Closed DigiAngel closed 4 years ago
Can you give me more details? What executions did you select? And please provide a download link without login.
Oh yeah... sorry about that. Tried to have it run... but that was it. File is here:
https://transfer[.]sh/GbeVv/PO6671.jar
I can provide a screenshot if needed (it's a VM and not running currently). Thank you!
You need to select executions before running threadtear. This file looks like it was obfuscated with Allatori. I will maybe make an execution for this obfuscator.
Awesome....so since it's obfuscated there's nothing to execute....ok cool thank you!
I think you didn't understand me correctly. The file was obfuscated with an obfuscator called Allatori. To deobfuscate files you have to select executions in threadtear and click "Run". Right now I'm working on a deobfuscator for Allatori. You can't reverse class name / member name obfuscation, as you can't retrieve the original names, but string obfuscation and flow obfuscation (unnecessary jumps in the bytecode) CAN be reversed.
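To make the "unnecessary jumps" part of the comment above concrete, here is an added example (not threadtear's own code, and not Allatori's actual scheme) of the simplest flow-cleanup pass: an ASM tree-API transform that drops a GOTO whose target is the very next real instruction, since falling through reaches the same place. The sample method, the class name `RedundantGotoRemover` and the method name `f` are constructed for illustration; the only dependency is `org.ow2.asm:asm-tree`.

```java
import org.objectweb.asm.Opcodes;
import org.objectweb.asm.tree.AbstractInsnNode;
import org.objectweb.asm.tree.InsnList;
import org.objectweb.asm.tree.InsnNode;
import org.objectweb.asm.tree.JumpInsnNode;
import org.objectweb.asm.tree.LabelNode;
import org.objectweb.asm.tree.MethodNode;
import org.objectweb.asm.tree.VarInsnNode;

import java.util.ArrayList;
import java.util.List;

public class RedundantGotoRemover {

    /**
     * Removes every GOTO whose target label is reached by falling through,
     * i.e. only pseudo-instructions (labels, line numbers, frames; opcode -1)
     * sit between the GOTO and its target. Returns how many were removed.
     * The label itself is kept, because other jumps may still point at it.
     */
    public static int removeRedundantGotos(MethodNode mn) {
        InsnList insns = mn.instructions;
        List<AbstractInsnNode> toRemove = new ArrayList<>();
        for (AbstractInsnNode insn : insns) {
            if (insn.getOpcode() != Opcodes.GOTO) {
                continue;
            }
            LabelNode target = ((JumpInsnNode) insn).label;
            AbstractInsnNode next = insn.getNext();
            // Walk forward over pseudo-instructions only; stop at the first real one.
            while (next != null && next.getOpcode() == -1) {
                if (next == target) {
                    toRemove.add(insn);
                    break;
                }
                next = next.getNext();
            }
        }
        // Remove after iterating so the list is not mutated during traversal.
        for (AbstractInsnNode insn : toRemove) {
            insns.remove(insn);
        }
        return toRemove.size();
    }

    /** Constructed sample (hypothetical): "return x + 1" with two pointless "goto L; L:" pairs inserted. */
    static MethodNode sample() {
        MethodNode mn = new MethodNode(Opcodes.ACC_PUBLIC | Opcodes.ACC_STATIC, "f", "(I)I", null, null);
        InsnList il = mn.instructions;
        LabelNode l1 = new LabelNode();
        LabelNode l2 = new LabelNode();
        il.add(new VarInsnNode(Opcodes.ILOAD, 0));
        il.add(new JumpInsnNode(Opcodes.GOTO, l1)); // redundant: l1 is the next node
        il.add(l1);
        il.add(new InsnNode(Opcodes.ICONST_1));
        il.add(new JumpInsnNode(Opcodes.GOTO, l2)); // redundant: l2 is the next node
        il.add(l2);
        il.add(new InsnNode(Opcodes.IADD));
        il.add(new InsnNode(Opcodes.IRETURN));
        return mn;
    }

    public static void main(String[] args) {
        MethodNode mn = sample();
        int before = mn.instructions.size();
        int removed = removeRedundantGotos(mn);
        System.out.println("removed " + removed + " redundant GOTOs, "
                + before + " -> " + mn.instructions.size() + " nodes");
    }
}
```

On the constructed sample this removes both GOTOs and leaves the label nodes in place. In a real cleanup you would read the class with `ClassReader`, run this over every `MethodNode`, and write it back with `ClassWriter.COMPUTE_FRAMES` so stack map frames are regenerated after instructions are dropped.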
I added an allatori string deobfuscator, as well as an expiry date remover. Now concerning your jar file: Turns out it's a "Quarallax Payload". I think it simply executes the driver.dll.
OMG I'm an idiot...I didn't realize you had to add things to execute...thank you so much!
It's a malicious file... results just show run was finished and nothing else.
https://app.any.run/tasks/49e499f0-f924-47ee-8bac-2695c3a24c15/