Malware analysis Quotation Request 140919,pdf,doc.jar Malicious activity

Add for printing

File name:	Quotation Request 140919,pdf,doc.jar
Full analysis:	https://app.any.run/tasks/6eb8c741-7500-4b2a-bb22-aaad956c69a0
Verdict:	Malicious activity
Threats:	Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	March 14, 2019, 14:08:13
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	adwind trojan
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract
MD5:	D028EEC1F1CB59D4193B5FF44FF21249
SHA1:	5A90D7D561170EB80FE815ED325EE58E997CD480
SHA256:	79965D1A6937D952AC6F693FCDA9B0DF20C52E979C33C98AA798A34D5901A79E
SSDEEP:	24576:x+maTro/Xmxvs77w652WHkGHBazushHWtDuSKCdCzrbn:xoT4XhAyHBTslWxmRzn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (68.0.3440.106)
Google Update Helper (1.3.33.17)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Uses Task Scheduler to run other applications
  - WScript.exe (PID: 2444)
- Changes the autorun value in the registry
  - WScript.exe (PID: 2936)
  - WScript.exe (PID: 2444)
  - javaw.exe (PID: 4024)
  - wscript.exe (PID: 2416)
  - reg.exe (PID: 2356)
- Loads the Task Scheduler COM API
  - schtasks.exe (PID: 2472)
- Writes to a start menu file
  - WScript.exe (PID: 2444)
- AdWind was detected
  - java.exe (PID: 3140)
  - java.exe (PID: 2176)
- Loads dropped or rewritten executable
  - javaw.exe (PID: 3620)
  - javaw.exe (PID: 4024)
  - javaw.exe (PID: 2996)
  - java.exe (PID: 3140)
  - javaw.exe (PID: 3468)
  - javaw.exe (PID: 2908)
  - explorer.exe (PID: 284)
  - java.exe (PID: 2176)
  - wscript.exe (PID: 2416)
  - WScript.exe (PID: 2936)
- Application was dropped or rewritten from another process
  - java.exe (PID: 2176)
  - java.exe (PID: 3140)
  - javaw.exe (PID: 2908)
  - javaw.exe (PID: 4024)
  - javaw.exe (PID: 2996)
  - javaw.exe (PID: 3468)
  - javaw.exe (PID: 3620)
- UAC/LUA settings modification
  - regedit.exe (PID: 972)
- Turns off system restore
  - regedit.exe (PID: 972)
- Uses TASKKILL.EXE to kill security tools
  - javaw.exe (PID: 2908)
- Changes Image File Execution Options
  - regedit.exe (PID: 972)
SUSPICIOUS
- Executes scripts
  - javaw.exe (PID: 2996)
  - wscript.exe (PID: 2416)
  - WScript.exe (PID: 2936)
  - cmd.exe (PID: 3704)
  - cmd.exe (PID: 3476)
  - cmd.exe (PID: 3344)
  - cmd.exe (PID: 1528)
  - cmd.exe (PID: 3720)
  - cmd.exe (PID: 2916)
  - cmd.exe (PID: 4008)
  - cmd.exe (PID: 1076)
- Executes JAVA applets
  - explorer.exe (PID: 284)
  - WScript.exe (PID: 2936)
  - javaw.exe (PID: 4024)
  - wscript.exe (PID: 2416)
  - javaw.exe (PID: 3468)
- Application launched itself
  - wscript.exe (PID: 2416)
  - javaw.exe (PID: 4024)
- Creates files in the user directory
  - WScript.exe (PID: 2936)
  - wscript.exe (PID: 2416)
  - WScript.exe (PID: 2444)
  - javaw.exe (PID: 4024)
  - javaw.exe (PID: 3468)
  - xcopy.exe (PID: 3532)
- Connects to unusual port
  - WScript.exe (PID: 2444)
  - javaw.exe (PID: 3620)
  - javaw.exe (PID: 2908)
- Starts CMD.EXE for commands execution
  - javaw.exe (PID: 3468)
  - java.exe (PID: 3140)
  - javaw.exe (PID: 2908)
  - java.exe (PID: 2176)
- Uses REG.EXE to modify Windows registry
  - javaw.exe (PID: 3468)
- Uses ATTRIB.EXE to modify file attributes
  - javaw.exe (PID: 3468)
- Executable content was dropped or overwritten
  - xcopy.exe (PID: 3532)
- Starts itself from another location
  - javaw.exe (PID: 3468)
- Uses TASKKILL.EXE to kill process
  - javaw.exe (PID: 2908)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipFileName:	pxsyiitazy/resources/uibdetopiv
ZipUncompressedSize:	1763368
ZipCompressedSize:	1095625
ZipCRC:	0x950e32e2
ZipModifyDate:	2019:03:13 16:22:03
ZipCompression:	Deflated
ZipBitFlag:	-
ZipRequiredVersion:	20

