Analyzing Adwind / JRAT Java Malware
Open Analysis Live! We analyze Adwind / JRAT malware using x64dbg and Java ByteCode Viewer. This was a subscriber request asking us to take a closer look at Adwind and how to extract the config...
-----
OALABS DISCORD
https://discord.gg/6h5Bh5AMDU
OALABS PATREON
https://www.patreon.com/oalabs
OALABS TIP JAR
https://ko-fi.com/oalabs
OALABS GITHUB
https://github.com/OALabs
UNPACME - AUTOMATED MALWARE UNPACKING
https://www.unpac.me/#/
-----
Packed sample:
SHA256 - 937a18e19ad1579ffc5f9399830860c13fc9f54df4c3f4a0f9f15a658e02ddac
https://malshare.com/sample.php?action=detail&hash=f0abfd6d3fb0ba12a5d874b16ac753fc
Hybrid Analysis sandbox:
https://www.hybrid-analysis.com/sample/937a18e19ad1579ffc5f9399830860c13fc9f54df4c3f4a0f9f15a658e02ddac?environmentId=100
Decoy Adwind unpacked:
https://malshare.com/sample.php?action=detail&hash=c10199b8c0855b502d6edfe204bf7767
Adwind config:
https://pastebin.com/aq7K1GNY
Blog post on Adwind:
https://www.codemetrix.net/decrypting-adwind-jrat-jbifrost-trojan/
x64dbg:
https://x64dbg.com/#start
Java ByteCode Viewer:
https://bytecodeviewer.com/
Compile and run a Java class file:
https://docs.oracle.com/javase/tutorial/getStarted/cupojava/win32.html
Java JAR basics:
https://docs.oracle.com/javase/tutorial/deployment/jar/basicsindex.html
Python Adwind decryptor:
https://gist.github.com/herrcore/8336975475e88f9bc539d94000412885
Feedback, questions, and suggestions are always welcome : )
Sergei https://twitter.com/herrcore
Sean https://twitter.com/seanmw
As always, check out our tools, tutorials, and more content over at http://www.openanalysis.net