{
	"id": "5a7149bd-08e6-4250-ad67-c7f229f4600b",
	"created_at": "2026-04-06T00:21:46.701095Z",
	"updated_at": "2026-04-10T03:21:16.760301Z",
	"deleted_at": null,
	"sha1_hash": "9fc03d70474ec2bf2f99283bdcb5c0d6453714ed",
	"title": "AlienSpy Payload Analysis | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 731415,
	"plain_text": "AlienSpy Payload Analysis | Proofpoint US\r\nBy Thoufique Haq, August 14, 2015\r\nPublished: 2015-08-15 · Archived: 2026-04-05 16:28:02 UTC\r\nThe media recently reported [1] on a potential targeted cyberattack on Alberto Nisman, an Argentine prosecutor who was found dead under mysterious circumstances. The file purportedly found on his phone was reported by the Argentine media to be named “Estrictamente Secreto y Confidencial.pdf.jar”, and as discovered and reported by the researcher Marquis-Boire, a file was indeed uploaded to VirusTotal [2] with the same name. The file was uploaded from Argentina and the upload is time stamped “2015-05-29 18:48:24”. The file is a JAR (Java Archive) file and is a variant of the AlienSpy Remote Access Trojan, or RAT.\r\nAlienSpy RAT supports multiple platforms, and payloads can be crafted for Windows, Linux, Mac OS X and Android operating systems. However, contrary to popular reporting, the JAR file may not have been intended as a payload for the prosecutor’s Android phone. Android payloads are typically APKs (Android Application Package) or native binaries compiled for ARM processors. While technically possible, it is not trivial to get JAR payloads to run on an Android operating system without installing a Java emulation engine. Instead, it is more likely that the payload was intended to be loaded on a desktop environment but may have been inadvertently downloaded on the Android phone, possibly through email or another vector.\r\nProofpoint threat analysts obtained a copy of the purported payload in order to examine it more closely, and this post will follow the process of that analysis. There already exist several good analyses on the AlienSpy RAT [3] [4], and good work has also been done writing decoders and configuration extractors for it [5]. 
This post will therefore focus on aspects of AlienSpy that have not been previously examined in detail in these other sources.\r\nTechnical Analysis\r\nAlienSpy payloads seen in the wild are typically obfuscated using Allatori, a commercial obfuscation product for Java that makes the code unreadable to prying eyes in order to evade easy detection. This particular payload was however packaged in an additional layer of obfuscation, which is not commonly seen in recent in-the-wild payloads for AlienSpy. The file structure of the top-level payload is shown in Figure 1.\r\nFigure 1: Structure of top-level JAR payload\r\nNote the large “Favicon.ico” file, not typically seen within JAR archives. When looking at the code it becomes clear that it is in fact an embedded JAR file that is loaded and executed in turn. The contents of the file are loaded using the method getResourceAsStream(), saved in a temporary path and then launched using the command “java -jar payload.jar”.\r\nhttps://www.proofpoint.com/us/threat-insight/post/You-Dirty-RAT\r\nPage 1 of 7\r\nFigure 2: Code snippets showing JAR file being unpacked from Favicon.ico\r\nThe JAR file that is unpacked and loaded has a structure that is commonly seen with Allatori-obfuscated files (Fig. 3). Allatori obfuscates class and variable names, making them difficult to read, and encrypts the original payload in a resource object.\r\nThere is also an embedded PDF file in the JAR archive called “Estrictamente Secreto y Confidencial.pdf” as seen in Figure 3. This is a decoy document that is launched in the foreground as the AlienSpy payload is executed, although the decoy document itself was found to be blank.\r\nFigure 3: Structure of embedded JAR file with Allatori obfuscation\r\nA demo version of Allatori v5.1 is used in this instance. The payload is encrypted using an RC4 encryption scheme.\r\n(Fig. 
