| Field | Value |
|---|---|
| Download | Invoice2230.zip |
| Full analysis | https://app.any.run/tasks/bad75944-2aad-42a0-bcfb-6fbd6bd274ac |
| Verdict | Malicious activity |
| Threats | Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware-as-a-Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs on the market in 2015. |
| Analysis date | August 13, 2019, 15:36:38 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/zip |
| File info | Zip archive data, at least v2.0 to extract |
| MD5 | 825D349347D39EA3D83013CF9EF2D2FB |
| SHA1 | D5A2DC80098F5805F4B7E6D7FCD158234ACDAEE2 |
| SHA256 | 2ECBA2D985DF9C35ED87326E8944132964DC791012BE367248A6F922639FB574 |
| SSDEEP | 12288:jWieAYnyp3c994L3wCNc9L5BkXOX/uNsIhwPbdClzhUhoUt+i:jpqno3Qy3wCuBk+vMfhubslehX5 |

| Field | Value |
|---|---|
| File type | .zip, ZIP compressed archive (100) |
| ZipFileName | Invoice 1180.js |
| ZipUncompressedSize | 1028101 |
| ZipCompressedSize | 670035 |
| ZipCRC | 0xea0befd4 |
| ZipModifyDate | 2019:08:09 02:50:13 |
| ZipCompression | Deflated |
| ZipBitFlag | - |
| ZipRequiredVersion | 20 |

| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2160 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Invoice2230.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
| 1244 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2160.12546\Invoice 1180.js" | C:\Windows\System32\WScript.exe | — | WinRAR.exe |
| 4068 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\ttmPnejtED.js" | C:\Windows\System32\WScript.exe | | WScript.exe |
| 3268 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\gblxsjccg.txt" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | WScript.exe |
| 2504 | "C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar C:\Users\admin\AppData\Local\Temp\_0.73298240719649498688781574956772989.class | C:\Program Files\Java\jre1.8.0_92\bin\java.exe | | javaw.exe |
| 2488 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive8781430371351909717.vbs | C:\Windows\system32\cmd.exe | — | javaw.exe |
| 2588 | cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive8781430371351909717.vbs | C:\Windows\system32\cscript.exe | — | cmd.exe |
| 3724 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive6976597835969152408.vbs | C:\Windows\system32\cmd.exe | — | java.exe |
| 3288 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive9059885213087008245.vbs | C:\Windows\system32\cmd.exe | — | javaw.exe |
| 2816 | cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive6976597835969152408.vbs | C:\Windows\system32\cscript.exe | — | cmd.exe |

| PID | Process | User | Company | Integrity level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|
| 2160 | WinRAR.exe | admin | Alexander Roshal | MEDIUM | WinRAR archiver | | 5.60.0 |
| 1244 | WScript.exe | admin | Microsoft Corporation | MEDIUM | Microsoft ® Windows Based Script Host | 0 | 5.8.7600.16385 |
| 4068 | WScript.exe | admin | Microsoft Corporation | MEDIUM | Microsoft ® Windows Based Script Host | | 5.8.7600.16385 |
| 3268 | javaw.exe | admin | Oracle Corporation | MEDIUM | Java(TM) Platform SE binary | 0 | 8.0.920.14 |
| 2504 | java.exe | admin | Oracle Corporation | MEDIUM | Java(TM) Platform SE binary | | 8.0.920.14 |
| 2488 | cmd.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2588 | cscript.exe | admin | Microsoft Corporation | MEDIUM | Microsoft ® Console Based Script Host | 0 | 5.8.7600.16385 |
| 3724 | cmd.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 3288 | cmd.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2816 | cscript.exe | admin | Microsoft Corporation | MEDIUM | Microsoft ® Console Based Script Host | 0 | 5.8.7600.16385 |

