{
	"id": "f0659615-e489-494a-861c-26008f521ab5",
	"created_at": "2026-04-06T00:09:24.760498Z",
	"updated_at": "2026-04-10T03:22:07.261135Z",
	"deleted_at": null,
	"sha1_hash": "678181576d180b62b2ac4e47618359352622ee7b",
	"title": "Python decryptor for newer AdWind config file - replicated from this Java version https://github.com/mhelwig/adwind-decryptor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 39481,
	"plain_text": "Python decryptor for newer AdWind config file - replicated from this\r\nJava version https://github.com/mhelwig/adwind-decryptor\r\nBy herrcore\r\nArchived: 2026-04-05 16:22:20 UTC\r\n#!/usr/local/bin/env python\r\n######################################################################################################\r\n##\r\n## Decrypts the AdWind configiration files!\r\n## ** May also work for other files **\r\n##\r\n##\r\n## All credit to Michael Helwig for the original Java implementation:\r\n## https://github.com/mhelwig/adwind-decryptor\r\n##\r\n## See his blog here:\r\n## https://www.codemetrix.net/decrypting-adwind-jrat-jbifrost-trojan/\r\n##\r\n##\r\n## Author: @herrcore\r\n##\r\n######################################################################################################\r\n# pip install javaobj-py3 not javaobj\r\ntry:\r\nimport javaobj\r\nexcept:\r\nprint \"You need to install javaobj-py3... try pip install javaobj-py3\"\r\nfrom Crypto.Cipher import AES\r\nfrom Crypto.PublicKey import RSA\r\nhttps://gist.github.com/herrcore/8336975475e88f9bc539d94000412885\r\nPage 1 of 3\n\nimport argparse\r\nimport sys\r\ndef __read_file(file_path):\r\nwith open(file_path, \"rb\") as fp:\r\ndata = fp.read()\r\nif not data:\r\nprint \"Error: file %s could not be read\" % file_path\r\nsys.exit(-1)\r\nreturn data\r\ndef main():\r\nparser = argparse.ArgumentParser(description=\"Decrypt AdWind configuration files.\")\r\nrequiredNamed = parser.add_argument_group('required named arguments')\r\nrequiredNamed.add_argument('--rsa_file', dest=\"rsa_file\", default=None, help=\"Specify path to the serialized RSA KeyRep file\r\nrequired=True)\r\nrequiredNamed.add_argument('--aes_file', dest=\"aes_file\", default=None, help=\"Specify path to the AES file (RSA encrypted)\"\r\nrequired=True)\r\nrequiredNamed.add_argument('--config_file', dest=\"config_file\", default=None, help=\"Specify path to the encrypted config file\r\nrequired=True)\r\nargs = parser.parse_args()\r\nrsa_data = __read_file(args.rsa_file)\r\naes_data = __read_file(args.aes_file)\r\nconfig_data = __read_file(args.config_file)\r\n# deserialize the KeyRep RSA file\r\npobj = javaobj.loads(rsa_data)\r\n# extract RSA DES key from deserilized class\r\nrsa_priv_bytes = ''.join([chr(y\u00260xff) for y in pobj.encoded._data])\r\nrsa_priv_crypt = RSA.importKey(rsa_priv_bytes)\r\naes_key_data = rsa_priv_crypt.decrypt(aes_data)\r\n## Split on '\\x00' and remove the first bit as it's padding\r\n## If this fails we could fall back to hard coded: aes_key = aes_key_data[:-16]\r\nhttps://gist.github.com/herrcore/8336975475e88f9bc539d94000412885\r\nPage 2 of 3\n\naes_key = aes_key_data.split('\\x00')[-1]\r\n# default java aes is ECB with null iv\r\niv = b'\\x00'*16\r\naes_crypt= AES.new(aes_key, AES.MODE_ECB, iv)\r\nptxt_config = aes_crypt.decrypt(config_data)\r\nprint ptxt_config\r\nif __name__ == '__main__':\r\nmain()\r\nSource: https://gist.github.com/herrcore/8336975475e88f9bc539d94000412885\r\nhttps://gist.github.com/herrcore/8336975475e88f9bc539d94000412885\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://gist.github.com/herrcore/8336975475e88f9bc539d94000412885"
	],
	"report_names": [
		"8336975475e88f9bc539d94000412885"
	],
	"threat_actors": [],
	"ts_created_at": 1775434164,
	"ts_updated_at": 1775791327,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/678181576d180b62b2ac4e47618359352622ee7b.pdf",
		"text": "https://archive.orkl.eu/678181576d180b62b2ac4e47618359352622ee7b.txt",
		"img": "https://archive.orkl.eu/678181576d180b62b2ac4e47618359352622ee7b.jpg"
	}
}