Analyzing Adwind / JRAT Java Malware

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

[Music] hi folks and welcome to another episode of open analysis live so today what we're gonna do is we're going to take a look at a sample that a subscriber practic Mehta sent in he wanted us to take a look at adwin or jay rat it's a java-based rat and I think it's commercially available or it's sold it's configurable and it has some interesting properties of course the fact that it's written in Java is pretty interesting to start out with but there's also some other cool stuff going on with the Packer with the sample that protects on us in addition to the fact that it's written in Java they've actually used a java-based packer called Q Ripper to pack the sample so in the video today we're gonna take a look at how the krypter kind of works I'm not gonna go too deep into it but we'll at least take a quick pass at it and then we'll also talk about some quick tricks that you guys can use to quickly get the config out of adwin if you don't want to like manually do you off escape the whole thing there's a few tricks that will get it to but first before we do that a few housekeeping things so I first off I want to give a shout out to Duncan Ogilvie I think he's one of the developers for x64 debug but either way he's leaving some really helpful tips on different tricks that you can use when you're using x64 debug I've pinned a couple of his comments so thanks for watching on can really awesome and I'm definitely using tricks that he send in and also showed it to Sergey diabla who's been leaving a lot of comments on a lot of our videos so I'm a little strange but Muslim super helpful so thanks to you as well and thanks to everyone else who's leaving comments as well but just a special shout out for those too and also as I've mentioned before Sean and I are working on a separate project so that's why we're not posting every week but we're still aiming for a video a week but this other project is sort of taking some time so just stay tuned for that it is coming and we are working on it every time you see us miss a video a week it just means that we're working on this other thing so hopefully sometime soon we can announce that ok so without further ado let's take a look at our sample here so the first thing I did when I got this odwin sample is I just threw it in hybrid analysis because I wanted to take a look at the process tree here so we can see there's a lot of stuff going on here and once we start getting into this and analyzing it some of this will make sense but right now the main thing to keep in mind here is that it is Java so we are going to see it being executed via the java exe so it's interpreted and we're also want to pay special attention to the that there are multiple Java executions here so this is our original pac---- jar that's the sample that I was given and then you can see that we're executing something that was dropped in temp and we're executing it as a jar and if we follow this process tree down there's another Java executable being launched in user profile and a bunch of stuff happening and if you kind of look at it quickly it looks like some of these processes here are duplicated down here so that might be important later on so with that in mind let's pop over to our VM and I'll show you how I have this set up for analyzing Java so today we're using a Windows 7 x86 VM with Java installed on it we have process Explorer here running as administrator as per usual and I have the admin jar copy did the desktop here now a couple of things before we dive into it the first being that Java is interpreted as I mentioned before so the way this works is you write Java code and then it's compiled into an intermediate language called Java bytecode and then that bytecode is actually interpreted by the Java executable so it's kind of like a script almost you can think of it like that it's not a script but you can think of it as if it is like a script and this is kind of important for how we execute it and how we set our hooks and stuff like that so in order to actually run the jar we need a Java executable installed so as I mentioned we have Java installed in this VM and just to show you guys we have it installed here in Program Files Java JRE 1.8 bin and then Java dot exe so that's the exe that's actually going to be running this jar file right here so the quick way that I want to approach this is I want to open the Java exe in a debugger and lean on some of the skills that we already have because we know how to do be executable and I'm not super familiar with Java and I don't really know how to hook up a Java debugger so I'd rather just debug the exe and let it run the Java do its own thing and we'll just see what API access it's using to interact with windows so let's pop open our x64 debug which is x-33 debug on this VM because it's a 32-bit VM so we'll open the java exe here so what we're going to do is we're going to change the command line arguments here so that this exe is actually running the admin jar so do we do a dash jar and then we want to send it the path to this file right here so I'm going to find path here there we go so now when this exe runs it's going to run this adwin sample as a jar now if you're not familiar with the command-line arguments for java dot exe they're fully documented and i will link to a small tutorial on running java applications in the description of the video below okay so now that we have this set the next thing we that we want to do is we want to reload our program here so now we're actually running the adwin jar and i want to set a breakpoint on create process internal w like we always do and the reason why is because if we just pop back to our browser here what I'm doing is I want to set a breakpoint on create process internal so that when this process here is created we stop execution and we can take a look at what this file is here we can actually copy it over and take a look at it and also we don't go any further we can sort of stop our analysis and start poking around basically so that's why I'm setting on creat proces internal again this might be a little unorthodox for those of you who are more familiar with