download: | shipping.label.jar |
Full analysis: | https://app.any.run/tasks/a06e0f48-d1ac-4322-9563-d102cb1770ef |
Verdict: | Malicious activity |
Threats: | Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015. |
Analysis date: | July 11, 2019, 14:29:09 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/java-archive |
File info: | Java archive data (JAR) |
MD5: | 2AFF4A2F9C042587F817463AD1FE9101 |
SHA1: | 467A4E9B74BE140F830F4D05B3E8C545ACCCDC09 |
SHA256: | 45689EC828B35B9AE006ACA9287B109AB3F0539F149F8A1D1760DDB5EC467BB2 |
SSDEEP: | 12288:77pK2tOKclh5ZhA74yZ3hc+YSF1keYYP9VogFsOZo/TRpo:Xw2MVDE4yZRcw7Md/9C |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | META-INF/MANIFEST.MF |
---|---|
ZipUncompressedSize: | 53 |
ZipCompressedSize: | 55 |
ZipCRC: | 0x8423b824 |
ZipModifyDate: | 2019:06:20 13:31:19 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0808 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3336 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\shipping.label.jar.zip" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | explorer.exe | |
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Exit code: 0 Version: 8.0.920.14 | ||||
3716 | "C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar C:\Users\admin\AppData\Local\Temp\_0.96298185949923173440951606721397874.class | C:\Program Files\Java\jre1.8.0_92\bin\java.exe | javaw.exe | |
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Version: 8.0.920.14 | ||||
3964 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive2155199795951945614.vbs | C:\Windows\system32\cmd.exe | — | java.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
4084 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive1537239535432474626.vbs | C:\Windows\system32\cmd.exe | — | javaw.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3120 | cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive2155199795951945614.vbs | C:\Windows\system32\cscript.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Console Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3096 | cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive1537239535432474626.vbs | C:\Windows\system32\cscript.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Console Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3800 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive6911198821018429426.vbs | C:\Windows\system32\cmd.exe | — | javaw.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3808 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive5085569119826637817.vbs | C:\Windows\system32\cmd.exe | — | java.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3060 | cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive6911198821018429426.vbs | C:\Windows\system32\cscript.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Console Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3240 | cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive5085569119826637817.vbs | C:\Windows\system32\cscript.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Console Based Script Host Exit code: 0 Version: 5.8.7600.16385 |
(PID) Process: | (3176) reg.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
Operation: | write | Name: | yVlLVVfiXgC |
Value: "C:\Users\admin\AppData\Roaming\Oracle\bin\javaw.exe" -jar "C:\Users\admin\ptFqBlthrXL\UxTGFXKCbws.igqvqh" | |||
(PID) Process: | (3296) javaw.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication |
Operation: | write | Name: | Name |
Value: javaw.exe |
PID | Process | Filename | Type | |
---|---|---|---|---|
3336 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | |
MD5:BF1E692D31FFD3E38BB514D34DB2DBBD | SHA256:D8BCDB67A873AE701C40B6F71AE8FA93FEA100F7C90A1251E34F5EC2A56B5F45 | |||
3336 | javaw.exe | C:\Users\admin\AppData\Local\Temp\Retrive6911198821018429426.vbs | text | |
MD5:A32C109297ED1CA155598CD295C26611 | SHA256:45BFE34AA3EF932F75101246EB53D032F5E7CF6D1F5B4E495334955A255F32E7 | |||
3716 | java.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | |
MD5:B5FF6D453E17B434F0AE58AF86B0E79C | SHA256:D54F64BFB848338F828C578506FA121AAABAE7069A6A23C49073536D5F705FCA | |||
3672 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\release | text | |
MD5:1BCCC3A965156E53BE3136B3D583B7B6 | SHA256:03A4DB27DEA69374EFBAF121C332D0AF05840D16D0C1FBF127D00E65054B118A | |||
3716 | java.exe | C:\Users\admin\AppData\Local\Temp\Retrive2155199795951945614.vbs | text | |
MD5:3BDFD33017806B85949B6FAA7D4B98E4 | SHA256:9DA575DD2D5B7C1E9BAB8B51A16CDE457B3371C6DCDB0537356CF1497FA868F6 | |||
3336 | javaw.exe | C:\Users\admin\AppData\Local\Temp\Retrive1537239535432474626.vbs | text | |
MD5:3BDFD33017806B85949B6FAA7D4B98E4 | SHA256:9DA575DD2D5B7C1E9BAB8B51A16CDE457B3371C6DCDB0537356CF1497FA868F6 | |||
3672 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\COPYRIGHT | text | |
MD5:89F660D2B7D58DA3EFD2FECD9832DA9C | SHA256:F6A08C9CC04D7C6A86576C1EF50DD0A690AE5CB503EFD205EDB2E408BD8D557B | |||
3336 | javaw.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\83aa4cc77f591dfc2374580bbd95f6ba_90059c37-1320-41a4-b58d-2b75a9850d2f | dbf | |
MD5:C8366AE350E7019AEFC9D1E6E6A498C6 | SHA256:11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238 | |||
3336 | javaw.exe | C:\Users\admin\AppData\Local\Temp\_0.96298185949923173440951606721397874.class | java | |
MD5:781FB531354D6F291F1CCAB48DA6D39F | SHA256:97D585B6AFF62FB4E43E7E6A5F816DCD7A14BE11A88B109A9BA9E8CD4C456EB9 | |||
3672 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txt | text | |
MD5:745D6DB5FC58C63F74CE6A7D4DB7E695 | SHA256:C77BA9F668FEE7E9B810F1493E518ADF87233AC8793E4B37C9B3D1ED7846F1C0 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3336 | javaw.exe | GET | 200 | 151.101.36.209:80 | http://central.maven.org/maven2/org/mozilla/rhino/1.7.7.2/rhino-1.7.7.2.jar | US | compressed | 1.18 Mb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3336 | javaw.exe | 151.101.36.209:80 | central.maven.org | Fastly | US | suspicious |
3296 | javaw.exe | 85.217.171.128:1010 | — | BelCloud Hosting Corporation | BG | malicious |
Domain | IP | Reputation |
---|---|---|
central.maven.org |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3336 | javaw.exe | A Network Trojan was detected | ET INFO JAVA - Java Archive Download |
3296 | javaw.exe | A Network Trojan was detected | ET TROJAN Possible Adwind SSL Cert (assylias.Inc) |
3296 | javaw.exe | A Network Trojan was detected | MALWARE [PTsecurity] Backdoor.Java.Adwind.cu |
3296 | javaw.exe | A Network Trojan was detected | MALWARE [PTsecurity] Backdoor.Java.Adwind.cu |