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

302

Monitored processes

145

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
2996	"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\Quotation Request 140919,pdf,doc.jar"	C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe	—	explorer.exe
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Exit code: 0 Version: 8.0.920.14
2416	wscript C:\Users\admin\yswwlopujq.js	C:\Windows\system32\wscript.exe		javaw.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385
2936	"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\zXRZGbOium.js"	C:\Windows\System32\WScript.exe		wscript.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385
2444	"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\IyFfaseYOW.js"	C:\Windows\System32\WScript.exe		WScript.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385
4024	"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\ddmqonik.txt"	C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe		WScript.exe
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Exit code: 0 Version: 8.0.920.14
2472	"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\admin\AppData\Roaming\IyFfaseYOW.js	C:\Windows\System32\schtasks.exe	—	WScript.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3620	"C:\Program Files\Java\jre1.8.0_92\bin\javaw" -jar "C:\Users\admin\AppData\RoamingServer1674728148.jar"	C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe		javaw.exe
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Version: 8.0.920.14
3468	"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\nmfbsimf.txt"	C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe	—	wscript.exe
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Exit code: 0 Version: 8.0.920.14
3140	"C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar C:\Users\admin\AppData\Local\Temp\_0.307951137944934341718850383538757394.class	C:\Program Files\Java\jre1.8.0_92\bin\java.exe		javaw.exe
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Version: 8.0.920.14
3476	cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive7860878797415626823.vbs	C:\Windows\system32\cmd.exe	—	javaw.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

Add for printing

Total events

2 630

Read events

2 383

Write events

247

Delete events

Modification events


(PID) Process:	(2416) wscript.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0
(PID) Process:	(2416) wscript.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 1
(PID) Process:	(2936) WScript.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0
(PID) Process:	(2936) WScript.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 1
(PID) Process:	(2936) WScript.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	ntfsmgr
Value: "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\ddmqonik.txt"
(PID) Process:	(2444) WScript.exe	Key:	HKEY_CURRENT_USER
Operation:	write	Name:	vjw0rm
Value: FALSE
(PID) Process:	(2444) WScript.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	0IDR124VF6
Value: "C:\Users\admin\AppData\Roaming\IyFfaseYOW.js"
(PID) Process:	(2444) WScript.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0
(PID) Process:	(2444) WScript.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 1
(PID) Process:	(4024) javaw.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Server
Value: C:\Program Files\Java\jre1.8.0_92\bin\javaw -jar "C:\Users\admin\AppData\RoamingServer1674728148.jar"