Java malware the reason why I'm doing this is because I'm super familiar with how to debug executables so why not use the skills that I already have to try and take some shortcuts when looking at this Java sample so that's why I'm doing it so let's use one of these tips that Duncan left for us so we'll do debug advanced run until expression create process internal W okay now normally it would run until you hit that breakpoint but we already have a breakpoint on entry point so we have to just click run once more so we're running here and we've hit our first breakpoint on create process internal and if we look at the arguments that are sent to create process internal on the stack here so let's just scroll over a bit we can see that we're starting Java dot exe with the jar command and we are running a file that has been dropped in the temp directory let's go and grab that file one thousand six one thousand six dot class we'll just copy this and we'll paste it onto our desktop here okay so if we're add this now there's one more thing I want to note here even though this has the class extension which is a Java bytecode cloud file we're seeing that it's actually run as a jar so the thing about Java is it doesn't really care about the extension of the file if you run it with this switch jar it's gonna run it as a jar not as a glass file so that's important to note that this might be some weird thing that the developer is done or something strange is happened here where the file is being referred to as a jar even though it says class so we're gonna just change the extension of this later on to jar and we're gonna talk a little bit of what what a jar is and sort of dig into this file and see what's going on so for right now we don't have to proceed any further will actually kill our execution here we don't want to create that extra process and let's take a look at this file here in a java decompiler so the first thing we need to do is we need to rename it so let's just - our desktop and we'll move and we'll call it stage 1 da jar so now we have stage 1 jar so like I said at the beginning of the video compiled Java is actually an intermediate language called bytecode and it's actually pretty easy to decompile so I've installed something called bytecode viewer here which is a tool and open source tool I'll link in the description of the video below and it'll do the D compiling for us so we can just run it it's a little bit weird I think there's a couple errors yeah you get some angry stuff going on here but it'll still run it's fine and we can drag our stage one over here and take a look at what's going on so let's make this bigger and so what it's done is it's actually decompiled this jar into all the folders and files here it looks like they're nice and obfuscated so these are class files if I scroll over you can see class and like I'm at route for class well is compiled by code and you can think of the jar as the program but really what it is is it's actually a zip that combines a whole bunch of class files into a package and for each jar there's gonna be a manifest which tells you what the main class is so here's our manifest here and it's gonna tell us what the main classes here so operational jurat is the class that's actually being called when you run the jar file so we can go over to operational Jay rat and take a look at it now this tool leaves something to be desired you have like a split view where they show you some D compiled version here some D compiled version here I guess maybe you can compare them but what I'm gonna do is I'm gonna rearrange this a little bit so that our first pane is byte code here and our second pane is none and I'll kill this and I'll open it up again there we go so we have a bit of a better view here it's just something about the defaults that for this tool kind of trying to fix it a little bit so we can see here if you're not familiar with Java syntax it's not a big deal it's super close to C so it's actually probably one of the most intuitive and easy programming language is to use if you used object-oriented programming in any other language and even though I'm not an expert in Java at all I can still kind of figure out what's going on there are a lot of libraries that are relied on when you're compiling Java all of them have pretty intuitive names and of course the dot notation is similar to C++ so you can cut into it what's going on again just to recap you have the jar which is a package of compiled Java files in the jar there's a manifest file the manifest file tells you which file the execution starts with so we saw in the manifest file that operational j-rok was the first file so we went into operational j-rod and now we're looking at the decompiled bytecode by looking at that we can see that W and then this long class name something Zed is the class that's actually being called by main so we can see here's our W folder and if we look this is definitely obfuscated like they've thrown in this weird string man in the sky is just repeated again and again and again but at the end here you can see that there is a letter at the end of this man in the sky so this is like a a a B etc etc there's one down here called Z or Z if you're American and if we go to it we can see the decompile bytecode here but the thing is this obfuscation is making it really hard to see what's going on so I actually did something at this point this is a pretty unique confiscation string I'm gonna Google for it and see if I can't find someone who's already done an analysis of this so that's actually a good tip if you're trying to reverse engineer a piece of malware that's super popular like a commercial piece of malware that's being sold so there's a lot of it out there there's probably gonna be a couple good blog posts on this before you look at it and so sometimes you can lean on that for a little bit of help and in this case I certainly did there's an excellent blog post here on decrypting jay rat and you can see that in this blog post the same office gation was used in these files this guy who wrote the blog post had a pretty cool idea just to like replace the obfuscation with a regular expression so that's what I'm gonna do here and I'll show you