BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details

Adwind

adwind trojan
37
Global rank
58 infographic chevron month
Month rank
57 infographic chevron week
Week rank
0
IOCs

Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.

Trojan
Type
Likely Mexico
Origin
1 January, 2012
First seen
18 November, 2024
Last seen
Also known as
Unrecom
Sockrat
Frutas
jRat
JSocket

How to analyze Adwind with ANY.RUN

Trojan
Type
Likely Mexico
Origin
1 January, 2012
First seen
18 November, 2024
Last seen

IOCs

Last Seen at
18 November, 2024
Malicious activity
build.jar
adwind
java
rat
remote
17 November, 2024
Malicious activity
www.mediafire.com
arch-scr
adwind
java
arch-html
15 November, 2024
Malicious activity
RNSM00317.7z
evasion
opendir
java
adwind
trojan
lokibot
stealer
apt10
apt
arch-scr
15 November, 2024
Malicious activity
RNSM00319.7z
evasion
ransomware
java
adwind
trojan
autoit
lokibot
stealer
arch-scr
15 November, 2024
Malicious activity
RNSM00322.7z
evasion
java
adwind
trojan
ransomware
lokibot
stealer
arch-scr
upx
14 November, 2024
Malicious activity
RNSM00353.7z
ransomware
evasion
java
adwind
trojan
arch-scr
12 November, 2024
Malicious activity
www.mediafire.com
arch-scr
adwind
java
arch-html
evasion
12 November, 2024
Malicious activity
www.mediafire.com
arch-scr
adwind
java
arch-html
11 November, 2024
Malicious activity
github.com
github
arch-exec
adwind
java
8 November, 2024
Malicious activity
RATNIGGA.jar
adwind
rat
remote
java
TRACK THEM ALL AT
Public Submissions
Last Seen at
18 November, 2024
Malicious activity
build.jar
adwind
java
rat
remote
17 November, 2024
Malicious activity
www.mediafire.com
arch-scr
adwind
java
arch-html
15 November, 2024
Malicious activity
RNSM00317.7z
evasion
opendir
java
adwind
trojan
lokibot
stealer
apt10
apt
arch-scr
15 November, 2024
Malicious activity
RNSM00319.7z
evasion
ransomware
java
adwind
trojan
autoit
lokibot
stealer
arch-scr
15 November, 2024
Malicious activity
RNSM00322.7z
evasion
java
adwind
trojan
ransomware
lokibot
stealer
arch-scr
upx
14 November, 2024
Malicious activity
RNSM00353.7z
ransomware
evasion
java
adwind
trojan
arch-scr
12 November, 2024
Malicious activity
www.mediafire.com
arch-scr
adwind
java
arch-html
evasion
12 November, 2024
Malicious activity
www.mediafire.com
arch-scr
adwind
java
arch-html
11 November, 2024
Malicious activity
github.com
github
arch-exec
adwind
java
8 November, 2024
Malicious activity
RATNIGGA.jar
adwind
rat
remote
java
TRACK THEM ALL AT
Public Submissions

Recent blog posts

post image
6 Common Persistence Mechanisms in Malware
watchers 323
comments 0
post image
Automated Interactivity: Stage 2
watchers 2186
comments 0
post image
HawkEye Malware: Technical Analysis
watchers 3149
comments 0

Contents

  • What is Adwind RAT?
  • General description of Adwind
  • Adwind RAT malware analysis
  • Adwind execution process
  • How to avoid infection by Adwind?
  • Distribution of Adwind
  • How to export process graph from the analysis of Adwind malware using ANY.RUN?
  • Conclusion

Recent blog posts

post image
6 Common Persistence Mechanisms in Malware
watchers 323
comments 0
post image
Automated Interactivity: Stage 2
watchers 2186
comments 0
post image
HawkEye Malware: Technical Analysis
watchers 3149
comments 0

What is Adwind RAT?

Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a remote access trojan available as MaaS ( Malware-As-A-Service ). Adwind can collect user and system data, control the webcam of the infected machine, capture screenshots, install and run other malicious programs, log keystrokes, steal web browser passwords, and more.

First identified in January 2012, Adwind can’t be called a new malware, but it managed to become as popular as ransomware despite the age. In fact, in 2015, over 1,800 people purchased Adwind on its “official” website, making the site one of the most popular malware distribution platforms globally. It should be noted that Adwind poses a danger to users of all major operating systems, including Windows, Mac OS X, Linux, and BSD.

General description of Adwind

Initially discovered for the first time in 2012, the malware was known as Frutas and presumably originated in Mexico. For the initial year of Adwind’s existence, the creator released multiple versions, all distributed on Spanish hacker forums for free.

The feature-set of the original version was somewhat limited as compared to the latest iteration of the virus. As such, in 2012, Adwind RAT could capture screenshots, steal passwords from selected online services, open specific web pages and take screenshots, as well as display pop-up messages.

