Field | Value
---|---
File name | 01_extracted.js
Full analysis | https://app.any.run/tasks/b0c2f7ad-5d95-40ab-aeea-2d28b3dab199
Verdict | Malicious activity
Threats | Adwind RAT (also known as Unrecom, Sockrat, Frutas, jRat and JSocket) is a Malware-as-a-Service Remote Access Trojan that attackers use to collect information from infected machines. It was one of the most popular RATs on the market in 2015.
Analysis date | April 23, 2019, 15:04:23
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MIME | text/plain
File info | ASCII text, with very long lines, with CRLF, LF line terminators
MD5 | 2FC1E3599E8D33A092DE0E3DE6CFF94D
SHA1 | 46DAA805DEB7C01797848B53145899BBAA8522EF
SHA256 | 49882AD3ED6764939D6BA21AED24A856BAEEC62CF464EF962B882B7F3AC3A62C
SSDEEP | 12288:Kuba1I7qpVAr5vHcT+J6hIDY8DvwpzIfi7NLy/nhPEHx+jYZz2N:l7earZ8aJ6Ngvw6q7Y/N
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3896 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\01_extracted.js" | C:\Windows\System32\WScript.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385
1528 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\haVWQSZpPZ.js" | C:\Windows\System32\WScript.exe | — | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Version: 5.8.7600.16385
2416 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\motsarzou.txt" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | WScript.exe | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Version: 8.0.920.14
2676 | "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\admin\AppData\Roaming\haVWQSZpPZ.js | C:\Windows\System32\schtasks.exe | — | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Manages scheduled tasks; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2844 | "C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar C:\Users\admin\AppData\Local\Temp\_0.91774062587660845381287482612000496.class | C:\Program Files\Java\jre1.8.0_92\bin\java.exe | — | javaw.exe | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Version: 8.0.920.14
756 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive3689012818716793384.vbs | C:\Windows\system32\cmd.exe | — | javaw.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
4008 | cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive3689012818716793384.vbs | C:\Windows\system32\cscript.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Console Based Script Host; Exit code: 0; Version: 5.8.7600.16385
2552 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive6928291892481832010.vbs | C:\Windows\system32\cmd.exe | — | java.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3840 | cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive6928291892481832010.vbs | C:\Windows\system32\cscript.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Console Based Script Host; Exit code: 0; Version: 5.8.7600.16385
1300 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive972697996981897005.vbs | C:\Windows\system32\cmd.exe | — | javaw.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2416 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | 8961975A3991590E270725F011C6B2A4 | F32C457E6F43D549F1780B03FD6C501DF3BD3AD97A4DC24FE7B6DD5AB3F80B54
2844 | java.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | 15F19FF82BB83B4EDB2FCDD97A2B556A | 6180B3E56210CD45BC6D83D5531EF13352E229621B61F14089BA71030FE144AC
644 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\COPYRIGHT | text | 89F660D2B7D58DA3EFD2FECD9832DA9C | F6A08C9CC04D7C6A86576C1EF50DD0A690AE5CB503EFD205EDB2E408BD8D557B
3896 | WScript.exe | C:\Users\admin\AppData\Roaming\haVWQSZpPZ.js | text | A300C1D84B98A750BBA94000423FFD1E | 34BC7EE0D21BB03F0484DDAA36BD78E81697A09BFFAE84F4128548A2785DA071
1528 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\haVWQSZpPZ.js | text | A300C1D84B98A750BBA94000423FFD1E | 34BC7EE0D21BB03F0484DDAA36BD78E81697A09BFFAE84F4128548A2785DA071
3896 | WScript.exe | C:\Users\admin\AppData\Roaming\motsarzou.txt | java | 391FB12FF60F4628C5D93BE224E9E836 | 9EAF0BB4FD5EB9860D3AFD3F1561A9294E9276CD108A87DF3DEA98BE288A2B50
644 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\LICENSE | text | 98F46AB6481D87C4D77E0E91A6DBC15F | 23F9A5C12FA839650595A32872B7360B9E030C7213580FB27DD9185538A5828C
644 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\Welcome.html | html | 27CF299B6D93FACA73FBCDCF4AECFD93 | 3F1F0EE75588DBBA3B143499D08AA9AB431E4A34E483890CFAC94A8E1061B7CF
2844 | java.exe | C:\Users\admin\AppData\Local\Temp\Retrive2470582717529241871.vbs | text | A32C109297ED1CA155598CD295C26611 | 45BFE34AA3EF932F75101246EB53D032F5E7CF6D1F5B4E495334955A255F32E7
2416 | javaw.exe | C:\Users\admin\AppData\Local\Temp\_0.91774062587660845381287482612000496.class | java | 781FB531354D6F291F1CCAB48DA6D39F | 97D585B6AFF62FB4E43E7E6A5F816DCD7A14BE11A88B109A9BA9E8CD4C456EB9
PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
— | — | 194.5.98.8:7755 | unknownsoft.duckdns.org | — | FR | malicious |
— | — | 185.101.94.172:5500 | graced.duckdns.org | Mike Kaldig | DE | malicious |
1528 | WScript.exe | 194.5.98.8:7755 | unknownsoft.duckdns.org | — | FR | malicious |
2416 | javaw.exe | 185.101.94.172:5500 | graced.duckdns.org | Mike Kaldig | DE | malicious |
Domain | IP | Reputation
---|---|---
unknownsoft.duckdns.org | — | malicious
graced.duckdns.org | — | malicious
PID | Process | Class | Message
---|---|---|---
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |