Unknowcrypter and Fudcrypt are strongly linked and either the actor creating both services is the same or they are working together.
In order to use the service and encrypt Java/JS files it is necessary to use a windows application and a valid account.
The sample from the campaign "The Story of Manuel’s Java RAT" 5b7192be8956a0a6972cd493349fe2c58bc64529aa1f62b9f0e2eaebe65829be
is the perfect candidate to be dissected.
Looking at the JS code, the first interesting part is the "obfuscation" function for the payload.
The variable hp_pavilion is the final payload which it is base64 encoded.
Below is the snippet code from fudcrypt:
After decoding the payload stored in hp_pavilion, there is again another round of base64 encoded strings, which are stored in LongText1 and LongText
LongText1 is just a base64 encoded and the output is a JS script which I will analyse later.
LongText is the malicious payload, the Java RAT, which it is base64 encoded but some characters needs to be swapped, in this case "@>" with "A".
This is the exact same behaviour than in Fudcrypt:
Then, the script checks if Java Run Environment is installed. If not, this is download from hxxp://www.thegoldfingerinc[.]com/images/jre.zip
Fudcrypt does exactly the same and in the same manner. See the code from fudcrypt
Lastly, the Java RAT is made persistent via the Registry key "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ntfsmgr which it is the same exactly registry key name used by fudcrypt.
The remaining part is the script linked to the LongText1. This is script, after deobfuscation, leads to a JS script which is a worm name vjw0rm.
Although this code is not used, it has C2 capabilities.
To summarise: unknowncrypter and fudcrypter are the same crypter service but using to different script languages as output for the obfuscation. The only difference is the C2 capabilities which are gathered by two different malware, one for JS while the other is for VBS.
The analysis of the JavaRAT payload, which it is Adwind, is here