In 2013, the creator of the malware released a new version, changing its name to Adwind. The new version added support for Android OS and started to gain traction outside of the Spanish hacker community, becoming a popular tool worldwide. Following the popularity of the malware, the author has set up a YouTube channel to post tutorials for other cybercriminals. During the same year, the first-ever case of Adwind malware used in a targeted attack was documented in Pacific Asia. In November 2013, the malware was rebranded as UNRECOM and sold to Unrecom Soft. The rebranded version of Adwind retained all functionality of the previous iteration.

In 2014, the source code of Adwind was leaked. As a result, it became available online free of charge, becoming a popular tool among cybercriminals who widely used the cracked versions in attacks during 2014 and 2015, further contributing to the overall popularity of Adwind. In response to the leak, the “official” version of Adwind Trojan was significantly upgraded and re-released as AlienSpy in October 2014. The Adwind RAT v3.0 learned to auto-detect sandboxes, gained cryptographically secured communication with the control server, and became capable of detecting and disabling antiviruses.

Finally, in 2015, the malware was renamed once again, becoming a JSocket RAT. As a malware-as-a-service, Adwind RAT is sold to users for a fixed fee charged monthly as a subscription and could be purchased at JSocket.org until the website became unavailable. The price depends on the package which the user chooses.

Based on the analysis, Adwind requires active actions from the potential victim to start the execution process. As such, being delivered in a malicious .JAR file, the malware won’t be able to execute itself until the victim double-clicks on the attachment.

Adwind RAT malware analysis

ANY.RUN interactive service enables researchers to perform the analysis of the execution process of Adwind Trojan in a secure environment in multiple formats, including video.

adwind execution process graph

Figure 1: Visual process graphs generated by ANY.RUN help to simplify and speed up research work

text report of the Adwind malware analysis Figure 2: ANY.RUN creates customizable text reports allowing researchers to share the results of the simulation easily

Adwind execution process

In the case of our simulation, after a user opened the malicious .jar file, the malware started execution through Java virtual machine. This initial process executed the js script, which ran one more js script and another .jar file.

JS script also used Task Scheduler to run itself later. Jar file started a series of malicious activities such as using attrib.exe to mark files or folders as hidden, running VBS script files, changing the autorun value in the registry, and more. It has been noted that sometimes Jar file runs a series of taskkill commands to shutdown processes by their names based on a list containing names of system processes, names of common Anti-virus programs, and analyzing programs wireshark.exe, procexp.exe, processhacker.exe, and so on. It should be noted that this malware doesn't work without installed Java.

How to avoid infection by Adwind?

Exhibiting caution when handling emails from unknown senders is a reliable way to prevent contamination since Adwind trojan requires a victim to interact with the malicious file to enter an active phase. Therefore, never downloading attachments in suspicious emails is a sure way to stay safe when you are dealing with any malicious objects such as ransomware, RAT, or others. In addition, preventing .JAR files from running in %AppData%[random folder name], and prohibiting the creation of .JAR in the same folder can be considered a good security measure.

Distribution of Adwind

Adwind RAT is distributed in mail spam campaigns the same as AZORult or Remcos and has two general attack vectors. It can be delivered to the victim's machine as an email attachment in the form of a malicious file such as a PDF or a Microsoft Office file.

The other attack vector is a malicious URL that redirects the victim to a website from where Adwind is downloaded.

How to export process graph from the analysis of Adwind malware using ANY.RUN?

Analysts can export the process graph from a task to SVG format if they want it to share. Just click on the "Export" button and choose "Export Process Graph (SVG)" in the drop-down menu.

adwind process graph Figure 3: Adwind's process graph exported in SVG format

Conclusion

Distributed as a malware-as-a-service, the Adwind RAT v3.0 has become one of the most popular RATs and targets users of all major operating systems worldwide.

Not only is the “official” paid version of the malware is known to have created a massive following, but several slightly outdated but still very powerful cracked, free-to-use versions are readily available online on the underground hacking forums together with ransomware. As a result, today, Adwind remains a serious, active, and, perhaps, even growing threat.

HAVE A LOOK AT

Gh0st RAT screenshot
Gh0st RAT
gh0st
Gh0st RAT is a malware with advanced trojan functionality that enables attackers to establish full control over the victim’s system. The spying capabilities of Gh0st RAT made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common vector of attack involving this malware begins with spam and phishing emails.
Read More
WarmCookie screenshot
WarmCookie
badspace
WarmCookie is a backdoor malware that cyber attackers use to gain initial access to targeted systems. It is often distributed through phishing emails, frequently using job recruitment lures to entice victims into downloading and executing the malware.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
GuLoader screenshot
GuLoader
guloader
GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
DarkGate screenshot
DarkGate
darkgate
DarkGate is a loader, which possesses extensive functionality, ranging from keylogging to crypto mining. Written in Delphi, this malware is known for the use of AutoIT scripts in its infection process. Thanks to this malicious software’s versatile architecture, it is widely used by established threat actors.
Read More