guys what that looks like so in order to decompile all the files together we can just go into file and then do you compile and save all classes and we're gonna get to choose where we want to save the file so we're gonna save it as stage one in the desktop and then we're gonna get to choose our D compiler here so we're gonna use CF r which is pretty decent one should give us what we need it's gonna take a minute to decompile here and then once it's done we'll see the file on the desktop here okay so another we D compiled it let's pop over to our host our command show will unzip this and we'll do some regular expressions to replace all of the office Gatien here in the files and then we'll take a look at it in sublime and take a closer look at the code and see what's going on okay so back on our host here we'll do an LS you can see that we've copied our stage one zip over so we'll unzip it and now we have a bunch of these files here so they're in the W directory so if we CD into W here and what we're gonna do is we're gonna use some bash shell commands here to replace these filenames with the repeated man of the sky string with only one man in the sky string so we're gonna use a for loop here to loop through every Java file and for each Java file we're gonna take the name of the file we're gonna pass it through said which is like a replace batch command and we're gonna replace man in the sky here with nothing so at the end of this we should have instead of man sky repeating a million times only one man in the sky and then the little letter at the end of each file here so let's do an LS okay so we fixed that up now the second thing we need to do is use another bash command line to replace repeated man in the sky strings inside each file so not only do we need to replace the file names but also the references to the file names inside these files so to do that we're gonna use another command here find again the exact same thing we're a new find all the files with star dot Java so all these files here and we're gonna use said again but instead of doing set on the file name we're gonna do set on the actual file itself and we're gonna place man in the sky here with only one man in sky so let's do that so now that that's done let's open all these files in sublime and take a closer look so remember when we were looking at our j rat class file it was telling us that man and sky zed was the file that was actually being executed by that class so now we've open it up now a lot of this looks kind of garbled because the D compiler isn't amazing but I think we should be able to make sense of this now keep in mind that while I was going through this I was also looking at that excellent blog which I will link in the description below which was super helpful in figuring out what's going on here but the first thing we want to do is we see a bunch of stuff going on here we can see some strings here which might be interesting but let's start at the front here we have a bunch of classes and they're doing something on null so let's take a look at this class here so it's me and the sky I so where's our I here right here so we open it up and we can see there is some more strings in here it's kind of interesting and we see some silly stuff going on here so you see here how there are a bunch of strings and they're being assigned to these variables which look like keywords so this is something to do with the D compiler I don't understand it but what I see here is things that should be keywords in Java are actually being used as variable names again I don't know why this is happening but it makes this confusing a look at so it's probably useful to kind of rename these years okay so now it looks a little bit better there's no more keywords being used as variables anywhere that we see this class name here being referenced super we're going to know that it's actually var Drive so let's pop back to the Zed file here and we'll see where those are referenced so we saw super is reference right here and against uber is var drive and we see this is var box so where is this being used it's being used here and void is of our download there we go so we've kind of replaced C so now we can see that this whole thing is actually that Drive string so this is gonna sort of make things look a little bit easier here and then this is the download is the download string and for our box is the box string okay so before we go any further I want to walk back to the VM and show you guys that these aren't actually references to other files inside that jar so if we pop back here to our VM frame and expand this and then look in the tree we can see that those files drop top box mega downloaded sky that drive are actually files that are contained inside that jar that we extracted so these strings actually reference files inside the jar so it looks like they're probably acting on them somehow maybe they are encrypted or compressed somehow and that's what I wanted to get a look at next I want to see what's actually being done to them so in order to do that we're going to need to use some intuition here because this Java code is definitely not be compiled correctly but I'll try and make the best of it to try and explain how it all fits together the first thing to do is rename these variables so that they have the right references I'm just renaming these so that some of this starts to make sense once we dig into the classes because with everything obfuscated with generic names it's gonna be too hard to follow as we go deeper and deeper into each class because there's a lot of nested classes here so we need to kind of rename stuff as we go to try and remember what it referenced here we've renamed a couple things and we can see that these are used again down here ok so the next thing we want to clean this up a little bit here we have object to reference to object 6 reference to object so I'm just gonna take this reference out here and I'm going to rename this here object 6 so the reason why I'm doing this is because now we can see that both download and box are being assigned to something in object 6 which is this instantiation of this class here so what we probably want to do is take a look at this class and see what's