4) The first clue that it is RC4 is the 256-byte array that is initialized with positional values 0-255 (0x00-0xFF). The array is then scrambled in the subsequent loop with the key stored in the variable “iiIIIIIiII4”. This 256-byte array is the substitution box or “Sbox” used in the RC4 encryption scheme.\r\nFigure 4: RC4 encryption scheme used to decrypt the final AlienSpy payload\r\nThe RC4 key is constructed from a combination of a dynamic and a static string. The static string is hardcoded in the code with the value “H3SUW7E82IKQK2J2J2IISIS”. The dynamic portion of the string is an 8-byte value that is extracted from the resource object called “ID”. The dynamic portion of the key is randomly generated at build time of the payload. The combined RC4 key in this instance was “oVs0Jp7kH3SUW7E82IKQK2J2J2IISIS”. We have also observed various other static keys being used with AlienSpy in samples seen in the wild.\r\nOnce decrypted, the following file structure is observed in the final decrypted AlienSpy JAR payload, revealing a wide range of features. These features can be further extended through secondary plugins the attacker can choose to push down to the victim’s machine.\r\nFigure 5: Structure of final decrypted payload\r\nThe AlienSpy RAT is very powerful in the hands of an attacker. 
Some of the key features supported by the RAT include:\r\nCollection of system information for fingerprinting and displaying on the attacker’s controller dashboard\r\nFile system, process and registry explorer with ability to view and modify\r\nAbility to run console commands\r\nKeylogging to capture user inputs\r\nAbility to download and execute secondary payloads\r\nCredential theft from various browser stores\r\nAbility to spy on victim through screenshots, webcam, microphone\r\nAbility to RDP (Remote Desktop) to infected clients\r\nAbility to mine various types of digital currency such as bitcoin, litecoin, dogecoin etc.\r\nThe config.xml file seen in the decrypted structure in Figure 5 contains the configuration of the RAT. The extracted configuration is shown below:\r\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?\u003e\r\n\u003c!DOCTYPE properties SYSTEM \"http://java.sun.com/dtd/properties.dtd\"\u003e\r\n\u003cproperties\u003e\r\n\u003ccomment\u003eAlienSpy\u003c/comment\u003e\r\n\u003centry key=\"pluginfolder\"\u003ecOzdAJCuee\u003c/entry\u003e\r\n\u003centry key=\"reconnetion_time\"\u003e3000\u003c/entry\u003e\r\n\u003centry key=\"ps_hacker\"\u003efalse\u003c/entry\u003e\r\n\u003centry key=\"restore_system\"\u003efalse\u003c/entry\u003e\r\n\u003centry key=\"pluginfoldername\"\u003ecOzdAJCuee\u003c/entry\u003e\r\n\u003centry key=\"dns\"\u003edeyrep24.ddns.net\u003c/entry\u003e\r\n\u003centry key=\"install_time\"\u003e3000\u003c/entry\u003e\r\n\u003centry key=\"port2\"\u003e1040\u003c/entry\u003e\r\n\u003centry key=\"port1\"\u003e1030\u003c/entry\u003e\r\n\u003centry key=\"taskmgr\"\u003efalse\u003c/entry\u003e\r\n\u003centry key=\"vmware\"\u003etrue\u003c/entry\u003e\r\n\u003centry key=\"jarname\"\u003edocumentos\u003c/entry\u003e\r\n\u003centry key=\"msconfig\"\u003efalse\u003c/entry\u003e\r\n\u003centry 
key=\"mutex\"\u003ewMiSl1X1o423a2hh45Uifk8duasdf2S\u003c/entry\u003e\r\n\u003centry key=\"install\"\u003etrue\u003c/entry\u003e\r\n\u003centry key=\"instalar\"\u003etrue\u003c/entry\u003e\r\n\u003centry key=\"vbox\"\u003etrue\u003c/entry\u003e\r\n\u003centry key=\"password\"\u003eca19d6a81d35685b87547898c5e000a5fc9be554\u003c/entry\u003e\r\n\u003centry key=\"NAME\"\u003eLocalhost\u003c/entry\u003e\r\n\u003centry key=\"extensionname\"\u003ejHs\u003c/entry\u003e\r\n\u003centry key=\"prefix\"\u003eofficce\u003c/entry\u003e\r\n\u003centry key=\"jarfoldername\"\u003e0o86gb96\u003c/entry\u003e\r\n\u003centry