A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #27645  by futex
 Thu Jan 14, 2016 2:18 pm
Hello all,

I need help analysing an Adwind malware sample. It's coded in Java, but all Java decompilers fail to retrieve the Java code (for example, jd-gui just shows the class names) and its bytecode is quite hard to analyse.

I have found a McAfee analysis where they succeeded in retrieving the Java code, but they don't explain how they did it. If someone has an idea, I'm interested to know.

https://www.virustotal.com/fr/file/f701 ... /analysis/
and
https://www.virustotal.com/fr/file/ccca ... /analysis/

Thank you!
 #27651  by jurg
 Fri Jan 15, 2016 8:07 am
Use a proper decompiler (https://github.com/Storyyeller/Krakatau is quite good) and you should get decent decompiled code.

Those two files are JSocket. To get to the actual payload you need to decrypt them - KevTheHermit's AlienSpy script in https://github.com/kevthehermit/RATDecoders decodes the payload but doesn't store it - it just extracts the config. It is trivial to modify the script to store the payload as well. Both the dropper and the actual payload are obfuscated with Allatori; function names and class names are randomized.
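Added example, not from this thread and not part of the RATDecoders script: before modifying a decoder to dump the payload, an analyst usually wants to know which entry inside the dropper JAR is the encrypted blob. This scan reads every entry of a JAR and flags non-class resources whose byte entropy is near the 8.0 ceiling, which is what an encrypted payload looks like. The JAR it scans is constructed inline (a manifest, a fake class, and a seeded pseudo-random resource standing in for the payload); the entry names are made up.

```python
import io
import math
import random
import zipfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the ceiling, reached only by uniformly random data."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_jar(jar_bytes: bytes, threshold: float = 7.5, min_size: int = 1024):
    """Return (name, size, entropy) for every file entry, plus the names of
    non-.class entries of at least min_size bytes whose entropy exceeds the
    threshold. Entries are decompressed before measuring, so deflate does
    not inflate the numbers."""
    rows, suspicious = [], []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            ent = shannon_entropy(data)
            rows.append((info.filename, len(data), round(ent, 2)))
            if not info.filename.endswith(".class") and len(data) >= min_size and ent > threshold:
                suspicious.append(info.filename)
    return rows, suspicious


def build_sample_jar() -> bytes:
    """Constructed stand-in for a dropper JAR (not a real sample): a manifest,
    a fake class (magic bytes plus zeros), and one resource of seeded
    pseudo-random bytes playing the role of the encrypted payload."""
    rng = random.Random(1337)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: a.b\n")
        zf.writestr("a/b.class", b"\xca\xfe\xba\xbe" + b"\x00" * 2000)
        zf.writestr("a/IIlIl.dat", bytes(rng.getrandbits(8) for _ in range(4096)))
    return buf.getvalue()


if __name__ == "__main__":
    rows, hits = scan_jar(build_sample_jar())
    for name, size, ent in rows:
        print(f"{ent:5.2f}  {size:6d}  {name}")
    print("candidate encrypted payloads:", hits)
```

Point `scan_jar` at the bytes of a real dropper to get the same table; the flagged entry is the one to feed into the decryption step.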
 #27660  by futex
 Fri Jan 15, 2016 12:03 pm
Great, Krakatau decompiles it easily. Thank you jurg!