It's honestly very exciting to see you analyze these various kinds of malware. As a fresh college newbie heading into Information Assurance I'm really enjoying being able to actually watch someone take a step-by-step approach to how they understand and digest these programs. With my experience in CyberPatriot I'm actually understanding a lot of what you're saying and recognizing many of the programs I was shown to use. Loving your work, please do continue! I am learning quite a bit!
Regards, Amy
awesome! glad you enjoyed.
You need to upload more of this kinda stuff.
Then again, seems you've recently created your channel. Keep it up.
thanks!
Colin Hardy Yes more please
The way you go about making your videos is something rather unique that you don't normally find. Very well done, very nice work!
thank you! much appreciated.
I don't know why I love watching your videos so much... But I do! Just a lowly JS product support engineer, no experience with cybersecurity/digital forensics, so I won't pretend I can follow along with everything, but it is really, really awesome to see such nice, simple deconstructions of malware like this.
Keep it up! :-D
Sam Conran awesome! Glad you like the channel and appreciate the feedback. More to come for sure
These videos are fucking amazing! Good job, a shame there aren't many of these yet! Keep it up please!
thanks! i intend to.
These analysis vids are great, super informative. Stuff like this may be helpful somehow in my Computer Systems Engineering uni course.
Awesome. Especially for the discovery of Process Hacker (2). I used Process Explorer as a taskmgr replacement, but this one is far superior.
process hacker is awesome for sure.
i hope this channel will post many more videos with cyber security learning, I'm in a computer science class and I'm interested in learning this
These videos are amazing. You speak at a PERFECT pace. And everything I've heard you say so far is right! A nerd's dream :D Keep it up man!
I don't usually comment but amazing job, you made me very interested in the malware analysis world! +1 & subscribed.
thanks!!
Subbed, nice to see a professional creating content on youtube, hope you keep creating videos :)
thanks!
Hey, your videos are great. For those of us getting into cybersecurity/digital forensics would you consider making a few videos going through how you configure your VMs to ensure your host machine or local network is not affected? Also covering what tools you use to do this analysis (such as ProcessHacker, FlyPaper and so on)?
i certainly will, been meaning to do that for a while. watch this space.
Colin Hardy super
yeah would love to see this too.
Would be an interesting video.
The PC Security Channel [TPSC] TPSC hi there!
I don't understand 95% of what you are talking about. But for some reason it makes me really excited. It's for sure a really good analysis, looking forward to this channel. Keep it up.
PS: can you talk about you and your system config (VMs, Mac model, etc.) in a future video? thanks
i will, thanks!
Awesome videos man, keep them coming, I can't have enough of this - you're just amazing.
For future videos, can you please include in the description all the tools you've used for analyzing/reverse engineering the malware so it will be easier for us newbies to find everything in a single place and have a crack at it ourselves? Thanks in advance
sounds good, thanks for the suggestion.
So much knowledge in one video!!!
Which Macbook are you using?
Also, I prithee more!
macbook pro 15" mid 2014 model.
You are a genius :) Love to watch your videos, I hope you will make a new one soon :)
thanks!
Thanks for the help completing my virus programming.
Pass me this one for reverse.
How would you block a site or IP from your computer?
you can use your firewall, e.g. Windows Defender (see here theunlockr.com/2013/06/11/how-to-block-websites-in-windows-8/). Or you can edit your /etc/hosts file directly to point the site at localhost.
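As an added example (not from the video or from the commenter above), this small Python helper automates the /etc/hosts approach in the reply: it takes the current hosts-file text plus a list of domains to sinkhole, appends a 127.0.0.1 entry for each domain not already mapped, and leaves existing lines untouched. The sample hosts content and the domain names are constructed; `sinkhole_hosts` and `parse_hosts` are names chosen here.

```python
LOOPBACK = "127.0.0.1"

def parse_hosts(text):
    """Map each hostname in hosts-file text to its address.

    Comment-only and blank lines are ignored; trailing '# ...' comments are stripped.
    Later entries for the same name override earlier ones, matching resolver behaviour
    closely enough for a pre-flight check.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()            # whitespace (spaces or tabs) separates fields
        addr, names = parts[0], parts[1:]
        for name in names:
            mapping[name.lower()] = addr
    return mapping

def sinkhole_hosts(text, domains):
    """Return (new_text, added): hosts text with loopback entries for unmapped domains.

    Idempotent: domains that already have any entry are skipped, so running it twice
    never duplicates lines. Rejects input that is a URL rather than a bare hostname,
    a common copy-paste mistake that would silently block nothing.
    """
    existing = parse_hosts(text)
    lines = text.splitlines()
    added = []
    for dom in domains:
        dom = dom.strip().lower().rstrip(".")   # normalise case and trailing dot
        if "/" in dom or ":" in dom:
            raise ValueError(f"not a bare hostname: {dom!r}")
        if not dom or dom in existing:
            continue
        lines.append(f"{LOOPBACK} {dom}  # sinkholed")
        existing[dom] = LOOPBACK
        added.append(dom)
    return "\n".join(lines) + "\n", added

# Constructed sample hosts file; 'bad-downloader.example' stands in for a real domain.
SAMPLE_HOSTS = "127.0.0.1 localhost\n# comment line\n10.0.0.5\tfileserver.local  # nas\n"

if __name__ == "__main__":
    new_text, added = sinkhole_hosts(SAMPLE_HOSTS, ["bad-downloader.example", "LOCALHOST"])
    print(new_text)
    print("added:", added)
```

On a real system the returned text would be written back to /etc/hosts (or the Windows equivalent) with administrator rights; this block only computes the new content.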
We need more videos Colin!
+Colin Hardy
Thanks for an interesting video.
Hope you will find time to make more, and that your channel gets the recognition it deserves... At least you shouldn't have any problems finding new "subjects".
Best regards
thanks!
MORE!
Great work, enjoyed it a lot!
thanks!
nice vid...instant sub...hope you put up more vids...keep it up
thanks!
Great video. Really enjoyed it!
great video indeed, any idea where I can get the virus samples for the analysis?
If you check the mentioned domains on whois, then they all point to the same owner. Maybe it would be great to check him.
Can I ask what Linux are you using? Btw... I love these videos! Really exciting to watch!
I have a few linux distros, but tend to use Remnux
So if I got it right, the VBA macro in the dropped docm file downloads the actual binary malware, I gather that one is a compiled resource? Can you detect in what language/environment it's written in or just the "decompiled" assembler?
correct, the vba is a downloader which pulls the ransomware binary. the ransomware exe is written in c++ if i remember correctly. i use exeinfope to identify the likely language.
Hi Colin, I spent a bit of time looking into what is involved to be reasonably competent at this (even as a hobby) and it is hugely involved in terms of required skills: Assembly language, C/C++, Python and JS. That is a pretty big investment upfront, do you share this view? The unknown quantity is how proficient you need to be in said languages. Can you recommend any programming books based around the above at all? Thanks
everyone has to start somewhere! my advice is to get tinkering. Practical Malware Analysis is a great book. I know plenty of malware analysts who don't code, but understanding what code does obviously helps.
You should do analysis live on youtube :)
good idea! thanks :)
Hi. I would like to see your environment, vm, tools you use and how (some introduction), and where you get virus samples :)
I'll put together a video in the near future about lab setup.
Bro you don't have enough videos for me to watch 😳😔👎 please upload more asap lol great to watch
Thank you
Nick Jeffrey thanks!
I've noticed that you apparently run multiple OSes at the same time, and switch between them like multitasking, how's that?
Alan Scharaiber I use VMware Fusion on a Mac, it makes running multiple VMs seamless
If it is a PDF file, then it puts a doc file on. Would it work if you're offline, because it won't be able to connect and download the exe to encrypt the files on your computer?
MORE! Your channel gives me all the satisfaction of analyzing malware without any of the work! I'd love to see a crypto miner analyzed. I could send you some samples.
I'll be covering lots more samples in other videos, watch this space
I know that this is an off-topic question, but do I get the WannaCry virus even though I'm not using the computer?
if your computer is connected to other infected machines, then potentially.
I could never understand why Office doesn't give you the option to disable macro execution but still enable you to see the macro code.
Where can I learn more about this from a beginner's standpoint? I get what's going on but I'd love to know more about what you're talking about.
i thought i replied to this, but maybe my comment failed. A great book is Practical Malware Analysis, or there are plenty of OpenCourseware platforms such as Lynda and Coursera. Going further, SANS provide excellent training.
what hypervisor do you use?
Is there a reason you use Process Hacker over Process Explorer?
Just a question, where I can find PDFEXTRACT? Thanks
it's part of the origami framework (code.google.com/archive/p/origami-pdf/wikis/GettingStarted.wiki) or, just grab a copy of REMnux and it's all there.
keep up the good work.
How would you run the Python script at the end in Windows?
same. assuming you have python installed
Hey Colin...Excellent Videos.
I'm not a paid subscriber of VirusTotal so I don't have the samples. Can I please have these samples of WannaCry and Jaff? I do have one sample of WannaCry but that doesn't have the kill switch in it. I'm doing my analysis on Linux tools like radare2 and bokken-hg.
Thanks in advance. :)
Scrap that :) I got the samples now.
Is macOS safe from this terror?? (WannaCry ransomware)
Mac is not affected
thankfully, thanks for the information
Where does the tor link send you?
Are you using a MacBook or a Mac Pro? Can a MacBook be so smooth with VMs?
the JPEG in that "This document is protected" screen is strong (artifacts) LUL
why does everything use 445?
Thank you very much
Colin, can you please post up FlyPaper somewhere??? It's been taken down off of its official website and it's nowhere to be found. kernelmode.info claims to have it but it's actually just malware lol.
I was sent this as 'Invoice.pdf', containing the word macro, didn't even go in the spam folder sadly. Domains are different to the ones you had. Interesting stuff, but scary.
interesting. let me know if i can help you analyse it.
~600 lines of VBA is a little over the top to download an exe. My main question is why, if they're doing it to trick sandboxing, it's not like it's hidden or compiled code. VBA is one of those things that should have been removed years ago, I understand why they keep it, but they could at least stop execution of exes. And thanks for your videos, they are great! I use about half the tools you do, however, the other half were of great help. I think it will only be a matter of time before we see ransomware on smartphones.
agree on the smartphone side. as for VBA, a lot of it is code re-use from other malware authors, other stuff in there is probably noise to put off the likes of us trying to read and understand the program's execution. it's all too easy for malware to do one thing in a sandbox and do another on an actual machine and hide that logic in noisy code that has you chasing your tail. So, less sandbox-evasion, more analyst-evasion.
Nice videos, really like the reverse engineering of stuff, especially viruses. You should collaborate with this guy @danooct1, he does old viruses and user-made ones... Good stuff :D Keep up the good work!!
at least they have good taste in music
hi
Hi, I'm requesting you help me. Someone hacked my system like this .DOCM ransomware virus. Please decrypt my files, or just help me how to decrypt that. Your video is so good, it's helpful, thank you
If you know exactly what exe, I can do it.
I got ya 2k yayyyy, like I got a screenshot
Shtefin (shit hit the fan). System of a Down is an American band. Whoever wrote this is an American, a loner and a stoner, with dirty brown hair, smokes pot, drinks a little.
my name jaff