HTA JScript to PowerShell - Novter Malware Analysis

Published 2021-04-23

All Comments (20)
  • I never thought I'd be spending my Friday afternoon watching a cross between Seth Rogen and Louis C.K. analyze malware, but here we are.
  • @pinobeppo9287
    "146 IPs, we could do this forever..." Well, I'd definitely watch that! Please keep these malware analysis videos coming, they are great. I really enjoy seeing all the thought process behind the analysis.
  • If anyone is using EQ for their computer sound, I found that cutting down the 2 kHz range makes the sound much less obnoxious (a bit more swampy, but intelligible and sans all those awful highs). Hope that might help someone. Still, despite the sound problem, great video as usual! <3
  • @GodModeMaker
    Was just reading about MSHTA and you come up with this. Your timing is perfect John! Awesome xD
  • @CJMAXiK
    As soon as I saw the Russian text I was screaming "SLOT MACHINES!!!" )) Really cool analysis, kudos!
  • @Krysstof
    2 PowerShell tips for your future adventures:
    - You can use > to redirect output to a file (it is, after all, a "shell") instead of | out-file.
    - Parentheses around something evaluate that something and treat it as a variable, so if you have an array built on the fly and want the first and third char: [1,3]. In your case, around 31:15, the variable $VerbosePreference is cast as a string: [string]$VerbosePreference. With parentheses around it, you avoid storing this into a variable to work with it. It's the equivalent of $a=[string]$VerbosePreference ; $a[1,3] when you do ([string]$VerbosePreference)[1,3].
    Just my 2 cents :)
  • @StanLTU
    I love these videos. I am learning so much about malware.
  • @monkz1813
    Thank you John, and thank you for all of the free lessons! I appreciate it so much and have learned most of what I know to this day from you. Thank you.
  • @getellied
    Oh my goodness, this was crazy. Really interesting to see the cool (and shady, I guess) techniques they use. John, ty for this video (and don't worry about the audio ;) )
  • @_DeProgrammer
    If you use VS Code instead of Sublime, it has a beautifier module and a bunch of other helpful modules and a built-in console.
  • @cacurazi
    13:28 summary of .this (object): .this in JS will keep track of the instantiation of the code that is running, like all the functions and variables that were being set/instantiated. So, this object keeps track of all of the functions and vars that we have initially defined.
  • I learn a ton every time I watch one of your videos. You are da man!!!!
  • @lopiid
    Well done John, thank you!
  • @viam1101
    Awesome video man, Appreciate it!
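The ([string]$VerbosePreference)[1,3] trick discussed in the comments is a common way for a stager to spell "iex" without the literal alias appearing in the script. The following is an added example, not code from the video or from the Novter sample: it shows the construct as a stager would write it, then a small analyst-side helper (the function name Resolve-CharPick, the $known table and the sample fragments are this example's own assumptions) that resolves such character-picking fragments with a regex so the payload itself is never passed to Invoke-Expression. It assumes a default session where no profile has changed the preference variables.

```powershell
# Added example (not from the video or the Novter sample).
# Default values this relies on (assumption: stock session, no profile overrides):
#   [string]$VerbosePreference -> "SilentlyContinue"   ("SilentlyContinue"[1,3] = 'i','e')
#   $ShellId                   -> "Microsoft.PowerShell" ("Microsoft.PowerShell"[1,13] = 'i','e')
#   (Get-Variable MaximumDriveCount).Name -> "MaximumDriveCount" (often reached as (Variable '*mdr*').Name)

# --- What the obfuscated stager does -------------------------------------------
# Pick chars 1 and 3 out of the cast string, join them, append "x": the result is "iex".
$obfuscatedAlias = (([string]$VerbosePreference)[1,3] -join '') + 'x'
# The dot (or &) operator then invokes whatever command the string names,
# so   .$obfuscatedAlias $payload   behaves exactly like   iex $payload
# Here we only demonstrate with a harmless payload:
.$obfuscatedAlias 'Write-Host "alias resolved to: iex"'

# --- Analyst side: resolve the fragment statically ---------------------------------
function Resolve-CharPick {
    <#
    .SYNOPSIS
    Replace index-picking expressions over known host strings with the literal
    characters they yield, without evaluating any of the script.
    Example input:  (([string]$VerbosePreference)[1,3] -join '') + 'x'
    Example output: (('ie' -join '') + 'x'
    #>
    param([Parameter(Mandatory)][string]$Fragment)

    # Source strings a sample can rely on regardless of the victim host (assumed defaults).
    $known = @{
        'VerbosePreference' = 'SilentlyContinue'
        'ShellId'           = 'Microsoft.PowerShell'
        'MaximumDriveCount' = 'MaximumDriveCount'
    }

    # Matches  ([string]$Var)[1,3]   $Var[1,13]   $Var.ToString()[1,3]
    $pattern = '(?:\(\[string\])?\$(?<var>\w+)(?:\.ToString\(\))?\)?\[(?<idx>[\d,\s]+)\]'

    $evaluator = {
        param($m)
        $name = $m.Groups['var'].Value
        if (-not $known.ContainsKey($name)) { return $m.Value }   # unknown source: leave untouched
        $src   = $known[$name]
        $chars = ($m.Groups['idx'].Value -split ',') | ForEach-Object { $src[[int]$_.Trim()] }
        "'" + (-join $chars) + "'"                                 # emit a quoted literal
    }.GetNewClosure()

    [regex]::Replace($Fragment, $pattern, $evaluator)
}

# Constructed sample fragments in the style the video walks through:
Resolve-CharPick "(([string]`$VerbosePreference)[1,3] -join '') + 'x'"
Resolve-CharPick "`$ShellId[1,13]+'x'"
Resolve-CharPick "`$VerbosePreference.ToString()[1,3]+'x'"
```

Run the analyst half on fragments copied out of the stager rather than on the whole script: the helper only rewrites the index expressions it recognises and leaves everything else verbatim, so a fragment that still contains an unknown source variable (or a download cradle) stays visible and unexecuted. The same approach extends to other fixed strings a sample may index into, such as $PSHome or the names returned by Get-Variable, by adding them to the $known table.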