File name: | Scan-Po01112019.jar |
Full analysis: | https://app.any.run/tasks/965ea134-c38e-4ef2-b91f-da5176a1d149 |
Verdict: | Malicious activity |
Threats: | Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015. |
Analysis date: | January 11, 2019, 14:13:42 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/java-archive |
File info: | Java archive data (JAR) |
MD5: | 664A7C67C1BCAB3A507D567C3F0194FA |
SHA1: | FC53EA22BE718965D0D21A3AB4BADE23B3D6D22F |
SHA256: | 66A6B03ABE953E4A77C3EB71CA206597585F649C40E379251EAD1BD1FAC500DF |
SSDEEP: | 12288:Wy82+kLlDIalbsgD5wj5HI65VzN20KS8TWZ1HlcycOTOz+QqYrlA:Wb2+QlDnbsggH5VZBAyZ1C6qzgYrlA |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | META-INF/MANIFEST.MF |
---|---|
ZipUncompressedSize: | 63 |
ZipCompressedSize: | 65 |
ZipCRC: | 0x41f21051 |
ZipModifyDate: | 2019:01:11 10:50:04 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0808 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2944 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\Scan-Po01112019.jar" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | explorer.exe |
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Exit code: 0 Version: 8.0.920.14 | ||||
2180 | "C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar C:\Users\admin\AppData\Local\Temp\_0.3957265164144249670183621959121333.class | C:\Program Files\Java\jre1.8.0_92\bin\java.exe | javaw.exe | |
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Version: 8.0.920.14 | ||||
2860 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive4949496496782934262.vbs | C:\Windows\system32\cmd.exe | — | java.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2276 | cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive4949496496782934262.vbs | C:\Windows\system32\cscript.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Console Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
2504 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive3039184657241482413.vbs | C:\Windows\system32\cmd.exe | — | java.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3836 | cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive3039184657241482413.vbs | C:\Windows\system32\cscript.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Console Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3464 | xcopy "C:\Program Files\Java\jre1.8.0_92" "C:\Users\admin\AppData\Roaming\Oracle\" /e | C:\Windows\system32\xcopy.exe | java.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Extended Copy Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2444 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive3208762929116561742.vbs | C:\Windows\system32\cmd.exe | — | javaw.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3100 | cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive3208762929116561742.vbs | C:\Windows\system32\cscript.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Console Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
2040 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive875811607349819676.vbs | C:\Windows\system32\cmd.exe | — | javaw.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2944 | javaw.exe | C:\Users\admin\AppData\Local\Temp\Retrive3208762929116561742.vbs | — | |
MD5:— | SHA256:— | |||
2944 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | |
MD5:E84F01E10DCF254579E45630BB7EA5D2 | SHA256:364E917613CE609D39497ED0B67BA5D2A1E09B687725562CF7F8984A57EED3A0 | |||
3464 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\README.txt | text | |
MD5:0F1123976B959AC5E8B89EB8C245C4BD | SHA256:963095CF8DB76FB8071FD19A3110718A42F2AB42B27A3ADFD9EC58981C3E88D2 | |||
2180 | java.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | |
MD5:35211D7EF2C114ACFC036649929FACC1 | SHA256:407DCD8C432A32C41422E823588E1825FAD4F1B0E116785861402929DFD1E031 | |||
3464 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txt | text | |
MD5:745D6DB5FC58C63F74CE6A7D4DB7E695 | SHA256:C77BA9F668FEE7E9B810F1493E518ADF87233AC8793E4B37C9B3D1ED7846F1C0 | |||
3464 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\bin\deploy.dll | executable | |
MD5:720EDC1469525DFCD3AE211E653D0241 | SHA256:BFF79FB05667992CC2BDA9BAE6E5A301BAF553042F952203641CCD7E1FC4552D | |||
3464 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\bin\decora_sse.dll | executable | |
MD5:94434B8739CB5CD184C63CEC209F06E2 | SHA256:ADF4E9CE0866FF16A16F626CFC62355FB81212B1E7C95DD908E3644F88B77E91 | |||
2944 | javaw.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\83aa4cc77f591dfc2374580bbd95f6ba_90059c37-1320-41a4-b58d-2b75a9850d2f | dbf | |
MD5:C8366AE350E7019AEFC9D1E6E6A498C6 | SHA256:11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238 | |||
3464 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\COPYRIGHT | text | |
MD5:89F660D2B7D58DA3EFD2FECD9832DA9C | SHA256:F6A08C9CC04D7C6A86576C1EF50DD0A690AE5CB503EFD205EDB2E408BD8D557B | |||
3464 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\release | text | |
MD5:1BCCC3A965156E53BE3136B3D583B7B6 | SHA256:03A4DB27DEA69374EFBAF121C332D0AF05840D16D0C1FBF127D00E65054B118A |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1240 | javaw.exe | 181.215.247.224:9620 | — | IP-Connect LLC | UA | suspicious |
PID | Process | Class | Message |
---|---|---|---|
1240 | javaw.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 15 |
1240 | javaw.exe | A Network Trojan was detected | ET TROJAN Possible Adwind SSL Cert (assylias.Inc) |