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 1244 | WScript.exe | C:\Users\admin\AppData\Roaming\gblxsjccg.txt | java | 0DBB14BC09E5167CA689F251716CEF2E | C846DDCA6E78133FB55D936DF30155121896490A90D4F8016511D79061822D9C |
| 2160 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2160.12546\Invoice 1180.js | text | FCCAA8C23A950FA6C31AB36314722F48 | E87DF51C654F822071EF034DFA4ECFB83268E7F502B876F17D710FF83402694C |
| 3268 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | A43FCA7F0206468147EEF25655C46517 | 500B440185B3ABC23B5BB1F9B1221A9ABAA424D50EADBE13591CC9FF21206274 |
| 4068 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ttmPnejtED.js | text | 144B919DFB66EF43A7FC013151EE9D12 | D5378C6995A5452FE355A14F3D31A71981C0F140D7E8B0576C8A1607DA5D0284 |
| 1244 | WScript.exe | C:\Users\admin\AppData\Roaming\ttmPnejtED.js | text | 144B919DFB66EF43A7FC013151EE9D12 | D5378C6995A5452FE355A14F3D31A71981C0F140D7E8B0576C8A1607DA5D0284 |
| 2504 | java.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | 11CCBEF3C026ED8C7DA6E3704244A4B3 | 2D9CA683D3AE53A28ABE9041F3DFDA669F3525E13FE470CC72CF7C034223652D |
| 4028 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\COPYRIGHT | text | 89F660D2B7D58DA3EFD2FECD9832DA9C | F6A08C9CC04D7C6A86576C1EF50DD0A690AE5CB503EFD205EDB2E408BD8D557B |
| 3268 | javaw.exe | C:\Users\admin\AppData\Local\Temp\_0.73298240719649498688781574956772989.class | java | 781FB531354D6F291F1CCAB48DA6D39F | 97D585B6AFF62FB4E43E7E6A5F816DCD7A14BE11A88B109A9BA9E8CD4C456EB9 |
| 3268 | javaw.exe | C:\Users\admin\AppData\Local\Temp\Retrive9059885213087008245.vbs | text | A32C109297ED1CA155598CD295C26611 | 45BFE34AA3EF932F75101246EB53D032F5E7CF6D1F5B4E495334955A255F32E7 |
| 4028 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\README.txt | text | 0F1123976B959AC5E8B89EB8C245C4BD | 963095CF8DB76FB8071FD19A3110718A42F2AB42B27A3ADFD9EC58981C3E88D2 |

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 4068 | WScript.exe | POST | — | 67.207.93.17:7744 | http://pluginsrv.duckdns.org:7744/is-ready | US | — | — | malicious |
| 4068 | WScript.exe | POST | — | 67.207.93.17:7744 | http://pluginsrv.duckdns.org:7744/is-ready | US | — | — | malicious |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4068 | WScript.exe | 67.207.93.17:7744 | pluginsrv.duckdns.org | Digital Ocean, Inc. | US | malicious |
| 2572 | javaw.exe | 37.48.92.195:1350 | — | LeaseWeb Netherlands B.V. | NL | malicious |

| Domain | IP | Reputation |
|---|---|---|
| pluginsrv.duckdns.org | | malicious |

PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
2572 | javaw.exe | A Network Trojan was detected | AV TROJAN Malicious SSL certificate detected (Adwind Fake Oracle Cert) |
2572 | javaw.exe | A Network Trojan was detected | AV TROJAN Malicious SSL certificate detected (Adwind Fake Oracle Cert) |
2572 | javaw.exe | A Network Trojan was detected | MALWARE [PTsecurity] Backdoor.Java.Adwind.cu |
4068 | WScript.exe | A Network Trojan was detected | ET TROJAN WSHRAT CnC Checkin |
4068 | WScript.exe | A Network Trojan was detected | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1 |
4068 | WScript.exe | A Network Trojan was detected | MALWARE [PTsecurity] KJw0rm/Dunihi.VBS.Worm |
4068 | WScript.exe | A Network Trojan was detected | ET TROJAN WSHRAT CnC Checkin |
4068 | WScript.exe | A Network Trojan was detected | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1 |
4068 | WScript.exe | A Network Trojan was detected | MALWARE [PTsecurity] KJw0rm/Dunihi.VBS.Worm |