KOVTER Malware Analysis - Fileless Persistence in Registry

Dude the most valuable point to this video for me, that keeps me watching and wanting more, is that you show your process and explain your reasoning as well as the deductions for each stage. Feels like a master class or high level university lecture, but without the typical boredom or theory.

John says: "sorry for the long video"
Me: " MAKE IT LONGER, I WANT IT!"

We all underappreciate how good this man is at naming variables.

Malware Analysis is literally my favorite playlist on TH-cam. Never watched anything more interesting/entertaining, keep up the awesome work!

Thanks John for hosting this stuff, diving into it, and giving the constant reminder that it's OK to use your brain and nerd out about really complex IT problems.

34 mins into the video, and I am just mind blown how deep this embedded code goes... Absolutely amazing job refactoring and de-obfuscating. Some of the best i've ever seen.

Every time you went "this is getting awfully long" or "I know this might not be all that interesting" I was like... Doooooooooooood no this is da stuff. Good one John :)

Just wanted to say thank you for the time and effort you put into your content. For a young guy in IT, you’ve made this stuff super accessible, and I can’t wait to attend the upcoming Snyk CTF! You’re a goddamn inspiration John! ❤️

Really appreciate you taking the time to explain the shortcuts here John!

That was indeed a long video, but also quite interesting to watch how you do this. I keep learning from your videos, thanks for sharing John!

Really appreciate the lengthy videos. This is a fantastic dive and great way to get into your headspace. Very easy to follow your thought process here.

This is my new favorite TH-cam channel. Can't believe I hadn't come across this sooner. Very competent and thorough analysis and deobfuscation in these videos. Really quality stuff.

You have a brilliantly clear mind! It's a pleasure attending your lectures.

- So how do we call this thing?
- Programmers every time: hmm..'test' sounds fitting.

You actually taught me a ton. I guess because you are also learning that it makes the process easier for me to grasp? Or maybe because I know everything you are saying now. Years ago I was very clueless but I had never seen the fileless process outlined so simply. A world of gratitude from this girl.

As someone with next to no experience in malware and very little in programming in general, i find that you make these super easy to understand and teaches at the same time

Great work, John! Thanks for sharing your experience with the community

I am loving these Malware Analysis vids, and all of the knowledge that is poured out in these vids.

Great video! I love these breakdown videos. Really interesting. It’s crazy how someone developed this.

John John John.... I just discovered your channel few days back and I am totally hooked... Your Content is brilliant captivating and very well presented. Thanks for your Obviously incredible hard work that you put into this!

Super interesting video! Being a Linux guy wanting to get into Malware analysis, I always learn a ton from your videos. Thank you!
It takes a lot of confidence and skillz to do this (mostly) live while working through the challenge and still looking like the expert that you are. Keep up the great work.

Thank You John. It is a pleasure to watch your videos! I always learn something :)

Yay, i really enjoy your longer videos. :D

Love this long form videos, great stuff!

I’ve never seen one of your videos before. This is super interesting, thank you. Subscribed 😁

Another great video. Really interesting to see how you approach this.

Will be my first real Con CTF !! Thanks John!

its like solving a puzzle, didn't expect, id watch the whole video, awesome content also that technical document was so great

Watched the whole thing. Learned a lot. Thank you!

Thank you, this was awesome. I didn't even notice how long it was.

I initially mistakenly read the title as "Flawless Persistence in Registry," but after completing the video am thinking that misread title is actually applicable. Snyk is awesome though, and I'm actually happy to see the section near the beginning about it explicitly. I really want to see this field of study gain popularity, because it's still unfortunately relatively overlooked IMO.

Screw YT! Didn’t even get a notification that 3 videos have been uploaded 😒

Your Vids, especially these investigations, are awesome. Very informative

really great man.... time flies while watching your tutorial.....

Many thanks mate. Very informative and exciting stuff!

Amazing work as always!

Wow, I didnt think investigating malware could give same engaged feeling like CSI or other crime shows.... John has talent explaining things with captivating tone of voice.

This is so, so interesting . I learn a lot from watching you, David Bombal, darknet diaries and network chuck . It’s great to see your process, learn important terminology and techniques as I am at the start of my cybersecurity journey. This is amazing to see how you guys solved this mystery ! Thanks ☺️

John, have you looked into using a beautify extension when working with malicious JavaScript? It saves a lot of time and allows you to dig into the functionality of the code much faster instead of manually removing the minification.

Awesome content Mr. Hammond!

That trailer feature is really useful, also signing up for that CTF :)

Enjoying your videos all the way from Kenya

I love watching this dude videos. Might take a while to get through. Though something about him just makes me want to keep watching and learning.

I was almost screaming at you about that big blob of text looked like hex values, thankfully you figured it out yourself! xD

KOVTER always brings me back, no AV would ever find it, easiest way to find it was do a string search on the reg for ";eval" and just killing every reg entry.

Watched the whole video thought it was interesting, Thank you for the educational video!

Good stuff, thanks for the content!

