Hacker's Gave me a Game and I Found a Virus

Подписаться 603 тыс.

Просмотров 388 тыс.

50% 1

A hacker put malware on a Discord server that I hang out on, so naturally I downloaded it to see what it did. Instead of just running the software, I tried to reverse engineer it to get a peek underneath the hood at the assembly and see what was going on. I quickly found out there was MUCH more than what meets the eye with this malware.
🛒 GREAT BOOKS FOR THE LOWEST LEVEL🛒
Blue Fox: Arm Assembly Internals and Reverse Engineering: amzn.to/4394t87
Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation : amzn.to/3C1z4sk
Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software : amzn.to/3C1daFy
The Ghidra Book: The Definitive Guide: amzn.to/3WC2Vkg
🏫 COURSES 🏫
Learn to code in C at lowlevel.academy
🔥🔥🔥 SOCIALS 🔥🔥🔥
Low Level Merch!: www.linktr.ee/lowlevellearning
Follow me on Twitter: / lowleveltweets
Follow me on Twitch: / lowlevellearning
Join me on Discord!: / discord

Наука

Опубликовано:

31 дек 2022

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 519

@acuifex Год назад

Now imagine what's it like for malware researchers. You go trough all of those hoops every day, just to find out that it's an xmr miner

@astronemir Год назад

It runs monero miner while waiting for something better.

@Kristukas1337 Год назад

let me guess not a big computer guy?

@mraloush8959 Год назад

@@Kristukas1337 average chris with python as his pfp acting like he knows everything. you probably tell your classmates you're a hacker

@Kristukas1337 Год назад

@@mraloush8959 I think the video on your channel speaks for itself

@claritix101 Год назад

@@Kristukas1337 lmao

@SpeckyYT Год назад

The creativity of the hacker to just name the game as an already existing one

@Rice7th Год назад

ooo ciao specky!

@aziskgarion378 Год назад

One that of a game that is very known and has a known indie developer. That's like writing FnaF 17, and people recognizing the user is not Scott Cawthon. Pretty sure the guy who wrote the malware isn't the same one who is spreading it.

@bombie Год назад

no way its the real specky

@whisconsin Год назад

@@aziskgarion378 To be fair, nowadays FNAF is community run, as Scott Cawthon retired.

@monhi64 Год назад

LLL had edited the vast majority of that scammer messages text so that no one actually typed that URL in and got scammed so I just assumed he (LLL) named it after a known game to be more anonymous. But yeah it’s definitely possible that’s the one part of the URL he didn’t change you never know

@billigerfusel Год назад

I could enjoy a 30 minute video on this topic.

@Suivezlegeek01 Год назад

True

@mehedimi Год назад

Yeah me too

@workforsurvive.1557 Год назад

Lol and so i can 😆

@slingshot99 Год назад

Count me in

@Boogie_the_cat Год назад

I would as well.

@bit0fun Год назад

Might not have been the hack of the century, but still interesting to learn what they were attempting to do. Could maybe do a video in the future trying to dig into it a bit more? Maybe even an overview on how to write a deobfuscator? Would be neat

@IlyesCodes Год назад

Yes pls

@noeaguilar4521 Год назад

I second that

@truestopguardatruestop164 Год назад

Yes

@kebman Год назад

It's the Hack of the ... Last Five Minutes! :D

@tamnker8465 Год назад

I wonder if chatGPT could deobfuscate… Hmmm…

@KunningFox Год назад

1:26 Looks like the malware maker uses Sprinthost's technical domain to host the virus. The subdomain is the username of the client. It might be a good idea to inform the hosting provider that one of their clients uses their servers for malicious purposes. The clients must provide the scan of their passport (or other documents if it's a legal entity) in order to use their services.

@luckichan Год назад

yeah i saw that too but its not really worth it tbh well if i wanted to maybe for the lulz yk

@Renni-kg6vf 6 месяцев назад

@@luckichan ???

