{
	"id": "057bdbe0-4c5b-4589-ae88-a30ba81c37de",
	"created_at": "2026-04-06T00:11:02.416242Z",
	"updated_at": "2026-04-10T13:11:41.145624Z",
	"deleted_at": null,
	"sha1_hash": "89d39391f1a8bd8007731bebd329e8483bcaf670",
	"title": "Export JRAT/Adwind Config with x32dbg",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 341674,
	"plain_text": "Export JRAT/Adwind Config with x32dbg\r\nBy MlwrDssctng\r\nPublished: 2018-08-08 · Archived: 2026-04-05 18:09:09 UTC\r\nIn this blog post I'll explain how you can export the config of JRAT/Adwind to gather further insight into this kind of malware. The trick is that you must be aware that JRAT/Adwind creates a fake JAR and config at the beginning to confuse analysts. Afterwards, the real config and JAR are run.\r\nStep 1: Start x32dbg\r\nStep 2: Open java.exe\r\nhttps://dissectingmalware.blogspot.com/2018/08/export-jratadwind-config-with-x32dbg.html\r\nPage 1 of 4\r\nStep 3: Under Debug, choose \"Change Command Line\"\r\nStep 4: Point it to your suspected JRAT/Adwind JAR file\r\nStep 5: Create a breakpoint on \"CreateProcessInternalW\"\r\nHint: As mentioned earlier, this breakpoint will be hit multiple times since JRAT starts multiple processes (for example to detect AV solutions with the help of WMI etc.), so you should watch the Stack window of x32dbg to find the \"real\" call.\r\nStep 6: After hitting the breakpoint multiple times you should see something like this:\r\nAdwind is about to start the real JAR, and thus we can be sure that the real config must be somewhere in memory.\r\nStep 7: Switch to Memory Map, right-click and choose \"Find pattern\"\r\nStep 8: Since I've seen Adwind/JRAT configs multiple times, I know that the word \"DELAY_INSTALL\" is found somewhere in the config, so let's search for this string since it's pretty unique. You will find multiple matches:\r\nStep 9: Double-click on them to open the CPU view and check whether it is the right config. Hint: If the DNS_SERVER in the config is pointing to 127.0.0.1 you are looking at the dummy config, which is not what you are looking for, so repeat step 8 until you catch the right one.\r\nStep 10: Once you have found the right config, mark the text, right-click on it, choose \"Binary\" and \"Save to file\"\r\nCongratulations! You exported your first Adwind/JRAT config!\r\nSource: https://dissectingmalware.blogspot.com/2018/08/export-jratadwind-config-with-x32dbg.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://dissectingmalware.blogspot.com/2018/08/export-jratadwind-config-with-x32dbg.html"
	],
	"report_names": [
		"export-jratadwind-config-with-x32dbg.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434262,
	"ts_updated_at": 1775826701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/89d39391f1a8bd8007731bebd329e8483bcaf670.pdf",
		"text": "https://archive.orkl.eu/89d39391f1a8bd8007731bebd329e8483bcaf670.txt",
		"img": "https://archive.orkl.eu/89d39391f1a8bd8007731bebd329e8483bcaf670.jpg"
	}
}