Add for printing

Executable files

110

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3468	javaw.exe	C:\Users\admin\AppData\Local\Temp\Retrive2594086255150999555.vbs		—
		MD5:—	SHA256:—
3140	java.exe	C:\Users\admin\AppData\Local\Temp\Retrive487587211144863209.vbs		—
		MD5:—	SHA256:—
3620	javaw.exe	C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp		text
		MD5:C90B006F9A82253334D61E7E31E801F9	SHA256:F30A125F078D328FEA60F20BD5FE93708429E84F144452831709D307ED0F9D87
2996	javaw.exe	C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp		text
		MD5:5158650A2CC999BFE944B58BAF244A9F	SHA256:A03673B6407074757F893A778EC65E632D575EF30B09C6998078158BB796974C
4024	javaw.exe	C:\Users\admin\AppData\RoamingServer1674728148.jar		compressed
		MD5:94744B9845E5F391CCA7260098BBE1A2	SHA256:171C05A83078824F27B9CB3AB2B152579EDFEFAEA4C1DEA5E690A5367C0E67D3
3468	javaw.exe	C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp		text
		MD5:D5CC0DA6756C050EE615645550EB8173	SHA256:EB07ADCAD971F682B53A07952A4446929044C9E0EEDF9F48E65AA905E68C8505
2936	WScript.exe	C:\Users\admin\AppData\Roaming\ddmqonik.txt		compressed
		MD5:37B1429E7E0671BD1A61E99DD86CFF71	SHA256:F5B8CA4D2D55CD0FBD08AC098FC5EBF2F588881976605C91B50433E4CF4C5CCB
4024	javaw.exe	C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp		text
		MD5:3653573B078AAA74BE4DE6B4405196C5	SHA256:BF806D42AD5DEBF1B81E1AFF4A719FC354EB164560CA87D72D03FA7753AFC5D1
3140	java.exe	C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp		text
		MD5:AF2D26816D4EB0C70C3DEC36DC0EC2C5	SHA256:EC4DB87AF4A3D1F9822620C0EB5F4A994A814715D4747729002F8ABAEB8D4775
2996	javaw.exe	C:\Users\admin\yswwlopujq.js		text
		MD5:D10D4FC91BD0B52345567287B13B9959	SHA256:3A266FDDF140E0F6B13270C682BCFEC18BB1DAF7F64B2AEF8734A2F34AF8654B

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3620	javaw.exe	41.217.25.9:7744	unknownsoft.hopto.org	Spectranet	NG	unknown
2444	WScript.exe	41.217.25.9:7755	unknownsoft.hopto.org	Spectranet	NG	unknown
2908	javaw.exe	185.165.153.199:18	lexdeerex.duckdns.org	—	NL	malicious

DNS requests

Domain	IP	Reputation
unknownsoft.hopto.org	41.217.25.9	malicious
dns.msftncsi.com	131.107.255.255	shared
lexdeerex.duckdns.org	185.165.153.199	malicious

Threats

PID	Process	Class	Message
—	—	Misc activity	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
—	—	Misc activity	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
—	—	Misc activity	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain

Add for printing

No debug info

General Info

Quotation Request 140919,pdf,doc.jar

D028EEC1F1CB59D4193B5FF44FF21249

5A90D7D561170EB80FE815ED325EE58E997CD480

79965D1A6937D952AC6F693FCDA9B0DF20C52E979C33C98AA798A34D5901A79E

24576:x+maTro/Xmxvs77w652WHkGHBazushHWtDuSKCdCzrbn:xoT4XhAyHBTslWxmRzn

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Uses Task Scheduler to run other applications

Changes the autorun value in the registry

Loads the Task Scheduler COM API

Writes to a start menu file

AdWind was detected

Loads dropped or rewritten executable

Application was dropped or rewritten from another process

UAC/LUA settings modification

Turns off system restore

Uses TASKKILL.EXE to kill security tools

Changes Image File Execution Options

SUSPICIOUS

Executes scripts

Executes JAVA applets

Application launched itself

Creates files in the user directory

Connects to unusual port

Starts CMD.EXE for commands execution

Uses REG.EXE to modify Windows registry

Uses ATTRIB.EXE to modify file attributes

Executable content was dropped or overwritten

Starts itself from another location

Uses TASKKILL.EXE to kill process

INFO

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings