File name:

December 2018.jar

Full analysis: https://app.any.run/tasks/a701d9a0-9203-489b-be48-ed5c2382cc8b
Verdict: Malicious activity
Threats:

Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.

Malware Trends Tracker     >>>
Analysis date: February 19, 2019, 01:56:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adwind
trojan
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

154A4249906E970D5D0EBD86D2C73193

SHA1:

016CC33149D409E84F778D367BC1DE6A4E3A6774

SHA256:

276B4329E09F26573362CDF91207732D909094EC37ADF061B049EFE7A51E85A5

SSDEEP:

12288:HqZslH85Kj+whgUKTeZ/na8GP7bDqiInF3zdGQpduwNiLjxiK/iUlL3:KZ2c5CVOCZ/a8G2nFhGQpdXc4V0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Writes to a start menu file

      • WScript.exe (PID: 3296)

    • Changes the autorun value in the registry

      • wscript.exe (PID: 2896)
      • WScript.exe (PID: 3296)
      • reg.exe (PID: 3396)

    • AdWind was detected

      • java.exe (PID: 2668)
      • java.exe (PID: 2456)

    • Loads dropped or rewritten executable

      • java.exe (PID: 2668)
      • javaw.exe (PID: 3164)
      • javaw.exe (PID: 3248)
      • javaw.exe (PID: 2984)
      • explorer.exe (PID: 2028)
      • cmd.exe (PID: 4024)
      • wscript.exe (PID: 2896)
      • javaw.exe (PID: 3864)
      • java.exe (PID: 2456)

    • Application was dropped or rewritten from another process

      • java.exe (PID: 2668)
      • javaw.exe (PID: 3248)
      • javaw.exe (PID: 2984)
      • javaw.exe (PID: 3164)
      • javaw.exe (PID: 3864)
      • java.exe (PID: 2456)

    • UAC/LUA settings modification

      • regedit.exe (PID: 2424)

    • Uses TASKKILL.EXE to kill security tools

      • javaw.exe (PID: 3864)

    • Turns off system restore

      • regedit.exe (PID: 2424)

    • Changes Image File Execution Options

      • regedit.exe (PID: 2424)

  • SUSPICIOUS

    • Executes JAVA applets

      • explorer.exe (PID: 2028)
      • cmd.exe (PID: 4024)
      • wscript.exe (PID: 2896)
      • javaw.exe (PID: 3164)

    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 2896)
      • javaw.exe (PID: 3164)
      • java.exe (PID: 2668)
      • javaw.exe (PID: 3864)
      • java.exe (PID: 2456)

    • Executes scripts

      • wscript.exe (PID: 2896)
      • javaw.exe (PID: 3248)
      • cmd.exe (PID: 3268)
      • cmd.exe (PID: 3392)
      • cmd.exe (PID: 1700)
      • cmd.exe (PID: 1300)
      • cmd.exe (PID: 3016)
      • cmd.exe (PID: 2388)
      • cmd.exe (PID: 3844)
      • cmd.exe (PID: 2860)

    • Creates files in the user directory

      • wscript.exe (PID: 2896)
      • WScript.exe (PID: 3296)
      • javaw.exe (PID: 3164)
      • xcopy.exe (PID: 2552)

    • Application launched itself

      • wscript.exe (PID: 2896)

    • Connects to unusual port

      • WScript.exe (PID: 3296)
      • javaw.exe (PID: 3864)

    • Uses REG.EXE to modify Windows registry

      • javaw.exe (PID: 3164)

    • Uses ATTRIB.EXE to modify file attributes

      • javaw.exe (PID: 3164)

    • Starts itself from another location

      • javaw.exe (PID: 3164)

    • Uses TASKKILL.EXE to kill process

      • javaw.exe (PID: 3864)

    • Executable content was dropped or overwritten

      • xcopy.exe (PID: 2552)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2019:01:15 01:55:25
ZipCRC: 0xce1e8edb
ZipCompressedSize: 648181
ZipUncompressedSize: 950069
ZipFileName: vizdgrpkxd/resources/kpypwzxqxc
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
180
Monitored processes
83
Malicious processes
11
Suspicious processes
1

Behavior graph

Click at the process to see the details
start javaw.exe no specs wscript.exe wscript.exe cmd.exe no specs javaw.exe no specs javaw.exe no specs java.exe no specs cmd.exe no specs cscript.exe no specs cmd.exe no specs cmd.exe no specs cscript.exe no specs cscript.exe no specs cmd.exe no specs xcopy.exe cscript.exe no specs xcopy.exe no specs explorer.exe no specs reg.exe attrib.exe no specs attrib.exe no specs javaw.exe java.exe cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs taskkill.exe no specs cmd.exe no specs regedit.exe no specs regedit.exe no specs regedit.exe taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1300cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive3398684689897327495.vbsC:\Windows\system32\cmd.exejava.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1700cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive4475825041377224933.vbsC:\Windows\system32\cmd.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1812taskkill /IM mbam.exe /T /FC:\Windows\system32\taskkill.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
2028C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
2172taskkill /IM BullGuarScanner.exe /T /FC:\Windows\system32\taskkill.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
2216taskkill /IM UserAccountControlSettings.exe /T /FC:\Windows\system32\taskkill.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
2220taskkill /IM BgScan.exe /T /FC:\Windows\system32\taskkill.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
2248taskkill /IM MSASCui.exe /T /FC:\Windows\system32\taskkill.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
2252taskkill /IM mbamservice.exe /T /FC:\Windows\system32\taskkill.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
2324taskkill /IM ClamTray.exe /T /FC:\Windows\system32\taskkill.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
Total events
8 011
Read events
7 752
Write events
259
Delete events
0

Modification events

(PID) Process:(2896) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2896) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2896) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:ntfsmgr
Value:
"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\ntfsmgr.jar"
(PID) Process:(3296) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\RJLpCjHzcl
Operation:writeName:
Value:
false - 2/19/2019
(PID) Process:(3296) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:RJLpCjHzcl
Value:
wscript.exe //B "C:\Users\admin\AppData\Roaming\RJLpCjHzcl.vbs"
(PID) Process:(3296) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:RJLpCjHzcl
Value:
wscript.exe //B "C:\Users\admin\AppData\Roaming\RJLpCjHzcl.vbs"
(PID) Process:(3296) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3296) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3296) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3296) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
Executable files
110
Suspicious files
10
Text files
81
Unknown types
15

Dropped files

PID
Process
Filename
Type
2668java.exeC:\Users\admin\AppData\Local\Temp\Retrive6189826551009875427.vbs
MD5:
SHA256:
3248javaw.exeC:\Users\admin\coepuxbomo.vbstext
MD5:
SHA256:
3248javaw.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:
SHA256:
2896wscript.exeC:\Users\admin\AppData\Roaming\RJLpCjHzcl.vbstext
MD5:
SHA256:
2984javaw.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:
SHA256:
3164javaw.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:
SHA256:
3296WScript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RJLpCjHzcl.vbstext
MD5:
SHA256:
4024cmd.exeC:\Users\admin\AppData\Local\Temp\output.txttext
MD5:
SHA256:
2668java.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:
SHA256:
2896wscript.exeC:\Users\admin\AppData\Roaming\ntfsmgr.jarjava
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
20
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3296
WScript.exe
178.239.21.25:3360
pm2bitcoin.com
Telekomunikacije Republike Srpske akcionarsko drustvo Banja Luka
BA
malicious
3864
javaw.exe
194.5.99.79:2888
FR
malicious

DNS requests

Domain
IP
Reputation
pm2bitcoin.com
  • 178.239.21.25
malicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
December 2018.jar