Thursday, May 10, 2018

qthelegend: the new Qrypter for Adwind

Since last December, when I blogged  the first time about Qrypter, I've been tracking Adwind malware using this service. 

@abuse.ch wrote a very interesting post about the providers hosting the C2 infrastructure which is being used by malware encrypted with Qrypter.


Since a few weeks Qrypter has migrated to a new platform and doesn't use Tor any more












The new version of Qrypter uses a Java application running locally, which encrypts the files.



In order to use the application, the user must be registered and buy a license  (credits). 






I wanted to check if there is any substantial change in how the malware is encrypted with the service, hence I took a look to a recent sample. The behaviour analysis doesn't really show any difference. 





While debugging the malware  I can see the different Java processes executed until the final payload is decrypted and executed



In the end the configuration for the command and controlled is obtained the same way than with previous Qrypter version






During the analysis process, I can see the typical Adwind behaviour executing VB scripts for checking AV installed, local firewall and making itself persistent via the registry













Qthelegend, the new Qrypter, has not really change in terms of how the malware is encrypted.