Since last December, when I first blogged about Qrypter, I have been tracking Adwind malware that uses this service.
@abuse.ch wrote a very interesting post about the providers hosting the C2 infrastructure that is used by malware encrypted with Qrypter.
A few weeks ago Qrypter migrated to a new platform and no longer uses Tor.
The new version of Qrypter uses a Java application that runs locally and encrypts the files.
In order to use the application, the user must register and buy a licence (credits).
I wanted to check whether there is any substantial change in how the malware is encrypted with the service, so I took a look at a recent sample. The behavioural analysis doesn't really show any difference.
While debugging the malware I can see the chain of Java processes that are executed until the final payload is decrypted and run.
In the end the command and control configuration is obtained the same way as with the previous Qrypter version.
During the analysis I can see the typical Adwind behaviour: executing VB scripts to check the installed AV and the local firewall, and making itself persistent via the registry.
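The chain just described (a Java launcher spawning further Java processes, a Windows Script Host process running the VB scripts, and a Run-key write for persistence) is easy to turn into detection logic. The script below is an added example and is not code from this post, from Qrypter or from Adwind; the log format (kind|pid|ppid|image|detail), the sample events and the sample VBS snippet are all constructed here to resemble a simplified process-creation and registry-event export, and the WMI class names it looks for (AntiVirusProduct, FirewallProduct in root\SecurityCenter2) are the ones such AV/firewall checks normally query.

```python
"""Toy detection logic for the Adwind execution chain described above.

Added example, not code from the post or from any product. The log format
(kind|pid|ppid|image|detail) and all sample data are constructed.
"""
import re
from dataclasses import dataclass

JAVA_IMAGES = {"java.exe", "javaw.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# root\SecurityCenter2 classes that VBS-based AV / firewall checks query
SECURITY_CENTER_CLASSES = ("AntiVirusProduct", "FirewallProduct")
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
WMI_QUERY_RE = re.compile(r"\bfrom\s+(\w+)", re.I)


@dataclass
class Event:
    kind: str     # "proc" (process creation) or "reg" (registry value set)
    pid: int      # for "reg" events: the writing process
    ppid: int
    image: str    # lower-cased basename of the process image
    detail: str   # command line for "proc", target key path for "reg"


def parse_event(line: str) -> Event:
    kind, pid, ppid, image, detail = line.split("|", 4)
    return Event(kind, int(pid), int(ppid), image.rsplit("\\", 1)[-1].lower(), detail)


def flag_process_chain(events):
    """Return (rule, pid) pairs for Java-spawned Java and script-host processes."""
    procs = {e.pid: e for e in events if e.kind == "proc"}
    findings = []
    for e in events:
        if e.kind != "proc":
            continue
        parent = procs.get(e.ppid)
        if parent is None or parent.image not in JAVA_IMAGES:
            continue
        if e.image in JAVA_IMAGES:
            findings.append(("java_spawns_java", e.pid))
        elif e.image in SCRIPT_HOSTS:
            findings.append(("java_spawns_script_host", e.pid))
    return findings


def flag_persistence(events):
    """PIDs of Java processes that wrote a value under a Run key."""
    return [e.pid for e in events
            if e.kind == "reg" and e.image in JAVA_IMAGES and RUN_KEY_RE.search(e.detail)]


def flag_script_body(vbs_text: str):
    """Security Center WMI classes queried by a dropped VB script."""
    queried = {m.group(1) for m in WMI_QUERY_RE.finditer(vbs_text)}
    return {c for c in SECURITY_CENTER_CLASSES if c in queried}


def analyse(log_text: str, vbs_text: str) -> dict:
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    return {
        "process_chain": flag_process_chain(events),
        "persistence": flag_persistence(events),
        "wmi_queries": flag_script_body(vbs_text),
    }


# Constructed sample telemetry (not real data).
SAMPLE_LOG = r"""
proc|1000|500|C:\Windows\explorer.exe|explorer.exe
proc|1200|1000|C:\Program Files\Java\bin\javaw.exe|javaw.exe -jar C:\Users\u\Downloads\invoice.jar
proc|1300|1200|C:\Program Files\Java\bin\java.exe|java.exe -jar C:\Users\u\AppData\Local\Temp\stage2.jar
proc|1400|1300|C:\Windows\System32\wscript.exe|wscript.exe C:\Users\u\AppData\Local\Temp\check.vbs
reg|1300|1200|C:\Program Files\Java\bin\java.exe|HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\updater
proc|1500|1000|C:\Windows\System32\notepad.exe|notepad.exe
"""

# Constructed VBS body modelled on an AV check via WMI.
SAMPLE_VBS = r"""
Set oWMI = GetObject("winmgmts:\\.\root\SecurityCenter2")
Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")
For Each objItem in colItems
    WScript.Echo objItem.displayName
Next
"""

if __name__ == "__main__":
    for rule, hits in analyse(SAMPLE_LOG, SAMPLE_VBS).items():
        print(rule, hits)
```

The three rules are deliberately kept separate: a Java process spawning another Java process is common for legitimate launchers, so on its own it is only a weak signal, but combined with a Java-spawned script host and a Run-key write from the same process it gives a much better match for this chain.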
Qthelegend, the new Qrypter, has not really changed in terms of how the malware is encrypted.