File name:	client.jar
Full analysis:	https://app.any.run/tasks/063c777b-f72c-48c2-9c2e-29dab1ae0dc0
Verdict:	Malicious activity
Threats:	Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015. A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	November 29, 2024, 22:02:42
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	adwind java stealer rat remote backdoor
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	D091E0C194AA72DA2A697D269F67EBA1
SHA1:	615843C2DF96A019CC2C495DD219A050CC4BFA06
SHA256:	53A690981032AF4FC1BA3162EBBAC61EB03FBD14392A5BC9FD7781ECA1F8DE9B
SSDEEP:	24576:/YjCH4q8AVpNhdqFlH5KEOpoMe/vCMyvKSwHKx3CjEewl7+2RlU:/YjCH4q8AVpNhdaH5KBpoMSvCMyvKSwB

ZipRequiredVersion:	20
ZipBitFlag:	0x0808
ZipCompression:	Deflated
ZipModifyDate:	2024:11:29 22:49:42
ZipCRC:	0x5a7c0dba
ZipCompressedSize:	1751
ZipUncompressedSize:	4422
ZipFileName:	IIllIlIlI/lIlIIIlIl/IIllII/IlllIIlI/llIllIlllllllIIIIlI.class


(PID) Process:	(2212) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe
Value: 0
(PID) Process:	(2332) reg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	delete value	Name:	Home
Value:

PID	Process	Filename		Type
2212	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin		—
		MD5:—	SHA256:—
4320	javaw.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account.db		sqlite
		MD5:A45465CDCDC6CB30C8906F3DA4EC114C	SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
4320	javaw.exe	C:\Users\admin\AppData\Local\Temp\imageio8656205670201255848.tmp		image
		MD5:060F557100559AC8251D9A4430C53031	SHA256:6F3608CE89DF7DF417A805E289E69E7D4026A0FA247387D3753E7858BDD99E76
4320	javaw.exe	C:\Users\admin\.plugins\.libraries\jna70		compressed
		MD5:B22EF746FD14C702E5BD29B466C6312B	SHA256:121F7A1D3AA9F538FD4710FD3A2175A7F062E1260D3E2DF83752512A28F290D6
4320	javaw.exe	C:\Users\admin\AppData\Local\Temp\tmpus7439296857933654159upl		compressed
		MD5:B22EF746FD14C702E5BD29B466C6312B	SHA256:121F7A1D3AA9F538FD4710FD3A2175A7F062E1260D3E2DF83752512A28F290D6
4320	javaw.exe	C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\83aa4cc77f591dfc2374580bbd95f6ba_bb926e54-e3ca-40fd-ae90-2764341e7792		binary
		MD5:C8366AE350E7019AEFC9D1E6E6A498C6	SHA256:11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
4320	javaw.exe	C:\Users\admin\AppData\Local\Temp\sqlite-unknown-cb8b0d06-bb84-40cf-8c8c-e7abdb242193-sqlitejdbc.dll		executable
		MD5:98EAC6AD76D39E73967252542F6F40E4	SHA256:51CC105F172859E6866F3CAD5C99188663BE503CD4BB618C946B0C83FAABF0B8
4320	javaw.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Login Data.db		binary
		MD5:A45465CDCDC6CB30C8906F3DA4EC114C	SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
4320	javaw.exe	C:\Users\admin\AppData\Local\Temp\tmpus1336807705342512050upl		compressed
		MD5:137A448313D5B6D19279833D841B3590	SHA256:DE349716E627E245E4B17FD487DBA4033DBC92E5E22FB950C25514700334F97E
2212	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json.tmp		binary
		MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A	SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
524	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
524	svchost.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4264	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
1576	RUXIMICS.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4264	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
2212	firefox.exe	POST	200	184.24.77.62:80	http://r11.o.lencr.org/	unknown	—	—	whitelisted
2212	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/canonical.html	unknown	—	—	whitelisted
2212	firefox.exe	POST	200	142.250.186.99:80	http://o.pki.goog/s/wr3/yvU	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
524	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1576	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
524	svchost.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
524	svchost.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4712	MoUsoCoreWorker.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
1576	RUXIMICS.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 40.127.240.158	whitelisted
google.com	142.250.184.238	whitelisted
crl.microsoft.com	23.48.23.143 23.48.23.156	whitelisted
www.microsoft.com	23.35.229.160 88.221.169.152	whitelisted
only-decreased.gl.at.ply.gg	147.185.221.17	unknown
self.events.data.microsoft.com	52.182.143.214	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted
fe3cr.delivery.mp.microsoft.com	20.242.39.171	whitelisted
detectportal.firefox.com	34.107.221.82	whitelisted
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82 2600:1901:0:38d7::	whitelisted

PID	Process	Class	Message
2192	svchost.exe	Potentially Bad Traffic	ET INFO playit .gg Tunneling Domain in DNS Lookup
2192	svchost.exe	Misc activity	ET INFO Tunneling Service in DNS Lookup (* .ply .gg)
4320	javaw.exe	A Network Trojan was detected	BACKDOOR [ANY.RUN] Adwind TCP Initial Pcaket

.jar	\|	Java Archive (78.3)
.zip	\|	ZIP compressed archive (21.6)

General Info

client.jar

D091E0C194AA72DA2A697D269F67EBA1

615843C2DF96A019CC2C495DD219A050CC4BFA06

53A690981032AF4FC1BA3162EBBAC61EB03FBD14392A5BC9FD7781ECA1F8DE9B

24576:/YjCH4q8AVpNhdqFlH5KEOpoMe/vCMyvKSwHKx3CjEewl7+2RlU:/YjCH4q8AVpNhdaH5KBpoMSvCMyvKSwB

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

ADWIND has been detected

Steals credentials from Web Browsers

Actions looks like stealing of personal data

Starts CMD.EXE for self-deleting

ADWIND has been detected (SURICATA)

SUSPICIOUS

Uses WMIC.EXE to obtain Windows Installer data

Accesses product unique identifier via WMI (SCRIPT)

Connects to unusual port

Executable content was dropped or overwritten

Starts CMD.EXE for commands execution

Uses REG/REGEDIT.EXE to modify registry

Hides command output

Runs PING.EXE to delay simulation

INFO

Creates files in the program directory

Reads security settings of Internet Explorer

Application based on Java

Creates files or folders in the user directory

Reads the computer name

Checks supported languages

Reads the machine GUID from the registry

Manual execution by a user

Create files in a temporary directory

Application launched itself

Executable content was dropped or overwritten

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings