Malware analysis USPS_Tracking_9405503699300271857500.jar Malicious activity

Add for printing

download:	USPS_Tracking_9405503699300271857500.jar
Full analysis:	https://app.any.run/tasks/d8b95999-0b4a-471b-a3d7-a857e6d4a20b
Verdict:	Malicious activity
Threats:	Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	August 07, 2018, 22:05:00
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	adwind trojan opendir
Indicators:
MIME:	application/java-archive
File info:	Java archive data (JAR)
MD5:	2A8692CCC6728BD2F01F8B10E77438C3
SHA1:	A928CB05D5E88F58972C1E680550B6045DB4F6CE
SHA256:	5F6A89367EA3A4CA396022BC3179891D49BD732437270E7C7C62417696A3823E
SSDEEP:	6144:CSkbuMdrv39MBOrhOt5WP462zLvHijnL9sSRjkiWhSkuv9M1h9vjgNvFPKY84//X:C3HFv39kO46ELv+nL9sGTSTk83HhgZd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
FileZilla Client 3.31.0 (3.31.0)
Google Chrome (61.0.3163.91)
Google Update Helper (1.3.33.5)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Home and Business 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40660 (12.0.40660.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40660 (12.0.40660)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40660 (12.0.40660)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.11.25325 (14.11.25325.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.11.25325 (14.11.25325)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.11.25325 (14.11.25325)
Mozilla Firefox 55.0.3 (x86 en-US) (55.0.3)
Mozilla Maintenance Service (55.0.3)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype™ 7.39 (7.39.102)
Steam (2.10.91.91)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- AdWind was detected
  - java.exe (PID: 3464)
  - java.exe (PID: 2000)
- Loads dropped or rewritten executable
  - javaw.exe (PID: 2424)
  - java.exe (PID: 3464)
  - explorer.exe (PID: 1380)
  - javaw.exe (PID: 3708)
  - svchost.exe (PID: 836)
  - java.exe (PID: 2000)
  - iexplore.exe (PID: 3668)
  - iexplore.exe (PID: 2204)
  - iexplore.exe (PID: 2396)
  - iexplore.exe (PID: 3844)
- Application was dropped or rewritten from another process
  - javaw.exe (PID: 3708)
  - java.exe (PID: 3464)
  - javaw.exe (PID: 2424)
  - java.exe (PID: 2000)
- Changes the autorun value in the registry
  - reg.exe (PID: 792)
SUSPICIOUS
- Executes scripts
  - cmd.exe (PID: 2240)
  - cmd.exe (PID: 1180)
  - cmd.exe (PID: 3788)
  - cmd.exe (PID: 1652)
  - cmd.exe (PID: 2760)
  - cmd.exe (PID: 2376)
  - cmd.exe (PID: 2692)
  - cmd.exe (PID: 3416)
- Executes JAVA applets
  - explorer.exe (PID: 1380)
  - javaw.exe (PID: 2424)
- Starts CMD.EXE for commands execution
  - javaw.exe (PID: 2424)
  - java.exe (PID: 3464)
  - javaw.exe (PID: 3708)
  - java.exe (PID: 2000)
- Executable content was dropped or overwritten
  - xcopy.exe (PID: 3720)
  - javaw.exe (PID: 3708)
- Uses REG.EXE to modify Windows registry
  - javaw.exe (PID: 2424)
- Uses ATTRIB.EXE to modify file attributes
  - javaw.exe (PID: 2424)
- Starts itself from another location
  - javaw.exe (PID: 2424)
- Creates files in the user directory
  - xcopy.exe (PID: 3720)
  - vlc.exe (PID: 3700)
  - vlc.exe (PID: 1464)
  - explorer.exe (PID: 1380)
- Connects to unusual port
  - javaw.exe (PID: 3708)
- Starts Internet Explorer
  - explorer.exe (PID: 1380)
  - rundll32.exe (PID: 2332)
  - rundll32.exe (PID: 3192)
- Reads Internet Cache Settings
  - explorer.exe (PID: 1380)
INFO
- Application launched itself
  - firefox.exe (PID: 1224)
  - iexplore.exe (PID: 3256)
  - iexplore.exe (PID: 3864)
  - iexplore.exe (PID: 2396)
- Creates files in the user directory
  - firefox.exe (PID: 1224)
  - iexplore.exe (PID: 1032)
  - iexplore.exe (PID: 2204)
- Reads CPU info
  - firefox.exe (PID: 1224)
- Changes internet zones settings
  - iexplore.exe (PID: 1032)
  - iexplore.exe (PID: 3256)
  - iexplore.exe (PID: 3864)
  - iexplore.exe (PID: 3124)
- Reads Internet Cache Settings
  - iexplore.exe (PID: 3668)
  - iexplore.exe (PID: 1032)
  - iexplore.exe (PID: 2204)
- Adds / modifies Windows certificates
  - iexplore.exe (PID: 1032)
  - iexplore.exe (PID: 3256)
- Reads settings of System Certificates
  - pingsender.exe (PID: 2240)
  - iexplore.exe (PID: 3668)
- Dropped object may contain URL's
  - iexplore.exe (PID: 3668)
  - iexplore.exe (PID: 1032)
  - xcopy.exe (PID: 3720)
  - vlc.exe (PID: 3700)
  - iexplore.exe (PID: 2204)
  - vlc.exe (PID: 1464)
  - firefox.exe (PID: 1224)
  - iexplore.exe (PID: 3256)
- Changes settings of System certificates
  - iexplore.exe (PID: 1032)
  - iexplore.exe (PID: 3256)
- Reads internet explorer settings
  - iexplore.exe (PID: 3668)
  - iexplore.exe (PID: 2204)
- Dropped object may contain TOR URL's
  - iexplore.exe (PID: 3668)
- Modifies the open verb of a shell class
  - rundll32.exe (PID: 3192)
- Dropped object may contain Bitcoin addresses
  - iexplore.exe (PID: 2204)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	0x0808
ZipCompression:	Deflated
ZipModifyDate:	2018:08:07 15:42:18
ZipCRC:	0xd916bc64
ZipCompressedSize:	78
ZipUncompressedSize:	80
ZipFileName:	META-INF/MANIFEST.MF

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
2424	"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\USPS_Tracking_9405503699300271857500.jar"	C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe	—	explorer.exe
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Exit code: 0 Version: 8.0.920.14
3464	"C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar C:\Users\admin\AppData\Local\Temp\_0.132812575605584247522059171407252789.class	C:\Program Files\Java\jre1.8.0_92\bin\java.exe		javaw.exe
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Version: 8.0.920.14
2240	cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive9036956868913966174.vbs	C:\Windows\system32\cmd.exe	—	javaw.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3324	cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive9036956868913966174.vbs	C:\Windows\system32\cscript.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Console Based Script Host Exit code: 0 Version: 5.8.7600.16385
1180	cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive5850616778466785587.vbs	C:\Windows\system32\cmd.exe	—	javaw.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
1660	cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive5850616778466785587.vbs	C:\Windows\system32\cscript.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Console Based Script Host Exit code: 0 Version: 5.8.7600.16385
3720	xcopy "C:\Program Files\Java\jre1.8.0_92" "C:\Users\admin\AppData\Roaming\Oracle\" /e	C:\Windows\system32\xcopy.exe		javaw.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Extended Copy Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3788	cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive5819691653359187252.vbs	C:\Windows\system32\cmd.exe	—	java.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3792	cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive5819691653359187252.vbs	C:\Windows\system32\cscript.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Console Based Script Host Exit code: 0 Version: 5.8.7600.16385
1652	cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive8577679445477551878.vbs	C:\Windows\system32\cmd.exe	—	java.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

Add for printing

Total events

5 873

Read events

5 045

Write events

Delete events

Modification events

No data

Add for printing

Executable files

112

Suspicious files

242

Text files

181

Unknown types

125

Dropped files

PID	Process	Filename		Type
3464	java.exe	C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp		text
		MD5:4C07EDDF065346B914E1F5890FC61F5D	SHA256:E58B0653B55DF487F80021F74C487DE3FD2B62838F4561B2E82C65FE3271689A
2424	javaw.exe	C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp		text
		MD5:06AD0EEDA4B5D4E0DEB638DE888BE6C0	SHA256:2C02D4016A2DE1C6DC43622BD5F4B3CF5220D22666670D77819F8E71F10D3B47
3720	xcopy.exe	C:\Users\admin\AppData\Roaming\Oracle\LICENSE		text
		MD5:98F46AB6481D87C4D77E0E91A6DBC15F	SHA256:23F9A5C12FA839650595A32872B7360B9E030C7213580FB27DD9185538A5828C
3720	xcopy.exe	C:\Users\admin\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txt		text
		MD5:745D6DB5FC58C63F74CE6A7D4DB7E695	SHA256:C77BA9F668FEE7E9B810F1493E518ADF87233AC8793E4B37C9B3D1ED7846F1C0
3720	xcopy.exe	C:\Users\admin\AppData\Roaming\Oracle\bin\dcpr.dll		executable
		MD5:682CFD9431E5675900B04FEBE6CD4EB9	SHA256:80111E1D706741F5EF7F661835C3AA46664666425AA1B5F93103410F2BEE1213
3720	xcopy.exe	C:\Users\admin\AppData\Roaming\Oracle\bin\dt_socket.dll		executable
		MD5:138F156057245747692A68EBE50D52C2	SHA256:F0FD0268D6E410C05E7EE71AD9C96744CD5E4A97329F608041D7078FAEE24ED0
3720	xcopy.exe	C:\Users\admin\AppData\Roaming\Oracle\release		text
		MD5:1BCCC3A965156E53BE3136B3D583B7B6	SHA256:03A4DB27DEA69374EFBAF121C332D0AF05840D16D0C1FBF127D00E65054B118A
2424	javaw.exe	C:\Users\admin\AppData\Local\Temp\Retrive5850616778466785587.vbs		text
		MD5:A32C109297ED1CA155598CD295C26611	SHA256:45BFE34AA3EF932F75101246EB53D032F5E7CF6D1F5B4E495334955A255F32E7
3720	xcopy.exe	C:\Users\admin\AppData\Roaming\Oracle\bin\dt_shmem.dll		executable
		MD5:0744E6A5145AA945D89A16EAC835FAB2	SHA256:C417390F681276EC0D55D81A91B87EAE75CA245045F5C23E9B43550B708FB1A6
3720	xcopy.exe	C:\Users\admin\AppData\Roaming\Oracle\bin\awt.dll		executable
		MD5:775D4B37E0DDBFA0EB56DB38126FB444	SHA256:E5D4FC7D47A38A389884AF1EA5F06F7C61C5CDE6AFC154A23A3CB5A127DA1E34

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

116

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1224	firefox.exe	POST	200	93.184.220.29:80	http://ocsp.digicert.com/	US	der	471 b	whitelisted
1224	firefox.exe	POST	200	172.217.168.14:80	http://ocsp.pki.goog/GTSGIAG3	US	der	463 b	whitelisted
1224	firefox.exe	POST	200	93.184.220.29:80	http://ocsp.digicert.com/	US	der	471 b	whitelisted
1224	firefox.exe	POST	200	172.217.168.14:80	http://ocsp.pki.goog/GTSGIAG3	US	der	463 b	whitelisted
1224	firefox.exe	POST	200	93.184.220.29:80	http://ocsp.digicert.com/	US	der	471 b	whitelisted
1224	firefox.exe	POST	200	93.184.220.29:80	http://ocsp.digicert.com/	US	der	471 b	whitelisted
1224	firefox.exe	POST	200	172.217.168.14:80	http://ocsp.pki.goog/GTSGIAG3	US	der	463 b	whitelisted
1224	firefox.exe	POST	200	172.217.168.14:80	http://ocsp.pki.goog/GTSGIAG3	US	der	463 b	whitelisted
1224	firefox.exe	POST	200	172.217.168.14:80	http://ocsp.pki.goog/GTSGIAG3	US	der	463 b	whitelisted
1224	firefox.exe	POST	200	172.217.168.14:80	http://ocsp.pki.goog/GTSGIAG3	US	der	463 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1224	firefox.exe	2.16.186.50:80	detectportal.firefox.com	Akamai International B.V.	—	whitelisted
1224	firefox.exe	93.184.220.29:80	ocsp.digicert.com	MCI Communications Services, Inc. d/b/a Verizon Business	US	whitelisted
1224	firefox.exe	216.58.207.78:443	safebrowsing.google.com	Google Inc.	US	whitelisted
1224	firefox.exe	216.58.215.238:443	safebrowsing-cache.google.com	Google Inc.	US	whitelisted
1224	firefox.exe	216.58.208.35:443	ssl.gstatic.com	Google Inc.	US	whitelisted
1224	firefox.exe	54.230.46.9:443	snippets.cdn.mozilla.net	Amazon.com, Inc.	US	whitelisted
3708	javaw.exe	95.168.176.139:4534	didobanty1.ddns.net	—	TR	malicious
1224	firefox.exe	52.41.78.152:443	tiles.services.mozilla.com	Amazon.com, Inc.	US	unknown
1224	firefox.exe	52.37.53.20:443	search.services.mozilla.com	Amazon.com, Inc.	US	unknown
1224	firefox.exe	172.217.168.14:80	ocsp.pki.goog	Google Inc.	US	whitelisted