@luckichan 6 месяцев назад

@@Renni-kg6vf the domain is known for malware

@shimadabr Год назад

A longer video explaining the intricacies of your discovery process would be awesome.

@LowLevelLearning Год назад

Noted!

@pancak3 Год назад

@@LowLevelLearning this video is kinda useless since this wasnt sent by a human. it was a mass dm tool which has responses for everything

@spoils8179 Год назад

@@pancak3 but useful nonetheless because some people have no idea that this happens. Also an idea on what not to do, or how to run it in a decent environment.

@fwilhe Год назад

Nice. Tell us more about the sandbox tool at 1:45. Is that something I should know about? I was expecting a VM, is this some wrapper for a (cloud?) VM? What considerations do you make before running sketchy binaries to avoid them breaking out of the sandbox and affecting the host system?

@fwilhe Год назад

@@Finkelfunk thanks I never heard of that before

@zafmafattack Год назад

Sandboxes designed for malware are pretty much normal virtual machines with extra features to help with analysis. Sandbox escape malware isn't usually an issue for the analysis environment if other precautions have been taken like making an isolated network segment (with a managed switch you can create vlans)

@CunningBard Год назад

thoughts on windows sandbox?

@kirill9064 Год назад

@@tacokoneko Sandboxie-Plus. It is open source too.

@natsudragneelthefiredragon Год назад

@@tacokoneko But its still on YOUR device...

@ZarkWiffle Год назад

A friend of mine got hit with a similar scheme but this one stole passwords and other data from chromnium browsers. Once I found the malwares put requests I may or may not have uploaded a few hundred fields of fake generated data into their server.

@vinylSummer Год назад

Should've made an sql injection

@balllord3546 Год назад

@@vinylSummer stealers dont store data in sql dbs most of the time and if they do it is most likely sanitized so wouldnt work

@ggsap 4 месяца назад

@@vinylSummer what is this? the 90s? if they smart enough to develop such kind of software they surely wont have a sql injection vuln lol

@TowelPanel1852 Год назад

FYI, the first stage is called a dropper because it downloads/drops malware from another computer onto yours

@CallousCoder Год назад

“I just ran it” and that actually is often the easier thing to do. Because some code can indeed be hellishly obfuscated or even compressed and/or encrypted and to reverse engineer that can take ages. Just running it, whilst having wireshark logging and memory dumping the data segments and on Linux I live to run strace or Solaris truss as well. And see what kernel calls with what data are done. Now I never reversed engineered malware but mainly copy protection and old unsupported software (statue of limitations has passed 😂), or create cheats in games (a lot of that on this channel too) and debug unsupported code that still ran (and probably still is).

@heroclix0rz Год назад

Would be good to explain in as much detail as possible what steps you take to ensure a virus will not be run on your main machine and will definitely be isolated to the sandbox of your choice. Don't want a random 14 year old feeling invincible, only to get their mom's laptop pwned because they don't know how to put a VM in the DMZ.

@ryans3979 Год назад

He isn't using a VM machine in this video

@ToxicAtom Год назад

considering the sandbox he uses isn't running on his network and instead is an open web-based platform designed for inspecting malware, I'm pretty sure nobody will get the wrong idea from this video

@akirekoko7415 Год назад

@@ToxicAtom ninja

@khalilovitch_ Год назад

Great video, I would enjoy a detailed explanation of your approach to reverse engineer the binary

@LowLevelLearning Год назад

Coming soon!

@kebman Год назад

@@LowLevelLearning Looking forward to it!

@9superswords630 Год назад

There are a lot of good malware reversing researchers here on youtube. Many don't like to/are not capable of jumping into IDA. This is great!

@Rottenham12345 Год назад

It would be great to see a detailed video on how you reverse engineered this. You speak through your process so casually when it’s actually super impressive stuff you’re doing that I’m sure a lot of us would like to better understand

@balllord3546 Год назад

what details do you need he pretty much explained it all.

@casquinha132 Год назад

Because it's not super impressive, you just lack background.

