analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://www.dropbox.com/s/1i0j6s8a87aetm2/Credit%20Card%20Authorization.pdf.jar?dl=0

Full analysis: https://app.any.run/tasks/ea879bb3-4fe0-4e20-9d70-4651677b94ec
Verdict: Malicious activity
Threats:

Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.

Malware Trends Tracker     >>>
Analysis date: April 25, 2019, 15:51:16
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adwind
trojan
Indicators:
MD5:

155D12DC85D69E5C08305731DFDF7E73

SHA1:

3B69B802416B7F85EA0D777AD2A2A5CEC703D969

SHA256:

085F0D4EB426EAAC2BF2FB4AA9E5CFFC25841B72EF5697E19191D1092C6CC18C

SSDEEP:

3:N8DSLcVHGkuTa030q9Q6RCQSeERPsXrV:2OLHk1qK6PURPsXrV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • WScript.exe (PID: 4036)
      • reg.exe (PID: 3824)

    • Uses Task Scheduler to run other applications

      • WScript.exe (PID: 4036)

    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 3604)

    • Writes to a start menu file

      • WScript.exe (PID: 4036)

    • AdWind was detected

      • java.exe (PID: 2876)
      • java.exe (PID: 3504)

    • Loads dropped or rewritten executable

      • iexplore.exe (PID: 1388)
      • java.exe (PID: 2876)
      • wscript.exe (PID: 3384)
      • javaw.exe (PID: 3716)
      • explorer.exe (PID: 2036)
      • javaw.exe (PID: 3640)
      • svchost.exe (PID: 812)
      • javaw.exe (PID: 3452)
      • java.exe (PID: 3504)

    • Application was dropped or rewritten from another process

      • javaw.exe (PID: 3640)
      • java.exe (PID: 2876)
      • javaw.exe (PID: 3716)
      • javaw.exe (PID: 3452)
      • java.exe (PID: 3504)

  • SUSPICIOUS

    • Starts Internet Explorer

      • explorer.exe (PID: 2036)

    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 2228)

    • Creates files in the user directory

      • wscript.exe (PID: 3384)
      • javaw.exe (PID: 3716)
      • WScript.exe (PID: 4036)
      • xcopy.exe (PID: 2948)

    • Executes scripts

      • javaw.exe (PID: 3640)
      • wscript.exe (PID: 3384)
      • cmd.exe (PID: 1100)
      • cmd.exe (PID: 2664)
      • cmd.exe (PID: 2900)
      • cmd.exe (PID: 2568)
      • cmd.exe (PID: 3144)
      • cmd.exe (PID: 3296)
      • cmd.exe (PID: 2332)
      • cmd.exe (PID: 3376)

    • Executes JAVA applets

      • explorer.exe (PID: 2036)
      • wscript.exe (PID: 3384)
      • javaw.exe (PID: 3716)

    • Application launched itself

      • wscript.exe (PID: 3384)

    • Starts CMD.EXE for commands execution

      • javaw.exe (PID: 3716)
      • java.exe (PID: 2876)
      • java.exe (PID: 3504)
      • javaw.exe (PID: 3452)

    • Executable content was dropped or overwritten

      • xcopy.exe (PID: 2948)

    • Uses REG.EXE to modify Windows registry

      • javaw.exe (PID: 3716)

    • Uses ATTRIB.EXE to modify file attributes

      • javaw.exe (PID: 3716)

    • Starts itself from another location

      • javaw.exe (PID: 3716)

  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 1388)

    • Changes internet zones settings

      • iexplore.exe (PID: 3152)

    • Application launched itself

      • iexplore.exe (PID: 3152)
      • chrome.exe (PID: 2228)

    • Creates files in the user directory

      • iexplore.exe (PID: 1388)

    • Reads internet explorer settings

      • iexplore.exe (PID: 1388)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
102
Monitored processes
57
Malicious processes
9
Suspicious processes
1