Malware Finds a New Place to Hide: Graphics Cards

What a piece of work. KOVTER is amazing as well :)

it's been years since i've seen Delphi even mentioned. Back in the late 80's early 90's i used it to write programs to use with Web Compass (note here: web compass back then was a crawler, not malware. It was actually a decent one considering we really didn't have search engines online back then) for my business. Talk about memories.

i love this stuff. i give my full attention understand everything john says and does and try to create links but it seems there are nearly endless things to learn. i think reverse engineering is really cool.

The powershell comments! LOL! I was yelling at my monitor. Happens to all of us!

Great Contents as Always 😍😍😍

I had a mini heart attack when you decided to run the stage 2 JS directly and almost missed the second eval... and my friends call me a risk-taker for clicking links aimlessly, haha. Great video as always, thank you John :)

thank u for everything john!!

The Snyk CTF looks very interesting for sure. 👀 Might give it a go!

I don't understand any of this but it was fascinating following along with the big brains doin big brain stuff. Next level+

I have no idea what I'm watching but i love it.

Thank you Sensei 🙏

Great vid, thanks!

I really want to get started in this field and help people that are in over their heads like I am currently. I just have no idea what tools and who to pay to help or how to get ahold of them. Is there a list of tools you use or recommend? I read a lot about your exploits on the news and your TH-cam channel is proof of prowess. Keep up the good work and any fileless bots or RAT coverage would be a godsend, maybe someday I'll find out what pluages me for about two years now.

This was fun!

Avast - undetected. Thanks, Avast, now I know you won't protect me against Kovter.

very nice, very crazy - thanks for this nice video :3

Man, I love watching ginger seth rogan. Genuinely getting me addicted to malware analysis.

Will definitely check you out on Twitch. I just started streaming there as well. Games for now so I can just chill :P
Awesome video as always! Thanks :)

I will admin I thought the numbers in the shellcode were ip addresses since they ran up to 255 but not higher. Aside from that I have been thoroughly entertained, seeing this kind of analysis and also the wrap up including Virustotal, bringing it back to the "end user experience" as far as using common ways of checking for vulnerabilties without digging into the code yourself.

Nice John can I give you a tip for the SEO put the title in the first line of your description.

I enjoy your content

good channel and Rearly good videos John

I love your(blind analysis videos I vas thin on first all videos are first look

The first time I watched this video, I was so bored that I left before even the deob started. I just watched the hta to powershell video and it, code was also extracted from reg. That's why I was able to push throught the early part because I was fascinated by the same technique used here. :D

I'm convinced that if you and The Lockpicking Lawyer teamed up, there isn't a single facility on this planet you wouldn't be able to break into.

Wow. Very impressive.

Love it!

Thank you Mr Hammond this has been very very interesting and also may explain some of the problems I've had in the past with memory usage and registry creep. I'm thinking that I would like to know what kind of registry scanners would locate these types of malware?

Wow those powershell comments in the shellcode were really sneaky haha! I also thought they were ascii bytes powershell decided to decode and give us like python does sometimes...

The PE file you got from Caleb is corrupted (more specifically the e_lfanew value in the DOS Stub) and cannot run. That value affects how the file type gets parsed. That's why no AV detects it.

was interesting. thanks

I'm sure you know this but in Sublime Text you can press Ctrl+d with a variable highlighted and it will select the next one in the file. This saves you from doing ctrl+f on every var :)

John, you are my hero 🥰.

sometimes when i'm working on a project, i'll just hear hammond's voice "ok then we pipe that to grep" or some other thing that I don't understand and it ends up working

I've signed up for the SnykCon and the CTF, should be fun. Can't wait for the video.

I have been trying to get your terminal theme, I installed zShell and exa but I can't seem to get it to look like yours? Did you install some theme, or have custom colors set in terminator?

GOOD INFO!!

Oh no...a TH-camr with their hands on their head, on a frustrated fashion!!!
This MUST be important!

THE HAIR you look like anime heros XD love that

I've been watching your videos for quite a while now and I thought you were quite a Malware Analysis genius. Then I saw Caleb's help and contribution to fully analyze that piece of code.
He's the genius, finally you're Not THAT good !
I'm joking of course, please forgive me 🤭
Thanks for your great Work, very inspiring ! And thanks John for the hosting and the montage. Ahahah
Cheers Mate !

38:11 I trusted Sublimetext when it colored them gray :D

Fileless malwares are the most advanced types of dangerous malwares for which each and every antivirus and security software companies needs to give serious attention and improve there detection and removal capabilities and mechanism

Hey John, my ears can't allow me to grasp the correct name of the zsh extension you are using to color the output of `ls`. Which one is it? D:

Awesome video! Does anyone know the outro music?

I have no idea what I've just watched, but hey, here I am at the end of the video.

thank you

Your malware analysis videos are very interesting!

Dose windows use cmd prompt ...if I have any running in task manger could I force stop them safely is my ?

16:21 Uh-Oh! They've downgraded Windows XP. Now you can only ever have *one window* open at any time!

Thalaiva ❤️

dam you, thought I was a proper techie until I watched this, now I have imposter syndrome ;-) great work mate!

are you using a theme for sublime i want mine to look like yours && i can’t figure out how to change it