| Field | Value |
|---|---|
| File name | BL-copy.jar |
| Full analysis | https://app.any.run/tasks/733085f4-1d24-432d-9658-4bfdffd00d9b |
| Verdict | Malicious activity |
| Threats | Adwind RAT (also known as Unrecom, Sockrat, Frutas, jRat and JSocket) is a Malware-as-a-Service Remote Access Trojan used to collect information from infected machines. It was one of the most widely sold RATs in 2015. |
| Analysis date | April 15, 2019, 07:43:52 |
| OS | Windows 7 Professional Service Pack 1 (build 7601, 32-bit) |
| Tags | |
| Indicators | |
| MIME | application/zip |
| File info | Zip archive data, at least v1.0 to extract |
| MD5 | 5F713A5D6E168BE181044C1E7782F697 |
| SHA1 | 7FC6FAA2424D80EEE4B9248EC26D9D0BDA356802 |
| SHA256 | 170F17235E705F08EAE4D3FFED748593A2015B89E32555BEBFA14304E23BABAC |
| SSDEEP | 12288:CJgMahLg4+ORvsFAnlwPV70wjwv1dHPCcNvSj/IOA/3JY:GgMa1g4+ORvsDxkv1JPCoqDgfO |
| Extension | File type (match %) |
|---|---|
| .jar | Java Archive (78.3) |
| .zip | ZIP compressed archive (21.6) |
| Zip field | Value |
|---|---|
| ZipFileName | META-INF/MANIFEST.MF |
| ZipUncompressedSize | 40 |
| ZipCompressedSize | 42 |
| ZipCRC | 0x2ed11cfb |
| ZipModifyDate | 2019:04:11 10:05:06 |
| ZipCompression | Deflated |
| ZipBitFlag | - |
| ZipRequiredVersion | 10 |
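The MIME type application/zip, the type split between Java Archive and ZIP, and the Zip* fields reported for META-INF/MANIFEST.MF all follow from a JAR being a zip container. As an added example (not code from the report or from any tool it used), the Python below reproduces that metadata for a JAR constructed in memory: it hashes the file, reads each entry's local file header by hand, cross-checks it against the central directory, and parses the manifest's main attributes. The entry names and Main-Class are constructed; the entry timestamp is chosen to match the report's ZipModifyDate.

```python
"""Static triage of a JAR: hashes, zip local-file-header fields, manifest.

Added example, not code from the ANY.RUN report. The JAR is constructed in
memory (hypothetical entry names) so the script runs offline; the fields it
extracts mirror the report's Zip* lines for META-INF/MANIFEST.MF.
"""
import hashlib
import io
import struct
import zipfile
from datetime import datetime

LOCAL_HEADER_SIG = 0x04034B50        # "PK\x03\x04"
LOCAL_HEADER_FMT = "<IHHHHHIIIHH"    # 30-byte local file header
COMPRESSION = {0: "Stored", 8: "Deflated"}
MANIFEST = "Manifest-Version: 1.0\r\nMain-Class: loader.Start\r\n\r\n"  # constructed


def build_sample_jar() -> bytes:
    """Constructed sample: manifest plus a stub class, timestamped like the report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in (("META-INF/MANIFEST.MF", MANIFEST.encode()),
                              ("loader/Start.class", b"\xca\xfe\xba\xbe" + b"\x00" * 28)):
            zi = zipfile.ZipInfo(name, date_time=(2019, 4, 11, 10, 5, 6))
            zi.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(zi, payload)
    return buf.getvalue()


def file_hashes(data: bytes) -> dict:
    return {alg: hashlib.new(alg, data).hexdigest().upper()
            for alg in ("md5", "sha1", "sha256")}


def local_headers(data: bytes) -> list:
    """Parse each entry's local file header straight from the bytes.

    The central directory (via zipfile) supplies the header offsets; the local
    header is decoded by hand so a mismatch between the two, a classic trick
    for confusing extractors and scanners, shows up as crc_ok == False."""
    entries = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            off = info.header_offset
            (sig, version, flags, method, mtime, mdate, crc,
             csize, usize, nlen, _xlen) = struct.unpack_from(LOCAL_HEADER_FMT, data, off)
            if sig != LOCAL_HEADER_SIG:
                raise ValueError(f"no local header at offset {off} for {info.filename}")
            name = data[off + 30: off + 30 + nlen].decode("utf-8", "replace")
            modified = datetime(1980 + (mdate >> 9), (mdate >> 5) & 0xF, mdate & 0x1F,
                                mtime >> 11, (mtime >> 5) & 0x3F, (mtime & 0x1F) * 2)
            entries.append({
                "name": name,
                "required_version": f"{version // 10}.{version % 10}",  # 10 -> "1.0"
                "compression": COMPRESSION.get(method, f"method {method}"),
                "crc": f"0x{crc:08x}",
                "crc_ok": crc == info.CRC and name == info.filename,
                "compressed_size": csize,
                "uncompressed_size": usize,
                "modify_date": modified.strftime("%Y:%m:%d %H:%M:%S"),
                "has_data_descriptor": bool(flags & 0x8),
            })
    return entries


def parse_manifest(data: bytes) -> dict:
    """Main attributes of META-INF/MANIFEST.MF; continuation lines start with a space."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
    attrs, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            break                      # blank line closes the main section
        if line.startswith(" ") and last:
            attrs[last] += line[1:]
        elif ":" in line:
            last, value = line.split(":", 1)
            last = last.strip()
            attrs[last] = value.strip()
    return attrs


def triage(data: bytes) -> dict:
    return {
        "is_zip": data[:2] == b"PK",   # a JAR is a zip container
        "hashes": file_hashes(data),
        "entries": local_headers(data),
        "manifest": parse_manifest(data),
    }


if __name__ == "__main__":
    report = triage(build_sample_jar())
    print(report["hashes"]["sha256"], report["manifest"].get("Main-Class"))
    for entry in report["entries"]:
        print(entry)
```

Run it against a real sample by replacing `build_sample_jar()` with the file's bytes; an entry whose local header disagrees with the central directory, or a manifest with no Main-Class in a file that is nonetheless run with `-jar`, is worth a closer look.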
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 3088 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\BL-copy.jar" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | explorer.exe | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Version: 8.0.920.14 |
| 3380 | "C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar C:\Users\admin\AppData\Local\Temp\_0.37594194914469482131760969722602034.class | C:\Program Files\Java\jre1.8.0_92\bin\java.exe | — | javaw.exe | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Version: 8.0.920.14 |
| 1076 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive7921296258542596175.vbs | C:\Windows\system32\cmd.exe | — | java.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 3844 | cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive7921296258542596175.vbs | C:\Windows\system32\cscript.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Console Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |
| 2244 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive1187425034426688294.vbs | C:\Windows\system32\cmd.exe | — | javaw.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 3192 | cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive1187425034426688294.vbs | C:\Windows\system32\cscript.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Console Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |
| 3060 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive8452566407735326471.vbs | C:\Windows\system32\cmd.exe | — | java.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 1100 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive8842370850047236830.vbs | C:\Windows\system32\cmd.exe | — | javaw.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 3520 | cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive8452566407735326471.vbs | C:\Windows\system32\cscript.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Console Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |
| 2696 | cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive8842370850047236830.vbs | C:\Windows\system32\cscript.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Console Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |
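The chain in this table reads: explorer.exe launches javaw.exe on BL-copy.jar; javaw.exe drops a second archive under a `.class` name in %TEMP% (the file list below types it as `java`, and it is run with `-jar`, so it is a JAR despite the extension) and runs it with java.exe; both Java processes then spawn `cmd.exe /C cscript.exe` on `Retrive*.vbs` files in %TEMP%. As an added example that is not part of the ANY.RUN report, the Python below encodes those three observations as detection rules and runs them over an event list constructed from this table, plus one constructed benign cscript launch as a control. The rule names, the command-line tokenizer and the control event are my own; Sysmon event ID 1 or EDR process telemetry supplies the same four fields.

```python
"""Detection rules for the process chain in this report, run over constructed events.

Added example, not code from the ANY.RUN report. EVENTS is built from the
process table on this page (PID, image, command line, parent image) plus one
constructed benign cscript launch as a control. Rule names are my own.
"""
import ntpath
import re

JAVA = {"java.exe", "javaw.exe"}
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
TOKEN_RE = re.compile(r'"[^"]*"|\S+')   # Windows-style: quoted or bare tokens

T = r"C:\Users\admin\AppData\Local\Temp"
J = r"C:\Program Files\Java\jre1.8.0_92\bin"
EVENTS = [  # (pid, image, command line, parent image), taken from the table above
    (3088, "javaw.exe", f'"{J}\\javaw.exe" -jar "{T}\\BL-copy.jar"', "explorer.exe"),
    (3380, "java.exe", f'"{J}\\java.exe" -jar {T}\\_0.37594194914469482131760969722602034.class', "javaw.exe"),
    (1076, "cmd.exe", f"cmd.exe /C cscript.exe {T}\\Retrive7921296258542596175.vbs", "java.exe"),
    (3844, "cscript.exe", f"cscript.exe {T}\\Retrive7921296258542596175.vbs", "cmd.exe"),
    (2244, "cmd.exe", f"cmd.exe /C cscript.exe {T}\\Retrive1187425034426688294.vbs", "javaw.exe"),
    (3192, "cscript.exe", f"cscript.exe {T}\\Retrive1187425034426688294.vbs", "cmd.exe"),
    (3060, "cmd.exe", f"cmd.exe /C cscript.exe {T}\\Retrive8452566407735326471.vbs", "java.exe"),
    (1100, "cmd.exe", f"cmd.exe /C cscript.exe {T}\\Retrive8842370850047236830.vbs", "javaw.exe"),
    (3520, "cscript.exe", f"cscript.exe {T}\\Retrive8452566407735326471.vbs", "cmd.exe"),
    (2696, "cscript.exe", f"cscript.exe {T}\\Retrive8842370850047236830.vbs", "cmd.exe"),
    # constructed control: script host on a system script, not parented by Java
    (4001, "cmd.exe", r"cmd.exe /C cscript.exe C:\Windows\System32\slmgr.vbs /dli", "explorer.exe"),
]


def tokens(cmdline: str) -> list:
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def jar_argument(cmdline: str):
    """Path passed to -jar, or None."""
    toks = tokens(cmdline)
    for i, tok in enumerate(toks[:-1]):
        if tok.lower() == "-jar":
            return toks[i + 1]
    return None


def vbs_argument(cmdline: str):
    """First .vbs path on the command line, or None."""
    for tok in tokens(cmdline):
        if tok.lower().endswith(".vbs"):
            return tok
    return None


def evaluate(event: tuple) -> list:
    pid, image, cmdline, parent = event
    image, parent = image.lower(), parent.lower()
    hits = []
    # 1. Java runs a JAR from %TEMP% whose name hides the .jar extension (here: .class)
    jar = jar_argument(cmdline) if image in JAVA else None
    if jar and TEMP_RE.search(jar) and ntpath.splitext(jar)[1].lower() != ".jar":
        hits.append("java_runs_temp_jar_with_disguised_extension")
    # 2. A Java process spawns cmd.exe or a script host to run a .vbs
    if parent in JAVA and image in SCRIPT_HOSTS | {"cmd.exe"} and vbs_argument(cmdline):
        hits.append("java_spawns_vbs_via_script_host")
    # 3. A script host executes a .vbs that lives in %TEMP%
    vbs = vbs_argument(cmdline) if image in SCRIPT_HOSTS else None
    if vbs and TEMP_RE.search(vbs):
        hits.append("script_host_runs_vbs_from_temp")
    return hits


def scan(events: list) -> dict:
    """Map PID -> list of rule names that fired; PIDs with no hits are omitted."""
    result = {}
    for event in events:
        hits = evaluate(event)
        if hits:
            result[event[0]] = hits
    return result


if __name__ == "__main__":
    for pid, rules in scan(EVENTS).items():
        print(pid, ", ".join(rules))
```

Rule 2 is the one with the best signal-to-noise ratio on a normal endpoint: a JVM whose child is cmd.exe or a script host is rare outside build servers, whereas rule 3 alone will also fire on installers that stage scripts in %TEMP%.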
| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 2036 | explorer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | write | {FFE2A43C-56B9-4BF5-9A79-CC6D4285608A} {000214E4-0000-0000-C000-000000000046} 0xFFFF | 0100000000000000763B540D5FF3D401 |
| 2036 | explorer.exe | HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication | write | Name | Explorer.EXE |
| 2036 | explorer.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | write | LanguageList | en-US |
| 2036 | explorer.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | write | @C:\Program Files\Windows Photo Viewer\photoviewer.dll,-3043 | Pre&view |
| 2036 | explorer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | write | {FFE2A43C-56B9-4BF5-9A79-CC6D4285608A} {00000122-0000-0000-C000-000000000046} 0xFFFF | 0100000000000000DEC45D0D5FF3D401 |
| — | — | HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication | write | Name | DllHost.exe |
| 2036 | explorer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\OpenWithList | write | a | DllHost.exe |
| 2036 | explorer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\OpenWithList | write | MRUList | a |
| 2036 | explorer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs | write | 1 | 7200650063006F006D006D0065006E006400650064006D0069006700680074002E006A0070006700000092003200000000000000000000007265636F6D6D656E6465646D696768742E6A7067202832292E6C6E6B0000660008000400EFBE00000000000000002A000000000000000000000000000000000000000000000000007200650063006F006D006D0065006E006400650064006D0069006700680074002E006A007000670020002800320029002E006C006E006B0000002C000000 |
| 2036 | explorer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.jpg | write | 0 | 7200650063006F006D006D0065006E006400650064006D0069006700680074002E006A0070006700000092003200000000000000000000007265636F6D6D656E6465646D696768742E6A7067202832292E6C6E6B0000660008000400EFBE00000000000000002A000000000000000000000000000000000000000000000000007200650063006F006D006D0065006E006400650064006D0069006700680074002E006A007000670020002800320029002E006C006E006B0000002C000000 |
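Every write in this table is made by explorer.exe (PID 2036), i.e. shell housekeeping rather than activity of the Java processes, but the two RecentDocs values are worth decoding: each is a UTF-16 display name followed by a shell item ID list whose 0xBEEF0004 extension block carries the long file name. As an added example that is not part of the ANY.RUN report, the Python below decodes the value shown above. The layout offsets are those of the version-8 (Windows 7) file-entry extension block; the field names in the result are my own.

```python
"""Decode a RecentDocs MRU value: UTF-16 display name + shell item ID list.

Added example, not code from the ANY.RUN report. RECENTDOCS_HEX is the value
the report shows explorer.exe writing under ...\Explorer\RecentDocs\.jpg.
"""
import struct

RECENTDOCS_HEX = (
    "7200650063006F006D006D0065006E006400650064006D0069006700680074002E006A0070006700000092003200"
    "000000000000000000007265636F6D6D656E6465646D696768742E6A7067202832292E6C6E6B0000660008000400"
    "EFBE00000000000000002A0000000000000000000000000000000000000000000000000072006500630"
    "06F006D006D0065006E006400650064006D0069006700680074002E006A00700067002000280032002900"
    "2E006C006E006B0000002C000000"
)
EXT_SIG = b"\x04\x00\xef\xbe"          # 0xBEEF0004 little-endian
FILE_ENTRY_NAME_OFFSET = 14            # cb(2) type(1) unk(1) size(4) date(2) time(2) attr(2)


def _utf16z(buf: bytes, off: int):
    """UTF-16LE string terminated by an aligned 00 00; returns (text, next offset)."""
    end = off
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le"), end + 2


def _long_name_offset(version: int) -> int:
    """Offset of the UTF-16 long name inside a 0xBEEF0004 block, by version."""
    if version >= 9:
        return 46
    if version >= 8:
        return 42                      # Windows 7: file reference and extra unknowns present
    if version >= 7:
        return 38
    return 20                          # version 3 (Windows XP)


def decode_recentdocs(hexvalue: str) -> dict:
    data = bytes.fromhex(hexvalue)
    display, off = _utf16z(data, 0)
    (cb,) = struct.unpack_from("<H", data, off)
    item = data[off:off + cb]
    short_end = item.index(b"\x00", FILE_ENTRY_NAME_OFFSET)
    result = {
        "display_name": display,
        "item_type": item[2],
        "is_file": bool(item[2] & 0x02),     # 0x31 directory, 0x32 file
        "short_name": item[FILE_ENTRY_NAME_OFFSET:short_end].decode("ascii", "replace"),
        "long_name": None,
        "ext_version": None,
        "ext_offset_consistent": None,
        "terminated": data[off + cb:off + cb + 2] == b"\x00\x00",   # empty SHITEMID ends the list
    }
    sig = item.find(EXT_SIG)
    if sig >= 4:
        ext_start = sig - 4
        size, version = struct.unpack_from("<HH", item, ext_start)
        ext = item[ext_start:ext_start + size]
        (first_ext_offset,) = struct.unpack_from("<H", ext, size - 2)  # last field points back at the block
        result["ext_version"] = version
        result["long_name"], _ = _utf16z(ext, _long_name_offset(version))
        result["ext_offset_consistent"] = first_ext_offset == ext_start
    return result


if __name__ == "__main__":
    for key, value in decode_recentdocs(RECENTDOCS_HEX).items():
        print(f"{key}: {value}")
```

The same routine applies to every numbered value under RecentDocs and its per-extension subkeys, which is how a timeline of documents the interactive user opened is usually rebuilt during forensics; the `ext_offset_consistent` and `terminated` checks catch values that were truncated or hand-edited.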
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3088 | javaw.exe | C:\Users\admin\AppData\Local\Temp\Retrive1187425034426688294.vbs | — | — | — |
| 3088 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | A8FDC8BA1F9D28B3474AE5769653B0B1 | 0D911101718FBBD14B0BFCA6D6377618D2C3DF5AD385B13D30716754F5DD1989 |
| 3380 | java.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | 4F8BF31E7C08BA2D23E4B98B8E49CDCA | BB6F5BCCE3E72C6EB0973AD182FD24AEB31AEC509232542FF2E38BB0500CEF34 |
| 2692 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\COPYRIGHT | text | 89F660D2B7D58DA3EFD2FECD9832DA9C | F6A08C9CC04D7C6A86576C1EF50DD0A690AE5CB503EFD205EDB2E408BD8D557B |
| 2692 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\LICENSE | text | 98F46AB6481D87C4D77E0E91A6DBC15F | 23F9A5C12FA839650595A32872B7360B9E030C7213580FB27DD9185538A5828C |
| 2692 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME-JAVAFX.txt | text | AB9DB8D553033C0326BD2D38D77F84C1 | 38995534DF44E0526F8C8C8D479C778A4B34627CFD69F19213CFBE019A7261BA |
| 3380 | java.exe | C:\Users\admin\AppData\Local\Temp\Retrive8452566407735326471.vbs | text | A32C109297ED1CA155598CD295C26611 | 45BFE34AA3EF932F75101246EB53D032F5E7CF6D1F5B4E495334955A255F32E7 |
| 3088 | javaw.exe | C:\Users\admin\AppData\Local\Temp\_0.37594194914469482131760969722602034.class | java | 781FB531354D6F291F1CCAB48DA6D39F | 97D585B6AFF62FB4E43E7E6A5F816DCD7A14BE11A88B109A9BA9E8CD4C456EB9 |
| 2692 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\README.txt | text | 0F1123976B959AC5E8B89EB8C245C4BD | 963095CF8DB76FB8071FD19A3110718A42F2AB42B27A3ADFD9EC58981C3E88D2 |
| 3088 | javaw.exe | C:\Users\admin\AppData\Local\Temp\Retrive8842370850047236830.vbs | text | A32C109297ED1CA155598CD295C26611 | 45BFE34AA3EF932F75101246EB53D032F5E7CF6D1F5B4E495334955A255F32E7 |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 3088 | javaw.exe | GET | 200 | 151.101.120.209:80 | http://central.maven.org/maven2/org/mozilla/rhino/1.7.7.2/rhino-1.7.7.2.jar | US | compressed | 1.18 MB | whitelisted |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 3088 | javaw.exe | 151.101.120.209:80 | central.maven.org | Fastly | US | suspicious |

| Domain | IP | Reputation |
|---|---|---|
| central.maven.org | | whitelisted |

| PID | Process | Class | Message |
|---|---|---|---|
| 3088 | javaw.exe | A Network Trojan was detected | ET INFO JAVA - Java Archive Download |