Export JRAT/Adwind Config with x32dbg
In this blog post I'll explain how you can export the config of JRAT/Adwind to gather further insight into this kind of malware. The trick is that you must be aware that JRAT/Adwind creates a fake JAR and config at the beginning to confuse analysts. Only afterwards are the real config and JAR run.

Step 1: Start x32dbg.
Step 2: Open java.exe.
Step 3: Under Debug, choose "Change Command Line".
Step 4: Point it to your suspected JRAT/Adwind JAR file.
Step 5: Create a breakpoint on "CreateProcessInternalW".

Hint: As mentioned earlier, this breakpoint will be hit multiple times, since JRAT starts multiple processes (for example to detect AV solutions with the help of WMI, etc.), so you should watch the Stack window of x32dbg to find the "real" call.

Step 6: After hitting the breakpoint multiple times you should see something like this: Adwind is about to start the real JAR and thus we can be sure that
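A small triage helper for sorting the breakpoint hits from the procedure above, added here as an example and not part of the original post. It assumes the analyst copied the lpCommandLine string shown at each CreateProcessInternalW hit (on x86 the third argument, at [esp+0xC] when the breakpoint fires) into a Python list; the command lines, JAR names and the original sample path below are constructed.

```python
import re
from pathlib import PureWindowsPath

# Assumed: the JAR that was set via "Change Command Line" in x32dbg.
ORIGINAL_JAR = r"C:\samples\suspect.jar"

# Constructed sample: lpCommandLine values copied from the Stack window at
# successive CreateProcessInternalW hits (WMI recon, decoy JAR, real JAR).
CAPTURED_HITS = [
    r'"C:\Windows\System32\wbem\WMIC.exe" /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName',
    r'"C:\Program Files\Java\jre1.8.0_171\bin\java.exe" -jar "C:\Users\ana\AppData\Local\Temp\decoy_1234.jar"',
    r'"C:\Windows\System32\wbem\WMIC.exe" path Win32_Process get Name',
    r'"C:\Program Files\Java\jre1.8.0_171\bin\java.exe" -jar "C:\Users\ana\AppData\Roaming\Oracle\bin\real_5678.jar"',
]

_ARG = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _ARG.finditer(cmdline)]


def classify_hit(cmdline, original_jar=ORIGINAL_JAR):
    """Label one hit: 'wmi_recon', 'original_jar', 'child_jar' or 'other'."""
    args = split_cmdline(cmdline)
    if not args:
        return "other"
    exe = PureWindowsPath(args[0]).name.lower()
    if exe == "wmic.exe":
        return "wmi_recon"  # the AV-detection noise the post warns about
    # javaw.exe is included as an assumption; the post only mentions java.exe.
    if exe in ("java.exe", "javaw.exe") and "-jar" in args:
        idx = args.index("-jar") + 1
        jar = args[idx] if idx < len(args) else ""
        return "original_jar" if jar.lower() == original_jar.lower() else "child_jar"
    return "other"


def find_real_jar(hits, original_jar=ORIGINAL_JAR):
    """Per the post the decoy JAR is launched first and the real JAR afterwards,
    so the last child java -jar hit is the candidate for the real JAR."""
    candidates = [h for h in hits if classify_hit(h, original_jar) == "child_jar"]
    if not candidates:
        return None
    args = split_cmdline(candidates[-1])
    return args[args.index("-jar") + 1]
```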