| Field | Value |
|---|---|
| File name | December 2018.jar |
| Full analysis | https://app.any.run/tasks/a701d9a0-9203-489b-be48-ed5c2382cc8b |
| Verdict | Malicious activity |
| Threats | Adwind RAT, also known as Unrecom, Sockrat, Frutas, jRat and JSocket, is a Java-based, cross-platform remote access trojan sold as malware-as-a-service; attackers use it to collect information from infected machines. It was one of the most popular RATs on the market in 2015. |
| Analysis date | February 19, 2019, 01:56:48 |
| OS | Windows 7 Professional Service Pack 1 (build 7601, 32-bit) |
| Tags | — |
| Indicators | — |
| MIME | application/zip |
| File info | Zip archive data, at least v2.0 to extract (a JAR is a ZIP container, so the generic ZIP identification is expected) |
| MD5 | 154A4249906E970D5D0EBD86D2C73193 |
| SHA1 | 016CC33149D409E84F778D367BC1DE6A4E3A6774 |
| SHA256 | 276B4329E09F26573362CDF91207732D909094EC37ADF061B049EFE7A51E85A5 |
| SSDEEP | 12288:HqZslH85Kj+whgUKTeZ/na8GP7bDqiInF3zdGQpduwNiLjxiK/iUlL3:KZ2c5CVOCZ/a8G2nFhGQpdXc4V0 |
Static information

| Extension | Type |
|---|---|
| .zip | ZIP compressed archive (100) |

The Zip* attributes below describe a single archive entry, the one named in ZipFileName, not the JAR as a whole. The entry has no file extension, sits under a randomly named package path, and compresses poorly (648181 of 950069 bytes), which is what an encrypted or packed payload resource looks like.

| Attribute | Value |
|---|---|
| ZipRequiredVersion | 20 |
| ZipBitFlag | - |
| ZipCompression | Deflated |
| ZipModifyDate | 2019:01:15 01:55:25 |
| ZipCRC | 0xce1e8edb |
| ZipCompressedSize | 648181 |
| ZipUncompressedSize | 950069 |
| ZipFileName | vizdgrpkxd/resources/kpypwzxqxc |
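The static attributes above are what an analyst reads off a JAR before running it. The following Python script is an added example, not part of the ANY.RUN report or of the sample: it records every entry the same way (required version, compression, CRC, sizes), extracts Main-Class from the manifest, and flags entries shaped like the one reported here (extensionless, random-looking path segments, large, poorly compressible). The JAR it triages is constructed in memory with the same path layout; the Main-Class name vizdgrpkxd.Loader, the small class stub and the size and ratio thresholds are assumptions for the example.

```python
import io
import os
import re
import zipfile

# Path segments made of random lowercase letters, as in the entry name
# reported above (vizdgrpkxd/resources/kpypwzxqxc).
RANDOM_SEGMENT = re.compile(r"^[a-z]{8,16}$")
LARGE_PAYLOAD = 256 * 1024       # bytes; threshold is an assumption
MIN_RATIO_CHECK = 4096           # skip the ratio test on tiny entries
POOR_COMPRESSION_RATIO = 0.6     # deflate ratio above this suggests encrypted/packed data


def entry_record(info: zipfile.ZipInfo) -> dict:
    """Mirror the Zip* attributes the report lists for one entry."""
    return {
        "name": info.filename,
        "required_version": info.extract_version,
        "compression": "Deflated" if info.compress_type == zipfile.ZIP_DEFLATED else str(info.compress_type),
        "modify_date": "%04d:%02d:%02d %02d:%02d:%02d" % info.date_time,
        "crc": "0x%08x" % info.CRC,
        "compressed_size": info.compress_size,
        "uncompressed_size": info.file_size,
    }


def triage_jar(data: bytes) -> dict:
    """Static triage of a JAR held in memory: record every entry, pull
    Main-Class from the manifest, and flag entries that look like
    obfuscated payload containers."""
    result = {"entries": [], "main_class": None, "suspicious": []}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for info in jar.infolist():
            if info.is_dir():
                continue
            result["entries"].append(entry_record(info))
            if info.filename == "META-INF/MANIFEST.MF":
                for line in jar.read(info).decode("utf-8", "replace").splitlines():
                    if line.startswith("Main-Class:"):
                        result["main_class"] = line.split(":", 1)[1].strip()
                continue
            segments = info.filename.split("/")
            name = segments[-1]
            reasons = []
            if "." not in name:
                reasons.append("no file extension")
            # 'resources' is a conventional directory name, so it is exempted.
            if all(RANDOM_SEGMENT.match(s) for s in segments if s != "resources"):
                reasons.append("random-looking path segments")
            if "." not in name and info.file_size >= LARGE_PAYLOAD:
                reasons.append("large extensionless payload")
            if (info.file_size >= MIN_RATIO_CHECK
                    and info.compress_size / info.file_size > POOR_COMPRESSION_RATIO):
                reasons.append("poorly compressible (encrypted or packed data)")
            if reasons:
                result["suspicious"].append(
                    {"name": info.filename, "reasons": reasons,
                     "uncompressed_size": info.file_size})
    return result


def build_sample_jar() -> bytes:
    """Constructed stand-in for the analysed JAR (not the real sample): a
    manifest with a hypothetical Main-Class, one tiny class stub, and one
    large extensionless resource of random bytes under the reported path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\nMain-Class: vizdgrpkxd.Loader\r\n\r\n")
        jar.writestr("vizdgrpkxd/Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 64)
        jar.writestr("vizdgrpkxd/resources/kpypwzxqxc", os.urandom(300_000))
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_jar(build_sample_jar())
    print("Main-Class:", report["main_class"])
    for entry in report["entries"]:
        print(entry)
    for hit in report["suspicious"]:
        print("SUSPICIOUS", hit["name"], hit["reasons"])
```

To run it against a real file, replace build_sample_jar() with the bytes read from disk; the entry records then match the Zip* fields above one-to-one, and the ratio test is what separates an encrypted blob from an ordinary class or text resource.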
Process tree

Observed execution chain: javaw.exe (PID 3248) runs the JAR from the user's Temp folder and drops coepuxbomo.vbs into the user profile, which wscript.exe (2896) executes. That script writes RJLpCjHzcl.vbs and ntfsmgr.jar to AppData\Roaming, probes the installed JRE with "javaw.exe -version" redirected into output.txt, and launches both dropped files; the second script (3296) copies itself into the Start Menu Startup folder, which gives the RAT logon persistence, and is the process that contacts pm2bitcoin.com. Retrive*.vbs helper scripts written to Temp are run through cmd.exe and cscript.exe from both javaw.exe and java.exe.

| PID | Command line | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3248 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\December 2018.jar" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | explorer.exe |
| 2896 | wscript C:\Users\admin\coepuxbomo.vbs | C:\Windows\system32\wscript.exe | — | javaw.exe |
| 3296 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\RJLpCjHzcl.vbs" | C:\Windows\System32\WScript.exe | — | wscript.exe |
| 4024 | "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -version 2> C:\Users\admin\AppData\Local\Temp\output.txt | C:\Windows\System32\cmd.exe | — | wscript.exe |
| 2984 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -version | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | cmd.exe |
| 3164 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\ntfsmgr.jar" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | wscript.exe |
| 2668 | "C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar C:\Users\admin\AppData\Local\Temp\_0.287532955983208163937933932914640162.class | C:\Program Files\Java\jre1.8.0_92\bin\java.exe | — | javaw.exe |
| 3268 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive2270502614830253341.vbs | C:\Windows\system32\cmd.exe | — | javaw.exe |
| 3824 | cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive2270502614830253341.vbs | C:\Windows\system32\cscript.exe | — | cmd.exe |
| 3392 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive6189826551009875427.vbs | C:\Windows\system32\cmd.exe | — | java.exe |

Process details

| PID | User | Company | Integrity level | Description | Exit code | Version |
|---|---|---|---|---|---|---|
| 3248 | admin | Oracle Corporation | MEDIUM | Java(TM) Platform SE binary | 0 | 8.0.920.14 |
| 2896 | admin | Microsoft Corporation | MEDIUM | Microsoft ® Windows Based Script Host | 0 | 5.8.7600.16385 |
| 3296 | admin | Microsoft Corporation | MEDIUM | Microsoft ® Windows Based Script Host | — | 5.8.7600.16385 |
| 4024 | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2984 | admin | Oracle Corporation | MEDIUM | Java(TM) Platform SE binary | 0 | 8.0.920.14 |
| 3164 | admin | Oracle Corporation | MEDIUM | Java(TM) Platform SE binary | 0 | 8.0.920.14 |
| 2668 | admin | Oracle Corporation | MEDIUM | Java(TM) Platform SE binary | — | 8.0.920.14 |
| 3268 | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 3824 | admin | Microsoft Corporation | MEDIUM | Microsoft ® Console Based Script Host | 0 | 5.8.7600.16385 |
| 3392 | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
Files created

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2668 | java.exe | C:\Users\admin\AppData\Local\Temp\Retrive6189826551009875427.vbs | — | — | — |
| 2668 | java.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | B29D9DB03146877342AF3FF3FE343447 | F2B1733D5D5960C05E56D49848A3BCDACEF5FA710EB6840C320358814F4A255A |
| 3248 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | 3AA28671D0C25308C73FBF40199E6AEC | E5503B949EDF00849F01977CA4D73E131FED68F728E30EE854357FB9FA0FF748 |
| 4024 | cmd.exe | C:\Users\admin\AppData\Local\Temp\output.txt | text | FCF81EDEAE4E8C13E8B099A9EE455E27 | 0CCC5DDB797429E5625AEDB2ECEE3F42E97221264CD69D5FF53A094F72FE5D7B |
| 2896 | wscript.exe | C:\Users\admin\AppData\Roaming\RJLpCjHzcl.vbs | text | 0D7B96AFC1F73593795098B02C8ADD7B | 9D0E41E61EF52E97A14DD4D3EFD1C45FF0222603DACD3CF378BD0942870E6034 |
| 3296 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RJLpCjHzcl.vbs | text | 0D7B96AFC1F73593795098B02C8ADD7B | 9D0E41E61EF52E97A14DD4D3EFD1C45FF0222603DACD3CF378BD0942870E6034 |
| 2896 | wscript.exe | C:\Users\admin\AppData\Roaming\ntfsmgr.jar | java | 150D79B9C0E6F048ED484C8B62C6577E | D955FABE038293E0DA532581202F6BB6F67A9900CAFEECFC8A013E9E150D26EA |
| 2984 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | 1D656D4F667DB4B054A5D77937475A65 | 6EB6E7D65EC7AA9C720CD7076C3CB63423FF5A3652A6E96938AB62E1F3D0B174 |
| 3248 | javaw.exe | C:\Users\admin\coepuxbomo.vbs | text | 31DB4FC726371E082E51A06903A7D197 | 6B25E6B47AAA791D3225B4B8327772768ACCA1D9B75970E4836BC5F57567C75E |
| 3164 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | 85DC286CB6C9C7A6C9EF28B24BB9161D | 5702DF154999CD02F392F64757498C489E306164B9825562C868FC99B611277A |
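The process and file tables above are the behavioural signature of this sample: Java spawning script hosts, a JRE version probe redirected to a file, Retrive*.vbs scripts run from Temp, a JAR started from AppData\Roaming, and a script copied into the Startup folder. The Python below is an added example, not part of the ANY.RUN report, that encodes those observations as detection rules and runs them over constructed events transcribed from the tables (Sysmon-style process-create and file-create records, with parent images given as basenames the way the report lists them). The benign javaw launch with PID 1000 and its app.jar path are invented to show the rules staying quiet on an ordinary Java application; all thresholds and field names are assumptions of the example.

```python
import re

JAVA = ("java.exe", "javaw.exe")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SHELLS = ("cmd.exe",)
TEMP_RETRIVE = re.compile(r"\\appdata\\local\\temp\\retrive\d+\.vbs")


def proc(pid, image, cmd, parent):
    """Process-create record (Sysmon event ID 1 shape)."""
    return {"id": 1, "pid": pid, "image": image, "cmd": cmd, "parent": parent}


def fcreate(pid, image, target):
    """File-create record (Sysmon event ID 11 shape)."""
    return {"id": 11, "pid": pid, "image": image, "target": target}


JRE = r"C:\Program Files\Java\jre1.8.0_92\bin"
TEMP = r"C:\Users\admin\AppData\Local\Temp"
ROAM = r"C:\Users\admin\AppData\Roaming"

# Constructed events transcribed from the report's process and file tables,
# plus one invented benign launch (PID 1000) as a negative control.
EVENTS = [
    proc(3248, JRE + r"\javaw.exe", f'"{JRE}\\javaw.exe" -jar "{TEMP}\\December 2018.jar"', "explorer.exe"),
    proc(2896, r"C:\Windows\system32\wscript.exe", r"wscript C:\Users\admin\coepuxbomo.vbs", "javaw.exe"),
    proc(3296, r"C:\Windows\System32\WScript.exe", f'"C:\\Windows\\System32\\WScript.exe" "{ROAM}\\RJLpCjHzcl.vbs"', "wscript.exe"),
    proc(4024, r"C:\Windows\System32\cmd.exe", f'"C:\\Windows\\System32\\cmd.exe" /c "{JRE}\\javaw.exe" -version 2> {TEMP}\\output.txt', "wscript.exe"),
    proc(2984, JRE + r"\javaw.exe", f'"{JRE}\\javaw.exe" -version', "cmd.exe"),
    proc(3164, JRE + r"\javaw.exe", f'"{JRE}\\javaw.exe" -jar "{ROAM}\\ntfsmgr.jar"', "wscript.exe"),
    proc(2668, JRE + r"\java.exe", f'"{JRE}\\java.exe" -jar {TEMP}\\_0.287532955983208163937933932914640162.class', "javaw.exe"),
    proc(3268, r"C:\Windows\system32\cmd.exe", f"cmd.exe /C cscript.exe {TEMP}\\Retrive2270502614830253341.vbs", "javaw.exe"),
    proc(3824, r"C:\Windows\system32\cscript.exe", f"cscript.exe {TEMP}\\Retrive2270502614830253341.vbs", "cmd.exe"),
    proc(3392, r"C:\Windows\system32\cmd.exe", f"cmd.exe /C cscript.exe {TEMP}\\Retrive6189826551009875427.vbs", "java.exe"),
    proc(1000, JRE + r"\javaw.exe", f'"{JRE}\\javaw.exe" -jar "C:\\Program Files\\SomeApp\\app.jar"', "explorer.exe"),  # benign, invented
    fcreate(3248, JRE + r"\javaw.exe", r"C:\Users\admin\coepuxbomo.vbs"),
    fcreate(2896, r"C:\Windows\system32\wscript.exe", ROAM + r"\RJLpCjHzcl.vbs"),
    fcreate(2896, r"C:\Windows\system32\wscript.exe", ROAM + r"\ntfsmgr.jar"),
    fcreate(3296, r"C:\Windows\System32\WScript.exe", ROAM + r"\Microsoft\Windows\Start Menu\Programs\Startup\RJLpCjHzcl.vbs"),
    fcreate(2668, JRE + r"\java.exe", TEMP + r"\Retrive6189826551009875427.vbs"),
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


# Each rule takes one event and returns True when it matches.
RULES = {
    # Java runtime launching a script host or shell (3248 -> 2896, javaw -> cmd /C cscript).
    "java_spawns_script_host": lambda ev: ev["id"] == 1
        and basename(ev["parent"]) in JAVA
        and basename(ev["image"]) in SCRIPT_HOSTS + SHELLS,
    # "javaw.exe -version 2> file": JRE fingerprinting with stderr captured to disk.
    "jre_version_probe": lambda ev: ev["id"] == 1
        and "-version" in ev["cmd"].lower()
        and re.search(r"javaw?\.exe", ev["cmd"].lower()) is not None
        and "2>" in ev["cmd"],
    # Script host invoked on a Retrive<digits>.vbs file in the user's Temp folder.
    "script_from_temp": lambda ev: ev["id"] == 1
        and any(h in ev["cmd"].lower() for h in SCRIPT_HOSTS)
        and TEMP_RETRIVE.search(ev["cmd"].lower()) is not None,
    # A JAR executed from AppData\Roaming (ntfsmgr.jar).
    "jar_from_roaming": lambda ev: ev["id"] == 1
        and basename(ev["image"]) in JAVA
        and "-jar" in ev["cmd"].lower()
        and "\\appdata\\roaming\\" in ev["cmd"].lower(),
    # A Java process writing a .vbs file anywhere.
    "java_drops_script": lambda ev: ev["id"] == 11
        and basename(ev["image"]) in JAVA
        and ev["target"].lower().endswith(".vbs"),
    # Startup-folder write, or a script host dropping a JAR into Roaming.
    "persistence_drop": lambda ev: ev["id"] == 11
        and ("\\start menu\\programs\\startup\\" in ev["target"].lower()
             or (basename(ev["image"]) in SCRIPT_HOSTS
                 and "\\appdata\\roaming\\" in ev["target"].lower()
                 and ev["target"].lower().endswith(".jar"))),
}


def detect(events):
    """Return (rule name, pid) for every event that matches a rule."""
    return [(name, ev["pid"]) for ev in events for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for name, pid in detect(EVENTS):
        print(f"{name:<24} pid={pid}")
```

Each rule is deliberately narrow so the negative control (an ordinary javaw -jar from Program Files) produces nothing; on real telemetry the Java-spawns-script-host and Startup-folder rules are the ones that will generalise beyond this sample, while the Retrive*.vbs name and the redirected -version probe are sample-specific indicators.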
Network connections

| PID | Process | IP:port | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 3296 | WScript.exe | 178.239.21.25:3360 | pm2bitcoin.com | Telekomunikacije Republike Srpske akcionarsko drustvo Banja Luka | BA | malicious |
| 3864 | javaw.exe | 194.5.99.79:2888 | — | — | FR | malicious |
DNS requests

| Domain | IP | Reputation |
|---|---|---|
| pm2bitcoin.com | — | malicious |