File name: December 2018.jar
Full analysis: https://app.any.run/tasks/a701d9a0-9203-489b-be48-ed5c2382cc8b
Verdict: Malicious activity
Threats: Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a malware-as-a-service remote access trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs on the market in 2015.

Analysis date: February 19, 2019, 01:56:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: adwind, trojan
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 154A4249906E970D5D0EBD86D2C73193
SHA1: 016CC33149D409E84F778D367BC1DE6A4E3A6774
SHA256: 276B4329E09F26573362CDF91207732D909094EC37ADF061B049EFE7A51E85A5
SSDEEP: 12288:HqZslH85Kj+whgUKTeZ/na8GP7bDqiInF3zdGQpduwNiLjxiK/iUlL3:KZ2c5CVOCZ/a8G2nFhGQpdXc4V0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as-is for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • WScript.exe (PID: 3296)
      • wscript.exe (PID: 2896)
      • reg.exe (PID: 3396)
    • Writes to a start menu file

      • WScript.exe (PID: 3296)
    • AdWind was detected

      • java.exe (PID: 2668)
      • java.exe (PID: 2456)
    • Loads dropped or rewritten executable

      • explorer.exe (PID: 2028)
      • wscript.exe (PID: 2896)
      • java.exe (PID: 2668)
      • cmd.exe (PID: 4024)
      • javaw.exe (PID: 3164)
      • javaw.exe (PID: 2984)
      • javaw.exe (PID: 3248)
      • java.exe (PID: 2456)
      • javaw.exe (PID: 3864)
    • Application was dropped or rewritten from another process

      • javaw.exe (PID: 3248)
      • java.exe (PID: 2668)
      • javaw.exe (PID: 3164)
      • javaw.exe (PID: 2984)
      • javaw.exe (PID: 3864)
      • java.exe (PID: 2456)
    • Uses TASKKILL.EXE to kill security tools

      • javaw.exe (PID: 3864)
    • Turns off system restore

      • regedit.exe (PID: 2424)
    • UAC/LUA settings modification

      • regedit.exe (PID: 2424)
    • Changes Image File Execution Options

      • regedit.exe (PID: 2424)
  • SUSPICIOUS

    • Executes scripts

      • javaw.exe (PID: 3248)
      • wscript.exe (PID: 2896)
      • cmd.exe (PID: 3392)
      • cmd.exe (PID: 3268)
      • cmd.exe (PID: 1700)
      • cmd.exe (PID: 1300)
      • cmd.exe (PID: 2388)
      • cmd.exe (PID: 3016)
      • cmd.exe (PID: 2860)
      • cmd.exe (PID: 3844)
    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 2896)
      • java.exe (PID: 2668)
      • javaw.exe (PID: 3164)
      • javaw.exe (PID: 3864)
      • java.exe (PID: 2456)
    • Executes JAVA applets

      • explorer.exe (PID: 2028)
      • cmd.exe (PID: 4024)
      • javaw.exe (PID: 3164)
      • wscript.exe (PID: 2896)
    • Application launched itself

      • wscript.exe (PID: 2896)
    • Creates files in the user directory

      • wscript.exe (PID: 2896)
      • WScript.exe (PID: 3296)
      • javaw.exe (PID: 3164)
      • xcopy.exe (PID: 2552)
    • Connects to unusual port

      • WScript.exe (PID: 3296)
      • javaw.exe (PID: 3864)
    • Executable content was dropped or overwritten

      • xcopy.exe (PID: 2552)
    • Starts itself from another location

      • javaw.exe (PID: 3164)
    • Uses REG.EXE to modify Windows registry

      • javaw.exe (PID: 3164)
    • Uses ATTRIB.EXE to modify file attributes

      • javaw.exe (PID: 3164)
    • Uses TASKKILL.EXE to kill process

      • javaw.exe (PID: 3864)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2019:01:15 01:55:25
ZipCRC: 0xce1e8edb
ZipCompressedSize: 648181
ZipUncompressedSize: 950069
ZipFileName: vizdgrpkxd/resources/kpypwzxqxc
No data.
Total processes: 180
Monitored processes: 83
Malicious processes: 11
Suspicious processes: 1

Behavior graph

start javaw.exe no specs wscript.exe wscript.exe cmd.exe no specs javaw.exe no specs javaw.exe no specs java.exe no specs cmd.exe no specs cscript.exe no specs cmd.exe no specs cmd.exe no specs cscript.exe no specs cscript.exe no specs cmd.exe no specs xcopy.exe cscript.exe no specs xcopy.exe no specs explorer.exe no specs reg.exe attrib.exe no specs attrib.exe no specs javaw.exe java.exe cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs taskkill.exe no specs cmd.exe no specs regedit.exe no specs regedit.exe no specs regedit.exe taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs

Process information

PID 3248 | Parent process: explorer.exe
  CMD: "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\December 2018.jar"
  Path: C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
  User: admin | Company: Oracle Corporation | Integrity Level: MEDIUM
  Description: Java(TM) Platform SE binary | Exit code: 0 | Version: 8.0.920.14

PID 2896 | Parent process: javaw.exe
  CMD: wscript C:\Users\admin\coepuxbomo.vbs
  Path: C:\Windows\system32\wscript.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Microsoft ® Windows Based Script Host | Exit code: 0 | Version: 5.8.7600.16385

