| Field | Value |
|---|---|
| File name | a.jar |
| Full analysis | https://app.any.run/tasks/2cb29a8b-2aea-4b71-9aa0-3c80d06a8cd0 |
| Verdict | Malicious activity |
| Threats | Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware-as-a-Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs on the market in 2015. |
| Analysis date | February 19, 2019, 10:40:07 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/zip |
| File info | Zip archive data, at least v2.0 to extract |
| MD5 | 5B87BD2DFDEB6A6C2B51DE962AC2945D |
| SHA1 | D48B69D2F8E7AD728CCECBDBC7315FB6DFC6B082 |
| SHA256 | 2C6A6E6B7B1B6941399D3FC3B8ECFBAEA31850D4E1133166F84DC9874CB4079F |
| SSDEEP | 12288:HYqnXmgGJt18ph3+hTtHY/zOqN2Jmw7C+kyuc7stFkATtwlZwI5AH9Zb:4IJGJt18ph+vHYH+H7Hkyu4stFdylZwx |
| Extension | Identified type |
|---|---|
| .zip | ZIP compressed archive (100) |

| ZIP header field | Value |
|---|---|
| ZipRequiredVersion | 20 |
| ZipBitFlag | - |
| ZipCompression | Deflated |
| ZipModifyDate | 2019:02:17 23:55:16 |
| ZipCRC | 0x0dd4ade0 |
| ZipCompressedSize | 657322 |
| ZipUncompressedSize | 989480 |
| ZipFileName | lkeiwpjwsk/resources/nxxcfqxixh |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 3496 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\a.jar" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | explorer.exe | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Exit code: 0; Version: 8.0.920.14 |
| 3448 | wscript C:\Users\admin\jpyyggvpwh.js | C:\Windows\system32\wscript.exe | | javaw.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |
| 3916 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\RvjhpEuAWq.js" | C:\Windows\System32\WScript.exe | | wscript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Version: 5.8.7600.16385 |
| 2124 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\cwaujcdziq.txt" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | wscript.exe | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Exit code: 0; Version: 8.0.920.14 |
| 3708 | "C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar C:\Users\admin\AppData\Local\Temp\_0.58924269459507471786012846004111217.class | C:\Program Files\Java\jre1.8.0_92\bin\java.exe | — | javaw.exe | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Version: 8.0.920.14 |
| 2408 | "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\admin\AppData\Roaming\RvjhpEuAWq.js | C:\Windows\System32\schtasks.exe | — | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Manages scheduled tasks; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2236 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive5769781369438068702.vbs | C:\Windows\system32\cmd.exe | — | javaw.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2752 | cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive5769781369438068702.vbs | C:\Windows\system32\cscript.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Console Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |
| 3956 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive5105303207271362277.vbs | C:\Windows\system32\cmd.exe | — | java.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2920 | cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive5105303207271362277.vbs | C:\Windows\system32\cscript.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Console Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3496 | javaw.exe | C:\Users\admin\jpyyggvpwh.js | text | 27F0354BFC7AA1357DD94662D9D36EC3 | 1C827A0E2FACDC41C00B936DFC74594619FF5C63034E8F74E0C35926217A7653 |
| 2124 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | F243178163D6A77E84317A36585485DF | 812D1F7EB84074E92286F9070EB5F0DD8CC9DC3AAAE0230F439EB1E9BFA51C43 |
| 3496 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | 2AB4B0E7FA14DFC8AD11FA18769EE7F9 | C8FA8B88A4947A83211AF4AA0F0E46A73728B7CBC721AA4265067D5730401EDD |
| 3916 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RvjhpEuAWq.js | text | D914C9D661A58458C950EDE3F05F2FED | D50906EFE47D0ACE11944C05E575B4FAC3E96FA1F6CAECFC626F31D7A8581825 |
| 3448 | wscript.exe | C:\Users\admin\AppData\Roaming\cwaujcdziq.txt | java | FE6EBC49F2AD0BEE0BD4E6C47548F8F5 | 47BAFC2314A970C9184799671B59119F530DDEFFD83D4B4DC1292AC9B316EFFF |
| 3448 | wscript.exe | C:\Users\admin\AppData\Roaming\RvjhpEuAWq.js | text | D914C9D661A58458C950EDE3F05F2FED | D50906EFE47D0ACE11944C05E575B4FAC3E96FA1F6CAECFC626F31D7A8581825 |
| 3708 | java.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | 6F3B00BD8E34C2370E19457A7656B9F6 | 7E164DA61997A91D646094E49CCF4308B9FC69F91473CFF928DBB10394732659 |
| 2892 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\release | text | 1BCCC3A965156E53BE3136B3D583B7B6 | 03A4DB27DEA69374EFBAF121C332D0AF05840D16D0C1FBF127D00E65054B118A |
| 2124 | javaw.exe | C:\Users\admin\AppData\Local\Temp\Retrive5769781369438068702.vbs | text | 3BDFD33017806B85949B6FAA7D4B98E4 | 9DA575DD2D5B7C1E9BAB8B51A16CDE457B3371C6DCDB0537356CF1497FA868F6 |
| 3708 | java.exe | C:\Users\admin\AppData\Local\Temp\Retrive5435077321860944890.vbs | text | A32C109297ED1CA155598CD295C26611 | 45BFE34AA3EF932F75101246EB53D032F5E7CF6D1F5B4E495334955A255F32E7 |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 3916 | WScript.exe | 41.217.29.235:7755 | unknownsoft.hopto.org | Spectranet | NG | unknown |
| 2612 | javaw.exe | 95.213.251.165:7031 | — | OOO Network of data-centers Selectel | RU | malicious |
| Domain | IP | Reputation |
|---|---|---|
| unknownsoft.hopto.org | | malicious |