shipping.label.jar

Full analysis: https://app.any.run/tasks/a06e0f48-d1ac-4322-9563-d102cb1770ef
Verdict: Malicious activity
Threats:

Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a malware-as-a-service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs on the market in 2015.

Analysis date: July 11, 2019, 14:29:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adwind
trojan
Indicators:
MIME: application/java-archive
File info: Java archive data (JAR)
MD5:

2AFF4A2F9C042587F817463AD1FE9101

SHA1:

467A4E9B74BE140F830F4D05B3E8C545ACCCDC09

SHA256:

45689EC828B35B9AE006ACA9287B109AB3F0539F149F8A1D1760DDB5EC467BB2

SSDEEP:

12288:77pK2tOKclh5ZhA74yZ3hc+YSF1keYYP9VogFsOZo/TRpo:Xw2MVDE4yZRcw7Md/9C

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • AdWind was detected

      • java.exe (PID: 3716)
      • java.exe (PID: 3216)
    • Loads dropped or rewritten executable

      • explorer.exe (PID: 124)
      • javaw.exe (PID: 3336)
      • java.exe (PID: 3716)
      • javaw.exe (PID: 3296)
      • java.exe (PID: 3216)
    • Application was dropped or rewritten from another process

      • javaw.exe (PID: 3336)
      • java.exe (PID: 3716)
      • java.exe (PID: 3216)
      • javaw.exe (PID: 3296)
    • Changes the autorun value in the registry

      • reg.exe (PID: 3176)
    • ADWIND was detected

      • javaw.exe (PID: 3296)
  • SUSPICIOUS

    • Creates files in the user directory

      • javaw.exe (PID: 3336)
      • xcopy.exe (PID: 3672)
    • Starts CMD.EXE for commands execution

      • java.exe (PID: 3716)
      • javaw.exe (PID: 3336)
      • java.exe (PID: 3216)
      • javaw.exe (PID: 3296)
    • Executes JAVA applets

      • explorer.exe (PID: 124)
      • javaw.exe (PID: 3336)
    • Executes scripts

      • cmd.exe (PID: 4084)
      • cmd.exe (PID: 3964)
      • cmd.exe (PID: 3800)
      • cmd.exe (PID: 3808)
      • cmd.exe (PID: 3064)
      • cmd.exe (PID: 3384)
      • cmd.exe (PID: 2828)
      • cmd.exe (PID: 2132)
    • Uses REG.EXE to modify Windows registry

      • javaw.exe (PID: 3336)
    • Executable content was dropped or overwritten

      • xcopy.exe (PID: 3672)
      • javaw.exe (PID: 3296)
    • Uses ATTRIB.EXE to modify file attributes

      • javaw.exe (PID: 3336)
    • Starts itself from another location

      • javaw.exe (PID: 3336)
    • Uses WMIC.EXE to obtain system information

      • javaw.exe (PID: 3296)
  • INFO

    No info indicators.
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: META-INF/MANIFEST.MF
ZipUncompressedSize: 53
ZipCompressedSize: 55
ZipCRC: 0x8423b824
ZipModifyDate: 2019:06:20 13:31:19
ZipCompression: Deflated
ZipBitFlag: 0x0808
ZipRequiredVersion: 20
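The static indicators above (MIME type, MD5/SHA1/SHA256, and the MANIFEST.MF entry seen by the EXIF/ZIP parser) are what a triage script would pull from the archive before it is ever run. Note that the JVM was launched against shipping.label.jar.zip: java -jar does not care about the extension, only that the file is a ZIP with a manifest. The following Python is an added example, not ANY.RUN's code and not the sample; it builds a small constructed JAR in memory (entry names invented) so it runs offline, hashes it the way the report does, parses the manifest's Main-Class, and applies a naming heuristic that is an assumption, not something the report states:

```python
import hashlib
import io
import re
import zipfile


def build_sample_jar() -> bytes:
    """Constructed stand-in for a JAR, built in memory so the example runs offline.
    It is not the shipping.label.jar sample; entry names are invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: xYqZ.Main\r\n\r\n")
        zf.writestr("xYqZ/Main.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
        zf.writestr("a/b/c/1.92837464.dat", b"\x00" * 64)
    return buf.getvalue()


def parse_manifest(text: str) -> dict:
    """Parse the main section of META-INF/MANIFEST.MF (header-style lines;
    a line starting with a single space continues the previous value)."""
    attrs, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            break  # blank line ends the main section
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def triage_jar(data: bytes) -> dict:
    """Static triage of a JAR given its raw bytes: hashes, ZIP check,
    entry list, Main-Class from the manifest, and suspicious entry names."""
    result = {
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "is_zip": data.startswith(b"PK\x03\x04"),
        "main_class": None,
        "entries": [],
        "class_count": 0,
        "odd_names": [],
    }
    if not result["is_zip"]:
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            result["entries"].append(name)
            if name.endswith(".class"):
                result["class_count"] += 1
            stem = name.rsplit("/", 1)[-1]
            if not stem:
                continue  # directory entry
            base = stem.rsplit(".", 1)[0] if "." in stem else stem
            # Heuristic (assumption, not from the report): entries with no
            # extension or digits-only names are common in packed Java RATs.
            if "." not in stem or re.fullmatch(r"[\d._]+", base):
                result["odd_names"].append(name)
        if "META-INF/MANIFEST.MF" in zf.namelist():
            raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            result["main_class"] = parse_manifest(raw).get("Main-Class")
    return result


if __name__ == "__main__":
    report = triage_jar(build_sample_jar())
    for key in ("md5", "sha1", "sha256", "main_class", "class_count", "odd_names"):
        print(f"{key}: {report[key]}")
```

Run against a real archive by reading its bytes into triage_jar; the hashes it prints are directly comparable with the MD5/SHA1/SHA256 lines in the report, and Main-Class tells you which class the JVM will enter when the file is double-clicked.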
Total processes: 74
Monitored processes: 27
Malicious processes: 6
Suspicious processes: 0

Behavior graph

Process nodes as shown in the graph ("no specs" marks a process with no indicators attached; #ADWIND marks a process tagged as Adwind):

start, javaw.exe #ADWIND, java.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), cscript.exe (no specs), cscript.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), cscript.exe (no specs), cscript.exe (no specs), xcopy.exe (no specs), xcopy.exe, explorer.exe (no specs), reg.exe, attrib.exe (no specs), attrib.exe (no specs), javaw.exe #ADWIND, java.exe #ADWIND, cmd.exe (no specs), cmd.exe (no specs), cscript.exe (no specs), cscript.exe (no specs), cmd.exe (no specs), cscript.exe (no specs), cmd.exe (no specs), cscript.exe (no specs), wmic.exe (no specs)

Process information

PID: 3336
CMD: "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\shipping.label.jar.zip"
Path: C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
Parent process: explorer.exe
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Exit code: 0
Version: 8.0.920.14

PID: 3716
CMD: "C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar C:\Users\admin\AppData\Local\Temp\_0.96298185949923173440951606721397874.class
Path: C:\Program Files\Java\jre1.8.0_92\bin\java.exe
Parent process: javaw.exe
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Version: 8.0.920.14

PID: 3964
CMD: cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive2155199795951945614.vbs
Path: C:\Windows\system32\cmd.exe
Parent process: java.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 4084
CMD: cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive1537239535432474626.vbs
Path: C:\Windows\system32\cmd.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3120
CMD: cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive2155199795951945614.vbs
Path: C:\Windows\system32\cscript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Console Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID: 3096
CMD: cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive1537239535432474626.vbs
Path: C:\Windows\system32\cscript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Console Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID: 3800
CMD: cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive6911198821018429426.vbs
Path: C:\Windows\system32\cmd.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3808
CMD: cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive5085569119826637817.vbs
Path: C:\Windows\system32\cmd.exe
Parent process: java.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3060
CMD: cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive6911198821018429426.vbs
Path: C:\Windows\system32\cscript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Console Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID: 3240
CMD: cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive5085569119826637817.vbs
Path: C:\Windows\system32\cscript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Console Based Script Host
Exit code: 0
Version: 5.8.7600.16385
Total events: 290
Read events: 288
Write events: 2
Delete events: 0

Modification events

(PID) Process: (3176) reg.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: yVlLVVfiXgC
Value: "C:\Users\admin\AppData\Roaming\Oracle\bin\javaw.exe" -jar "C:\Users\admin\ptFqBlthrXL\UxTGFXKCbws.igqvqh"

(PID) Process: (3296) javaw.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation: write
Name: Name
Value: javaw.exe
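The process list and the Run key write above together make up the behaviour a host-based detection would key on: a JVM started with -jar on a file in the user's Temp directory, Java spawning cmd.exe /C cscript.exe on dropped Retrive*.vbs scripts, xcopy and reg.exe used to plant a private copy of the JRE under %APPDATA%\Oracle and to autostart it with a payload whose extension is not .jar. The following Python is an added example, not ANY.RUN's code or the sample's, that runs a few such rules over a constructed event list shaped like the report's rows. PIDs, command lines and the Run value are copied from the report where it shows them; the xcopy and wmic command lines, the wmic PID and the two benign rows are assumptions for illustration, and the ATT&CK IDs are the standard technique numbers, not a mapping the report publishes:

```python
import re

# Constructed event list in the shape of the report's process and registry rows.
# Values are copied from the report where it shows them; the xcopy and wmic
# command lines, the wmic PID and the two benign rows (2000, 2001) are assumed.
EVENTS = [
    {"type": "process", "pid": 3336, "parent": "explorer.exe",
     "image": r"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe",
     "cmdline": r'"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\shipping.label.jar.zip"'},
    {"type": "process", "pid": 3716, "parent": "javaw.exe",
     "image": r"C:\Program Files\Java\jre1.8.0_92\bin\java.exe",
     "cmdline": r'"C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar C:\Users\admin\AppData\Local\Temp\_0.96298185949923173440951606721397874.class'},
    {"type": "process", "pid": 4084, "parent": "javaw.exe",
     "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive1537239535432474626.vbs"},
    {"type": "process", "pid": 3672, "parent": "cmd.exe",  # command line assumed
     "image": r"C:\Windows\system32\xcopy.exe",
     "cmdline": r'xcopy.exe "C:\Program Files\Java\jre1.8.0_92" "C:\Users\admin\AppData\Roaming\Oracle" /E /I /Y'},
    {"type": "process", "pid": 9001, "parent": "javaw.exe",  # PID and arguments assumed
     "image": r"C:\Windows\system32\wbem\wmic.exe",
     "cmdline": "wmic.exe os get name,version"},
    {"type": "registry", "pid": 3176, "parent": "javaw.exe",
     "image": r"C:\Windows\system32\reg.exe",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "yVlLVVfiXgC",
     "data": r'"C:\Users\admin\AppData\Roaming\Oracle\bin\javaw.exe" -jar "C:\Users\admin\ptFqBlthrXL\UxTGFXKCbws.igqvqh"'},
    {"type": "process", "pid": 2000, "parent": "explorer.exe",  # benign, assumed
     "image": r"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe",
     "cmdline": r'"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Program Files\Tool\tool.jar"'},
    {"type": "registry", "pid": 2001, "parent": "explorer.exe",  # benign, assumed
     "image": r"C:\Windows\regedit.exe",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive",
     "data": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

JAVA = ("java.exe", "javaw.exe")
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\", re.IGNORECASE)
PROGRAM_FILES = re.compile(r'^"?[A-Z]:\\Program Files( \(x86\))?\\', re.IGNORECASE)


def basename(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def jar_argument(cmdline: str):
    """Return the path passed to -jar (quoted or bare), or None."""
    m = re.search(r'-jar\s+(?:"([^"]+)"|(\S+))', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def detect(events):
    """Return (pid, ATT&CK technique, description) for each rule that fires."""
    findings = []
    for e in events:
        img, parent = basename(e["image"]), e.get("parent", "").lower()
        if e["type"] == "process":
            cmd = e["cmdline"]
            jar = jar_argument(cmd)
            if img in JAVA and jar and USER_WRITABLE.search(jar):
                findings.append((e["pid"], "T1204.002", f"JVM runs -jar from a user-writable path: {jar}"))
            if img == "cmd.exe" and parent in JAVA and re.search(r"cscript(\.exe)?\s+\S+\.vbs", cmd, re.IGNORECASE):
                findings.append((e["pid"], "T1059.005", "Java spawned cmd.exe /C cscript.exe on a dropped .vbs"))
            if img == "wmic.exe" and parent in JAVA:
                findings.append((e["pid"], "T1047", "wmic.exe launched by a Java process"))
            if img == "xcopy.exe" and re.search(r"\\AppData\\Roaming\\Oracle", cmd, re.IGNORECASE):
                findings.append((e["pid"], "T1036", "JRE copied into %APPDATA%\\Oracle (Oracle-looking path outside Program Files)"))
        elif e["type"] == "registry" and e["key"].lower().endswith(r"\currentversion\run"):
            data = e["data"]
            if "javaw.exe" in data.lower() and not PROGRAM_FILES.match(data):
                findings.append((e["pid"], "T1547.001", f"Run value '{e['name']}' starts javaw.exe from outside Program Files: {data}"))
            jar = jar_argument(data)
            if jar and not jar.lower().endswith(".jar"):
                findings.append((e["pid"], "T1547.001", f"Run value '{e['name']}' passes a non-.jar payload to -jar: {jar}"))
    return findings


if __name__ == "__main__":
    for pid, technique, text in detect(EVENTS):
        print(f"PID {pid:<5} {technique:<10} {text}")
```

The two benign rows show the rules' false-positive boundary: a JVM started from Program Files with a .jar in Program Files, and an ordinary OneDrive Run value, produce no findings. In a real pipeline the same functions would be fed Sysmon event 1 (process creation) and event 13 (registry value set) records instead of the constructed list.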
Executable files: 110
Suspicious files: 11
Text files: 75
Unknown types: 15

Dropped files

PID: 3336
Process: javaw.exe
Filename: C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
Type: text
MD5: BF1E692D31FFD3E38BB514D34DB2DBBD
SHA256: D8BCDB67A873AE701C40B6F71AE8FA93FEA100F7C90A1251E34F5EC2A56B5F45

PID: 3336
Process: javaw.exe
Filename: C:\Users\admin\AppData\Local\Temp\Retrive6911198821018429426.vbs
Type: text
MD5: A32C109297ED1CA155598CD295C26611
SHA256: 45BFE34AA3EF932F75101246EB53D032F5E7CF6D1F5B4E495334955A255F32E7

PID: 3716
Process: java.exe
Filename: C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
Type: text
MD5: B5FF6D453E17B434F0AE58AF86B0E79C
SHA256: D54F64BFB848338F828C578506FA121AAABAE7069A6A23C49073536D5F705FCA

PID: 3672
Process: xcopy.exe
Filename: C:\Users\admin\AppData\Roaming\Oracle\release
Type: text
MD5: 1BCCC3A965156E53BE3136B3D583B7B6
SHA256: 03A4DB27DEA69374EFBAF121C332D0AF05840D16D0C1FBF127D00E65054B118A

PID: 3716
Process: java.exe
Filename: C:\Users\admin\AppData\Local\Temp\Retrive2155199795951945614.vbs
Type: text
MD5: 3BDFD33017806B85949B6FAA7D4B98E4
SHA256: 9DA575DD2D5B7C1E9BAB8B51A16CDE457B3371C6DCDB0537356CF1497FA868F6

PID: 3336
Process: javaw.exe
Filename: C:\Users\admin\AppData\Local\Temp\Retrive1537239535432474626.vbs
Type: text
MD5: 3BDFD33017806B85949B6FAA7D4B98E4
SHA256: 9DA575DD2D5B7C1E9BAB8B51A16CDE457B3371C6DCDB0537356CF1497FA868F6

PID: 3672
Process: xcopy.exe
Filename: C:\Users\admin\AppData\Roaming\Oracle\COPYRIGHT
Type: text
MD5: 89F660D2B7D58DA3EFD2FECD9832DA9C
SHA256: F6A08C9CC04D7C6A86576C1EF50DD0A690AE5CB503EFD205EDB2E408BD8D557B

PID: 3336
Process: javaw.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\83aa4cc77f591dfc2374580bbd95f6ba_90059c37-1320-41a4-b58d-2b75a9850d2f
Type: dbf
MD5: C8366AE350E7019AEFC9D1E6E6A498C6
SHA256: 11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238

PID: 3336
Process: javaw.exe
Filename: C:\Users\admin\AppData\Local\Temp\_0.96298185949923173440951606721397874.class
Type: java
MD5: 781FB531354D6F291F1CCAB48DA6D39F
SHA256: 97D585B6AFF62FB4E43E7E6A5F816DCD7A14BE11A88B109A9BA9E8CD4C456EB9

PID: 3672
Process: xcopy.exe
Filename: C:\Users\admin\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txt
Type: text
MD5: 745D6DB5FC58C63F74CE6A7D4DB7E695
SHA256: C77BA9F668FEE7E9B810F1493E518ADF87233AC8793E4B37C9B3D1ED7846F1C0
HTTP(S) requests: 1
TCP/UDP connections: 2
DNS requests: 1
Threats: 0

HTTP requests

PID: 3336
Process: javaw.exe
Method: GET
HTTP Code: 200
IP: 151.101.36.209:80
URL: http://central.maven.org/maven2/org/mozilla/rhino/1.7.7.2/rhino-1.7.7.2.jar
CN: US
Type: compressed
Size: 1.18 Mb
Reputation: whitelisted

Connections

PID: 3336
Process: javaw.exe
IP: 151.101.36.209:80
Domain: central.maven.org
ASN: Fastly
CN: US
Reputation: suspicious

PID: 3296
Process: javaw.exe
IP: 85.217.171.128:1010
Domain: (none listed)
ASN: BelCloud Hosting Corporation
CN: BG
Reputation: malicious

DNS requests

Domain: central.maven.org
IP: 151.101.36.209
Reputation: whitelisted

Threats

PID: 3336
Process: javaw.exe
Class: A Network Trojan was detected
Message: ET INFO JAVA - Java Archive Download

PID: 3296
Process: javaw.exe
Class: A Network Trojan was detected
Message: ET TROJAN Possible Adwind SSL Cert (assylias.Inc)

PID: 3296
Process: javaw.exe
Class: A Network Trojan was detected
Message: MALWARE [PTsecurity] Backdoor.Java.Adwind.cu

PID: 3296
Process: javaw.exe
Class: A Network Trojan was detected
Message: MALWARE [PTsecurity] Backdoor.Java.Adwind.cu
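The network tables tell the story in two halves: the first javaw.exe (3336) resolves central.maven.org and fetches a legitimate Rhino JAR over HTTP, while the second javaw.exe (3296) connects to 85.217.171.128:1010 with no DNS request preceding it, which is where the Adwind certificate and backdoor alerts fire. The following Python is an added example, not ANY.RUN's code, that correlates the report's DNS answers, connections and IDS alerts (constructed here as inline records; the svchost.exe row is an assumed benign internal connection added for contrast, and the expected-port set is an assumption) to pull out the connection that deserves blocking:

```python
import ipaddress

# Constructed from the report's DNS, Connections and Threats tables; the
# svchost.exe row is an assumed benign internal connection added for contrast.
DNS_ANSWERS = [{"domain": "central.maven.org", "ips": ["151.101.36.209"]}]
CONNECTIONS = [
    {"pid": 3336, "process": "javaw.exe", "ip": "151.101.36.209", "port": 80},
    {"pid": 3296, "process": "javaw.exe", "ip": "85.217.171.128", "port": 1010},
    {"pid": 4444, "process": "svchost.exe", "ip": "10.0.0.5", "port": 445},
]
IDS_ALERTS = [
    {"pid": 3336, "message": "ET INFO JAVA - Java Archive Download"},
    {"pid": 3296, "message": "ET TROJAN Possible Adwind SSL Cert (assylias.Inc)"},
    {"pid": 3296, "message": "MALWARE [PTsecurity] Backdoor.Java.Adwind.cu"},
    {"pid": 3296, "message": "MALWARE [PTsecurity] Backdoor.Java.Adwind.cu"},
]
# Assumption: the ports a JVM talking to a package repository or web service normally uses.
EXPECTED_PORTS = {80, 443}


def resolved_ips(dns_answers):
    """Every IP that some DNS answer in the capture returned."""
    return {ip for rec in dns_answers for ip in rec["ips"]}


def flag_connections(connections, dns_answers, alerts):
    """Flag outbound connections to public IPs that no DNS answer explains or
    that use an unexpected port, and attach the IDS alerts raised for that PID."""
    known = resolved_ips(dns_answers)
    flagged = []
    for c in connections:
        addr = ipaddress.ip_address(c["ip"])
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            continue  # internal traffic is out of scope for this rule
        reasons = []
        if c["ip"] not in known:
            reasons.append("no DNS answer for this IP (likely hard-coded address)")
        if c["port"] not in EXPECTED_PORTS:
            reasons.append(f"unexpected port {c['port']}")
        if not reasons:
            continue
        msgs = sorted({a["message"] for a in alerts if a["pid"] == c["pid"]})
        flagged.append({"pid": c["pid"], "process": c["process"],
                        "dst": f"{c['ip']}:{c['port']}", "reasons": reasons, "alerts": msgs})
    return flagged


def iocs(flagged):
    """Network IOCs (ip:port) to block or hunt for, derived from flagged connections."""
    return sorted({f["dst"] for f in flagged})


if __name__ == "__main__":
    hits = flag_connections(CONNECTIONS, DNS_ANSWERS, IDS_ALERTS)
    for h in hits:
        print(f"PID {h['pid']} {h['process']} -> {h['dst']}: {'; '.join(h['reasons'])}")
        for msg in h["alerts"]:
            print(f"    alert: {msg}")
    print("IOCs:", iocs(hits))
```

The whitelisted Maven download is deliberately not flagged: it was resolved by name and uses port 80, and blocking it would only break the RAT's dependency fetch, not the C2 channel. The "no DNS answer" check is the one that survives a change of port on the attacker's side.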