PID 3296 | Parent process: wscript.exe
  CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\RJLpCjHzcl.vbs"
  Path: C:\Windows\System32\WScript.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Microsoft ® Windows Based Script Host | Exit code: (none, still running) | Version: 5.8.7600.16385

PID 4024 | Parent process: wscript.exe
  CMD: "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -version 2> C:\Users\admin\AppData\Local\Temp\output.txt
  Path: C:\Windows\System32\cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2984 | Parent process: cmd.exe
  CMD: "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -version
  Path: C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
  User: admin | Company: Oracle Corporation | Integrity Level: MEDIUM
  Description: Java(TM) Platform SE binary | Exit code: 0 | Version: 8.0.920.14

PID 3164 | Parent process: wscript.exe
  CMD: "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\ntfsmgr.jar"
  Path: C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
  User: admin | Company: Oracle Corporation | Integrity Level: MEDIUM
  Description: Java(TM) Platform SE binary | Exit code: 0 | Version: 8.0.920.14

PID 2668 | Parent process: javaw.exe
  CMD: "C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar C:\Users\admin\AppData\Local\Temp\_0.287532955983208163937933932914640162.class
  Path: C:\Program Files\Java\jre1.8.0_92\bin\java.exe
  User: admin | Company: Oracle Corporation | Integrity Level: MEDIUM
  Description: Java(TM) Platform SE binary | Exit code: (none, still running) | Version: 8.0.920.14

PID 3268 | Parent process: javaw.exe
  CMD: cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive2270502614830253341.vbs
  Path: C:\Windows\system32\cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3824 | Parent process: cmd.exe
  CMD: cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive2270502614830253341.vbs
  Path: C:\Windows\system32\cscript.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Microsoft ® Console Based Script Host | Exit code: 0 | Version: 5.8.7600.16385

PID 3392 | Parent process: java.exe
  CMD: cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive6189826551009875427.vbs
  Path: C:\Windows\system32\cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events: 8 011
Read events: 7 752
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 110
Suspicious files: 10
Text files: 81
Unknown types: 15

Dropped files

PID 2668 | java.exe | C:\Users\admin\AppData\Local\Temp\Retrive6189826551009875427.vbs | Type: (not listed)
  MD5:
  SHA256:

PID 2668 | java.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | Type: text
  MD5: B29D9DB03146877342AF3FF3FE343447
  SHA256: F2B1733D5D5960C05E56D49848A3BCDACEF5FA710EB6840C320358814F4A255A

PID 3248 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | Type: text
  MD5: 3AA28671D0C25308C73FBF40199E6AEC
  SHA256: E5503B949EDF00849F01977CA4D73E131FED68F728E30EE854357FB9FA0FF748

PID 4024 | cmd.exe | C:\Users\admin\AppData\Local\Temp\output.txt | Type: text
  MD5: FCF81EDEAE4E8C13E8B099A9EE455E27
  SHA256: 0CCC5DDB797429E5625AEDB2ECEE3F42E97221264CD69D5FF53A094F72FE5D7B

PID 2896 | wscript.exe | C:\Users\admin\AppData\Roaming\RJLpCjHzcl.vbs | Type: text
  MD5: 0D7B96AFC1F73593795098B02C8ADD7B
  SHA256: 9D0E41E61EF52E97A14DD4D3EFD1C45FF0222603DACD3CF378BD0942870E6034

PID 3296 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RJLpCjHzcl.vbs | Type: text
  MD5: 0D7B96AFC1F73593795098B02C8ADD7B
  SHA256: 9D0E41E61EF52E97A14DD4D3EFD1C45FF0222603DACD3CF378BD0942870E6034

PID 2896 | wscript.exe | C:\Users\admin\AppData\Roaming\ntfsmgr.jar | Type: java
  MD5: 150D79B9C0E6F048ED484C8B62C6577E
  SHA256: D955FABE038293E0DA532581202F6BB6F67A9900CAFEECFC8A013E9E150D26EA

PID 2984 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | Type: text
  MD5: 1D656D4F667DB4B054A5D77937475A65
  SHA256: 6EB6E7D65EC7AA9C720CD7076C3CB63423FF5A3652A6E96938AB62E1F3D0B174

PID 3248 | javaw.exe | C:\Users\admin\coepuxbomo.vbs | Type: text
  MD5: 31DB4FC726371E082E51A06903A7D197
  SHA256: 6B25E6B47AAA791D3225B4B8327772768ACCA1D9B75970E4836BC5F57567C75E

PID 3164 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | Type: text
  MD5: 85DC286CB6C9C7A6C9EF28B24BB9161D
  SHA256: 5702DF154999CD02F392F64757498C489E306164B9825562C868FC99B611277A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 20
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID 3296 | WScript.exe | IP: 178.239.21.25:3360 | Domain: pm2bitcoin.com | ASN: Telekomunikacije Republike Srpske akcionarsko drustvo Banja Luka | CN: BA | Reputation: malicious
PID 3864 | javaw.exe | IP: 194.5.99.79:2888 | Domain: (none) | ASN: (none) | CN: FR | Reputation: malicious

DNS requests

Domain: pm2bitcoin.com | IP: 178.239.21.25 | Reputation: malicious

Threats

No threats detected
No debug info