@@Fizcakesprite it's blatant almost every cheat has a tiny bit of malware in it even paid ones 🙂the cheat developers are just addicted to embedding malware at every stop
The main culprit is every time you open the start menu and type anything, that's all going to bing servers. You can disable that with a registry tweak.
@Penguin_BTW they would be on your too if you had firefox personally after using apple device way more anal porn populated hub website so. Maybe there is certain agendas
lol how do you think images get saved they are in binary computers dont use a magic! alot of things on your computer right now can be viewed in hex format🙂 hex editor is a great tool
this channel is great, you remind me a lot of danooct1, its like ive discovered him again lol. i think its mostly the voice but also the realm of content you both make.
Ngl finding the rare ultrawide video on youtube as an ultrawide user is an unexpected feeling of bliss, didn't even realize until I was 2/3 the way through lol
LuaJIT is not the payload, the .LUA file is. JIT means "Just In Time", which makes certain programming languages into something like Java, where a VM or JIT Interpreter can run some compiled code on the machine. Basically, the malware just used the JIT Interpreter to run that compiled .LUA file
Lua bytecode is stored in ".luac" files, not ".lua", and this bytecode can be run both by the JIT and vanilla lua. "JIT" really has nothing to do with this at all, it affects interpreter internals but from the outside it's identical to non-JIT lua (it's intentionally ABI compatible).
@@raskr8137 I just commented this because he ran the LuaJIT program by itself, but it's supposed to be ran with the Lua file as an argument. I don't believe he checked if he could get the Lua bytecode back into a readable Lua script. It seems like he believed that the LuaJIT executable was the payload, rather than it just being the one that runs the bytecode, which is the actual payload
@@raskr8137 also file extensions can be changed, and I called it bytecode because it looks non-human readable, as well as being ran by "LuaJIT", where JIT runs bytecode-compiled languages
11:06 - That black box mentioned in editing could be a encryption measure as Lain and the Desktop icons were nowhere to be found in the decryption but were there when you ran Cheat Lab at 6:23 and the instructions are for the C&C server to remove the box and send it to the author if I were to guess
What's really interesting about this is that the "malicious exe" here actually appears to be legit. It's just the Lua runtime. That means it's a known good executable, which won't be detected as malicious - because, on its own, it's not. On the other hand, the Lua file is definitely malicious. It's compiled Lua bytecode, rather than Lua script, which means you'd need to decompile it to understand it. Normally, Lua reads a script and internally compiles it into bytecode before running it, but you can also just supply precompiled bytecode and Lua will recognise the bytecode by the file signature, it then skips the compilation step, and runs it as-is. (Python can do this too, it's not just Lua) So, the .lua file is the actual malware. Because it's not an executable but is interpreted, this gives it an opportunity to evade anti-malware solutions, which would just see it as a data file while the exe in the same folder is considered trusted.
so couldn't malware companies like malwarebytes or kaspersky just make a list for any if all lua files and some how read the bytecode or script since this is apparently how people are getting around that?
You don't, most software will instantly recognize that. Software can look at the actual used hardware, which unless it's enterprise-grade, is usually virtualized stuff. 1: 'CPU is modern, virtualization is disabled' -Suspicious. 2: 'VMXNET network adapter.... (or similar for other hypervisors) 3: 'ACPI driver is one for VMs'...
Apparently the executable is "709" There was another 42 4D ("BM") at the end of that bitmap file that was cut off, maybe separate windows or part of the same file
very informative and prompts me to check network calls on my own machine hehe, very cool config which you have there would love to know more maybe a video on how to make a "hidden" virtual machine would be super nice or at least how you would approach hiding virtualisation
What's the difference between cheat software and malware? - Both need to use anti detection on kernel level (for multiplayer and gotcha games) - Both need to modify the system - Both need to be dynamically updated (artmoney not because you must search yourself in the game code) If you write a cheat for modern games, you use the same code as malware. There is no other way as to dynamically update the payload if you want to provide a cheat service for modern games.
The rest of that file is also part of the image, that's why the image was mostly black. To get this, you can just remove the header before the magic, the rest is your image. It probably sends screenshots because they may contain a lot of sensitive info. The lua was in bytecode, you can certainly disassemble that back to lua code if you try ;)
how did you get the packets being sent from a qemu VM? I am curious because that seems VERY useful and for a while, I have been wanting to do the same thing you are doing in this video
this was an awesome watch and got me messing around with MITM inspecting everything lol. also youre the first half british half american sounding person ive ever heard. (not trying to be mean lol)
That's the reason, why you either only download from trusted sources, or use open source software like cheat engine, or you use a seperate computer and dont care if yo have a virus
it's pretty funny that people think of privacy in the internet, while windows or a browser they're using is sending tons of requests to various servers. im not only talking about "evil" bing or windows, just about overall software which connects to the internet. there could be some operating systems which dont do that, like distros of linux
Nah, they all do that. You can only protect youself by mitming your connection and writing up huillion of filters. And there basically goes your internet, because you'll inevitably end up switching to whitelist mode, blocking everything, including all kinds of "cloud" solutions. I can't even see avatars or proper nicknames on youtube because googlagol uses its spyhosts to deliever code that loads those. It's a pain even for cypherpunks, let alone normies, so no, no linux distro will ever do this the proper way. Also you will r**ed with captcha. Funniest thing is that goolagol still knows a lot about me. All it takes is to crossreference activity and analyze what I consume and what I produce online. You are 100% trackable and identifyable until you are completely silent (emit no data) and use disposable internet endpoints in order to consume data. No distro can regulate this for you.
Hey, I built cheat engine 7.5 from source; I've ran it a few times, and nothings gone wrong; Though I suspect it still might be doing something, my pc has gotten slightly slower, but no malware found; Is it safe?
Love to see new people trying to learn on the fly. :) Welcome to the malware world, bud. ;) The lua script isn't a cloaking technique, it's just a prescript to pull the .exe which is then guised as a .dll.
hey my name's eric too also you can likely use a code analyzer to see the operation of an exe's process. at 10:39 this looks like hex data hope this helps ;)
Hey how did you setup mtimproxy to capture the traffic of applications? Mine only displays data sent by browser, discord, games etc but applications i download off the internet and ran doesn't show up in mtim even tho ive set the proxy server in settings and downloaded their cert. Would appreciate if you could tell me how you set yours up or a guide somewhere thanks!
Try proxmox, theres option to put "host" option as your cpu and it probably wont trigger an vm detection. Also hyper-v should work, most malwares dont know about hv existence
I like to test malware samples on VMs and every time I worry about the virus some how finding its way out of the VM into my actual computer. Surely VM software must have some kind of protection against that? Or I could be wrong. I mostly use VirtualBox but sometimes I use VMWare if an OS refuses to work in VirtualBox for some reason or other.
it can happen sometimes, but it's pretty rare. just don't use shared folders, and make sure hyperv isnt compromised somehow via mods or tweaks but if you are going to release serious malware or a lot at once, cloud vm is the way to go, or a dedicated machine
Omg I installed cheat engine like 6 years ago to change values on fnaf ultimate custom night, and since then, my computer has gotten slow and gotten blue screens of death for like no reason at all. Should I be concerned? What do I do?
cheat engine is not the same as cheat lab. cheat engine is not malicious software. cheat engine will get you instabanned if you try to change the memory on a game with anticheat in progress. the point of a cheat like this is that it uses some ridiculous workarounds and disguises itself so the anticheat thinks nothing is wrong. while also giving you malware
Would love to know what KVM/Host XML tweaks you did to convince windows its not a VM. I have only done the basic stuff myself. I don't really play online games and never cheat, just doing the VM thing because I love Linux and well, I could. lol
You can't, you can partially hide it, but by hiding it you usually just make it more obvious. Like trying not to be seen by a police officer by covering your face with a ski-mask...
youtube videos advertising “cheat lab” have been everywhere in the past few months and they are all just the same video with different music and ai thunbnails
Cheat Engine is legit (as long as you download it from the official site). I would not suggest using it on any multiplayer games, ethics aside it's easily detectable and can lead to bans.
Probably not, since VM escaping malware is so insanely rare and dependent on being run on the right version and type of hypervisor that it's hardly a concern.
it would've been easier if windows didn't send millions of requests to ms servers...
And I would have gotten away with it if it weren't for the red spies in the base!
@@3ofSpades A red spy's in the base?!
@@NicoTheCinderaceWe need to protect the briefcase!
or ppl knew how to use filters...
@@muscletype2 Yo, a little help here?
Thank you for investigating cheat lab! I've been wondering what the malware embedded into it does, and now I finally know what it actually does!
Why are people after me?
@@Fizcakesprite what
@@bubgamingandvlogs3870 Balls
@@Fizcakesprite it's blatant almost every cheat has a tiny bit of malware in it even paid ones 🙂the cheat developers are just addicted to embedding malware at every stop
@@Fizcakesprite what
Just look at all the packets that windows is sending, windows itself is spyware lol
The main culprit is every time you open the start menu and type anything, that's all going to bing servers. You can disable that with a registry tweak.
@@EricParker Could you make a video on that? thanks.
@@EricParker how I can do that? you should make a video about that :)
@@EricParker disabling search indexing?
disabling telemetry i think, that option to disable it is in winaero tweaker
This dude is an antivirus lol
No I'm
This right here. This guy's apparently just Symantec Endpoint Protection, but in person form.
You know you can trust a guy when you see him open up the ol Firefox
Yeah, the same devs who think transitioning kids is OK. I'm sure they have your best interests in mind. Most chromium based browsers are better.
@@Stix_Zidinia You seem obsessed with trans people. They are always on your mind.
@Penguin_BTW they would be on your too if you had firefox personally after using apple device way more anal porn populated hub website so. Maybe there is certain agendas
@@Stix_Zidiniaso do you have anything to actually add to the conversation or
@Stix_Zidinia Even though thinking that is being clowns, it doesn't have any connection to the confidence.
I would love to see how you set up the VM, seems very interesting for learning how to reverse engineer rats
The Lua file you opened was Lua bytecode. It is Lua, but in a compiled form.
Please do a tutorial on the Network Monitoring.
Yes please
I am not a 100% sure but I think you can do that with a program called Http-toolkit
i didnt know you could somehow get out of a hex a screenshot, great job man!
lol how do you think images get saved they are in binary computers dont use a magic! alot of things on your computer right now can be viewed in hex format🙂 hex editor is a great tool
@@ValipPowathat 1st sentence is fucking crazy.
@@cesj1 ong bro had a stroke while typing that
@@krazidev1133 tf you mean you had a stroke while typing that? you didn't type that 💀this comment section is cooked ngl
@@henzkyou're illiterate lmfao
this channel is great, you remind me a lot of danooct1, its like ive discovered him again lol. i think its mostly the voice but also the realm of content you both make.
Ngl finding the rare ultrawide video on youtube as an ultrawide user is an unexpected feeling of bliss, didn't even realize until I was 2/3 the way through lol
I’m not sure what to say other than that this is cool, and I hope to see more like this in the future. I’m gonna go watch a bunch of your videos.
LuaJIT is not the payload, the .LUA file is. JIT means "Just In Time", which makes certain programming languages into something like Java, where a VM or JIT Interpreter can run some compiled code on the machine.
Basically, the malware just used the JIT Interpreter to run that compiled .LUA file
Lua bytecode is stored in ".luac" files, not ".lua", and this bytecode can be run both by the JIT and vanilla lua. "JIT" really has nothing to do with this at all, it affects interpreter internals but from the outside it's identical to non-JIT lua (it's intentionally ABI compatible).
@@raskr8137 I just commented this because he ran the LuaJIT program by itself, but it's supposed to be ran with the Lua file as an argument. I don't believe he checked if he could get the Lua bytecode back into a readable Lua script. It seems like he believed that the LuaJIT executable was the payload, rather than it just being the one that runs the bytecode, which is the actual payload
@@raskr8137 also file extensions can be changed, and I called it bytecode because it looks non-human readable, as well as being ran by "LuaJIT", where JIT runs bytecode-compiled languages
we love eric virus analasis
best comment, been watchin for 3 years now
Can you make a tutorial on how to setup the proxy that captures packets?
If i had to guess its possible those pixels at the top of the image are possibly pixel steganography hiding some form of data such as username
Let's all love lain
Was that a Fnaf 3 refrence?
Correct
didn't know you were uploading again, love the content!
11:06 - That black box mentioned in editing could be a encryption measure as Lain and the Desktop icons were nowhere to be found in the decryption but were there when you ran Cheat Lab at 6:23 and the instructions are for the C&C server to remove the box and send it to the author if I were to guess
What's really interesting about this is that the "malicious exe" here actually appears to be legit. It's just the Lua runtime. That means it's a known good executable, which won't be detected as malicious - because, on its own, it's not.
On the other hand, the Lua file is definitely malicious. It's compiled Lua bytecode, rather than Lua script, which means you'd need to decompile it to understand it. Normally, Lua reads a script and internally compiles it into bytecode before running it, but you can also just supply precompiled bytecode and Lua will recognise the bytecode by the file signature, it then skips the compilation step, and runs it as-is. (Python can do this too, it's not just Lua)
So, the .lua file is the actual malware. Because it's not an executable but is interpreted, this gives it an opportunity to evade anti-malware solutions, which would just see it as a data file while the exe in the same folder is considered trusted.
so couldn't malware companies like malwarebytes or kaspersky just make a list for any if all lua files and some how read the bytecode or script since this is apparently how people are getting around that?
how did you disable the virtualisation thing so the VM doesnt know that its in a VM?
You don't, most software will instantly recognize that.
Software can look at the actual used hardware, which unless it's enterprise-grade, is usually virtualized stuff.
1: 'CPU is modern, virtualization is disabled' -Suspicious.
2: 'VMXNET network adapter.... (or similar for other hypervisors)
3: 'ACPI driver is one for VMs'...
@@someguy4915 makes sense
I'd be curious about how to stealth a VM from software detecting it too
Loving the Lain wallpaper ;)
Let's all love Lain!
YWNBAW
Apparently the executable is "709"
There was another 42 4D ("BM") at the end of that bitmap file that was cut off, maybe separate windows or part of the same file
very informative and prompts me to check network calls on my own machine hehe, very cool config which you have there would love to know more maybe a video on how to make a "hidden" virtual machine would be super nice or at least how you would approach hiding virtualisation
i know next to nothing about computers but even i could follow this with basic knowledge of how malware works :) good job super interesting
Couldn't you check ACPI table to detect vms? Not sure if you can get around that with vmware products
What's the difference between cheat software and malware?
- Both need to use anti detection on kernel level (for multiplayer and gotcha games)
- Both need to modify the system
- Both need to be dynamically updated (artmoney not because you must search yourself in the game code)
If you write a cheat for modern games, you use the same code as malware. There is no other way as to dynamically update the payload if you want to provide a cheat service for modern games.
The rest of that file is also part of the image, that's why the image was mostly black. To get this, you can just remove the header before the magic, the rest is your image. It probably sends screenshots because they may contain a lot of sensitive info.
The lua was in bytecode, you can certainly disassemble that back to lua code if you try ;)
how did you get the packets being sent from a qemu VM? I am curious because that seems VERY useful and for a while, I have been wanting to do the same thing you are doing in this video
Use vSphere or Hyper-V and this is a default feature (Mirror Ports).
cool video dude. I love that MITMPROXY software, that looks super useful - reminds me of WPE Pro back in the day.
this was an awesome watch and got me messing around with MITM inspecting everything lol.
also youre the first half british half american sounding person ive ever heard. (not trying to be mean lol)
How do you make a stealthy VM?
Du you have any resources on hand to stealth a VM like the one you used?
Would be handy in some situations.
I endorse cheating....
In single player games.
You deserve everything you get after trying to cheat in multiplayer games.
That's the reason, why you either only download from trusted sources, or use open source software like cheat engine, or you use a seperate computer and dont care if yo have a virus
it's pretty funny that people think of privacy in the internet, while windows or a browser they're using is sending tons of requests to various servers.
im not only talking about "evil" bing or windows, just about overall software which connects to the internet.
there could be some operating systems which dont do that, like distros of linux
Nah, they all do that. You can only protect youself by mitming your connection and writing up huillion of filters. And there basically goes your internet, because you'll inevitably end up switching to whitelist mode, blocking everything, including all kinds of "cloud" solutions. I can't even see avatars or proper nicknames on youtube because googlagol uses its spyhosts to deliever code that loads those. It's a pain even for cypherpunks, let alone normies, so no, no linux distro will ever do this the proper way. Also you will r**ed with captcha.
Funniest thing is that goolagol still knows a lot about me. All it takes is to crossreference activity and analyze what I consume and what I produce online. You are 100% trackable and identifyable until you are completely silent (emit no data) and use disposable internet endpoints in order to consume data. No distro can regulate this for you.
And you don't seem to understand 6:44
the lain bg really shows you this guy knows what they're doing
Also, lain my beloved
Hey, I built cheat engine 7.5 from source;
I've ran it a few times, and nothings gone wrong;
Though I suspect it still might be doing something, my pc has gotten slightly slower, but no malware found;
Is it safe?
cheat engine is not cheat lab, not related, cheat engine is a legit piece of utility
@@felicityc thanks
what is the program to the right where u can see the stuff and all of that.
Where do you get your virus samples from, btw?
Can you liink the thing you used to actually tell you what all the traffic means no encryption? i noticed it was the one thing you didnt include.
Really interesting analysis, found another gem on youtube
Love to see new people trying to learn on the fly. :) Welcome to the malware world, bud. ;)
The lua script isn't a cloaking technique, it's just a prescript to pull the .exe which is then guised as a .dll.
It was interesting to see, how malfare functions!
Thanks for the video!
why does he sound like tristan tate
English accent mixed with a USA accent
Top T
because he is
im curious about if you have any specific special configuration for ur vm, i see ur using virt-manager
Howd you set up your stealth vm?
how you setuped a netweok monitor for vm? i use too arch btw
Does it by hand still proceeds to be better then avast
I think that strange top bar isn't secret data, it looks a lot like the missing part of the taskbar. Just to the left a bit and shortened
the letters you where seeing are opcodes, better known as shellcode, you can directly execute them from programs without any decoding needed.
hey my name's eric too
also you can likely use a code analyzer to see the operation of an exe's process.
at 10:39 this looks like hex data
hope this helps ;)
that lua file might be luajit bytecode, you can decode it
and you can see if it's bytecode if it starts with \27 (the escape char, not literal \27)
Hey how did you setup mtimproxy to capture the traffic of applications? Mine only displays data sent by browser, discord, games etc but applications i download off the internet and ran doesn't show up in mtim even tho ive set the proxy server in settings and downloaded their cert. Would appreciate if you could tell me how you set yours up or a guide somewhere thanks!
Some third party applications ive downloaded that i know/wont function without connecting to their servers etc does not show up in mtim proxy
How did u hide the VM from the os?
i think he hid it from the executable not from the OS probably some middleware spoofing intercept calls to check for vm and return false information
Try proxmox, theres option to put "host" option as your cpu and it probably wont trigger an vm detection. Also hyper-v should work, most malwares dont know about hv existence
you know what would be funny
somehow making viruses believe my actual machine is just a virtual machine
so the virus just ignores it
lol
great informative video. very cool to see the binary conversion into png, was interesting to see what they were looking for.
Would you be able to show us how you create such a VM and/or the mitmproxy with the custom ssl cert?
What is your vm config? How do you get your vm to look real?
Am interested in the setup of the monitoring. There are a couple of uses I want to try out
I like to test malware samples on VMs and every time I worry about the virus some how finding its way out of the VM into my actual computer. Surely VM software must have some kind of protection against that? Or I could be wrong. I mostly use VirtualBox but sometimes I use VMWare if an OS refuses to work in VirtualBox for some reason or other.
it can happen sometimes, but it's pretty rare.
just don't use shared folders, and make sure hyperv isnt compromised somehow via mods or tweaks
but if you are going to release serious malware or a lot at once, cloud vm is the way to go, or a dedicated machine
underrated channel, great video!
How do you delete the app?
Omg I installed cheat engine like 6 years ago to change values on fnaf ultimate custom night, and since then, my computer has gotten slow and gotten blue screens of death for like no reason at all. Should I be concerned? What do I do?
cheat engine is not the same as cheat lab. cheat engine is not malicious software. cheat engine will get you instabanned if you try to change the memory on a game with anticheat in progress. the point of a cheat like this is that it uses some ridiculous workarounds and disguises itself so the anticheat thinks nothing is wrong. while also giving you malware
how did you disguise the VM?
Hi, if possible could you tell me how you made the virtual machine think it isn't, if so this would be very useful Thank you!
Everyone time you see a hacker in a game you just think "These guys are idiots" when you see what the software is actually doing.
so is cheat engine fine or is cheat lab and engine the same thing?
Cheat Engine is fine, Cheat Lab is the problem
I'd love to see you make some tutorials in the future!
How can you disguise a VM like that?
Thank you for another wonderful vid!
i downloaded cheat lab on my real computer a year ago. I scanned it a few months after, and it had PUP malware.
McAfee (lol) has a full wroteup, "Redline Stealer: A Novel Approach"
can someone explain to me what this did other than send a screenshot to somewhere. ig i'm missing the point of this malware.
what system do you use
Very cool video to see even if i didn't knew cheat lab existed
Did you do a man in the middle on yourself to view the packets
Would love to know what KVM/Host XML tweaks you did to convince windows its not a VM.
I have only done the basic stuff myself. I don't really play online games and never cheat, just doing the VM thing because I love Linux and well, I could. lol
How do you set up the vms so no one can detect it?
You can't, you can partially hide it, but by hiding it you usually just make it more obvious.
Like trying not to be seen by a police officer by covering your face with a ski-mask...
that is the most sketchy cheat software I've ever seen
youtube videos advertising “cheat lab” have been everywhere in the past few months and they are all just the same video with different music and ai thunbnails
Is cheat engine safe?
Cheat Engine is legit (as long as you download it from the official site).
I would not suggest using it on any multiplayer games, ethics aside it's easily detectable and can lead to bans.
yeh but decline the ads
@@meowmeowzza yeah I did skip the ads.
@@EricParker cheating on multiplayer games is unfair, and annoying anyways
@@EricParker Is extremeinjector safe?
can you look at "star multi tool"?
please share a video of full setup , thank you in advance
can i get some help setting this up? please and ty
probably uses screen shots in c2 for user previews. Basically imagine TH-cams videos layout but each thumbnail is a Screencap
i have no clue what bro is talking about, yet somehow still watched the entire thing
2:42 couldnt this be a byte array
Hey Eric, just out of curiosity - do you add anything special to ur VMs xml to protect the host from vm escape malware and that sorta stuff?
Probably not, since VM escaping malware is so insanely rare and dependent on being run on the right version and type of hypervisor that it's hardly a concern.
I love your videos even though I don’t understand most of the stuff you say ❤️
can you do a video how to make a virtual machine this stealthy?
Were you referencing fnaf 3?
.i have it on my pc how can i delete it pls
bro thx so much! 1st video i can watch fullscreen without black borders. i also use ultrawide
Id love to see that network tool more !
is MITM safe?