GraxCode / threadtear

Multifunctional java deobfuscation tool suite
GNU General Public License v3.0

Fails to function on a file / Allatori support #4

Closed DigiAngel closed 4 years ago

DigiAngel commented 4 years ago

It's a malicious file... results just show the run was finished and nothing else.

https://app.any.run/tasks/49e499f0-f924-47ee-8bac-2695c3a24c15/

GraxCode commented 4 years ago

Can you give me more details? What executions did you select? And please provide a download link without login.

DigiAngel commented 4 years ago

Oh yeah... sorry about that. Tried to have it run... but that was it. File is here:

https://transfer[.]sh/GbeVv/PO6671.jar

I can provide a screenshot if needed (it's a VM and not running currently). Thank you!

GraxCode commented 4 years ago

You need to select executions before running threadtear. This file looks like it was obfuscated with Allatori. Will maybe make an execution for this obfuscator.

DigiAngel commented 4 years ago

Awesome... so since it's obfuscated there's nothing to execute... ok, cool, thank you!

GraxCode commented 4 years ago

I think you didn't understand me correctly. The file was obfuscated with an obfuscator called Allatori. To deobfuscate files you have to select executions in threadtear and click "Run". Right now I'm working on a deobfuscator for Allatori. You can't reverse class name / member name obfuscation, as you can't retrieve the original names, but string obfuscation and flow obfuscation (unnecessary jumps in the bytecode) CAN be reversed.

GraxCode commented 4 years ago

I added an Allatori string deobfuscator, as well as an expiry date remover. Now concerning your jar file: turns out it's a "Quarallax Payload". I think it simply executes the driver.dll.

DigiAngel commented 4 years ago

OMG, I'm an idiot... I didn't realize you had to add things to execute... thank you so much!