DNS requests

Domain	IP	Reputation
detectportal.firefox.com	2.16.186.50 2.16.186.112	whitelisted
aus5.mozilla.org	52.37.241.214 54.148.132.67 52.27.206.225 35.162.46.217 54.70.185.30 34.208.7.8 34.210.48.174 35.166.207.87	whitelisted
a1089.d.akamai.net	2.16.186.112 2.16.186.50	whitelisted
balrog-aus5.r53-2.services.mozilla.com	35.166.207.87 34.210.48.174 34.208.7.8 54.70.185.30 35.162.46.217 52.27.206.225 54.148.132.67 52.37.241.214	whitelisted
tiles.services.mozilla.com	52.41.78.152 34.214.191.219 54.148.233.113 52.39.131.77 35.160.58.123 34.209.108.219 52.88.57.157 34.216.156.21	whitelisted
search.services.mozilla.com	52.37.53.20 54.148.43.57 52.24.130.228	whitelisted
search.r53-2.services.mozilla.com	52.24.130.228 54.148.43.57 52.37.53.20	whitelisted
tiles.r53-2.services.mozilla.com	34.216.156.21 52.88.57.157 34.209.108.219 35.160.58.123 52.39.131.77 54.148.233.113 34.214.191.219 52.41.78.152	whitelisted
snippets.cdn.mozilla.net	54.230.46.9	whitelisted
drcwo519tnci7.cloudfront.net	54.230.46.9	shared

Threats

PID	Process	Class	Message
3708	javaw.exe	A Network Trojan was detected	ET TROJAN Possible Adwind SSL Cert (assylias.Inc)

Add for printing

Process	Message
vlc.exe	core libvlc: one instance mode ENABLED
vlc.exe	core libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
vlc.exe	es demux error: cannot peek
vlc.exe	es demux error: cannot peek
vlc.exe	es demux error: cannot peek
vlc.exe	es demux error: cannot peek
vlc.exe	es demux error: cannot peek
vlc.exe	es demux error: cannot peek
vlc.exe	es demux error: cannot peek
vlc.exe	es demux error: cannot peek

General Info

USPS_Tracking_9405503699300271857500.jar

2A8692CCC6728BD2F01F8B10E77438C3

A928CB05D5E88F58972C1E680550B6045DB4F6CE

5F6A89367EA3A4CA396022BC3179891D49BD732437270E7C7C62417696A3823E

6144:CSkbuMdrv39MBOrhOt5WP462zLvHijnL9sSRjkiWhSkuv9M1h9vjgNvFPKY84//X:C3HFv39kO46ELv+nL9sGTSTk83HhgZd

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

AdWind was detected

Loads dropped or rewritten executable

Application was dropped or rewritten from another process

Changes the autorun value in the registry

SUSPICIOUS

Executes scripts

Executes JAVA applets

Starts CMD.EXE for commands execution

Executable content was dropped or overwritten

Uses REG.EXE to modify Windows registry

Uses ATTRIB.EXE to modify file attributes

Starts itself from another location

Creates files in the user directory

Connects to unusual port

Starts Internet Explorer

Reads Internet Cache Settings

INFO

Application launched itself

Creates files in the user directory

Reads CPU info

Changes internet zones settings

Reads Internet Cache Settings

Adds / modifies Windows certificates

Reads settings of System Certificates

Dropped object may contain URL's

Changes settings of System certificates

Reads internet explorer settings

Dropped object may contain TOR URL's

Modifies the open verb of a shell class

Dropped object may contain Bitcoin addresses

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings