Jaff Ransomware - A quick technical analysis

  • Published 26 Aug 2024

Comments • 103

  • @Ayymoss 7 years ago +67

    You need to upload more of this kinda stuff.
    Then again, seems you've recently created your channel. Keep it up.

    • @cybercdh 7 years ago +23

      thanks!

    • @therealb888 7 years ago

      Colin Hardy Yes more please

  • @MrXDAwsome 7 years ago +14

    It's honestly very exciting to see you analyze these various kinds of malware. As a fresh college newbie heading into Information Assurance I'm really enjoying being able to actually watch someone take a step by step approach to how they understand and digest these programs. With my experience in Cyberpatriot I'm actually understanding a lot of what you're saying and recognizing many of the programs I was shown to use. Loving your work, please do continue! I am learning quite a bit!
    Regards, Amy

    • @cybercdh 7 years ago +3

      awesome! glad you enjoyed.

  • @IOwnThisHandle 7 years ago +5

    The way you go about making your videos is something rather unique that you don't normally find often. Very well done, very nice work!

    • @cybercdh 7 years ago +1

      thank you! much appreciated.

  • @memoriasIT 7 years ago +5

    These videos are fucking amazing! Good job, a shame there aren't many of these yet! Keep it up please!

    • @cybercdh 7 years ago

      thanks! i intend to.

  • @samconran 7 years ago +1

    I don't know why I love watching your videos so much... But I do! Just a lowly JS product support engineer (no experience with cybersecurity/digital forensics), so I won't pretend I can follow along with everything, but it is really, really awesome to see such nice, simple deconstructions of malware like this.
    Keep it up! :-D

    • @cybercdh 7 years ago +1

      Sam Conran awesome! Glad you like the channel and appreciate the feedback. More to come for sure

  • @blackalabi 7 years ago +1

    These analysis vids are great, super informative. Stuff like this may be helpful somehow in my Computer Systems Engineering uni course.

  • @larsyxa 7 years ago +1

    Awesome. Especially for the discovery of Process Hacker (2). I used Process Explorer as a taskmgr replacement, but this one is far superior.

    • @cybercdh 7 years ago

      process hacker is awesome for sure.

  • @Kunolumo 7 years ago +1

    So much knowledge in one video!!!

  • @mrjean9376 7 years ago +1

    I hope this channel will post many more videos on cyber security learning. I'm in a computer science class and I'm interested in learning this.

  • @Toimi 7 years ago

    These videos are amazing. You speak at a PERFECT pace. And everything I've heard you say so far is right! A nerd's dream :D Keep it up man!

  • @w.2550 7 years ago +1

    I don't usually comment but amazing job, you made me very interested in the malware analysis world! +1 & subscribed.

    • @cybercdh 7 years ago +1

      thanks!!

  • @bitfragment 7 years ago +1

    Awesome videos man, keep them coming, I can't have enough of this - you're just amazing.
    For future videos, can you please include in the description all the tools you've used for analyzing/reverse engineering the malware so it will be easier for us newbies to find everything in a single place and have a crack at it ourselves? Thanks in advance

    • @cybercdh 7 years ago +1

      sounds good, thanks for the suggestion.

  • @albert5326 7 years ago +33

    Hey, your videos are great. For those of us getting into cybersecurity/digital forensics would you consider making a few videos going through how you configure your VMs to ensure your host machine or local network is not affected? Also covering what tools you use to do this analysis (such as ProcessHacker, FlyPaper and so on)?

    • @cybercdh 7 years ago +28

      i certainly will, been meaning to do that for a while. watch this space.

    • @rajavenkatesan4273 7 years ago

      Colin Hardy super

    • @Acemods101 7 years ago +1

      yeah would love to see this too.

    • @pcsecuritychannel 7 years ago

      Would be an interesting video.

    • @therealb888 7 years ago +1

      The PC Security Channel [TPSC] TPSC hi there!

  • @HyperModzHD 7 years ago +1

    Subbed, nice to see a professional creating content on youtube, hope you keep creating videos :)

  • @lucasmnribeiro 7 years ago +2

    I don't understand 95% of what you are talking about. But for some reason it makes me really excited. It's for sure a really good analysis, looking forward to this channel. Keep it up.
    PS: can you talk about you and your system config (VMs, Mac model etc...) in a future video? thanks

    • @cybercdh 7 years ago

      i will, thanks!

  • @HarryTurney 7 years ago +10

    MORE!

  • @77caikiki96 7 years ago +1

    Great video. Really enjoy!

  • @bosapiutsa3829 7 years ago +3

    Great work, enjoyed it a lot!

    • @cybercdh 7 years ago +3

      thanks!

  • @hippsomhapp 5 years ago

    We need more videos Colin!

  • @ItzZisker 6 years ago

    Thanks for the help completing my virus programming.

  • @ReneMatuscak 7 years ago +1

    You are genius person :) love to watch your videos I hope you will make soon new one :)

  • @TonytheGr8 7 years ago +1

    keep up the good work.

  • @pcsecuritychannel 7 years ago +3

    Which Macbook are you using?
    Also, I prithee more!

    • @cybercdh 7 years ago +2

      MacBook Pro 15" mid-2014 model.

  • @sslandymann7104 7 years ago +5

    How would you block a site or Ip from your computer?

    • @cybercdh 7 years ago +1

      you can use your firewall, e.g. Windows Defender (see here theunlockr.com/2013/06/11/how-to-block-websites-in-windows-8/). Or you can edit your /etc/hosts file directly to point the site at localhost.

  • @GglSux 7 years ago +2

    +Colin Hardy
    Thanks for an interesting video.
    Hope you will find time to make more, and that your channel gets the recognition it deserves... At least you shouldn't have any problems finding new "subjects".
    Best regards

  • @ulconmadelo 7 years ago +1

    MORE! Your channel gives me all the satisfaction of analyzing malware without any of the work! I'd love to see a crypto miner analyzed. I could send you some samples.

    • @cybercdh 7 years ago

      I'll be covering lots more samples in other videos, watch this space

  • @kai13man 7 years ago +1

    nice vid...instant sub...hope you put up more vids...keep it up

  • @davidprokopec8037 7 years ago

    Can I ask what Linux you are using? Btw... I love these videos! Really exciting to watch!

    • @cybercdh 7 years ago

      I have a few linux distros, but tend to use Remnux

  • @nickjeffrey8050 7 years ago +1

    Bro you don't have enough videos for me to watch 😳😔👎 please upload more asap lol great to watch
    Thank you

    • @cybercdh 7 years ago

      Nick Jeffrey thanks!

  • @mohammedsa4150 7 years ago

    Thank you very much

  • @BenceSzemerey 7 years ago +1

    If you check the mentioned domains on whois, then they all point to the same owner. Maybe it would be great to check him.

  • @CristiNeagu 7 years ago

    I could never understand why Office doesn't give you the option to disable macro execution but still enable you to see the macro code.

  • @brianclemensen3313 7 years ago

    the JPEG in that "This document is protected" screen is strong(artifacts) LUL

  • @natty5861 7 years ago

    If it is a PDF file that then puts a DOC file on, would it work if you're offline, because it won't be able to connect and download the EXE to encrypt the files on your computer?

  • @VictorSavelle 7 years ago +1

    You should do analysis live on youtube :)

    • @cybercdh 7 years ago +1

      good idea! thanks :)

  • @alanscharaiber 7 years ago +1

    I've noticed that you apparently run multiple OSes at the same time, and switch between them like multitasking. How's that?

    • @cybercdh 7 years ago +1

      Alan Scharaiber I use VMware Fusion on a Mac, it makes running multiple VMs seamless

  • @larsyxa 7 years ago

    So if I got it right, the VBA macro in the dropped .docm file downloads the actual binary malware, I gather that one is a compiled resource? Can you detect what language/environment it's written in, or just the "decompiled" assembler?

    • @cybercdh 7 years ago

      correct, the VBA is a downloader which pulls the ransomware binary. the ransomware exe is written in C++ if i remember correctly. i use exeinfope to identify the likely language.

  • @emranxaman 7 years ago

    great video indeed, any idea where can i get the virus samples for the analysis?

  • @1000101011 7 years ago

    Hi Colin, I spent a bit of time looking into what is involved to be reasonably competent at this (even as a hobby) and it is hugely involved in terms of required skills, Assembly Language, C/C++, Python and JS that is a pretty big investment upfront, do you share this view? the unknown qty is how proficient you need to be in said languages. Can you recommend any programming books based around the above at all? Thanks

    • @cybercdh 7 years ago +1

      everyone has to start somewhere! my advice is to get tinkering. Practical Malware Analysis is a great book. I know plenty of malware analysts who don't code, but understanding what code does obviously helps.

  • @AL6S00740 7 years ago +1

    Nice Videos really Like the Reverse engineering of stuff Especially Viruses you should collaborate with this guy @danooct1 , he does Old viruses and User made ones ... Good Stuff :D Keep up the good Work !!

  • @eMatt543 7 years ago

    Is there a reason you use Process Hacker over Process Explorer?

  • @AndreiStephan 7 years ago

    why does everything use 445?

  • @mq7447 7 years ago

    I know that this is an off-topic question, but do I get the WannaCry virus even though I'm not using the computer?

    • @cybercdh 7 years ago

      if your computer is connected to other infected machines, then potentially.

  • @BojanKnezevic 7 years ago

    Hi. I would like to see your environment, vm, tools you use and how (some introduction), and where you get virus samples :)

    • @cybercdh 7 years ago

      I'll put together a video in the near future about lab set up.

  • @ljrz2630 7 years ago

    Where can I learn more about this from a beginner's standpoint? I get what's going on but I'd love to know more about what you're talking about.

    • @cybercdh 7 years ago +3

      i thought i replied to this, but maybe my comment failed. A great book is Practical Malware Analysis, or there are plenty of OpenCourseware platforms such as Lynda and Coursera. Going further, SANS provide excellent training.

  • @casewhite5048 7 years ago

    at least they have good taste in music

  • @therealb888 7 years ago

    Are you using a MacBook or a Mac Pro? Can a MacBook be so smooth with VMs?

  • @brooklynzoo81 7 years ago

    How would you run the Python script at the end in Windows?

    • @cybercdh 7 years ago +1

      same, assuming you have Python installed

  • @Xenio2007 7 years ago

    Just a question, where I can find PDFEXTRACT? Thanks

    • @cybercdh 7 years ago +1

      it's part of the origami framework code.google.com/archive/p/origami-pdf/wikis/GettingStarted.wiki or, just grab a copy of remnux and it's all there.

  • @exskreamist 7 years ago

    what hypervisor do you use?

  • @williepie 7 years ago

    Where does the tor link send you?

  • @mrjean9376 7 years ago +1

    Is macOS safe from this terror?? (WannaCry ransomware)

    • @cybercdh 7 years ago +1

      mac is not affected

    • @mrjean9376 7 years ago

      thankfully, thanks for information

  • @Magic-Tree 7 years ago

    I was sent this as 'Invoice.pdf', containing the word macro, didn't even go in the spam folder sadly. Domains are different to the ones you had. Interesting stuff, but scary.

    • @cybercdh 7 years ago

      interesting. let me know if i can help you analyse it.

    • @Magic-Tree 7 years ago +1

      ~600 lines of VBA is a little over the top to download an exe. My main question is why, if they're doing it to trick sandboxing, it's not like it's hidden or compiled code. VBA is one of those things that should have been removed years ago, I understand why they keep it, but they could at least stop execution of exes. And thanks for your videos, they are great! I use about half the tools you do, however, the other half were of great help. I think it will only be a matter of time before we see ransomware on smart phones.

    • @cybercdh 7 years ago +1

      agree on the smartphone side. as for VBA, a lot of it is code re-use from other malware authors, other stuff in there is probably noise to put off the likes of us trying to read and understand the program's execution. it's all too easy for malware to do one thing in a sandbox and do another on an actual machine and hide that logic in noisy code that has you chasing your tail. So, less sandbox-evasion, more analyst-evasion.

  • @somethingsinlife5600 7 years ago

    Hey Colin...Excellent Videos.
    I'm not a paid subscriber of VirusTotal so I don't have the samples. Can I please have these samples of WannaCry and Jaff? I do have one sample of WannaCry but that doesn't have the kill switch in it. I'm doing my analysis on Linux tools like radare2 and bokken-hg.
    Thanks in advance. :)

  • @Olika120tablet 7 years ago +2

    hi

  • @EnduranceT 7 years ago

    Colin, can you please post up flypaper somewhere??? It's been taken down off of its official website and it's nowhere to be found. kernelmode.info claims to have it but it's actually just malware lol.

  • @laghriburger8542 7 years ago

    i got ya 2k yayyyy like i got screenshot

  • @USA_Sai_Reddy 5 years ago

    Hey, I'm requesting you help me.
    Someone hacked my system like this:
    .DOCM ransomware virus
    Please decrypt my files
    Or
    Just help me how to decrypt that
    Your video is so good, it's helpful, ty

  • @websuspect 7 years ago

    Shtefin (shit hit the fan). System of a Down is an American band. Whoever wrote this is an American, a loner and a stoner, with dirty brown hair, smokes pot, drinks a little.

  • @blackmagicprod7039 6 years ago

    my name jaff