URL: http://104.168.147.151/shipping_label.jar

Full analysis: https://app.any.run/tasks/172dbb05-5d73-4280-aee2-d2a51598d9d1
Verdict: Malicious activity
Threats: Adwind RAT, also known as Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware-as-a-Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs on the market in 2015.

Analysis date: July 11, 2019, 12:55:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: adwind, trojan
Indicators:
MD5: EAD173165FAACA2FC71D730D2B12A32C
SHA1: FD5C6234646150AF18B517A6A0A05032EDEE24D2
SHA256: 5FFBDF0D867B08B92460AAE558801C4207455D8591E99F6E0AE76BF810B3AA42
SSDEEP: 3:N1Kt0LaN3CiEMy:CWc3XEMy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as-is for the user's acknowledgement. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • javaw.exe (PID: 3112)
      • iexplore.exe (PID: 3360)
      • java.exe (PID: 3720)
      • iexplore.exe (PID: 2976)
      • javaw.exe (PID: 2612)
      • java.exe (PID: 2764)
    • AdWind was detected

      • java.exe (PID: 3720)
      • java.exe (PID: 2764)
    • Application was dropped or rewritten from another process

      • javaw.exe (PID: 3112)
      • javaw.exe (PID: 2612)
      • java.exe (PID: 3720)
      • java.exe (PID: 2764)
    • Changes the autorun value in the registry

      • reg.exe (PID: 756)
    • ADWIND was detected

      • javaw.exe (PID: 2612)
  • SUSPICIOUS

    • Creates files in the user directory

      • javaw.exe (PID: 3112)
      • xcopy.exe (PID: 540)
    • Executes scripts

      • cmd.exe (PID: 4020)
      • cmd.exe (PID: 3728)
      • cmd.exe (PID: 3988)
      • cmd.exe (PID: 2620)
      • cmd.exe (PID: 2520)
      • cmd.exe (PID: 2268)
      • cmd.exe (PID: 3000)
      • cmd.exe (PID: 3080)
    • Executes JAVA applets

      • javaw.exe (PID: 3112)
      • iexplore.exe (PID: 2976)
    • Starts CMD.EXE for command execution

      • javaw.exe (PID: 3112)
      • java.exe (PID: 3720)
      • javaw.exe (PID: 2612)
      • java.exe (PID: 2764)
    • Executable content was dropped or overwritten

      • xcopy.exe (PID: 540)
      • javaw.exe (PID: 2612)
    • Starts itself from another location

      • javaw.exe (PID: 3112)
    • Uses REG.EXE to modify Windows registry

      • javaw.exe (PID: 3112)
    • Uses ATTRIB.EXE to modify file attributes

      • javaw.exe (PID: 3112)
    • Uses WMIC.EXE to obtain system information

      • javaw.exe (PID: 2612)
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2976)
    • Changes internet zones settings

      • iexplore.exe (PID: 2976)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2976)
    • Creates files in the user directory

      • iexplore.exe (PID: 3360)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3360)
No Malware configuration.
Total processes: 74
Monitored processes: 27
Malicious processes: 6
Suspicious processes: 1

Behavior graph

Process nodes in launch order (#ADWIND marks a process in which Adwind was detected; "no specs" is the report's own label):
start, iexplore.exe, iexplore.exe, javaw.exe (no specs), #ADWIND java.exe, cmd.exe (no specs), cscript.exe (no specs), cmd.exe (no specs), cscript.exe (no specs), xcopy.exe, cmd.exe (no specs), cscript.exe (no specs), cmd.exe (no specs), cscript.exe (no specs), reg.exe, attrib.exe (no specs), attrib.exe (no specs), #ADWIND javaw.exe, #ADWIND java.exe, cmd.exe (no specs), cscript.exe (no specs), cmd.exe (no specs), cscript.exe (no specs), cmd.exe (no specs), cscript.exe (no specs), cmd.exe (no specs), cscript.exe (no specs), wmic.exe (no specs)

Process information

PID: 2976
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" http://104.168.147.151/shipping_label.jar
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3360
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2976 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3112
CMD: "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\39MW4ZMP\shipping_label[1].jar"
Path: C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
Parent process: iexplore.exe
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Exit code: 0
Version: 8.0.920.14

PID: 3720
CMD: "C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar C:\Users\admin\AppData\Local\Temp\_0.81426012499458468148761571953701615.class
Path: C:\Program Files\Java\jre1.8.0_92\bin\java.exe
Parent process: javaw.exe
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Version: 8.0.920.14

PID: 3728
CMD: cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive7139452674834598788.vbs
Path: C:\Windows\system32\cmd.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 1580
CMD: cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive7139452674834598788.vbs
Path: C:\Windows\system32\cscript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Console Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID: 4020
CMD: cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive4012157548609802446.vbs
Path: C:\Windows\system32\cmd.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2568
CMD: cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive4012157548609802446.vbs
Path: C:\Windows\system32\cscript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Console Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID: 540
CMD: xcopy "C:\Program Files\Java\jre1.8.0_92" "C:\Users\admin\AppData\Roaming\Oracle\" /e
Path: C:\Windows\system32\xcopy.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Extended Copy Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3988
CMD: cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive8700481059035014078.vbs
Path: C:\Windows\system32\cmd.exe
Parent process: java.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events: 898
Read events: 833
Write events: 62
Delete events: 3

