Sample
Analysis
Goal
Decompile the main malware code and figure out where it downloads the next stage. If the download URL is no longer available, the dead-drop URL will suffice.
This ZIP archive is downloaded by this InnoSetup sample. You may want to start analyzing there.
Description
This is a JPHP sample; it runs on the JVM. With some tweaks, you can decompile the JPHP code with standard Java bytecode decompilers.
Recommended Tools
Recaf