Field | Value |
---|---|
File name | ORDER-CONFIRMATION-1X20ft.rar |
Full analysis | https://app.any.run/tasks/bf362679-e3de-4d0d-9d58-1f580a28e0f5 |
Verdict | Malicious activity |
Threats | Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015. |
Analysis date | April 23, 2019, 13:36:36 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/x-rar |
File info | RAR archive data, v5 |
MD5 | 6167787A58C6EF5B9830C76BE2D64788 |
SHA1 | 1C83E6EBCAF8121830DFD952D4A21F5A67813C57 |
SHA256 | 482A7AFC18199E76DBFF9132CFE5DFA13C256BE34E41696DBE11473E31D0E624 |
SSDEEP | 12288:3uSnTTdBOMAipYHho5umXg0fn7iE8aYULPX2a1Gdl4tvoc+hXZtVX99c:39T+MANHho5umQ0fuE3xPX2aEdCr+hy |

Extension | Detected type |
---|---|
.rar | RAR compressed archive (v5.0) (61.5) |
.rar | RAR compressed archive (gen) (38.4) |

PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3872 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\ORDER-CONFIRMATION-1X20ft.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 |
3156 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\Desktop\ORDER CONFIRMATION- 1X20ft.jar" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | explorer.exe | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Exit code: 0; Version: 8.0.920.14 |
1892 | wscript C:\Users\admin\ahofotehjw.js | C:\Windows\system32\wscript.exe | — | javaw.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |
2472 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\dKQJdKjHMk.js" | C:\Windows\System32\WScript.exe | — | wscript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Version: 5.8.7600.16385 |
3516 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\konbsy.txt" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | wscript.exe | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Exit code: 0; Version: 8.0.920.14 |
2112 | "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\admin\AppData\Roaming\dKQJdKjHMk.js | C:\Windows\System32\schtasks.exe | — | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Manages scheduled tasks; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
2052 | "C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar C:\Users\admin\AppData\Local\Temp\_0.224198876398740371810585005861539204.class | C:\Program Files\Java\jre1.8.0_92\bin\java.exe | — | javaw.exe | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Version: 8.0.920.14 |
3396 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive5093075799495635883.vbs | C:\Windows\system32\cmd.exe | — | javaw.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
4076 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive4033588148741098404.vbs | C:\Windows\system32\cmd.exe | — | java.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
1820 | cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive5093075799495635883.vbs | C:\Windows\system32\cscript.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Console Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |

PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3872 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3872.12360\ORDER CONFIRMATION- 1X20ft.jar | compressed | 8C4CAF4DE8D855C0E693D57218276D65 | 18D7A908B4A312C3997A211DC99538F84D7864C82744FB4065D7E8291239FC23 |
3156 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | 151A92E5268E9FAC5538746F00DC1F31 | EEE555529CF21B1ABB490643FEA013810DF65902045F3BF587BB0B822FC94EFB |
2052 | java.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | A11B6B4087B852252530E2A3BC68795A | 8B720FA10D792BE1155E1CB42D00FEDB023ECCAAB8678AD9C7AF1E31BF171E42 |
2044 | explorer.exe | C:\Users\admin\Desktop\ORDER CONFIRMATION- 1X20ft.jar | compressed | 8C4CAF4DE8D855C0E693D57218276D65 | 18D7A908B4A312C3997A211DC99538F84D7864C82744FB4065D7E8291239FC23 |
3516 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | 4E5E01CE8A26F4C21C935179BA886EB3 | 8076483AAE30465F15EEE2598D3452AF0B64502879711E7A5BCBB99BF041DBA1 |
1892 | wscript.exe | C:\Users\admin\AppData\Roaming\dKQJdKjHMk.js | text | DD2EF71B0927A110A556AB75680F2086 | 1F5E9E6B4B6D52E3946E7213228AFE22E9C9B0B7701EC03B86488CD239A4D5F1 |
2472 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dKQJdKjHMk.js | text | DD2EF71B0927A110A556AB75680F2086 | 1F5E9E6B4B6D52E3946E7213228AFE22E9C9B0B7701EC03B86488CD239A4D5F1 |
3156 | javaw.exe | C:\Users\admin\ahofotehjw.js | text | 77F8E236E3217711D4AA5BA46C48BB57 | 4C1A5C70D8453E8CA3EB2013DE990AF1AC72DAE2B84C7464FBB063B5B4C71D42 |
1892 | wscript.exe | C:\Users\admin\AppData\Roaming\konbsy.txt | java | 2E9F11535E5204871181A7D4585E831E | 4A1DF941F6C6AAF5B99844066B9AE23C47FCFEC996F5142CE44C2CC26B50F24B |
2832 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\release | text | 1BCCC3A965156E53BE3136B3D583B7B6 | 03A4DB27DEA69374EFBAF121C332D0AF05840D16D0C1FBF127D00E65054B118A |

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2472 | WScript.exe | 194.5.98.8:7755 | unknownsoft.duckdns.org | — | FR | malicious |
1040 | javaw.exe | 91.192.100.30:6496 | emacomplex.duckdns.org | SOFTplus Entwicklungen GmbH | CH | malicious |

Domain | IP | Reputation |
---|---|---|
unknownsoft.duckdns.org | | malicious |
emacomplex.duckdns.org | | malicious |

PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |