Unraveling the IcedID Malware Stager & Phishing Email

In my opinion, reading out the wacky variable names adds an extra layer of entertainment on top of the already great content

Hey! It's time for my 15 minutes of fame! Thank you for these educational vids, and thanks for the emails acknowledging my email/letting me know you would make this video.
I got about as far as John did 15 minutes into the video, and at the time my javascript knowledge was so tenuous I couldn't figure out what happened next. My apologies to you all for not getting far enough to download the DLL from the attackers' server. Since my coworker/boss/nemesis was a little more vigilant after a previous (less interesting) phishing attack (that had worked), they did not detonate this payload and we never saw the later stages.
Given that Zero2Auto course is only about $200, I'm absolutely gonna look into that. This series is some of my favorite cybersecurity education, along with the videos teaching DIY lab setups and playing around with pentesting them, and I'd pay at least that much to learn how to do my own in-depth malware analysis.
P.S. even if I had been a little more skilled, I probably still wouldn't have downloaded the DLL; it's my understanding that some of the variables set in the url identify the target and would probably result in my coworker getting more attention from future campaigns

One day I'm gonna be on this level of CS

Would love more malware analysis / deobfuscation videos! They are really interesting and I'm absolutely hooked, even though I don't always completely understand how they're constructed.
Hope you'll post more, even if we've seen the malware before

I enjoy this type of video, more of these, please!
I receive millions of this type of malware in my email and I do go through them but the way you do it is fun and I like it a lot!

Love the way you unpacked the entire thing. Mind blowing lol. The amount of experience and skill it takes to get to this level.

Thank´s so much for this kind of walktroughs. It made me wanna get more into this.

I absolutely adore the methodical dissection of code and your method of stepping through it with the jokes. Legend!

I love it 👍
greetz from Germany

Those variable and function names will drive anyone crazy. I was really hoping it would somehow end up with Opposite("Always coming from take me down")

Very informative thanks 👍

Never thought that the technique I used as a kid to up my word count in word by changing the font colour would be used by malware, since it seems so obvious now as an adult

This video rocks. Thanks, John! :D

Great work! You always come out with some really informative and educational videos! Love it!

As a JS dev, it hurt my soul when you got the window error

i love it when you do malware analysis

I am just waiting to receive my first phishing attempt so I could also try to dissect my first malware for analysis

Love these kind of vids. Have you ever done similar videos with the samples from the malware traffic analysis site?

Love the content John!

It's good that window defender caught and flagged this

Awesome content and well presented, well worth a watch

This was so enjoyable to watch, thanks for sharing 😁

Great Stuff John

My favourite video of phishing

I love your videos! I also couldn’t stop laughing with the function names doorpowlove lovekarolpumps😂😂

Okayy finna watch this before the majority hehe

Thank you very much for your valuable information

If only everyone knew shenanigans when they saw it... such as such a polite ask to enable all the doom from the file. It looks innocent enough if you simply didn't know any better.

I did enjoy this one, thanks man!

Pre-watch prediction: houdini.
The obfuscation method was interesting. Certainly confusing to read, but I imagine it would make it easier to detect based on signature.
Prediction: :(

Thanks John👍

thanks for the well made videos.

thanks john, and again i learned something new :)

hi john

The tag is backwards and an hta file. Nice

God I wish the obfuscated code I've come across was this easy to dissect.

Insightful

LoadsLikeVidieo 👍

good day, enjoyed as always. is ooknibs still a thing?

I love it when someone tries to understand my malware
I DO NOT KNOW HOW TO CODE THIS IS NOT MY MALEARE ALL JOKS

@John Hammond can you share a sample of the maldoc if possible ?

Hello. I’m completely new to the space of cybersecurity, like no background in IT at all. What would you recommend for a beginner like me.

Oh John, you read js source code better than a JS developer xD

But where did you get that shirt?

Nice stuff, an absolutely entertaining series
Is there a way to submit some malware I got for analysis?

why did you give such reaction on 25:22 timeline

feel like these are acronyms, doorLikeLike = DLL?

[DISCLAIMER]: Video is too good...

Couldn't you just replace that eval with console.log?

Him at 25:22 😂🤣😹 LOL

🤘🏻🤘🏻

Hey John... maybe I'm late to the party and thinking something that goes without saying for others. I'm also not yet totally code-smart and running off of a kindof general analysis, but is it possible to re-examine this from the following angle:
Is the while loop decrypting the long string in dowGirlDow, pointing back to the index within the doorPowNext string? Obfuscation via cipher, then use of the while loop to decipher a payload?
Or am I off base? Or stating something obvious?

Nice stuff.
Looks like stuff i could do too though...
How much does this kind of work pay? 🙃

The first comment about a bot farm pushing what looks like an investment scam is very entertaining.

I don't understand why malware writers go to this effort to obfuscate their code. Do they think it'll bypass Windows Defender? It clearly doesn't, we saw it get caught right away. I feel like this is barely more effective at evading antivirus than if they didn't attempt at all. Am I wrong?
It seems like "stages" are such a common theme in these videos, but what would prevent the DLL at the end of the video from being detected before it is run? What difference does it make how many steps they take before downloading and executing it if the buck stops there? Don't the stages just present more opportunities for detections of the various files created along the way? Wouldn't the obfuscation set off red flags for heuristic searches because of how obviously different from ordinary software they are with all the nonsense and gibberish?

Just close your eyes and listen to "doorPowDow"

❤

Arch nemesis 😅

can u please share the copy of this file. need to experiment on it

I have Parrot OS Security Edition I Can Hack useing Ready Scripts

It says windows user in russian so… Russian virus? 10:50

RIP VK

bro these function and variable names got me confused as a mf

Yo dude , malware creator is Russian speaking person

why are you pronouncing copeland as "copelagen"? 😅😅

😂☠️🎃👎🏆🎖️🏅🥉🥈🥇🥇😂😂😂😂👎👎🥴🥴🥴🥴🥴🥴🥴🥴🥴🥴👏👏👏👏👏👏👏👏

enough with the ads. this makes for cringe content and i don't want to watch anymore.

yes my g

Why do they register domain names instead of using the static public ip of the server they hosted? Is using that "bad"? Or use some unmoderated pastebin alternative if such exists.
Would it be possible for a script to download some kind of "onion site curl" and get the payload using onion sites instead, given that onion sites are harder to shutdown?

May I ask why you chose windows 10? I was assuming you’d use a Linux. I also assumed that most malware would be created on Linux. I’m a noob