{"id":2393,"date":"2026-05-13T15:52:05","date_gmt":"2026-05-13T13:52:05","guid":{"rendered":"https:\/\/cyber-detect.com\/reverse-analysis-of-malware-distributed-by-the-supply-chain-attack-on-jdownloader\/"},"modified":"2026-05-13T16:19:36","modified_gmt":"2026-05-13T14:19:36","slug":"reverse-analysis-of-malware-distributed-by-the-supply-chain-attack-on-jdownloader","status":"publish","type":"post","link":"https:\/\/cyber-detect.com\/en\/reverse-analysis-of-malware-distributed-by-the-supply-chain-attack-on-jdownloader\/","title":{"rendered":"[Reverse] Analysis of malware distributed by the Supply-chain attack on JDownloader"},"content":{"rendered":"
\n
<\/div>\n<\/div><\/div><\/div>\n\n
\n

The JDownloader website was compromised in early May 2026 and distributed a modified version of the Windows and Linux installers of JDownloader (https:\/\/www.bleepingcomputer.com\/news\/security\/jdownloader-site-hacked-to-replace-installers-with-python-rat-malware\/<\/a>)<\/em>, a Supply-Chain attack. This type of supply chain compromise attack is particularly formidable, as it exploits the legitimacy of the official website to infect unsuspecting users.<\/p>\n<\/div><\/div><\/div>\n\n

\n

The compromised versions of the JDownloader installer contain a loader (stage 2) that executes a Python RAT (stage 3) after disabling the antivirus software on the infected machine. <\/p>\n<\/div><\/div><\/div>\n\n

\n

<\/p>\n<\/div><\/div><\/div>\n\n

\n
\"\"<\/figure>\n<\/div><\/div><\/div>\n\n
\n

Attack summary<\/em><\/p>\n<\/div><\/div><\/div>\n\n

\n

We present here an analysis of this malware (md5: d3b398a757b424f91e645985ade00516)based on the results of our Gorille analysis engine. Gorille will verify the integrity of JDownloader installers by comparing functionalities with previously identified malicious functionalities.<\/p>\n<\/div><\/div><\/div>\n\n

\n

<\/p>\n<\/div><\/div><\/div>\n\n

\n

<\/p>\n<\/div><\/div><\/div>\n\n

\n

Identifying the malicious function with Gorille<\/h2>\n<\/div><\/div><\/div>\n\n
\n

<\/p>\n<\/div><\/div><\/div>\n\n

\n
\"\"<\/figure>\n<\/div><\/div><\/div>\n\n
\n

Main view of Gorille analysis<\/em><\/p>\n<\/div><\/div><\/div>\n\n

\n

<\/p>\n<\/div><\/div><\/div>\n\n

\n

The installer is detected by Gorille as sharing common code with several different malware. It successfully identified a malicious modification of the JDownloader installer. https:\/\/demo.gorille.tech\/file\/detail\/6a0483aafa6bd8c8ea7e71a4?publicToken=EDzRHRCguQnhVVUeB6b5ECJ_uqlVTGJjZYbWZLfAxOQ<\/a><\/a><\/p>\n<\/div><\/div><\/div>\n\n

\n
\"\"<\/figure>\n<\/div><\/div><\/div>\n\n
\n

Description of similarities in Gorille analysis<\/em><\/p>\n<\/div><\/div><\/div>\n\n

\n
\"\"<\/figure>\n<\/div><\/div><\/div>\n\n
\n

Display of Gorille similarity addresses \u2013 reverse engineering aid<\/em><\/p>\n<\/div><\/div><\/div>\n\n

\n

<\/p>\n<\/div><\/div><\/div>\n\n

\n

<\/p>\n<\/div><\/div><\/div>\n\n

\n

Gorille analysis goes further by targeting the problematic functionality in the compromised JDownloader installer code. To do this, simply list the addresses identified as malicious code. These addresses in the compromised JDownloader installer code target a very specific area of the installer: the sub_1400019e0 function.<\/p>\n<\/div><\/div><\/div>\n\n

\n
\"\"<\/figure>\n<\/div><\/div><\/div>\n\n
\n

Malicious function in the JDownloader installer <\/em><\/p>\n<\/div><\/div><\/div>\n\n

\n

This function notably performs a PEB walk to hide API calls \u2014 a highly suspicious behavior common to many malware \u2014 that Gorille is capable of detecting. This function notably performs a PEB walk to hide API calls \u2014 a highly suspicious behavior common to many malware \u2014 that Gorille is capable of detecting. <\/p>\n<\/div><\/div><\/div>\n\n

\n

<\/p>\n<\/div><\/div><\/div>\n\n

\n

<\/p>\n<\/div><\/div><\/div>\n\n

\n

Gorille put us on the right track to begin analysis<\/h2>\n<\/div><\/div><\/div>\n\n
\n

The explainability of Gorille results allows us to retrieve the exact locations it considers suspicious, enabling the function to be linked to functions that may have already been analyzed by reverse engineering teams. Here we immediately identified the API hashing function through similarity with other malware using the same type of functionality. <\/p>\n<\/div><\/div><\/div>\n\n

\n

<\/a><\/a>Here we immediately identified the API hashing function through similarity with other malware using the same type of functionality.<\/p>\n<\/div><\/div><\/div>\n\n

\n

<\/p>\n<\/div><\/div><\/div>\n\n

\n

<\/p>\n<\/div><\/div><\/div>\n\n

\n

<\/a>In-depth analysis of the malicious function<\/h2>\n<\/div><\/div><\/div>\n\n
\n

In this sub_1400019e0 function, we distinguish hidden calls to APIs, notably WriteFile and ShellExecute. We also identify a decryption loop: an xor that decrypts two files with the key ectb<\/p>\n<\/div><\/div><\/div>\n\n

\n
\"\"<\/figure>\n<\/div><\/div><\/div>\n\n
\n