analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

INFORMATION 0025.jar

Full analysis: https://app.any.run/tasks/dee32d14-db66-4a21-83bf-5f340d73c22e
Verdict: Malicious activity
Threats:

Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.

Analysis date: February 18, 2019, 15:30:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adwind
trojan
Indicators:
MIME: application/java-archive
File info: Java archive data (JAR)
MD5:

C8AD3699922AA0191264573C363EAA08

SHA1:

FDC440E4052358CA989C26FD6A079575B458DC22

SHA256:

18E6D4EFFE5CF424807DA733149AB7B53199AE7E11F596DDAF40FF4062E50288

SSDEEP:

12288:GcIW+VwbbZYX5z43jP3Lt2RNP2YrCoOyHJcE0BwzPDA5QsGew:GcmWlQWzP3Z2RNP2g6B6Gw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • AdWind was detected

      • java.exe (PID: 3276)
    • Loads dropped or rewritten executable

      • explorer.exe (PID: 116)
      • java.exe (PID: 3276)
      • javaw.exe (PID: 2828)
    • Application was dropped or rewritten from another process

      • java.exe (PID: 3276)
      • javaw.exe (PID: 2828)
  • SUSPICIOUS

    • Creates files in the user directory

      • javaw.exe (PID: 2828)
      • xcopy.exe (PID: 3660)
    • Executes JAVA applets

      • explorer.exe (PID: 116)
      • javaw.exe (PID: 2828)
    • Starts CMD.EXE for commands execution

      • java.exe (PID: 3276)
    • Executes scripts

      • cmd.exe (PID: 3988)
      • cmd.exe (PID: 3836)
    • Executable content was dropped or overwritten

      • xcopy.exe (PID: 3660)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0808
ZipCompression: Deflated
ZipModifyDate: 2019:02:18 11:16:08
ZipCRC: 0x90b9b878
ZipCompressedSize: 64
ZipUncompressedSize: 62
ZipFileName: META-INF/MANIFEST.MF
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
8
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start javaw.exe no specs java.exe cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs xcopy.exe explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2828"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\INFORMATION 0025.jar"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exeexplorer.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Version:
8.0.920.14
3276"C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar C:\Users\admin\AppData\Local\Temp\_0.81483024951691536626370875767049767.classC:\Program Files\Java\jre1.8.0_92\bin\java.exe
javaw.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Version:
8.0.920.14
3988cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive7948274045363897456.vbsC:\Windows\system32\cmd.exejava.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2412cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive7948274045363897456.vbsC:\Windows\system32\cscript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3836cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive1068575237735304703.vbsC:\Windows\system32\cmd.exejava.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2268cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive1068575237735304703.vbsC:\Windows\system32\cscript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3660xcopy "C:\Program Files\Java\jre1.8.0_92" "C:\Users\admin\AppData\Roaming\Oracle\" /eC:\Windows\system32\xcopy.exe
java.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Extended Copy Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
116C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
73
Read events
73
Write events
0
Delete events
0

Modification events

No data
Executable files
101
Suspicious files
4
Text files
44
Unknown types
6

Dropped files

PID
Process
Filename
Type
3276java.exeC:\Users\admin\AppData\Local\Temp\Retrive7948274045363897456.vbs
MD5:
SHA256:
2828javaw.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:589E4072CA5276BC318F5B2AFFF649B5
SHA256:B1CD46DFA12E4C4308FF206D05533B87939FC0ED16216F4F575CABDD9831F506
3276java.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:3D84DC480E57336209C229CBB826FBE5
SHA256:A4EC342DEA35346C0F1FEB8D07C5C6D79E651EC1C0233CC0B59989EA36349865
3660xcopy.exeC:\Users\admin\AppData\Roaming\Oracle\LICENSEtext
MD5:98F46AB6481D87C4D77E0E91A6DBC15F
SHA256:23F9A5C12FA839650595A32872B7360B9E030C7213580FB27DD9185538A5828C
2828javaw.exeC:\Users\admin\AppData\Local\Temp\_0.81483024951691536626370875767049767.classjava
MD5:781FB531354D6F291F1CCAB48DA6D39F
SHA256:97D585B6AFF62FB4E43E7E6A5F816DCD7A14BE11A88B109A9BA9E8CD4C456EB9
3660xcopy.exeC:\Users\admin\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME-JAVAFX.txttext
MD5:AB9DB8D553033C0326BD2D38D77F84C1
SHA256:38995534DF44E0526F8C8C8D479C778A4B34627CFD69F19213CFBE019A7261BA
3660xcopy.exeC:\Users\admin\AppData\Roaming\Oracle\COPYRIGHTtext
MD5:89F660D2B7D58DA3EFD2FECD9832DA9C
SHA256:F6A08C9CC04D7C6A86576C1EF50DD0A690AE5CB503EFD205EDB2E408BD8D557B
3660xcopy.exeC:\Users\admin\AppData\Roaming\Oracle\Welcome.htmlhtml
MD5:27CF299B6D93FACA73FBCDCF4AECFD93
SHA256:3F1F0EE75588DBBA3B143499D08AA9AB431E4A34E483890CFAC94A8E1061B7CF
3660xcopy.exeC:\Users\admin\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txttext
MD5:745D6DB5FC58C63F74CE6A7D4DB7E695
SHA256:C77BA9F668FEE7E9B810F1493E518ADF87233AC8793E4B37C9B3D1ED7846F1C0
3660xcopy.exeC:\Users\admin\AppData\Roaming\Oracle\bin\eula.dllexecutable
MD5:6F1188DF337E62427791C77EA36E6EEF
SHA256:DEC4F2F32EDC45F70E7119C9E52C4CEF44BB9AA627DBEC1EE70F61D37468556B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info