analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

remittance.jar

Full analysis: https://app.any.run/tasks/3980f6da-1f0d-4a64-86fa-f036f2a60f77
Verdict: Malicious activity
Threats:

Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.

Malware Trends Tracker     >>>
Analysis date: October 14, 2019, 10:07:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adwind
trojan
Indicators:
MIME: application/java-archive
File info: Java archive data (JAR)
MD5:

A908C7A72CE7F998456015242E2B7094

SHA1:

E8C67B8EC3CDCB8696678FEB53445CC1409DA03E

SHA256:

4A8B86392285F36C182819207C4AE55F5403638B20F5478A1A6EEDAD2CC73EA2

SSDEEP:

12288:2a64A7JzeHrXktywL4D1EvEUp7tC/UWyMil9fxwOWk/faV8Gnam+l:2aJegUtyOY1HucMWgf9/faWzm+l

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • AdWind was detected

      • java.exe (PID: 2456)

    • Loads dropped or rewritten executable

      • java.exe (PID: 2456)
      • explorer.exe (PID: 352)
      • javaw.exe (PID: 992)

    • Application was dropped or rewritten from another process

      • javaw.exe (PID: 992)
      • java.exe (PID: 2456)

  • SUSPICIOUS

    • Executes JAVA applets

      • explorer.exe (PID: 352)
      • javaw.exe (PID: 992)

    • Creates files in the user directory

      • javaw.exe (PID: 992)
      • xcopy.exe (PID: 928)

    • Starts CMD.EXE for commands execution

      • java.exe (PID: 2456)
      • javaw.exe (PID: 992)

    • Executes scripts

      • cmd.exe (PID: 3092)
      • cmd.exe (PID: 2088)
      • cmd.exe (PID: 1560)
      • cmd.exe (PID: 1952)

    • Executable content was dropped or overwritten

      • xcopy.exe (PID: 928)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0808
ZipCompression: Deflated
ZipModifyDate: 2019:10:13 18:28:09
ZipCRC: 0x7ab21bb0
ZipCompressedSize: 77
ZipUncompressedSize: 79
ZipFileName: META-INF/MANIFEST.MF
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
52
Monitored processes
13
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start javaw.exe no specs #ADWIND java.exe cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs xcopy.exe xcopy.exe no specs explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
992"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\remittance.jar"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exeexplorer.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Version:
8.0.920.14
2456"C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar C:\Users\admin\AppData\Local\Temp\_0.15786537428637148862792846910763893.classC:\Program Files\Java\jre1.8.0_92\bin\java.exe
javaw.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Version:
8.0.920.14
3092cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive7172412022984758350.vbsC:\Windows\system32\cmd.exejava.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
4000cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive7172412022984758350.vbsC:\Windows\system32\cscript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
1560cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive3140285509300336721.vbsC:\Windows\system32\cmd.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2716cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive3140285509300336721.vbsC:\Windows\system32\cscript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2088cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive5130246921841400916.vbsC:\Windows\system32\cmd.exejava.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3472cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive5130246921841400916.vbsC:\Windows\system32\cscript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
1952cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive8894730060264252027.vbsC:\Windows\system32\cmd.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2584cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive8894730060264252027.vbsC:\Windows\system32\cscript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Total events
153
Read events
149
Write events
4
Delete events
0

Modification events

(PID) Process:(352) explorer.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
Executable files
107
Suspicious files
10
Text files
69
Unknown types
15

Dropped files

PID
Process
Filename
Type
992javaw.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:5717B6ABB141AA08E54CF007B0C14836
SHA256:CF7CDD01A9E2817972905D80A8E135DD269A5CD3194EE176BA8431D347C83475
2456java.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:548323B555033EF05E8BF92B86463A13
SHA256:0320203D8E327BD8F4097A77198F3E1B68E759538666AF33B84169254C929EC2
928xcopy.exeC:\Users\admin\AppData\Roaming\Oracle\Welcome.htmlhtml
MD5:27CF299B6D93FACA73FBCDCF4AECFD93
SHA256:3F1F0EE75588DBBA3B143499D08AA9AB431E4A34E483890CFAC94A8E1061B7CF
928xcopy.exeC:\Users\admin\AppData\Roaming\Oracle\COPYRIGHTtext
MD5:89F660D2B7D58DA3EFD2FECD9832DA9C
SHA256:F6A08C9CC04D7C6A86576C1EF50DD0A690AE5CB503EFD205EDB2E408BD8D557B
928xcopy.exeC:\Users\admin\AppData\Roaming\Oracle\LICENSEtext
MD5:98F46AB6481D87C4D77E0E91A6DBC15F
SHA256:23F9A5C12FA839650595A32872B7360B9E030C7213580FB27DD9185538A5828C
992javaw.exeC:\Users\admin\AppData\Local\Temp\Retrive3140285509300336721.vbstext
MD5:3BDFD33017806B85949B6FAA7D4B98E4
SHA256:9DA575DD2D5B7C1E9BAB8B51A16CDE457B3371C6DCDB0537356CF1497FA868F6
992javaw.exeC:\Users\admin\AppData\Local\Temp\_0.15786537428637148862792846910763893.classjava
MD5:781FB531354D6F291F1CCAB48DA6D39F
SHA256:97D585B6AFF62FB4E43E7E6A5F816DCD7A14BE11A88B109A9BA9E8CD4C456EB9
928xcopy.exeC:\Users\admin\AppData\Roaming\Oracle\bin\bci.dllexecutable
MD5:6D8D8A26450EE4BA0BE405629EA0A511
SHA256:7945365A3CD40D043DAE47849E6645675166920958300E64DEA76A865BC479AF
2456java.exeC:\Users\admin\AppData\Local\Temp\Retrive7172412022984758350.vbstext
MD5:3BDFD33017806B85949B6FAA7D4B98E4
SHA256:9DA575DD2D5B7C1E9BAB8B51A16CDE457B3371C6DCDB0537356CF1497FA868F6
928xcopy.exeC:\Users\admin\AppData\Roaming\Oracle\bin\decora_sse.dllexecutable
MD5:94434B8739CB5CD184C63CEC209F06E2
SHA256:ADF4E9CE0866FF16A16F626CFC62355FB81212B1E7C95DD908E3644F88B77E91
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
remittance.jar