How Does Malware Know It's Being Monitored? 

"hippity hoppity your code is now my property" 😂

Let’s make a malware just for fun 😂

Hi John I'm I want get the maldev academy course but they don't have account security 2fa or any paying 500$ with no account security I sent them a massage with no response

Very informative thanks, I have been interested in learning how to craft shellcode recently.

One extra trick: check for a file you placed somewhere else on the filesystem. If it does not exist, your executable is running on another computer or inside a sandbox. (But it does NOT protect against debugging though. You need something else for that)

9:00 remember, if you've got procmon rename it to prankmin or something, same for x64dbg, make it x69dgb or something, ida can be ide, something you'll remember but won't match a blacklist.

I hope we don't get put on a list by watching these sort of videos...

Is your correction in 14:07, correct? Previously in the video, at 12:06 it says "__readfsdword" for 32 bit.

You n danooct1 have been an inspiration for me to do CySec, still going through what I wanna focus mainly on, but I love both red/blue team jazz, so time will tell, mby I go purple team c: Thank you again, John, hope all good happens in your life

It strikes me that checking the time delta as a quick way of determining if the software is sandboxed would lead to a perverse incentive, where old and slow computers (and VMs or containers without many resources) can't get infected because the shellcode stager thinks it's a sandbox

Hey John, How it's going with OSEE, can you make a video about it?

8:10 - Nice, mine did the same too, but I think it's because you have submitted a debug build, cause if I compile it with “-s -O3” options the detection falls to just 1. Edit 1: I also tried submitting unoptimized bin with just “puts” and other stdio functions - and virus-total seems to flag it with the same 6 flags, so most of the problem are from submitting debug builds.

The GOAT strikes again ❤

Always got great videos

Your thumbnail predicted the Trump mugshot insider info?? 😂

could you not use this kind of behavior to spoof and make believe maleware that its inside a debug enviroment so it doesn‘t fire on a regular system?

Hey John I enjoy watching your videos. They are informative. There's a new malware called whiffy recon which infects vulnerable windows devices by wi-fi access point by scanning every 60 seconds and tries to triangulate a device's location. if you can find a sample code could you please do some analysis

Can you do full course about sliver c2 framework from zero? Thank you❤

I feel that runnung windbg may be a good method to sabotage malware.

YEA BOOOOOIIIII!!!!

Love it, great video. I think you talk at an excellent pace lol

Well, if I would be a blue-teamer, I'd just Ghidra into the binary and reverse the If statement. I can run it with a debugger attached but it can't run standalone. ^^

Sounds good 💯

lmao when malware know to make blacklist on its own

Do you also have a casio clock? Same as me if you say yes :P

try all debug detction methods in virustotal (don't include malware, just `if(isdebugged())puts("debugged");`)

Which is the best course for malware development Sector7 OR MalDevAcademy

NICEE

K, this has nothing to do with this video but figured this was the community to help answer a question. Seems Facebook has a phishing scam circulating thats proposed as a post on someones wall with a "guess whose died" car crash headline thats provides a link. Apparently, as John has shown/demoed, its the whole fake signin spoof workflow where your creds will then go to 💀. My question though is, all times Ive seen this the link has clearly been a vercel application which A) makes me think the jerkoff mastermind apparently has backend skills about as sophisticated as mine but more importantly B) wouldnt/shouldnt Vercel sniff this transparent nonsense out and put a quick rm -rf on things? And certainly, if anyone reads this and decides to phish the phisher, well, i applaud and respect da skills. But ya, mainly just seems weirder an apparent 'prod' malware thats breached FB would still carry a transparent vercel domain.

i clearly dont know what is going on

Damn Grey hats I love you

this is so simple that it is scary

Sounds good 💯

6:56 9:10

\tell us how to hack the Fed

Nice :D

Anyone got resource recommendations for learning the Sysinternals tools and WinDbg? Maybe John can start a series on them.

I have the sektor7 malware development course!

thanks cuz of u i bring some 66G db logs u deserve that ❤️

john please stop looking at me so scarily in these thumbnails

From India love you sir❤❤❤

I like to hear that out track song fearless.

How to convert it to useable shell code?

Hey Mr.John! I am a beginner in the field of cybersecurity. Could you please help me with some resources which help to start my career in offensive security. Thanks in advance!

John The way i see you You are one in a million ❤❤

This is amazing man, what a great video

good

Thank You John !! :)

This won't work, exe files are always checked if they are from a trusted publisher or not, UAC will probably block it if it runs on a different machine, even if the defender is turned off.

c and c++ can determine the array size if you initialize it in the same line. that said, bare arrays are deprecated. Use std:array. Why are you using boolean macros instead of the proper types? And why don't you just "return pPeb->BeingDebugged == 1;"

You often talk too quickly.

If john notices this comment [heart or comment]. Im convincing my mom to give my laptop back for cybersecurity and personally loves these videos. I regret using a chromebook. Luckily i have linux

Good to know about new tools and techniques

Couldn't you just read your own memory and look for soft breakpoints?