going on so that is maintenance guy l okay now we see something interesting so now we can see we scroll down a little bit and we can see that the person actually describes what we're talking about so it opens the RSA private key repository class which is serialized in SkyDrive so we saw that it uses the RSA key to decrypt the AES key which is stored in Dropbox which we also saw and then it uses the AES key to decrypt a mega download which we saw and if we pop back here I think that the order is mixed up a little bit so we are seeing Dropbox is the final file that's being decrypted and mega download is the one that has the AES key in it so the Java file that we're looking at is a little bit flipped from the blog post but it's enough for us to figure out what's going on here so what I've done is I've actually recreated this algorithm in Python I won't bore you guys with the details of writing that I'll just paste it in here so the way it works is it reads in those three files we pass them as command-line arguments ABC realises what was in the RSA data file and then it pulls out the RSA private key out of that deserialized file and then from there it decrypts the AES file that contains the AES key so once we have the AES key we take off some of the padding because there's some extra padding being done in Java and then from there we decrypt the last file which contains a configuration file I'll show you guys in a second so the only thing that's important to note here is I had a little bit of research and the default AES decryption mode for Java so if you don't supply any parameters for AES the default mode is ECB and they use an IV of 16 null bytes so of course usually you would specify unique IV and you would specify the AES encryption mode but Java allows you to build an AAS encryption and decryption class without specifying these so these are actually default parameters I found this actually through trial and error took a little bit of time to figure that out so when we want to re implement this algorithm it's important to note that you have to specify these that's the only kind of tricky part about this the rest of it is quite straightforward the other cool thing that I want to mention here is I found a python library Java obj age is actually Java deserialization library for Python so we can actually deserialize that file other than that this is pretty straightforward like I said I'll link it in the description below and without further ado let's test it out on this jar file that we've extracted here so back on the command line here do an LS here we have the i/o in Decrypter python file now here's an important thing to note when we D compiled these class files using this tool it created a zip file but that zip file didn't include the extra data that was in the jar file so what I'm gonna do is I'm actually going to copy this jar file over and like I mentioned before a jar files even though they have the jar extension it's actually just a zip file that contains all of these compiled class files as well as the manifest file so if you change the extension from jardín zip you can just unzip it and of course we need to unzip it because we need to access these files here so we can actually just feed them to the Python tool so what I'm gonna do here is I'm going to grab a stage one jar and I'm gonna copy it over to my hosts as well okay so let's take a look here through an LS so we can see that we have the stage one jar so let's rename that move stage one dot jar and we'll call it stage one underscore jar and we will unzip it here so now that we've unzipped it so we can see these files are now accessible so let's use the Python tool and we'll see if we can't actually decrypt that file and see what's in it use the help file see what we do so we do our essay alright run it and it prints out a little bit of XML here and if we read this XML we can see this reference is some more fun which if we look up here we can see these files were also extracted so you see here these are other files that are extracted and they're referenced in this XML so we can see a server path password encrypted and private password so if we take kind of a leap here and say like maybe they're using the same encryption scheme a second time and again this is backed up by the blog post but it's a pretty safe assumption you hear something that's a private password an encrypted password and something else that sounds a lot like the RSA private key the encrypted AES key and the config file so let's actually try and run this a second time on these files and see what happens so our private password sounds like our RSA private key so let's change this to be the RSA private key and the AES file sounds like the password encrypted and the server path is the last one so let's assume that that's maybe a config file here now I've done this before and I know that this will actually decrypt a jar file so I'm gonna send the results to stage to jar because I don't want it all printing out to the screen here so if we take a look at X stuff - see - and 100 of stage - we can see the first few bytes RPK which is the magic byte for a zip file and again a jar is just a zip file so now we have a stage to jar that we can take a look at and see what it's doing so let's make a new folder called stage - and we'll unzip this second jar there and see what it's doing okay so it looks like there's some maybe obfuscated classes in here it's like there's some libraries that have been compiled in which looks good and there are some resources here look it's our it's our old friend two keys one configuration file I wonder if they're using the same encryption method again you know this looks like a little bit more friendly jar to look at let's take a look at the manifest here so server dot may not start it's the first class file that's actually being run and this actually looks like the add wind jar unpacked and what I'm going to do is I'm going to run that encryption scheme again on these resources here and we'll see if we can't figure out what's going on here with these extra files so I'm going to assume that perky one is the RSA key that just makes sense I mean key one key to and a configuration file that it seems so intuitive okay and it prints out what looks like a configuration file for add wind that's what's encrypting this config something to note here the network configuration stuff is set to localhost so here's where we take a pause and we talk about the difference between add wind and queue rip there the encrypter so doing a little bit of research here it looks like this jar is in fact the adwin jar matches up with a lot of public blog posts on add wind the classes match up when you dig into them and this configuration file is a well-known configuration file format for adwin however it's a dummy config this is actually one of the tricks that the adven developers are using now they actually drop a fake adwin jar in the temp directory and execute it with the dummy config and it doesn't really do much on the system then they continue on and they actually dynamically load using like some reflection and some other really complex stuff that we're not going to cover in this video a legitimate copy of add wind with a real config so let's go back to the sandbox run and we'll see in the process tree some of this will start to make sense so if we pop back here here's where we are we've actually analyzed this jar file that was run in the temp directory and if you look at what's actually spawned from this you can see cmd.exe is run and a bunch of other stuff but if we look down here and we see this second run of java we can see that this also drops a class in the temp directory where a bunch of stuff is run but then if we look down the process tree a whole bunch more things happen after this second drop in the temp directory and this is a Java file that's being run from user profile so doing some investigation not of the actual Java itself but looking at how it runs in the sandbox it looks like all of this here is actually just fake add wind now there's a weakness here that we're going to exploit they've given a unpacked hadwin sample to analyze even though it's a dummy copy it's going to have a lot of attributes that the real adwin sample has so we can actually use those attributes against the real adwin sample so I'm going to show you guys how to do this next and this is the big trick for those of you stuck around through all that analysis here's the actual trick to analyzing adwin so if we go back and look here at our command line we know that at some point they're going to decrypt a configuration file that is going to at least have some of these strings in it and we also know from looking at our process tree that when they actually run the real version of adwin it's gonna be run from user profile and it's gonna be run not with the dot jar extension so what I'm going to do is I'm going to set up this scenario using our pact file the original sample I'm gonna move it into user profile and I'm gonna rename it with just some random extension I'm going to run it again with x64 debug and I'm going to hook create process internal and when I see it try and create this second jar here I'm going to actually look through memory and see if I can't find that configuration file with the real config values in it and that's the real trick here this trick is pretty well known and the developers don't seem to really be able to do anything about it so we don't feel so bad about releasing this particular trick the takeaway here would be that a lot of the time even if you're doing a lot to encrypt configuration files for your malware at some point it's probably going to exist in memory regardless of what you do and this is especially true for Java or interpreted languages where you don't have as much lower level control without doing a lot of extra work so for these interpreted languages this is usually true where you can probably pull stuff out of memory quite easily so without further ado let's go back to our VM and we'll see if we can't make this work okay so the first thing we want to do is we want to make a random directory and user profile and then copy the admin jar over to another file with just a random extension so we're just gonna use like a DW so we'll first make sure okay so we've made our directory and then we'll copy just a DW so we just call it a DW a DW so now that we've copied that over let's x64 debug again and we're going to load up Java dot exe and we're gonna give it that new path to the new jar that we just copied over I think I said in my recent here yeah and I want to change the command line arguments so we'll do a dash jar and it's an ADW and we called it PWD okay so we're gonna run java dot exe - jar user profile ADW aw aw and that's the original add wind packed jar file so just like we saw in the process tree a second ago and we'll reload that so now we're gonna do our trick again but at this time instead of using the one-shot break point that I used before we're gonna use an actual break point on create process internal W because we're probably gonna have to hit that a couple times to get the config to show up in memory so we're gonna use our VP W ok so we set our break point on create process internal W and now we're just going to run we go to the entry point and we're gonna run again and we should hit create process internal so we've hit it here and if we look at the argument being passed to create process internal it is for a jar and the jar is the same class thing that we saw before so this is probably the dummy version of admin in the temp folder so what we're gonna do is we're going to just keep running I'm gonna see if we hit something else with create process internal so the reason why we do this is because we want the add wind sample to execute a little bit further into the process tree before we go and start looking for stuff in memory so we have an actual exception here happening let's just take a quick peek in memory I don't remember this happening before but maybe we've executed far enough for us to actually get that configuration file in memory so we'll come over here and we'll do a search and remember if we go back and look at the dummy configuration file let's try and find a string in there that we can use to search in memory so here's our dummy configuration file so I would normally search for something like Network but that might be a common string I