Modification events

Process: iexplore.exe (PID 2976)
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

Process: iexplore.exe (PID 2976)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

Process: iexplore.exe (PID 2976)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

Process: iexplore.exe (PID 2976)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation: write
Name: SecuritySafe
Value: 1

Process: iexplore.exe (PID 2976)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

Process: iexplore.exe (PID 2976)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: (not available)

Process: iexplore.exe (PID 2976)
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation: write
Name: {3B71BECD-A3DB-11E9-B506-5254004A04AF}
Value: 0

Process: iexplore.exe (PID 2976)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write
Name: Type
Value: 4

Process: iexplore.exe (PID 2976)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write
Name: Count
Value: 1

Process: iexplore.exe (PID 2976)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write
Name: Time
Value: E307070004000B000C0038000100DF01
Executable files: 111
Suspicious files: 11
Text files: 83
Unknown types: 20

Dropped files

PID 2976, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico
Type: (not listed)
MD5: (not listed)
SHA256: (not listed)

PID 2976, iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Type: (not listed)
MD5: (not listed)
SHA256: (not listed)

PID 2976, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DFCF62FE9BF3B1ACD5.TMP
Type: (not listed)
MD5: (not listed)
SHA256: (not listed)

PID 3360, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\39MW4ZMP\shipping_label[1].jar
Type: java
MD5: 4FF27E151B1AA586757D2BDDAE3F86F4
SHA256: BAA8EA144CB1B4933A502D20DFEF7E57847B62D0B43CCE7F774E84FFE515C5E0

PID 2976, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019071120190712\index.dat
Type: dat
MD5: F4658EC7A767A9473706D7104EA10362
SHA256: E6F492D6891E99DA6752055F7691B6E027DBC856328347FA544C005CF81E27C6

PID 3360, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
Type: dat
MD5: 0747E139018D4E2D37E033ED260FD07C
SHA256: 68E9A4AB26B9C93A49F5B1003BBE04B0553F16C1B813B2342999F8CE8BAA25C4

PID 3360, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019071120190712\index.dat
Type: dat
MD5: C64E85A69A264C897EBE3225A5F327B1
SHA256: 9EF41706447B04D15887368DA1F8C6C184CCEE7B7E451B77C30A757500492ACE

PID 2976, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{3B71BECE-A3DB-11E9-B506-5254004A04AF}.dat
Type: binary
MD5: A9307E069997CB1BA1F751CDDB94D587
SHA256: A8DC78541120CD14F52A5B6858D55B7437492DEA5D3C64559A19644B7BFC1F44

PID 3112, javaw.exe
Filename: C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
Type: text
MD5: 3ED02BBE0C4D5E7B1AF34A24CDD522E8
SHA256: DA9A76CF131723232F2D16ECF550CF8AEE37379F27F6169DFF47A6C2F198406D

PID 3360, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
Type: dat
MD5: B2D73EB0634F1EF4FF65D4C2B4067FC7
SHA256: B92691991F8F8AE0AD8B7FC472E70B6BE6E87C4A29E74DC190444B388EB16363
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 3
DNS requests: 1
Threats: 0

HTTP requests

PID 3360, iexplore.exe
Method: GET
HTTP Code: 200
IP: 104.168.147.151:80
URL: http://104.168.147.151/shipping_label.jar
CN: US
Type: java
Size: 469 Kb
Reputation: unknown

PID 2976, iexplore.exe
Method: GET
HTTP Code: 200
IP: 204.79.197.200:80
URL: http://www.bing.com/favicon.ico
CN: US
Type: image
Size: 237 b
Reputation: whitelisted

Connections

PID 2976, iexplore.exe
IP: 204.79.197.200:80
Domain: www.bing.com
ASN: Microsoft Corporation
CN: US
Reputation: whitelisted

PID 2612, javaw.exe
IP: 85.217.171.128:1010
Domain: (none)
ASN: BelCloud Hosting Corporation
CN: BG
Reputation: malicious

PID 3360, iexplore.exe
IP: 104.168.147.151:80
Domain: (none)
ASN: Hostwinds LLC.
CN: US
Reputation: unknown

DNS requests

Domain: www.bing.com
IP: 204.79.197.200, 13.107.21.200
Reputation: whitelisted

Threats

PID 2612, javaw.exe
Class: A Network Trojan was detected
Message: ET TROJAN Possible Adwind SSL Cert (assylias.Inc)

PID 2612, javaw.exe
Class: A Network Trojan was detected
Message: MALWARE [PTsecurity] Backdoor.Java.Adwind.cu

PID 2612, javaw.exe
Class: A Network Trojan was detected
Message: MALWARE [PTsecurity] Backdoor.Java.Adwind.cu
No debug info