Analyzing Adwind / JRAT Java Malware
OALabs

Update: 2018-03-26

Description

Open Analysis Live! We analyze Adwind / JRAT malware using x64dbg and Java ByteCode Viewer. This was a subscriber request asking us to take a closer look at Adwind and how to extract the config...

Packed sample:
SHA256 - 937a18e19ad1579ffc5f9399830860c13fc9f54df4c3f4a0f9f15a658e02ddac
https://malshare.com/sample.php?action=detail&hash=f0abfd6d3fb0ba12a5d874b16ac753fc

Hybrid Analysis sandbox:
https://www.hybrid-analysis.com/sample/937a18e19ad1579ffc5f9399830860c13fc9f54df4c3f4a0f9f15a658e02ddac?environmentId=100

Decoy Adwind unpacked:
https://malshare.com/sample.php?action=detail&hash=c10199b8c0855b502d6edfe204bf7767

Adwind config:
https://pastebin.com/aq7K1GNY

Blog post on Adwind:
https://www.codemetrix.net/decrypting-adwind-jrat-jbifrost-trojan/

x64dbg:
https://x64dbg.com/#start

Java ByteCode Viewer:
https://bytecodeviewer.com/

Compile and run Java Class file
https://docs.oracle.com/javase/tutorial/getStarted/cupojava/win32.html

Java JAR basics
https://docs.oracle.com/javase/tutorial/deployment/jar/basicsindex.html

Python Adwind decryptor:
https://gist.github.com/herrcore/8336975475e88f9bc539d94000412885
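Before decrypting anything, the first triage step on an Adwind-style sample is to treat the JAR as what it is, a ZIP archive, and inventory it: read the manifest for the Main-Class entry point, confirm which entries are real class files (0xCAFEBABE magic, major version in bytes 6..7), and pull out the non-class resources, since those are the entries worth feeding to a decryptor. The script below is an added example written for this page; it is not OALabs code and not the gist linked above. It builds a toy JAR in memory as constructed test data (the entry names, manifest values and resource bytes are invented for illustration and say nothing about the real sample's layout) and then triages it the same way you would a file on disk.

```python
import io
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # every Java class file starts with this


def build_sample_jar() -> bytes:
    """Construct a toy JAR in memory. Constructed test data, NOT an Adwind sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Manifest with a folded (continued) line to exercise the parser.
        zf.writestr(
            "META-INF/MANIFEST.MF",
            "Manifest-Version: 1.0\r\n"
            "Main-Class: loader.Main\r\n"
            "Created-By: 1.8.0\r\n"
            " (Oracle Corporation)\r\n"
            "\r\n",
        )
        # Minimal class header: magic, minor=0, major=52 (Java 8), then padding.
        zf.writestr("loader/Main.class", CLASS_MAGIC + b"\x00\x00\x00\x34" + b"\x00" * 8)
        # Hypothetical resource entries standing in for an encrypted config/key.
        zf.writestr("resources/config.bin", bytes(range(32)))
        zf.writestr("resources/key.dat", b"K" * 16)
    return buf.getvalue()


def parse_manifest(text: str) -> dict:
    """Parse a JAR manifest. A line starting with one space continues the previous value."""
    attrs = {}
    last_key = None
    for line in text.splitlines():
        if not line.strip():
            break  # blank line ends the main section; per-entry sections follow
        if line.startswith(" ") and last_key is not None:
            attrs[last_key] += line[1:]
            continue
        key, _, value = line.partition(":")
        last_key = key.strip()
        attrs[last_key] = value.strip()
    return attrs


def triage_jar(data: bytes) -> dict:
    """Inventory a JAR: entry point, class files (with major version), and resources."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        manifest = {}
        if "META-INF/MANIFEST.MF" in names:
            manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))

        classes, class_versions, bad_magic = [], {}, []
        resources = {}
        for name in names:
            if name.endswith("/"):
                continue  # directory entry
            if name.endswith(".class"):
                head = zf.read(name)[:8]
                if head[:4] == CLASS_MAGIC and len(head) >= 8:
                    classes.append(name)
                    class_versions[name] = int.from_bytes(head[6:8], "big")
                else:
                    bad_magic.append(name)  # named .class but not a class file
            elif not name.startswith("META-INF/"):
                resources[name] = zf.getinfo(name).file_size

    return {
        "main_class": manifest.get("Main-Class"),
        "manifest": manifest,
        "classes": classes,
        "class_versions": class_versions,
        "bad_magic": bad_magic,
        "resources": resources,
    }


def extract_entry(data: bytes, name: str) -> bytes:
    """Pull one entry's raw bytes out of the JAR (e.g. to hand to a decryptor)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


if __name__ == "__main__":
    jar = build_sample_jar()
    report = triage_jar(jar)
    print("Main-Class:", report["main_class"])
    for cls in report["classes"]:
        print("class", cls, "major version", report["class_versions"][cls])
    for res, size in report["resources"].items():
        print("resource", res, size, "bytes")
```

To run it against a real file, replace `build_sample_jar()` with `open(path, "rb").read()`; the `bad_magic` list is the one to watch, since a `.class` entry that does not start with the magic is either corrupt or deliberately disguised data. The major version tells you which JDK the sample targets (52 is Java 8), which matters when you later compile and run extracted classes as in the Oracle tutorial linked above.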

Feedback, questions, and suggestions are always welcome : )

Sergei https://twitter.com/herrcore
Sean https://twitter.com/seanmw

As always check out our tools, tutorials, and more content over at http://www.openanalysis.net