID? Sorry for that epilepsy, guys. Windows AppID list. Identifies the AppID GUID that corresponds to the named executable. Community malforensics, that sounds kind of cool. That sounds like what I want. Application ID is, those don't seem to be. I think it is a CLSID, but how do I get a? Explorer, shell, explorer, network. What would all these be like in a WScript class, or like in an object? How's the Windows doing? I don't care. Please leave me alone, Cortana. Please get out of my house. Oh god. This is gonna move so slow, Windows in a virtual machine while I'm recording. Okay, you know what, let's just right click, please, and create a new little text file. Come on. You can do it. You can do it. Oh, you did it. Okay. New text file, something something. Something something .js. Yep, do it. All right. Let's edit this.
I'm waiting for Windows Defender to be like, virus! I create a single JScript file, it's just like, no. Can I message box that out in JScript? I don't know. I genuinely don't know. Let me make this bigger so you guys with eyes can see it, because, oh, Ctrl plus in Notepad stinking works? Are you kidding me? I always thought I had to go into like Format to like, you know, change the whole thing, like change the whole font. All right. Let's double click on that. Yep. Open it with the Windows Based Script Host, please. Die. Three one, object expected. Oh, duh. I just want that. Please, does message box do it? No. WScript.Shell echo is a thing if this is in fact WScript.Shell, I'm pretty sure. Hello. Once again, let's go for even better. Now we're talking, boys. And it needs a freaking semicolon, I guess. It's JScript, right? Come on. Does that need parentheses? Gosh, I wish I were so much better at this. Object is not to, excuse me. Okay, you know what, let's move on, I think. Let's just keep cruising. This guy's gonna do something funky. This is gonna get, seemingly, powershell. Power, in reverse, right? p o w e r, at, powershell. This is literally just generating the string for powershell and it's reversing it. So this can totally be replaced with just the string powershell. Imagine that. Let's replace all those. Let's totally nerf that function since we don't need it anymore, and let's see where else it's running PowerShell. Oh, wow. It runs PowerShell right at the very top with our gf variable that we knew was PowerShell code. Okay, it's all coming together, ladies and gentlemen. This is slowly becoming actually understandable, which is nice, but we don't know about this thing yet. I don't know what path that is ultimately. It's just the same one. I don't know what like CLSID or whatever the thing is it's getting. It's getting the object that allows us to get the username, but that's literally it.
So I don't think we need to, we don't need to waste our time on that, ladies and gentlemen. Let's get back to the good old PowerShell code. I think now that we've made a good understanding of this, let's just call this the WScript Network, as that is seemingly the only thing that this is going to end up being. So we can kill that entire function yet again, and now that reverse string is going to give us that new, whatever that CLSID is. Can I just look for that? Oh, I need to kind of reverse it, don't I? Let's look for this. Let's do like a, let's Google that bad boy: GetObject, that thing, malicious code, hacker. Oh, we're going to the spooky scary parts of the internet, ladies and gentlemen, boys and girls, strap in here. Where's our, where's my little GetObject new ID? Let me Ctrl F for that. It's not even here whatsoever. Okay. I don't like these advertisements. We still can't believe, you didn't see this here, folks. This wasn't in a John Hammond video. Booking confirmation, booking that thing, new shipment .vbs, and some Hybrid Analysis malware detected, Suricata alert, created guarded memory stuff. Yeah, I mean, this isn't the exact same thing that I'm looking at though, right? It's a Visual Basic Script file. Wait, is that the same hash that I had? Is that the same hash? It's VBS though. It's totally not. It's totally completely different. Let me go back to my, let's get back to my terminal here. Let me just do a sha256sum hash on our original notepad.js. No, it's just d9 at the very start and that was dfbe. That does some weird stuff though. You can tell by the way that it is, look at that process tree. That's insane. Gotta love it, man. Gotta love some good malware. Oh, Joe Sandbox got some good stuff and they're using a New-Object. I need to stop. I know I need to stop. We're going down rabbit holes that we really don't need to be, because we kind of know where this goes next. So where else do we use reverse string? Just there. What is this function?
Did we never clear that? Oh, no, it's PowerShell. It's more PowerShell. We didn't finish. Let's take this and let's reverse it. So back in our Python, I'm gonna slap that in, and, what, did I do that wrong? iex. This is the original string. Reverse it. Am I, do I have that syntax wrong? I just did this. What is happening? Please, sub reversed. Right. Oh, oh, there's separate strings. I'm a dumbo. So this all needs to be put together first. I'm just stupid. I'm sorry. I was totally misreading that. This is why you need like syntax highlighting, everybody. That's why you got to open up a little bpython. Now we're cool. Okay. There we go. Let's say a can equal that thing all added together, and now I have that original string, and then I can reverse that and now it's actually stinking readable. Incredible. All right, so jkw can be totally replaced with, gosh dang it, I lost the string. And let's make sure that that is actually regular expression accepted. Do it. Oh, that's a mess. Oh god. Why did I do that? Does that have a, it has a newline in it for some reason. So we don't need to reverse string anymore, but we know that that was piped in, like the gf variable was piped into this, right? So that's just gonna end up executing that PowerShell code. So we got VBScript network. Let's reverse this thing too, just for our good safekeeping. Finish up this script so we kind of know everything that this thing does and it's not a mystery. We can get rid of our reverse string function, and this is basically deobfuscated.
So let's call this like run command. Our string plus doesn't need to exist anymore. A reverse string is only being defined, now it's no longer being called. Run command, persist in registry, string plus and everything, and then there's a little persist. Okay, I think at this point we can call this done. We are 30 minutes into the video and we have finished up with this JScript code. We have known and figured out that this gf variable is doing some peculiar stuff in binary, and you can actually see that in this PowerShell code, because it ends up taking every line, every portion of this. That percent sign is a ForEach loop alias in PowerShell, and for every single binary byte here it gets a string value from it and converts it from binary. So it's ToInt32 with base 2, right, being set there. So it knows it's binary, and it joins together as a string, and then it runs iex, and has a little neat obfuscation in that you can throw backticks in literally stinking anywhere in PowerShell code and PowerShell will still do it. So it invokes expression, iex being the alias for Invoke-Expression, on all of that binary. Wow. Why did we do this, guys? So let's get that PowerShell code going. All right, you know, let's start to deobfuscate this thing. Deobfuscated PowerShell, also known as gf. So let's do a ping. So we ping until we have internet connection, is that right? We only send one ping every time. Let's try that in a genuine PowerShell. I could probably do that on Windows again, but you know what? I'm sorry. I could probably do that in my Linux PowerShell again. I'm pretty sure that command will be understood and ran. Let's make this bigger. I think 36 is big enough. How about you? How about you? What do you think? Let's slap that in. Okay, yeah, ping is gonna run quiet. So what was that command? I was probably doing some sketchy stuff, so if I'm using wmic to os get, random port on an internal IP address, something .xsl.
No one knows what John was up to that day. What else we got? Then we get this t56 fg variable and we get an enum ProtocolType to that thing. What is that? Let's find out what that is. Slap that in. What is our t56 fg? Tls12. Oh, we're doing some TLS stuff, everybody. Let's put that guy back and let's say tls 12. How about that? So we got the security protocol and we're doing maybe some encryption stuff. We're gonna end up doing some System.Management.Automation, AmsiU... Is this an AMSI bypass? Oh, it is. Oh my gosh, it is. Is that, it sets the value to null and true. Holy cow. Yo, that, I hope that's an AMSI bypass. AMSI bypass. Let's bring these back to normalcy. I should probably have just done a find and replace for this rather than do it by hand, but, you know. GetField amsi, and it failed. Non, oh, NonPublic, Static. So it's getting those fields that it's going to be replaced with pub, as we saw, and then it adds in static SetValue null to true. And then it goes to do some web client stuff. So I don't exactly think there's anything more to that. Is that literally all it takes? Let me try. Let's do a sanity check. Let's just run AmsiUtils in our Windows VM to see if AMSI is running currently, which it is. Dope dip and dots. That's kind of what it should be doing. So now let's slap in that AMSI bypass here, and no, it didn't like that. It weirded me out because that's not like, I don't think that's all that you need to do for an AMSI bypass. I feel like that's a little small. I don't know. Maybe it does something else, because it doesn't store that in anything. It literally doesn't. Sorry, I'm flailing my windows around with alt tab. Let's go back. ServicePointManager, it sets the security protocol to Tls12, and then we get a tty. So let's slap those together so we can read that just fine, and that needs to be brought into iex, in which case that just makes tty be a WebClient object. Yeah, tty is a WebClient object.
So we can download stuff. And then we do some reflection. Assembly load, Visual Basic. mv can equal a Microsoft.VisualBasic.Interaction CallByName down... That's kind of a cool trick. I've never actually seen that set up that way. You don't have the full like New-Object Net.WebClient DownloadString. It just kind of calls it, it's gonna at least a little bit separated, and that way you could do more obfuscation on this. That's kind of neat. I'm sorry. Look at that URL, everybody. I'm sorry. All right, so, holy cow. You don't see that anywhere else. I've been here, ladies and gentlemen. This is where it's really at. All right, sketchy URL. Sketchy URL. We're gonna download string from attack.jpg. Let's see if that bad boy's still a thing. You know what, I'm on Linux, you know I'm a ballsy guy. Does that literally still exist? Yo, yo, hit me with it. Give it to me. I want it. Let's curl it down. Okay, okay, here we go. Let's output that to a good ol' attack.jpg. Oh, what you see there, boys? ASCII text. Yeah, what do you think? What do you think? Loading image, shush, shush, Sublime Text. No, no, no, no, no. Let's make that real ASCII. And it's probably, is that passed to iex, honestly? Oh, it's gonna, yeah, it's gonna end up passing it to iex after it filters it out. So we'll call that thing raw payload, and how about that? Because that's going to end up taking the contents from this, splitting it on percent signs, and then for every single object there it's going to consider it to be hex and then join them all together. Oh, oh, oh, oh, it's okay. So they are all hex and it's gonna bring it all together. So let's call that final payload. Yeah, yeah. And then it invokes it. So we're up to stage three, ladies and gentlemen. Let's check out attack.jpg.txt, and okie dokie, this is just like a URL-encoded thing because it's hex and with the percent signs. So, you know what? Let's make a little mess here.
Let's call, reverse, or let's call it like stage three. Stage three dot python. We'll do a little #!/usr/bin/env python. Let's open our attack.jpg.txt. Do you want it as bytes? I don't exactly care, honestly. Well, let's do a little context manager because I'm on the internet and people are gonna yell at me. So with open that thing as handle, let's do handle.read. Actually, let's save that, and I don't want it to be bytes, guys, you know, I decided. I thought really long and hard about it and I thought it's just not worth it. Who cares about encoding and stuff? So we get all that, we do the contents, we do contents.split by parentheses, and let's get a little pprint so we can see that displayed. Nice, let's do from pprint import pprint. That's exactly how you say it. And let's run that stage three dot python. Excuse me, syntax error? What are you going on about? I forgot a parenthesis. That's exactly why. You were totally right, I was wrong. Okay, now we got all that stuff. There's a lot, dude. It's pretty big. All right, let's strip that, because it might be some other noise and nonsense in there, and let's start to convert those to hex. So let's do int of, wait a second, yeah, for x in that, let's do int of x base 16, and now we got the actual hex numbers, and let's say, what do you want to call that? I mean, those are bytes, aren't they not? Let's just convert it, convert to character, convert to character please. It's gonna give me Python code. It's gonna give me PowerShell code. I'm sorry. So chr all those, now let's join that all together and let's do a little print on that guy. Sorry, sorry, I'm frantically moving my windows around, and now we've got this. Does it ever end?
Let's tee that out to a good old stage four dot ps1, and let's see what we got here. Oh, so this is a good trick. This is going to end up being iex, because it's just taking the character array from it and it sets alias of that thing to iex. So yeah, let's get back to PowerShell and just show you that, like, look, it's iex. Invoke-Expression, ladies and gentlemen. Let's call it what it is. Call a spade a spade, or whatever the cool kids say these days. So sal, that thing, can just, because sal is Set-Alias, command, let's Set-Alias, trying to be spooky again, guys. Sorry, flailing around. Set-Alias to iex, just set iex to what it is, guys. Don't beat around the bush here with me. You know what you're up against. I'm just kidding. I don't have any idea what I'm doing. This is beautiful. Take a look at this: System dot App, add add add add add add, our asterisks, asterisks. Yeah, do a little AppDomain, passing it to iex. All right, let's nerf that thing real quick. AppDomain. We can remove that little replace syntax here because it's stupid and a waste of time. So that's going to give us AppDomain. We'll call that that. I will use the dollar sign here just, oh no, no, that's going to clobber that variable and that's going to be bad. So this, though, can be CurrentDomain, and I know that this is going to end up building us out to have the capability of reflection, and I see literally yet another payload in here, I'm pretty sure, in this hex. And that's going to be disgusting. So let's see what we got. This has some whitespace in it for no reason. And string of this can equal all that. Does that ever get replaced with anything? Yeah, replaces at signs with zeros. Let's do that, ladies and gentlemen. I'm just going to steal that code and, like, once again slap it in Python. I did copy and paste that, I swear I did. I literally hit Ctrl, Ctrl, Ctrl Shift C, Ctrl Shift V. That's how you can help being pasted. Are you just not letting me do it? I right click paste it. Okay.
It's too big. 20,000, 201,000 characters selected. Oh, I see now. I understand the dilemma. That might be actually something difficult for you to do, because there's a lot of data in there. So I would tell Sublime Text to do it, but that might be a horrendous idea. Does this only do the exact same thing? It does. So let's try that after we replace all the other things. Invoke null null, with replace at sign at sign with vo, so it's just going to end up running Invoke, and you can see the iex there. So let's remove that replace and nerf this thing to get to Invoke. So we do a kernen vain Invoke iex. This is going to end up being a, let's just say that's going to get a, like, module, I don't care whatever it's called, Load. So it loads it reflectively. I might be wrong in that explanation, but we do replace all that, and this thing is going to end up being this original string modified and pulled into bytes. Basically, I'm assuming, just converted out of hex, it looks like, right? I'll zoom out here because this function is going to take the parameter, split it, and remove all of these periods and parentheses, but those aren't in there whatsoever, are they not? Let's take this big long thing, let's copy and paste and do another Sublime Text window and let's try and do that find and replace and literally break everything. Let's do it. At signs, oh dear god, Sublime Text is already chugging along, and let's replace them with zeros. Ctrl Alt Enter to find and replace all, and let's see if Sublime Text crashes. Let's monster break, he's chugging along. Gotta help us. That was a real bad idea. Why did I do that? I knew, I knew like all along, and you guys were telling me like, John, don't do it. Don't put that evil on Sublime Text. Shit, I never even saved, like, the original stage four. So did I? I never even like made a copy of stage four dot ps1, because it's original. Oh, oh, did it do it? Oh my gosh. All right, here we go. Let's call it like payload four dot text.
Let's call it dot hex. Nice work, Sublime Text. We gave you time to recover. We gave you the time of your life, and you really came through. I really appreciate that, man. What else we got here? Waves dot that thing. Is this doing some like process injection? Is this gonna, like, so we're obviously gonna end up loading some C# binary or .NET assembly thing that we could probably expand and look at, but Waves is probably going to end up being like the namespace of the class, and that weird thing and this function will likely end up doing something. But it's taking notepad.exe and loading more code in, which has to be this thing. So I wonder if that, that's got to be something new. That's got to be like some process injection, I think. I think, you know, I think, mmm, let's mess with this. Function though, but there, let me get back to payload four, because there literally is no stuff in this. There is no parentheses, period, period in that. I don't think there is, but that's what we end up doing with this. Seemingly it will end up and become C#. So let's take that and let's write another PowerShell script. Actually, let me pause the video. Oh god, what's happening? I didn't mean to copy paste it. Please don't do it, terminal. Okay. Goodbye, Python. If I didn't kill Sublime Text, I certainly killed you. Let me pause the video for a quick second. I checked some notifications on my phone. All right, we're back at it. Let's see what we got left. Where are we at? I'm trying to remember. We have payload four dot hex. So let's make a recover payload four dot x, oh no, I want that to have a Python extension, because it's going to be a Python script. So we can copy basically the same thing we did from here, except we're going to end up using binascii, and we will in fact read it as a binary or bytes, so that way we could get payload four dot hex, and then we have the contents.
So let's do a print binascii.unhexlify of the contents, which should be bytes already. So theoretically I should get a bunch of binary data spat out on my screen, which I do. Excellent. Um, so let's save that as stage 5. Bro, bro, we're going, we're going for a wild ride here. And let's just open like a stage5.exe, write that in bytes as handle, or as h because we already used handle. So let's do it: h.write(stage5). Write properly spelled, right? Ha, imagine that, English, English words. python3 recover. There we go. Now I have a stage5.exe that is a DLL. You know, we were, we were close, guys. We were close. Let's call that stage5.dll. Okie dokie, uh, let's, let's maybe modify that script to have the same thing. Um, so before we dive into that, let me, uh, clean these up. So let's convert to hex. Um, let's put this function away because we kind of know what it's doing already. This will be, um... Can I call that stage 5 like C# bytes? Oh God, Sublime Text, come back to me. C# bytes. Um, and then we load that in, LoadLibrary, and that will probably end up executing, or imported LoadLibrary, I guess. Uh, I'm not, I'm not using the right like terminology and lingo to describe all this, but now that we've imported that library, that C# DLL that we can understand and explore with ILSpy or dnSpy, Waves is something that is seemingly now brought into our context. So we're going to end up probably injecting or doing something peculiar with this function here inside of that into notepad.exe. So, uh, before we dive into that, let's go explore this, uh, let's go explore that DLL file. Let's go back to our terminal here, and Python has come back to us, everybody. Hallelujah. Um, let's run ILSpy in here. And do I want to close that virtual machine? I'm sketched out that it's still kind of like eating up memory and stuff, and this video, this video's gotten pretty fun. You know, I think... Yeah, let's do it.
Let's, let's open up that ILSpy real quick. See how we do. Okay, and forgive my, forgive my malware present in here. Uh, what did I call this? notepad.js, yeah, yeah, yeah, stage5.dll. What do we got? Assembly title: Music. Can I zoom in on this, please? Can I... I want to edit this so you people can actually see it. Seriously, how do I... Options, yes, Display. Uh, font size bigger than that, please. All right, now you can see it, I hope. Let's see what we got here. stage5.dll. Using Runtime.CompilerServices and InteropServices. So we're probably going to be doing some memory stuff. Uh, assembly title is Music, uh, which I think I repeatedly said, but that's kind of funny, especially if Waves is what's kind of doing... Oh my goodness. Look at this. All right, references. Is there anything to read in here? Melons. What is this? Obviously a System... Oh God, please don't, please don't actually pour all that out right now. It pulls in some kernel32 stuff. Can I get anything out of Melons? No. We've got any resources in here? What is this? Does it draw icons? Is it gonna like actually pretend to look like... What is it? What are in these, man? Are these pictures? Are these images? I'm gonna run foremost on this just to be wacky. Uh, sorry, spastic terminal as usual. Let me, uh, let me do a little foremost on my good, good friend stage 5. Let's see if we got anything in there. No, just a DLL. We could do like a binwalk, like a hard binwalk, uh, but I don't know. Let's see what we got. Okay. Okay. There's a lot of randomness in this. I don't like this. We're in over our heads now, ladies and gentlemen. Holy crap, there is so much stuff in this. What is this? Costura. I see that, I've seen that before. My gosh, this is all obfuscated. Anyway, let's get, let's look into Waves, because honestly that, this function, is the one that we know gets executed and ran. So which is the one? But let's totally, for the moment, ignore all that other noise, but I'm sure there's plenty of stuff to dive into in there.
We end up running Waves dot t4 h jug, which is that. And we run our good y7 8 h j, which is that, uh, 5, 5. So it takes a string, which we know is notepad.exe, and it decompresses as a gzip the bytes that are passed in. So this decompressed gstrip... gzip, sorry, is gonna end up doing more stuff. That's very messy. Little switch cases here, other randomness, um. Let's, uh, let's try and just take that binary data. Let's try and take that hex data and decompress it as a gzip, and then understand what that toto function is going to end up doing, because I'm sure it's going to do something spooky. It might do some, uh, process injection, because this new payload is what we are running with that function, and we haven't decoded that yet. So let's set Sublime Text on another wild goose chase to replace all of these at signs with null bytes. Here you go, everybody. I don't know why ILSpy keeps giving me tooltips. That's very annoying. Stop it, ILSpy. Okay. Go, Sublime Text. Now you can leave your comments, everybody. You can tell me like, John, just... you said, John, just use Arch, just use Vim, just, uh, completely rewrite the kernel. Yeah, I could, but why? waves_inject.hex, I suppose, is what we will call that. And let's convert that out of hex. They do convert it out of hex, do they not? They do. They do. So that's going to end up being a gzip stream, as we know now. Um, let's... should we Python it up again, or should we do something like CyberChef? Let's do a little CyberChef, you know. Let's, let's appeal to the masses. There we go. Slap that in. Do a sweet little From Hex. A whole lot of nonsense. Let's get a little Gunzip, as I like to call it. And now we have this thing. Oh, and it's another executable. Oh, oh, oh, all right. I don't know if you can see it. Uh, we get the little notification: hey, this program cannot be run in DOS mode. Got another binary, ladies and gentlemen. All right. Let's save this thing, download.dat. Um, what is this? Is this stage 6 or something right now?
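The two recovery steps just walked through (hex text with '@' filler back to bytes, then gunzip, then "is this a .NET assembly or a native PE?") as one Python script. This is an added example, not the video's own recover script; it assumes the '@' characters stand in for the digit '0', which the video does not confirm, and the PE header it feeds itself is a constructed stub.

```python
import binascii
import gzip
import struct

GZIP_MAGIC = b"\x1f\x8b"

def normalize_hex(obfuscated: str, filler: str = "@", digit: str = "0") -> str:
    """Undo the character swap the PowerShell loader reversed with .replace().
    Assumption (not confirmed in the video): '@' stands in for the digit '0'."""
    cleaned = "".join(obfuscated.split()).strip("'\"")
    hex_text = cleaned.replace(filler, digit)
    if len(hex_text) % 2 or any(c not in "0123456789abcdefABCDEF" for c in hex_text):
        raise ValueError("not a clean hex string after substitution")
    return hex_text

def has_clr_header(blob: bytes, e_lfanew: int) -> bool:
    """Data directory 14 (CLR runtime header) is non-zero only for .NET assemblies."""
    opt = e_lfanew + 24                              # optional header follows COFF header
    magic = struct.unpack_from("<H", blob, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)     # data directories: PE32 vs PE32+
    rva, size = struct.unpack_from("<II", blob, dirs + 14 * 8)
    return rva != 0 and size != 0

def classify(blob: bytes) -> str:
    """'pe-dotnet' (ILSpy/dnSpy), 'pe-native' (Ghidra/IDA/Hopper) or 'unknown'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return "unknown"
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "unknown"
    return "pe-dotnet" if has_clr_header(blob, e_lfanew) else "pe-native"

def unwrap(blob: bytes) -> tuple[bytes, list[str]]:
    """Peel gzip layers (the stage-6 wrapper) until something else appears; log each."""
    layers = []
    while blob.startswith(GZIP_MAGIC):
        blob = gzip.decompress(blob)
        layers.append("gzip")
    layers.append(classify(blob))
    return blob, layers

def recover(obfuscated_hex: str) -> tuple[bytes, list[str]]:
    """hex text with '@' filler -> bytes -> gunzip -> classified payload."""
    return unwrap(binascii.unhexlify(normalize_hex(obfuscated_hex)))

def build_fake_pe(dotnet: bool) -> bytes:
    """Constructed sample: a minimal PE32 header only, not a runnable binary."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    nt = b"PE\0\0" + b"\0" * 20                              # signature + COFF header
    opt = bytearray(struct.pack("<H", 0x10B) + b"\0" * 94)    # PE32 magic + fields
    opt += b"\0" * (16 * 8)                                  # 16 empty data directories
    if dotnet:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)  # CLR header RVA/size
    return dos + nt + bytes(opt)

def obfuscate_for_demo(payload: bytes) -> str:
    """Constructed input mimicking the sample: gzip, hex, then '0' -> '@'."""
    return binascii.hexlify(gzip.compress(payload)).decode().replace("0", "@")
```

Running `recover(obfuscate_for_demo(build_fake_pe(dotnet=False)))` yields the stub bytes and the layer log `['gzip', 'pe-native']`, i.e. the stage-6 situation where ILSpy is no longer the right tool.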
Let's call it a DLL. Yes, save it. Let's move our downloads, download stage6.dll over here, and let's see if it is in fact a DLL. Nope. It's not. We were wrong. God, man, oh for two, guys. Let's call this an EXE. Um, oh, and that is not a .NET assembly, so I would not be able to do my good ol' ILSpy or dnSpy cheats. I'm gonna have to actually reverse it with Ghidra or IDA or Hopper, and oh goodness, I don't want to. Let's see what you do with strings. Now we're starting to get into the stuff that I'm not good at. Rich buy, rich buy. That was a weird one. I see "rich buy" at the very, very top here. Is this going to end up being like a crypto miner or something? That would be nice, like if we came all this way and it was like, nah, I'm just a crypto miner. Is there any like indication of Monero? Is there any indication of Coinhive? All these strings are useless, man. Where are we going? Oh, now we see stuff. Network down, message size: that's just going to end up being like C2. File exists, file too large. Those are like genuine messages, though. Argument out of domain, too many files open in system. Those aren't normal, I don't think. Core exit process. Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday. Why does malware always include the dates? I'm sure it's in like some library that gets pulled in, but it's always just so funny to me to see that in strings. Um, where's the good stuff, guys? Oh, is this going to be like a C thing? Is this going to be a C++ thing? cmd.exe. Doing some Event Viewer. Keystrokes: is this doing like keyboard logging? I don't know what's happening right now. key3.db, logins.json, the Firefox stored logins. Oh, is a little info stealer trying to grab browser information? Cache stuff, license code text, improperly spelled "license". I know like you guys might think I'm dumb for just looking at strings, but seriously, you can get a lot of like glistening. Remcos started by watchdog. What is that? What is that? What is Remcos? Remcos RAT. Remcos RAT.
Is that what I'm dealing with right now? Is this it? Did we find it? Remote Control and Surveillance Software. Updated yesterday, 17th of 2021 February. I said those out of order. What? What is this? Is this like the latest version? Because that would be kind of cool, in a horrific way. You know me, like, that'd be kind of slick, in a horrible, nightmarish way. I appreciate this malware going outright and telling me what it's called, though. You know, I really am thankful for you just saying, oh, Remcos. We got restarted, some registry locations, Remcos fee... Oh my gosh. breakingsecurity.net, we see you. Is that like a safe site? Is that like a, is that like a good, good thing? Or is that just straight up shady? I don't, I genuinely don't know. I genuinely don't know. So: "We specialize in advanced ethical hacking." Guys, this is too cool. What? That's Remcos there. Viotto Keylogger. Poseidon Mailer. Holy cow. Why have I never heard of this before? This is insane. They have so much stuff. Oh, of course, a small free video game. Why not? Is it all open source? Are you for real? Oh, no, no, no, no, okay. Let me, let me, let me keep looking at Remcos, because we're the... Remcos Professional, download Remcos Free, limited functionality. Read the instruction manual. I kind of want to do that. "Control your personal computer from a remote location." Or not your personal computer, or someone else's personal computer, or server, or data center. Runs on any Windows. Encrypts the connections. This is unreal, guys. I'm glad we got here like within the hour. Remote control the screen, remote chat, control center. This is... Maybe I'm hyping this up a little too much, you know. Maybe, maybe I, maybe my inner YouTuber is just getting a little too excited about things that aren't all that exciting, but look at this. My inner YouTuber, shut up, John. John, what the, what the heck are you talking about? Shut up. You're not a YouTuber. There is seemingly nothing else all that interesting in here. The copyright, though: Dinkumware.
I'm pretty sure I've seen that around. I think it's just part of a module, isn't it? Dinkumware. Yeah, these are the C libraries to be able to do peculiar stuff. And not even that, I think, I'm pretty sure these have a genuine purpose. Dinkumware. Yeah. Oh, no, it's just a premier supplier of actual C and C++ libraries. So, you know, there's that. Padding, padding, padding, padding, padding. Is there anything else peculiar and interesting in this? Or have we just kind of found the smoking gun to be like, nope, that's remote control. That's Remcos. Remcos. I like... oh, that's got to be what the "buy" is for, like, hey, go buy the actual program rather than using this cracked software that you found on the spooky wookie dark web. Remcos is another RAT. Fortinet got some stuff on it back in 2017. Here they are using it with a macro doc. I like that it's called remi.exe, and the screenshot. And they obfuscated a little bit too. Oh, it's packed with MPRESS. Or maybe the older version was. I didn't see like a UPX string. I actually haven't heard of MPRESS before, though, so I will have to add that to my mental repertoire. Obfuscation of the matter practically ended after the two pack... At that point we just stopped obfuscating. We thought it was good enough. According to their website, Breaking Security, this version was just released last month, relative to that article. Wow. What a wild ride, guys. Now that we've, now that we kind of diagnosed this as Remcos... We, we went a long way to get here. Look at these, the usage though. Like, hey, we got all these machines that you were monitoring the event logs for you. You can start... Oh, you could start all the other programs if you want. Oh, no, no, other, other software, I'm sorry. Okay, I thought it would be like just drop the keylogger in place. "More and more applications like Remcos are being released publicly, luring new perpetrators with their easy usage."
Yeah, that's like some IOCs here. Oh, we've got some IOCs from this video, that funky URL we saw earlier. What else do we see in here? I, uh... go away. Thanks. Trend Micro's got some good stuff. This is in December of 2019. Germany-based security firm Breaking Secure... Germany-based firm, sick, Breaking Security. I don't know if I could, you know... Uh, coronavirus, bam. That was in 2019, though. Wait, what the heck, this email is from April 3rd, 2020, and this article is released 2019. Can you see the future, Trend Micro? I know you guys were good, but I didn't know you were that good. Startup persistence, of course. Bypasses AV. Maintains persistence. Injects into a legitimate Windows process like notepad.exe, as we saw. Information theft, stealing all potential of those Firefox cache and Windows cache, as it's at the backdoor commands. Spooky. Holy cow. I want to learn more about Remcos 3.1, 3.1.0. This is the one that came out like yesterday, though. Optimized, improved, faster. Fix agent crash. Copy IP address. Wow. Did it say the version? Did it say, when we were running strings in there, did it say the version? Remcos, Remcos, Remcos v... Oh, it cuts it out. Remcos v something. It's got to be filled in by the actual... No. You know what, let's do a little Hopper, guys. You know what, we might as well. We're already this far into it. Um, did I actually open Hopper, or did I just open my virtual machine again? Hopper, please? Uh, I'm sorry. I'm okay. Um, we want to go to notepad.js, with our stage6.exe, I think is where we are. We'll go to our entry point here. Um, and let's try and understand this sub. That thing, that thing, that thing. I want to find the strings where you ended up saying Remcos version. Remcos version. You can see even more. Policies, System, EnableLUA. Oh, oh, that's just trying to add in like the RDP stuff. I want to see this version number. Where do you put me? Remcos version 3.1.0 Pro.
Oh my gosh. Literally released yesterday. That is insane. I can't even... I don't even want to like edit this video, because I want to get this out like right away, show people some of this cool stuff. Wow. That was a wild ride, everybody. I think that's as far as I want to go. Um, I, I think we've diagnosed that, okay, this is a remote control, remote access trojan, through layers and layers of payloads and obfuscation. I hope you had fun on that safari ride through JavaScript, or JScript, through PowerShell, through C#, through an executable that isn't going to end up being a .NET assembly, and doing some of that detective work to go find this thing out on the internet. I think that, truth be told, and I'll be honest, I didn't... this was not staged beforehand. I saw this JScript and I'm like, this would make a really good video, so I just dove in and started recording, and I literally haven't seen this before, and this honestly has been really cool. I don't know what else to say or do in this video, but I hope that this was a lot of fun, and I hope that this even takes it further than what we did in that last malware analysis video. I know a lot of people loved those, or they'll love that video, and hopefully we can do a lot more. But we did some cool stuff in this, and I think that was a blast. I think that was fun. If you guys haven't done all the YouTube algorithm things and you enjoyed this video, please, please, please leave a comment, you know, say whatever you'd like. Hopefully something nice. Um, maybe like the video.
I'd be super appreciative of that if you could subscribe. And I've been doing my homework, I've been learning a little bit about kind of the whole YouTube subscription thing, YouTube algorithm thing, and, uh, hitting the bell actually means that, hey, you're gonna get the notifications for real, not just be totally absorbed and lost in the abyss of the YouTube machine, and that, well, you'll actually be able to get notified when I, when I post new videos. So if you like this stuff and you want to keep coming back, I would really, really appreciate that. And this has been a ton of fun, everybody. So thank you. Thank you. Thank you. Thank you for coming to hang out. Um, I'll see you in the next video. Hopefully we can do more stuff like this. But, uh, I love you. Take care. I'll see you in the next video. No video outro, because I'm just gonna straight up upload this. Love you. Goodbye.