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs javaw.exe no specs wscript.exe no specs wscript.exe javaw.exe no specs #ADWIND java.exe schtasks.exe no specs cmd.exe no specs cscript.exe no specs cmd.exe no specs cmd.exe no specs cscript.exe no specs cscript.exe no specs cmd.exe no specs xcopy.exe cscript.exe no specs svchost.exe no specs explorer.exe no specs reg.exe attrib.exe no specs attrib.exe no specs javaw.exe #ADWIND java.exe cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3152"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
1388"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3152 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2228"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
73.0.3683.75
2108"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=73.0.3683.75 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6fa60f18,0x6fa60f28,0x6fa60f34C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
73.0.3683.75
2252"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2408 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
73.0.3683.75
2484"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=964,15029044412879511854,9697648263475175853,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=1642180786742422191 --mojo-platform-channel-handle=916 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Version:
73.0.3683.75
1880"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=964,15029044412879511854,9697648263475175853,131072 --enable-features=PasswordImport --service-pipe-token=2537467805371948377 --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=2537467805371948377 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1984 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
2952"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=964,15029044412879511854,9697648263475175853,131072 --enable-features=PasswordImport --service-pipe-token=17292334668482777086 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=17292334668482777086 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2152 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Version:
73.0.3683.75
1524"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=964,15029044412879511854,9697648263475175853,131072 --enable-features=PasswordImport --service-pipe-token=1699695938151817537 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=1699695938151817537 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2132 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
3092"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=964,15029044412879511854,9697648263475175853,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=6818326567952493601 --mojo-platform-channel-handle=3608 --ignored=" --type=renderer " /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
Total events
2 981
Read events
2 733
Write events
0
Delete events
0

Modification events

No data
Executable files
110
Suspicious files
394
Text files
252
Unknown types
30

Dropped files

PID
Process
Filename
Type
3152iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:
3152iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
1388iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@dropbox[1].txt
MD5:
SHA256:
1388iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
MD5:
SHA256:
1388iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\41I7MH4N\Credit%20Card%20Authorization.pdf[1].jar
MD5:
SHA256:
3152iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF6A3A1C6B023B7B36.TMP
MD5:
SHA256:
3152iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF95BF940B4264BE96.TMP
MD5:
SHA256:
3152iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF2763ADE36E7304BE.TMP
MD5:
SHA256:
3152iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{FC29BD34-6771-11E9-B63D-5254004A04AF}.dat
MD5:
SHA256:
3152iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFE3C3AB745C31050D.TMP
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
85
DNS requests
34
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2228
chrome.exe
GET
200
172.217.130.73:80
http://r4---sn-2gb7sn7r.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=185.76.9.72&mm=28&mn=sn-2gb7sn7r&ms=nvh&mt=1556207426&mv=m&pl=25&shardbypass=yes
US
crx
842 Kb
whitelisted
2228
chrome.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJ9L2KGL92BpjF3kAtaDtxauTmhgQUPdNQpdagre7zSmAKZdMh1Pj41g8CEAU5fm3dSuY9dJCdoTinHgw%3D
US
der
471 b
whitelisted
2228
chrome.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX%2BJrHYM%3D
US
der
471 b
whitelisted
2228
chrome.exe
GET
302
172.217.22.78:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx
US
html
502 b
whitelisted
3152
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2228
chrome.exe
172.217.22.3:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
2228
chrome.exe
172.217.16.131:443
www.google.com.ua
Google Inc.
US
whitelisted
3152
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2228
chrome.exe
172.217.23.131:443
www.gstatic.com
Google Inc.
US
whitelisted
2228
chrome.exe
172.217.23.174:443
clients1.google.com
Google Inc.
US
whitelisted
1388
iexplore.exe
104.16.100.29:443
cfl.dropboxstatic.com
Cloudflare Inc
US
shared
1388
iexplore.exe
162.125.66.1:443
www.dropbox.com
Dropbox, Inc.
DE
shared
2228
chrome.exe
172.217.23.173:443
accounts.google.com
Google Inc.
US
whitelisted
2228
chrome.exe
172.217.22.78:80
redirector.gvt1.com
Google Inc.
US
whitelisted
2228
chrome.exe
162.125.66.1:443
www.dropbox.com
Dropbox, Inc.
DE
shared

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
www.dropbox.com
  • 162.125.66.1
shared
cfl.dropboxstatic.com
  • 104.16.100.29
  • 104.16.99.29
shared
dns.msftncsi.com
  • 131.107.255.255
shared
clientservices.googleapis.com
  • 172.217.22.3
whitelisted
www.google.com.ua
  • 172.217.16.131
whitelisted
accounts.google.com
  • 172.217.23.173
shared
clients1.google.com
  • 172.217.23.174
whitelisted
ssl.gstatic.com
  • 172.217.22.3
whitelisted
www.gstatic.com
  • 172.217.23.131
whitelisted

Threats

PID
Process
Class
Message
2228
chrome.exe
Potential Corporate Privacy Violation
ET POLICY Dropbox.com Offsite File Backup in Use
2228
chrome.exe
Potential Corporate Privacy Violation
ET POLICY Dropbox.com Offsite File Backup in Use
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2228
chrome.exe
Generic Protocol Command Decode
SURICATA STREAM excessive retransmissions
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://www.dropbox.com/s/1i0j6s8a87aetm2/Credit%20Card%20Authorization.pdf.jar?dl=0