Export JRAT/Adwind Config with x32dbg

In this blog post I'll explain how you can export the config of JRAT/Adwind to gather further insight into this kind of malware. The trick is, that you must be aware that JRAT/Adwind creates a fake JAR and config at the beginning to confuse analysts.

Afterwards, the real config and JAR are run.

Step 1: 

Start x32dbg


Step 2: 

Open java.exe

Step 3: 

Under Debug, choose "Change Command Line"

Step 4: 

Point it to your suspected JRAT/Adwind JAR file

Step 5: 

Create a Breakpoint on "CreateProcessInternalW"




Hint: As mentioned earlier this Breakpoint will be hit multiple times since JRAT starts multiple processes (for example to detect AV solutions with the help of WMI etc.) so you should watch the Stack Windows of x32dbg to find the "real" call. 

Step 6: 

So after hitting the breakpoint multiple times you should see something like this:


Adwind is about to start the real JAR and thus we can be sure that the real config must be somewhere in memory.


Step 7: 

Switch to Memory Map and rightclick and click "Find pattern"


Step 8: 

Since I've seen Adwind/JRAT configs multiple times, I know that the word "DELAY_INSTALL" is found somewhere in the config so let's search for this string since it's pretty unique. You will find multiple matches:


Step 9: 

Double click on them to open the CPU View and look if it is the right config. Hint: If the DNS_SERVER in the config is pointing to 127.0.0.1 you are looking at the dummy config which is not what you are looking for so repeat step 8 until you catch the right one.

Step 10: 

Once you found the right config mark the text, right click on it, choose "Binary" and "Save to file"


Congratulations! You exported your first Adwind/JRAT config!




Kommentare

Kommentar veröffentlichen

Beliebte Posts aus diesem Blog

Installing Rudra to analyze PCAPs and PE files

Bild
Every malware analyst struggles now and then to analyze PE files in a hopefully mostly automated way. While PEStudio  is definitely capable of doing this in a semi-automated way at least in my opinion it is highly unstable. Luckily, I found a project on GitHub called Rudra  which does an awesome job in analyzing PE files and PCAPs. Since it took me some time to figure out all dependencies I thought it would be a good idea to create a post to help fellow security guys installing this beast. Prerequisites While you can surely install it on Windows using Python I highly recommend a Linux server for this purpose. In my tutorial I'll use a Ubuntu Server 18.04 to get the job done. After installing the server, don't forget to run # sudo apt-get update # sudo apt-get upgrade Getting Rudra Clone the Rudra Repository from GitHub to your Ubuntu Server # git clone https://github.com/7h3rAm/rudra Installing the prerequesites To be honest, this is where the pain
Mehr anzeigen