@Rottenham12345 Год назад

@@balllord3546 there is a difference between a summary and a detailed explanation my friend.

@bigdraco3006 Год назад

all he did was look at strings in ida and run it in a sandboxer tho xd

@balllord3546 Год назад

@@Rottenham12345 bigdraco literally said all he did. this is literally all he did there is no more detail to mention unless u want to look at the sandbox’s analysis more as he didn’t unpack the final stage

@NutflX Год назад

i almost fell for this a few months ago but the part that made it believeable was it from one of my friends hacked accounts. and he was developing a basic platformer so i didnt think twice about it. i only realised once a cmd opened and discord restarted to the login page.

@TheTacticalTuna Год назад

That sucks, did you just reinstall windows after that?

@stevenglikin3219 Год назад

That's like "almost" falling for an irs scam when you already gave them 500$ of gift cards

@ValchyGaming Год назад

Great video man, super interesting

@davidmurphy563 Год назад

".ru" what a surprise.

@jp4_ Год назад

php file's named bebra as well which is a russian meme so

@bill8126 2 месяца назад

anyone from anywhere could rent that russian hosting. So it doesn't usually say about hacker nationality

@mbrofoc 2 месяца назад

xD...

@mbrofoc 2 месяца назад

@@bill8126yeap. Some people need to see the host map around the world and realize that you don't need any identification docs about you to buy host😂

@gridfighter 2 месяца назад

This is actually a great topic. I have a few games that are open source but the only remaining versions of them are infected. So here I am learning how to decompile them to remove the malicious part and compile them again.

@jumanji4037 Год назад

This is really interesting, the entire idea of reverse engineering and looking for those hard coded urls and files is really smart. I’d love to see a course on decompiling executables and understanding their purpose. Happy new year!

@softwarelivre2389 Год назад

Doesn't work if it obfuscates URLs (like calling a parse function from some weird encoding made just for that purpose), or if if just uses good old plain encrypting/decrypting on the go. But network analysis should capture it just fine.

@ChrisTheCringe Год назад

In a real world scenario, viruses would have that URL obfuscated. It wouldn't be that easy.

@balllord3546 Год назад

@@ChrisTheCringe true.

@KaneYork Год назад

@@ChrisTheCringe this was a real world sample!! The first stage just didn't use advanced protections like the 2nd did

@evoredy Год назад

great workflow! love ida also!

@olteanumihai1245 Год назад

more of this would be awesome

@griefinnub3745 Год назад

love this vid! more please

@fridosteffers891 Год назад

Happy new year! Thanks for sharing this very nice piece of information! There’s a lot to learn I guess 😀 Keep them coming, I’m hooked 😉

@LowLevelLearning Год назад

Thank you! You too!

@aimeblack Год назад

man you have cool job, i wish i know how you do or where did you learn all of that. Its so cool.

@pr0xythegodofhax Год назад

thanks for making a video about this, you never fail to amaze me :) love reverse engineering

@LowLevelLearning Год назад

Glad you liked it!

@pr0xythegodofhax Год назад

@@LowLevelLearning also what's the name of the online sandbox you used?

@vyldim3401 Год назад

0:33 Folders named \Cryptor\Loader runpe huh? Really subtle hacker, reaaaaly subtle

@LowLevelLearning Год назад

Yeah they left a TON of build artifacts in that loader. Wild.

@TheMaryusz91 Год назад

Really nice and clear content, thank you to make people mora aware of how this kind of attacks work! 🙂

@iuhere Год назад

whoa , this is new content or am i missing such content on your channel, may be youtube is filtering such content of your channel to not show in my noti... they might be watching me (or my history) 🤣 as if... anyways great video , never thought of skipping as every second of the video was nicely curated and data being pitched in simple way. the comic timing was awesome and fairly placed with the context of the video. Keep up the good work, simply put enjoyed this one.

@pedroaviladressler310 Год назад

very intelligent od someone to drop an malware disguised as a game, on a programming discord community

@blankspace1959 Год назад

this was awesome, I would like to see this more in depth . keep up the wonderful work.

@pewdthedark5269 Год назад

really like this video and explanation

@JUIYKI Год назад

Nice video man, be careful with your IP

@Pedakin Год назад

This is why I can’t just “throw on a video” around people for everyone to watch. This is the kind of shit I like.

@wChris_ Год назад

actually your IP doesnt matter! just restart your router and you will get a new one. leaking your IP address is only an issue if you have a static one which im 99.99% sure you dont have.

@LowLevelLearning Год назад

DHCP be like

@wChris_ Год назад

@@LowLevelLearning DHCP only assigns private IPs to your devices connected to your router. You probably have heard that we are running out of IPs and for the most part this is true, but to combat that issue NAT was invented, which resolves this issue by translating your private IP address into the public IP everyone see on the internet. This way IP addresses are not wasted to end users who realy dont need them.

@wChris_ Год назад

@@LowLevelLearning you can check that you really only have 1 IP by searching 'what is my IP' or something similar on multiple devices.

@Sevenhens Год назад

@@wChris_ ISPs give out residential IPs by DHCP themselves (hence why your IP can change when you restart your router).

@GedasTM Год назад

Finding playtesters will now be even more difficult 😟

@ashfaquekhan7282 Год назад

can you please make some tutorials, or a roadmap video on how to get started with low level programming and what should a normal beginner level coder do to learn the extreme basics stuff like reversing a software and how to read it , not only for knowledge purpose but as a career too

@billyjoejimbob75 Год назад

That's funny. Always wondered why nobody ever took my old DOS screensavers back in the 90s. Then I realized they thought everyone on the internet was out to get them.

@idogaming3532 Год назад

What do DOS screensavers have to do with this?

@nachosncheez2492 Год назад

reverse engineering series ? tips and tricks and longer beginner to advanced videos?

@shayanaayan6533 Год назад

Me looking up reverse engineering malware.. Because i downloaded a pre activated software i need for my work... And here i am... Learning something new throughout the vid Thank You 💯

@baali9097 Год назад

So would you say Ida got your back. Love the content

@cpaw Год назад

I wish one of my friends knew about scams like this before he lost his whole online presence due to a virus

@lynx1436 Год назад

There's been a virus around on discord working kind of the same way as this although it gets access to accounts and someone text the hacked accounts friends from it which makes it so people dont think about downloading the file and running it. My best friend had this happen to them and the hacker sent the file to me from their account and i almost fell for the trap, my friend is too stupid to make a game so was skeptical from the start ahha

@Wannabe-channeL Год назад

Because of the hacker like this. As an indie game developer, it’s hard to find someone to play my game and they started accusing me of being a scam 😔

@shapelessed 4 месяца назад

"Hacker is gave me a game" - What a great and completely correctly written title.

@badfitz66 Год назад

I got a similar one once, but from a friend, who was actually in gamedev at the time, so I didn't question it. I downloaded and ran it and noticed that: 1. it opened the nodejs terminal for a split second 2. i was suddenly and suspiciously logged out of discord I suspect it was some sort of keylogger (most likely injected itself into discord hence the nodejs stuff, logged me out, and waited for me to put my login details again). I of course deleted the virus and nuked discord before reinstalling.

@nanahiiragi723 Год назад

If it closed discord that means your token was stolen. Discord (and other apps) have some protections in place for having the token stolen, so it only stores the token in a readable state when closed. But, logging out refreshes the token, so it also injects itself into discord to capture new tokens when you log in again. They also are usually stealers (or at least, include stealers, because why not), usually stealing saved passwords from browsers, crypto apps, tokens of other applications, saved credit card details, etc first.

@balllord3546 Год назад

@@nanahiiragi723 this simply is not true (that discord has protections for having your token stolen

@slavic_commonwealth Год назад

@@balllord3546 nope. if you run virus, then your discord token can be easily stolen

@gtxg. Год назад

@@nanahiiragi723 tokens are stored in cookie, cookie is easily grabbed

@balllord3546 Год назад

@@gtxg. no theyre stored in localStorage

@SkippyDa Год назад

I had a similar thing, got send to a website to download their game, reverse engineered it, was a basic cookie/discord session stealer, including the non obfuscated code.

@ryyott Год назад

Bro could have given you a legit game with a silent miner compiled into it and most people would have no idea. Weird hacker with absolute no idea...

@giftfromyoutube Год назад

Man I would sit and watch a 3hours full video on this issue without getting tired. I loved it. Some more pls

@Righy_offic Год назад

Bro got out of there as fast as he could 💀

@user-hp1zj2qu6j Год назад

the last thing you must do: DDOS THEM.

@jaroldsabillon7689 Год назад

I would love to learn how to do some of this stuff! Where can I get started? Additionally, would something like Virtual Box work to run the virus? If not what do you use?

@spaghettispaghetto Год назад

great vid very informative keep ooon

@LowLevelLearning Год назад

Glad you liked it

@farukdz2084 7 месяцев назад

it feels amazing to understand assembly language

@the_person Месяц назад

This is cool, also helped me discover the strings program and what it does :DDD

@honokasawada9170 Год назад

Please make a video on obfuscation, I would love to learn more about it!!!

@romanstingler435 Год назад

love your content

@toperri 8 месяцев назад

just found this channel and I can't stop watching his videos

@beastly_neon Год назад

There was a similar malware campaign from 6 months ago where they ask people to check their game and it check, saved passwords, discord auth token, cryptocurrency information, etc to a russian ip. My friend got hit by it and they stole discord token and ran it using a automated to script to further distribute the malware to all server and his friends

@technomind88 Год назад

I liked the part where you "found their IP address"

@not_herobrine3752 Год назад

reminds me of the time i wanted to watch a movie and ended up finding out that its a piece of shitty malware with a stupider method of delivering its payload

@starseer986 Год назад

would be nice if you explained some of the other stuff more, like why it took a desktop screenshot.

@bill8126 2 месяца назад

for example bank app shortcuts or something valueable

@crimsonblitz2795 Год назад

Happy new year my friend. 😊

@LowLevelLearning Год назад

You too!!

@crimsonblitz2795 Год назад

@@LowLevelLearning Thank you. 😊

@sgmvideos5175 Год назад

That's reason why so hard to actually make people test my games everyone thinks it's virus T_T

@minirop Год назад

I miss the time where the discord malwares where simply stealing your discord token to get access to your account by sending it to a webhook. I had fun times spamming the webhooks with disgusting imagery.

@balllord3546 Год назад

these still exist

@minirop Год назад

@@balllord3546 sad then. I only got crypto miners in the past year or so.

@ThatNiceDutchGuy Год назад

I had this several times already. It installed Windows, it was full of monitoring user metrics.

@MrSpace5260 Год назад

it would be so good if you said "nice mining simulator" 😂

@baladi921 Год назад

Short and Sweet.

@0xhhhhff Год назад

Happy new year btw

@LowLevelLearning Год назад

Happy new year

@OliveGardenWorker Год назад

i could watch a 5 hour video of this dude just reverse engineering viruses

@chadengineer Год назад

Nice video, you should do more videos about this IDA tool, it's really interesting

@LowLevelLearning Год назад

More to come!

@Littlefighter1911 Год назад

I've received a very interesting malware once, that was a Java file, but all classes and functions were renamed to sound like they were part of a game. (Like "Map", "House", "Inventory", etc.) But if you looked into the classes you could see by the behavior that this wasn't a game at all. So be careful when trying to assume things from using string. Some madman might have been smart enough to just rename everything.

@ThatNiceDutchGuy Год назад

Yes or appended some sneaky code into legit classes.

@pixel690 Год назад

interesting, the "games" i receive off of random people on discord are usually a packed nodejs program that attaches some sort of discord logger onto your client that sends them any sensitive information you may input into discord such as passwords, credit card details, etc via a webhook

@phoenixplays2800 Год назад

that may be Doenerium off of github, hate to see it

@DccToon Год назад

wait, the person named "not a hacker" reminds me of when i created my discord account, i called it "not a hacker" but then i decided to change it

@paradoxclover8799 Год назад

Wow. I actually received a DM with a request like this a while ago, I told them I would soon and I promptly forgot about it a few minutes later. They asked if I had played it the next day or the day after and I told them I was busy (I wasn't busy I was just too lazy to play it). I forgot about that person and the game a few minutes later after replying. I didn't know that was a scam until now!

@theejoshhh Год назад

I fell for this one myself! Not sure why I ran the file, I was like 99% sure it was a hacker but they messaged me from a friend's account that I hadn't spoken to in a while. Not sure exactly what happened in the background but I'm relatively certain they stole my cookies. I found them logged into my discord and kicked them off almost immediately before wiping my whole system.

@NOT_A_ROBOT Год назад

oh hey that's totally not my evil hacker clone in the thumbnail!

@Leonhart_93 Год назад

Very fascinating! I know roughly how your average malware operates, but I love more intricate stuff and specifics.

@sebgamingkid Год назад

This is why i block connections for software that i don't 100% trust before i run it even if tested with an antivirus

@ItsaGlitch1 Год назад

this happened to me, but they stole my passwords

@TheMiningLeon Год назад

I reverse engineered an .exe compiled python cookie logger, got bros webhook and spammed it

@Miles-co5xm Год назад

Just wanted to check it someone can reverse my malware, thank you!

@hubhikarilives Год назад

Cyber is so fun to study like this

@romoney Год назад

when will they find out that games have many folders and files for it to run

@Purlime Год назад

man really uses light mode and dark mode at the same time

@grayhacer Год назад

Is there a real software to check if any malware can disable your antivirus?

@necudavamkazem Год назад

Make this a storytime series

@GL455_ 11 месяцев назад

Cool stuff!

@jumper0122 Год назад

I could watch videos of malware analysis all day. I'd love to see more of it!

@kebman Год назад

There's a reason I clicked this video instead of Fun Meme Video No 1003.

@emeraldArmy4267 Год назад

Buy a Course then. I bought it was soo cool

@Voorhees-Jason Год назад

I gotten that type of DM's like 4 times from random people. I ignore them generally but, the very last guy that tried, I was curious of what the scam was since it was the same pattern as I know there is scams on discord. I asked him what kind of game it was blah blah blah. He did not give me much info so I confronted him about how is it that I get DM's from different people with the exact same story. He never replied lol.

@lunareclipse363 Год назад

I have seen malware that steals your discord token and uses your account to spam your friends with the same message that got you (probably not the only thing it does).

@jacobp.2024 Год назад

All that work just to harmlessly mine Minero. I'm honestly impressed he didn't take it any farther.

@bouncyduckk Год назад

he knew it was malware before he even checked it💀 as soon as he saw the file size he knew

@ahmedahmedx9600 Год назад

Please can you tell me where/how you learn all of this ? Is there any courses free/paid will take me to this level so i can reverse engineering malwares

@marouaniAymen Год назад

Excellent video, what is the tool for the sandbox that did you use, is it a VM (windows on Virtual Box for example) ?

@alexestefan7521 Год назад

Guessing the game requires admin privileges like anything else on windows

@Majkieboy Год назад

Long form reverse engineering stuff would be great. That's the field I'm trying to get into at the moment. Need more malware to practice on however.

@ivanignacio2353 26 дней назад

how is called that app that you used for sandboxing? Great video

@annareichelt5997 Год назад

I consider myself somewhat critical when it comes to downloading and executing software from unknown sources, but man, I would've definitly been the idiot who downloaded that "game" to be nice. Thanks for reminding me that 1. Malware could be anywhere and 2. I am an idiot