Field | Value
---|---|
File name | Quotation Request 140919,pdf,doc.jar
Full analysis | https://app.any.run/tasks/6eb8c741-7500-4b2a-bb22-aaad956c69a0
Verdict | Malicious activity
Threats | Adwind RAT, also known as Unrecom, Sockrat, Frutas, jRat and JSocket, is a Malware-as-a-Service Remote Access Trojan that attackers use to collect information from infected machines. It was one of the most popular RATs on the market in 2015.
Analysis date | March 14, 2019, 14:08:13
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MIME | application/zip
File info | Zip archive data, at least v2.0 to extract
MD5 | D028EEC1F1CB59D4193B5FF44FF21249
SHA1 | 5A90D7D561170EB80FE815ED325EE58E997CD480
SHA256 | 79965D1A6937D952AC6F693FCDA9B0DF20C52E979C33C98AA798A34D5901A79E
SSDEEP | 24576:x+maTro/Xmxvs77w652WHkGHBazushHWtDuSKCdCzrbn:xoT4XhAyHBTslWxmRzn
Extension | Description
---|---|
.zip | ZIP compressed archive (100)

Field | Value
---|---|
ZipFileName | pxsyiitazy/resources/uibdetopiv
ZipUncompressedSize | 1763368
ZipCompressedSize | 1095625
ZipCRC | 0x950e32e2
ZipModifyDate | 2019:03:13 16:22:03
ZipCompression | Deflated
ZipBitFlag | -
ZipRequiredVersion | 20
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---|
2996 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\Quotation Request 140919,pdf,doc.jar" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | explorer.exe | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Exit code: 0; Version: 8.0.920.14
2416 | wscript C:\Users\admin\yswwlopujq.js | C:\Windows\system32\wscript.exe | — | javaw.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385
2936 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\zXRZGbOium.js" | C:\Windows\System32\WScript.exe | — | wscript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385
2444 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\IyFfaseYOW.js" | C:\Windows\System32\WScript.exe | — | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Version: 5.8.7600.16385
4024 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\ddmqonik.txt" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | WScript.exe | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Exit code: 0; Version: 8.0.920.14
2472 | "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\admin\AppData\Roaming\IyFfaseYOW.js | C:\Windows\System32\schtasks.exe | — | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Manages scheduled tasks; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3620 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw" -jar "C:\Users\admin\AppData\RoamingServer1674728148.jar" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | javaw.exe | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Version: 8.0.920.14
3468 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\nmfbsimf.txt" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | wscript.exe | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Exit code: 0; Version: 8.0.920.14
3140 | "C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar C:\Users\admin\AppData\Local\Temp\_0.307951137944934341718850383538757394.class | C:\Program Files\Java\jre1.8.0_92\bin\java.exe | — | javaw.exe | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Version: 8.0.920.14
3476 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive7860878797415626823.vbs | C:\Windows\system32\cmd.exe | — | javaw.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
PID | Process | Key | Name | Operation | Value
---|---|---|---|---|---|
2416 | wscript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | 0
2416 | wscript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | write | 1
2936 | WScript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | 0
2936 | WScript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | write | 1
2936 | WScript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | ntfsmgr | write | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\ddmqonik.txt"
2444 | WScript.exe | HKEY_CURRENT_USER | vjw0rm | write | FALSE
2444 | WScript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | 0IDR124VF6 | write | "C:\Users\admin\AppData\Roaming\IyFfaseYOW.js"
2444 | WScript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | 0
2444 | WScript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | write | 1
4024 | javaw.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | Server | write | C:\Program Files\Java\jre1.8.0_92\bin\javaw -jar "C:\Users\admin\AppData\RoamingServer1674728148.jar"
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---|
3468 | javaw.exe | C:\Users\admin\AppData\Local\Temp\Retrive2594086255150999555.vbs | — | — | —
3140 | java.exe | C:\Users\admin\AppData\Local\Temp\Retrive487587211144863209.vbs | — | — | —
3620 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | C90B006F9A82253334D61E7E31E801F9 | F30A125F078D328FEA60F20BD5FE93708429E84F144452831709D307ED0F9D87
2996 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | 5158650A2CC999BFE944B58BAF244A9F | A03673B6407074757F893A778EC65E632D575EF30B09C6998078158BB796974C
4024 | javaw.exe | C:\Users\admin\AppData\RoamingServer1674728148.jar | compressed | 94744B9845E5F391CCA7260098BBE1A2 | 171C05A83078824F27B9CB3AB2B152579EDFEFAEA4C1DEA5E690A5367C0E67D3
3468 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | D5CC0DA6756C050EE615645550EB8173 | EB07ADCAD971F682B53A07952A4446929044C9E0EEDF9F48E65AA905E68C8505
2936 | WScript.exe | C:\Users\admin\AppData\Roaming\ddmqonik.txt | compressed | 37B1429E7E0671BD1A61E99DD86CFF71 | F5B8CA4D2D55CD0FBD08AC098FC5EBF2F588881976605C91B50433E4CF4C5CCB
4024 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | 3653573B078AAA74BE4DE6B4405196C5 | BF806D42AD5DEBF1B81E1AFF4A719FC354EB164560CA87D72D03FA7753AFC5D1
3140 | java.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | AF2D26816D4EB0C70C3DEC36DC0EC2C5 | EC4DB87AF4A3D1F9822620C0EB5F4A994A814715D4747729002F8ABAEB8D4775
2996 | javaw.exe | C:\Users\admin\yswwlopujq.js | text | D10D4FC91BD0B52345567287B13B9959 | 3A266FDDF140E0F6B13270C682BCFEC18BB1DAF7F64B2AEF8734A2F34AF8654B

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3620 | javaw.exe | 41.217.25.9:7744 | unknownsoft.hopto.org | Spectranet | NG | unknown |
2444 | WScript.exe | 41.217.25.9:7755 | unknownsoft.hopto.org | Spectranet | NG | unknown |
2908 | javaw.exe | 185.165.153.199:18 | lexdeerex.duckdns.org | — | NL | malicious |
Domain | IP | Reputation
---|---|---|
unknownsoft.hopto.org | — | malicious
dns.msftncsi.com | — | shared
lexdeerex.duckdns.org | — | malicious

PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |