Posts

Export JRAT/Adwind Config with x32dbg

In this blog post I'll explain how you can export the config of JRAT/Adwind to gather further insight into this kind of malware. The trick is that JRAT/Adwind first creates a fake JAR and config to confuse analysts; only afterwards are the real config and JAR run.

Step 1: Start x32dbg
Step 2: Open java.exe
Step 3: Under Debug, choose "Change Command Line"
Step 4: Point it to your suspected JRAT/Adwind JAR file
Step 5: Create a breakpoint on "CreateProcessInternalW"
Hint: As mentioned earlier, this breakpoint will be hit multiple times since JRAT starts multiple processes (for example to detect AV solutions with the help of WMI etc.), so you should watch the Stack window of x32dbg to find the "real" call.
Step 6: After hitting the breakpoint multiple times you should see something like this: Adwind is about to start the real JAR and thus we can be sure that

Installing Rudra to analyze PCAPs and PE files

Every malware analyst struggles now and then to analyze PE files in a hopefully mostly automated way. While PEStudio is definitely capable of doing this in a semi-automated way, in my opinion it is highly unstable. Luckily, I found a project on GitHub called Rudra which does an awesome job of analyzing PE files and PCAPs. Since it took me some time to figure out all the dependencies, I thought it would be a good idea to create a post to help fellow security guys install this beast.

Prerequisites
While you can surely install it on Windows using Python, I highly recommend a Linux server for this purpose. In my tutorial I'll use an Ubuntu Server 18.04 to get the job done. After installing the server, don't forget to run
# sudo apt-get update
# sudo apt-get upgrade

Getting Rudra
Clone the Rudra repository from GitHub to your Ubuntu Server
# git clone https://github.com/7h3rAm/rudra

Installing the prerequisites
To be honest, this is where the pain