analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

DHL_AWB01183002803PDF.jar

Full analysis: https://app.any.run/tasks/4eb19a08-4070-4359-98f7-92d6e4dc56bc
Verdict: Malicious activity
Threats:

Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.

Analysis date: February 11, 2019, 07:08:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adwind
trojan
loader
pony
fareit
Indicators:
MIME: application/java-archive
File info: Java archive data (JAR)
MD5:

4CED22D460F81ABCDA49C915A696D917

SHA1:

94F930878E458CB15F78B1827E38AA7213077C1A

SHA256:

8EE9B938D532E7F02ADB8FC03FC94217BA7AC85AFD3BC8CB6E820B8D35BFEB20

SSDEEP:

12288:Bg/mgehOaxen0NK8za6LZewi9vQxKRgyBNgjJ/0zRf0FprsUNy4Rw1gS9kyHR6/F:BWmgeh/0EuuZorgSNg1/0CLsJRYQR6/F

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • java.exe (PID: 2184)
      • javaw.exe (PID: 3004)
      • explorer.exe (PID: 284)
      • javaw.exe (PID: 4088)
      • java.exe (PID: 2456)
    • Application was dropped or rewritten from another process

      • javaw.exe (PID: 3004)
      • java.exe (PID: 2184)
      • javaw.exe (PID: 4088)
      • java.exe (PID: 2456)
      • YWdITwsDrrV3268713871111220767.exe (PID: 2892)
    • AdWind was detected

      • java.exe (PID: 2184)
      • java.exe (PID: 2456)
    • Changes the autorun value in the registry

      • reg.exe (PID: 3652)
    • ADWIND was detected

      • javaw.exe (PID: 4088)
    • Downloads executable files from the Internet

      • javaw.exe (PID: 4088)
    • Uses SVCHOST.EXE for hidden code execution

      • YWdITwsDrrV3268713871111220767.exe (PID: 2892)
    • Detected Pony/Fareit Trojan

      • svchost.exe (PID: 3400)
    • Connects to CnC server

      • svchost.exe (PID: 3400)
    • Actions looks like stealing of personal data

      • svchost.exe (PID: 3400)
  • SUSPICIOUS

    • Executes JAVA applets

      • explorer.exe (PID: 284)
      • javaw.exe (PID: 3004)
    • Starts CMD.EXE for commands execution

      • java.exe (PID: 2184)
      • javaw.exe (PID: 3004)
      • javaw.exe (PID: 4088)
      • java.exe (PID: 2456)
      • svchost.exe (PID: 3400)
    • Executes scripts

      • cmd.exe (PID: 3788)
      • cmd.exe (PID: 3616)
      • cmd.exe (PID: 3960)
      • cmd.exe (PID: 3644)
      • cmd.exe (PID: 3564)
      • cmd.exe (PID: 3812)
      • cmd.exe (PID: 3420)
      • cmd.exe (PID: 1028)
      • javaw.exe (PID: 4088)
    • Creates files in the user directory

      • javaw.exe (PID: 3004)
      • xcopy.exe (PID: 3876)
    • Executable content was dropped or overwritten

      • xcopy.exe (PID: 3876)
      • javaw.exe (PID: 4088)
    • Uses REG.EXE to modify Windows registry

      • javaw.exe (PID: 3004)
    • Uses ATTRIB.EXE to modify file attributes

      • javaw.exe (PID: 3004)
    • Starts itself from another location

      • javaw.exe (PID: 3004)
    • Connects to unusual port

      • javaw.exe (PID: 4088)
    • Reads Internet Cache Settings

      • svchost.exe (PID: 3400)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • javaw.exe (PID: 4088)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: META-INF/MANIFEST.MF
ZipUncompressedSize: 59
ZipCompressedSize: 61
ZipCRC: 0xfd277bcc
ZipModifyDate: 2019:02:11 03:14:20
ZipCompression: Deflated
ZipBitFlag: 0x0808
ZipRequiredVersion: 20
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
77
Monitored processes
30
Malicious processes
9
Suspicious processes
0

Behavior graph

Click at the process to see the details
start javaw.exe no specs java.exe cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs xcopy.exe explorer.exe no specs cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs reg.exe attrib.exe no specs attrib.exe no specs #ADWIND javaw.exe java.exe cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs wmic.exe no specs wscript.exe no specs ywditwsdrrv3268713871111220767.exe no specs #PONY svchost.exe cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3004"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\DHL_AWB01183002803PDF.jar.zip"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exeexplorer.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
8.0.920.14
2184"C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar C:\Users\admin\AppData\Local\Temp\_0.84427779594737156551203694291456928.classC:\Program Files\Java\jre1.8.0_92\bin\java.exe
javaw.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Version:
8.0.920.14
3616cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive7285564079824304826.vbsC:\Windows\system32\cmd.exejava.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
760cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive7285564079824304826.vbsC:\Windows\system32\cscript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3788cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive4867990700114557245.vbsC:\Windows\system32\cmd.exejava.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2320cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive4867990700114557245.vbsC:\Windows\system32\cscript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3876xcopy "C:\Program Files\Java\jre1.8.0_92" "C:\Users\admin\AppData\Roaming\Oracle\" /eC:\Windows\system32\xcopy.exe
java.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Extended Copy Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
284C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3960cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive6623336059589115407.vbsC:\Windows\system32\cmd.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2468cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive6623336059589115407.vbsC:\Windows\system32\cscript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Total events
1 048
Read events
1 031
Write events
17
Delete events
0