think a much less common string would be something like delay install so I'm going to search for that string in memory here ok and we didn't get any references to it so it means that we haven't actually executed far enough in the program so that's ok so we'll click on here and see if we can't get to our break point so we've hit create process internal here again so let's take a second look here and see if we've got the configuration file in memory this time okay so now we have some hits so let's go and take a look here at what we have in memory so now we have a configuration file and if we scroll up a bit here we actually have some data in the network this is not a dummy configuration file so this is the quick trick now we went through this whole long tutorial just to show you guys a few tricks for like how to decompile java how to look at it just some background but really if you're looking at adwin this is the only thing you have to do it really only takes like a minute you just run a debugger put a breakpoint on create process internal allow it to step through and start the dummy jar then allow it to hit the next process that it starts which is a C script process I think and then just look in memory for one of the strings for the configuration file and you can pull it out so let's copy this configuration file out to a txt file now so we can take a look at it so to do that we're going to just highlight the strings here I think it's quite large yeah alright so we can see the closing bracket here so now that we have that all highlighted we can do a right-click binary and then save to file and we'll just save it to the desktop here as config CFG txt and now that it's saved we can open it up and here's our configuration file dumped out and nice and easy for us to look at I won't go into detail with what's going on with each one of these entries in the config file but if you recall we already dumped out a clean version of the adwin jar and now we have a real config file so we could in theory put those together and sort of run into sandbox to see what's going on or we can take some time and look at the Java files for add wind with the D compiler read through them and see what's going on and how they match up with each one of these entries in the configuration file but as we usually do on this channel I'll leave that for an exercise for you guys to do at home what I will do is I will link a copy of the unpacked adwin jar in the description of the video below as well as the sample so you can download those and I'll put a copy of this text file up on a gist and I'll link to that as well so you guys can play around with that so I know this has been a little bit different because we're looking at Java instead of compiled binaries and I know that we jump to some conclusions while we were looking at the decompile Java because if you compiler kind of missed some stuff and I think when I did the Find and Replace I might have messed up some strings so I know that that was in the cleanest but I think that's kind of a realist of you how I looked at the before I prepared the video I did as much work as quickly as I could with the decompiled Java then I searched for the blog post and I kind of put the two together and that's actually kind of a simulation of how we do things for real this video is probably closer to a real-life example of what we'd be doing when we're reverse engineering something especially something that's known and so common like add wind so hopefully you found that interesting and hopefully you found some tips in here that you guys can use for other samples there isn't really a lot of java malware out there I mean it's it's super in common actually believe some of the tricks might be useful in other scenarios especially keeping in mind that when you have interpreted languages like Java or scripting languages which are run by an exe that interprets the code you can always use your fundamental skills where you are interacting with the binary with a debugger and hooks to take a look at how that script or the intermediate language is actually interacting with Windows so even if you don't understand the language that the malware is written in you can at least kind of get somewhere with it using those fundamentals and then you might have to build on top of that so that's kind of part of what I wanted to demonstrate here with odwin and also the fact that you guys now have a nice little trick if you guys have to deal with adwin in the wild you have this trick to dump out the configuration files so hopefully this is useful for you guys thanks so much to protect for sending in the sample it's definitely a good one kind of interesting to do something a little bit different so thanks for that for sure and of course another huge shout out to Michael Holick who is the author of the original blog post that I was talking about who did the original Java D obfuscators also a huge shout out to an unnamed source in a frozen Norway who helped me a lot on some of the cue ripped or encryption stuff so I didn't put that in this video because that's something I don't think I want to go into depth with because it could be used to improve the tool I don't want to do QA for free from malware developers so I didn't put that in the video and I think that we're able to produce a good video without including that but a huge thank you to that anonymous source for pointing me in the right direction and didn't want to be named but thank you very much hat tip to you so with that I do want to say keep those comments coming they're amazing keep the samples coming remember if you aren't subscribed to subscribe down below turn on the little bell for notifications well try to do one video a week I'm not very good at keeping up with that but we're trying to fully we can keep this up and until next week keep exposing the mechanics behind the malware and stay curious

Info

Channel: OALabs

Views: 8,894

Rating: 4.9153438 out of 5

Keywords: malware, adwind, jrat, java, bytecode viewer, java decompile, x64dbg, config, malware analysis, debugging, qrypter, open analysis live, openanalysis.net

Id: yHrr9v0E6MQ

Channel Id: undefined

Length: 33min 23sec (2003 seconds)

Published: Mon Mar 26 2018