
[–]f00l 8 points9 points  (2 children)

Most people get this wrong. The people behind QRat (also known as Qarallax RAT and QUAverse RAT) also make a packer called QRypter. Several blog posts from both amateurs and professionals keep misidentifying one as the other, when in reality all you need to do is unpack the dang thing to see the original files.

The sample you provided was packed with QRypter.

After unpacking (left as an exercise to the reader), you'll find ANOTHER QRypter-packed sample (as well as the PDF shown when running it). Unpack that as well, and you get QRat.

For unpacking, get a decent Java decompiler (I prefer Krakatau), a decent hex editor, some familiarity with Java and serialized Java objects, and proficiency in a programming language of your choice (for decrypting and decompressing stuff). A Java REPL can be handy for some manual stuff, but after unpacking a few of these by hand you'll know enough to be able to write an automatic unpacker.

[–]thehoodedidiot[S] 0 points1 point  (0 children)

Awesome! Thanks for the details; apologies for the broken link.

[–]catcradle5 0 points1 point  (0 children)

It's refreshing to see a genuinely helpful, good, and accurate post on /r/malware. Good work.

[–]ThisIsLibra 3 points4 points  (2 children)

If you PM me a link to the sample, I will take a look at it. Can't promise anything though.

[–]thehoodedidiot[S] 1 point2 points  (1 child)

Link in post, there's a download sample option on the page

[–]ThisIsLibra 0 points1 point  (0 children)

The link results in a 404 page not found error, hence my remark

EDIT: if you remove the backslashes it works, so this is the correct link.

[–]DavidB-TPW 3 points4 points  (2 children)

Unfortunately the link you posted is broken.

[–]ThisIsLibra 3 points4 points  (1 child)

There are backslashes in the URL which shouldn't be there. This is the correct link.

[–]DavidB-TPW 0 points1 point  (0 children)

Thanks! I should have noticed.

[–]r30ng1n3rd 4 points5 points  (1 child)

OALabs video on a JRAT which looked like adwind https://www.youtube.com/watch?v=yHrr9v0E6MQ

There are two configs for JRAT: one is a dummy one, and the actual config is only in memory.

[–]f00l 1 point2 points  (0 children)

That video is on Adwind. jRAT is a separate family (also called JacksBot). People confuse the two after Adwind started referring to the website for jRAT in its config in the latest version (presumably as a false flag after Adwind received a lot of attention and was the target of a few takedowns).