key=\"uac\"\u003efalse\u003c/entry\u003e\r\n\u003centry key=\"win_defender\"\u003efalse\u003c/entry\u003e\r\n\u003centry key=\"connetion_time\"\u003e3000\u003c/entry\u003e\r\n\u003centry key=\"folder\"\u003e0o86gb96\u003c/entry\u003e\r\n\u003centry key=\"jar\"\u003edocumentos\u003c/entry\u003e\r\n\u003centry key=\"pluginextension\"\u003ejHs\u003c/entry\u003e\r\n\u003centry key=\"registry\"\u003e389032\u003c/entry\u003e\r\n\u003centry key=\"ps_explorer\"\u003efalse\u003c/entry\u003e\r\n\u003centry key=\"p2\"\u003e1040\u003c/entry\u003e\r\n\u003centry key=\"p1\"\u003e1030\u003c/entry\u003e\r\n\u003centry key=\"registryname\"\u003e389032\u003c/entry\u003e\r\n\u003centry key=\"wireshark\"\u003efalse\u003c/entry\u003e\r\n\u003centry key=\"desktop\"\u003etrue\u003c/entry\u003e\r\n\u003centry key=\"nickname\"\u003eofficce\u003c/entry\u003e\r\n\u003c/properties\u003e\r\nThe configuration stores various settings such as the remote server and port to connect to, install paths, VM and security tools detection, registry persistence location, and others. It is interesting to note some Spanish-language strings in the settings, such as “documentos,” which hint at the origins of the attacker.\r\nThe AlienSpy RAT authenticates to the remote command and control server using a connection password. 
The connection password in this instance is listed in the configuration as the value “ca19d6a81d35685b87547898c5e000a5fc9be554”. This value is a SHA-1 hash of the string “7854”. The significance of this password to the attacker is unknown but it may serve as a good reference for future attack pivots since attackers often reuse settings by habit.\r\nTimeline of events\r\nThis timeline of the analyzed sample is constructed based on the various time stamps observed on the files, with the caveat that knowledgeable attackers are capable of altering digital timestamps.\r\nConclusion\r\nAttacks in the digital world are often a consequence of ongoing events in the real world. It is unclear whether this attack payload has any relevance to the death of Alberto Nisman, but the payload analyzed nonetheless shows the immense capability that a malware payload provides. RATs such as AlienSpy constitute powerful surveillance tools that would enable their operators to observe and collect information on the communications and actions of adversaries, making them attractive to state actors and cybercriminals alike. 
As we continue to observe ‘crossover’ in the traditional targeting of state actors and cybercriminals, public and private organizations need to be on alert for phishing and other attacks designed to deliver RATs such as AlienSpy onto client systems.\r\nPayload hash:\r\naa9aa05af8df2cc99eb936e2d17623a68abdbb60606bb097379457c4a3760116\r\nReferences:\r\n[1] http://motherboard.vice.com/read/malware-hunter-finds-spyware-used-against-dead-argentine-prosecutor\r\n[2] https://www.virustotal.com/en/file/aa9aa05af8df2cc99eb936e2d17623a68abdbb60606bb097379457c4a3760116/analysis/\r\n[3] http://blog.idiom.ca/2015/03/AlienSpy-java-rat-overview.html\r\n[4] http://www.fidelissecurity.com/sites/default/files/FTA_1015_AlienSpy_FINAL.pdf\r\n[5] https://github.com/idiom/IRScripts/blob/master/AlienSpy-decrypt-v2.py\r\nSource: https://www.proofpoint.com/us/threat-insight/post/You-Dirty-RAT",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/You-Dirty-RAT"
	],
	"report_names": [
		"You-Dirty-RAT"
	],
	"threat_actors": [],
	"ts_created_at": 1775434906,
	"ts_updated_at": 1775791276,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9fc03d70474ec2bf2f99283bdcb5c0d6453714ed.pdf",
		"text": "https://archive.orkl.eu/9fc03d70474ec2bf2f99283bdcb5c0d6453714ed.txt",
		"img": "https://archive.orkl.eu/9fc03d70474ec2bf2f99283bdcb5c0d6453714ed.jpg"
	}
}