Modification events

(PID) Process:(3652) reg.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:CAMqcoFAsHStwFntWvFWF
Value:
"C:\Users\admin\AppData\Roaming\Oracle\bin\javaw.exe" -jar "C:\Users\admin\CneOzYCpIVRcSvDYP\xQDnjoriRCkuI.XzXxpVaUGPxrbLVRnw"
(PID) Process:(4088) javaw.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation:writeName:Name
Value:
javaw.exe
(PID) Process:(284) explorer.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:Key:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:Key:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2892) YWdITwsDrrV3268713871111220767.exeKey:HKEY_CURRENT_USER
Operation:writeName:
Value:
-boot
(PID) Process:(3400) svchost.exeKey:HKEY_CURRENT_USER\Software\WinRAR
Operation:writeName:HWID
Value:
7B45354532344639322D354246452D343735422D393239312D3832363331334130353245417D
(PID) Process:(3400) svchost.exeKey:HKEY_CURRENT_USER\Software\WinRAR
Operation:writeName:Client Hash
Value:
FF2EC9DE1C03EF4B513780134E575DB2
(PID) Process:(3400) svchost.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(3400) svchost.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
Executable files
111
Suspicious files
10
Text files
74
Unknown types
15

Dropped files

PID
Process
Filename
Type
2184java.exeC:\Users\admin\AppData\Local\Temp\Retrive4867990700114557245.vbs
MD5:
SHA256:
3004javaw.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:AC4629A45A5425A9D51543CC232CD975
SHA256:EC0EB0104F2DC652FB242B6A6741585988ADE18B5B6556A32A94CFFD0BBA24F3
3876xcopy.exeC:\Users\admin\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txttext
MD5:745D6DB5FC58C63F74CE6A7D4DB7E695
SHA256:C77BA9F668FEE7E9B810F1493E518ADF87233AC8793E4B37C9B3D1ED7846F1C0
2184java.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:5C72561A7F13597F66F4E3BFC4826670
SHA256:EDE8AF915D40F9E0AE0D5169D189F346711EC881721E9B9E015F66A4E514DE04
3876xcopy.exeC:\Users\admin\AppData\Roaming\Oracle\releasetext
MD5:1BCCC3A965156E53BE3136B3D583B7B6
SHA256:03A4DB27DEA69374EFBAF121C332D0AF05840D16D0C1FBF127D00E65054B118A
3876xcopy.exeC:\Users\admin\AppData\Roaming\Oracle\bin\bci.dllexecutable
MD5:6D8D8A26450EE4BA0BE405629EA0A511
SHA256:7945365A3CD40D043DAE47849E6645675166920958300E64DEA76A865BC479AF
3876xcopy.exeC:\Users\admin\AppData\Roaming\Oracle\LICENSEtext
MD5:98F46AB6481D87C4D77E0E91A6DBC15F
SHA256:23F9A5C12FA839650595A32872B7360B9E030C7213580FB27DD9185538A5828C
3004javaw.exeC:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\83aa4cc77f591dfc2374580bbd95f6ba_90059c37-1320-41a4-b58d-2b75a9850d2fdbf
MD5:C8366AE350E7019AEFC9D1E6E6A498C6
SHA256:11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
2184java.exeC:\Users\admin\AppData\Local\Temp\Retrive7285564079824304826.vbstext
MD5:3BDFD33017806B85949B6FAA7D4B98E4
SHA256:9DA575DD2D5B7C1E9BAB8B51A16CDE457B3371C6DCDB0537356CF1497FA868F6
3876xcopy.exeC:\Users\admin\AppData\Roaming\Oracle\bin\dcpr.dllexecutable
MD5:682CFD9431E5675900B04FEBE6CD4EB9
SHA256:80111E1D706741F5EF7F661835C3AA46664666425AA1B5F93103410F2BEE1213
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
3
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4088
javaw.exe
GET
200
185.25.21.31:80
http://powerfm.gr/whatsapp1.exe
GR
executable
267 Kb
suspicious
3400
svchost.exe
POST
200
89.33.237.76:80
http://daune-automobile.ro/javalit/gate.php
RO
binary
20 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3400
svchost.exe
89.33.237.76:80
daune-automobile.ro
T-Mobile Czech Republic a.s.
RO
malicious
4088
javaw.exe
194.5.98.56:5532
www.alhaji.ml
FR
malicious
4088
javaw.exe
185.25.21.31:80
powerfm.gr
Lancom Ltd.
GR
suspicious

DNS requests

Domain
IP
Reputation
www.alhaji.ml
  • 194.5.98.56
malicious
powerfm.gr
  • 185.25.21.31
suspicious
daune-automobile.ro
  • 89.33.237.76
malicious

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .ml Domain
4088
javaw.exe
Potentially Bad Traffic
ET INFO Suspicious Domain (*.ml) in TLS SNI
4088
javaw.exe
A Network Trojan was detected
ET TROJAN Possible Adwind SSL Cert (assylias.Inc)
4088
javaw.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3400
svchost.exe
A Network Trojan was detected
ET TROJAN Fareit/Pony Downloader Checkin 2
3400
svchost.exe
A Network Trojan was detected
ET TROJAN Trojan Generic - POST To gate.php with no referer
3400
svchost.exe
A Network Trojan was detected
MALWARE [PTsecurity] Pony encrypted POST Data Request
3400
svchost.exe
Potentially Bad Traffic
ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
3400
svchost.exe
A Network Trojan was detected
MALWARE [PTsecurity] Pony encrypted C2 Response
3400
svchost.exe
A Network Trojan was detected
MALWARE [PTsecurity] Fareit/Pony CnC Server stdResponse
1 ETPRO signatures available at the full report
No debug info