Field | Value
---|---
File name | Nouveau.jar
Full analysis | https://app.any.run/tasks/fb08a685-8243-4ce1-a823-469ea2f514a2
Verdict | Malicious activity
Threats | Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware-as-a-Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Analysis date | February 11, 2019, 08:10:52
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | application/x-rar
File info | RAR archive data, v5
MD5 | C23912EABB94BC8E237231012F4A5B80
SHA1 | 22C22F9B587C57387A5848F4BCD3F7F1A147142F
SHA256 | 94A65D3616639DC1B52FD7942276A475C45D6C280799B958497155A6B46AEF8C
SSDEEP | 12288:sR03cqHwusgi42wUaXqHRKC4Sr7uDGpY+Fqm/+DozJ9BcE/dfZkpgjCBF/PP5xgN:sOcGvd2w8MPS2iAm/+DozJHh/kpgjWpc

Extension | Type
---|---
.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)

PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Exit code | Version
---|---|---|---|---|---|---|---|---|---|---
3468 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Nouveau.jar.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | admin | Alexander Roshal | MEDIUM | WinRAR archiver | — | 5.60.0
3352 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIa3468.20105\jre-8u201-windows-x64.jar | C:\Program Files\WinRAR\WinRAR.exe | — | WinRAR.exe | admin | Alexander Roshal | MEDIUM | WinRAR archiver | 0 | 5.60.0
3708 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\Desktop\jre-8u201-windows-x64.jar" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | explorer.exe | admin | Oracle Corporation | MEDIUM | Java(TM) Platform SE binary | 0 | 8.0.920.14
3228 | wscript C:\Users\admin\auqtoxxxcf.vbs | C:\Windows\system32\wscript.exe |  | javaw.exe | admin | Microsoft Corporation | MEDIUM | Microsoft ® Windows Based Script Host | 0 | 5.8.7600.16385
2740 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\nOEIXYweyr.vbs" | C:\Windows\System32\WScript.exe |  | wscript.exe | admin | Microsoft Corporation | MEDIUM | Microsoft ® Windows Based Script Host | — | 5.8.7600.16385
3528 | "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -version 2> C:\Users\admin\AppData\Local\Temp\output.txt | C:\Windows\System32\cmd.exe | — | wscript.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2204 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -version | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | cmd.exe | admin | Oracle Corporation | MEDIUM | Java(TM) Platform SE binary | 0 | 8.0.920.14
2840 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\ntfsmgr.jar" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | wscript.exe | admin | Oracle Corporation | MEDIUM | Java(TM) Platform SE binary | 0 | 8.0.920.14
2768 | "C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar C:\Users\admin\AppData\Local\Temp\_0.5095062297411482163979030849212189.class | C:\Program Files\Java\jre1.8.0_92\bin\java.exe |  | javaw.exe | admin | Oracle Corporation | MEDIUM | Java(TM) Platform SE binary | — | 8.0.920.14
3804 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive1230924861210978264.vbs | C:\Windows\system32\cmd.exe | — | javaw.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID | Process | Key | Operation | Name | Value
---|---|---|---|---|---
3468 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | 
3468 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | 
3468 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | write | LanguageList | en-US
3468 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\Nouveau.jar.rar
3468 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
3468 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
3468 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
3468 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100
116 | explorer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rar\OpenWithList | write | a | WinRAR.exe
116 | explorer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rar\OpenWithList | write | MRUList | a

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2768 | java.exe | C:\Users\admin\AppData\Local\Temp\Retrive2451347384801487964.vbs | — | — | —
3708 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | 56B384916A58966E0B50BD375004C9B7 | D6F658313A46D7DCF7529BB82AA913A710D48209EBD8AA89D94D2D9BB2BD0E8D
2204 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | F24A5140EE9B62E19A29C6F75375AD95 | E5B5E59E8ED618C3162746510F9AC3DA503DAF0A141DCDEAC8830BEE4EC80205
2840 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | F6A859C9D6051259B29FE8B5FF4C742D | 5CA6350994E0F3A1D659ACE31CEE9A6492741AD5DFA4557F990C2D8CCE72A68E
3468 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa3468.20105\jre-8u201-windows-x64.jar | compressed | 7C1FCE87F5E2EDC6D659779EA764DB83 | BF9E93CF79A31E582BC70E817FBB7036EDD07FC8A353358A1ADA2D4EB7420D5A
3468 | WinRAR.exe | C:\Users\admin\Desktop\jre-8u201-windows-x64.jar | compressed | 7C1FCE87F5E2EDC6D659779EA764DB83 | BF9E93CF79A31E582BC70E817FBB7036EDD07FC8A353358A1ADA2D4EB7420D5A
3228 | wscript.exe | C:\Users\admin\AppData\Roaming\nOEIXYweyr.vbs | text | F5335AA5EB922D7D3EFB290453FA45F7 | 055EEC0F62C712DAD78C47BCC82E5FD7906918CB6603AF786D0F610B4819D675
3708 | javaw.exe | C:\Users\admin\auqtoxxxcf.vbs | text | C6C7188B62BA55F61079905E440BEC5D | F675909D117B16E8FFFAC9549952E60A1C92059E613AF4886DC6FC2EFEC29111
3528 | cmd.exe | C:\Users\admin\AppData\Local\Temp\output.txt | text | FCF81EDEAE4E8C13E8B099A9EE455E27 | 0CCC5DDB797429E5625AEDB2ECEE3F42E97221264CD69D5FF53A094F72FE5D7B
3228 | wscript.exe | C:\Users\admin\AppData\Roaming\ntfsmgr.jar | java | A0B52C4568CD247FA59BF99815AD1852 | 6868AC1C75D13CCB24C6FFADA8C8259EDCB139F9E717D4E4C412F2BC0C0C9A41

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2740 | WScript.exe | POST | — | 5.206.225.115:7788 | http://5.206.225.115:7788/is-ready | NL | — | — | malicious |
2740 | WScript.exe | POST | 404 | 5.206.225.115:7788 | http://5.206.225.115:7788/is-ready | NL | xml | 345 b | malicious |
— | — | POST | 404 | 5.206.225.115:7788 | http://5.206.225.115:7788/is-ready | NL | xml | 345 b | malicious |
2740 | WScript.exe | POST | 404 | 5.206.225.115:7788 | http://5.206.225.115:7788/is-ready | NL | xml | 345 b | malicious |

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2740 | WScript.exe | 5.206.225.115:7788 | — | Dotsi, Unipessoal Lda. | NL | malicious |
— | — | 5.206.225.115:7788 | — | Dotsi, Unipessoal Lda. | NL | malicious |

PID | Process | Class | Message |
---|---|---|---|
2740 | WScript.exe | A Network Trojan was detected | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1 |
2740 | WScript.exe | A Network Trojan was detected | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin UA |
2740 | WScript.exe | A Network Trojan was detected | MALWARE [PTsecurity] Dunihi VBS.Downloader.Trojan |
2740 | WScript.exe | A Network Trojan was detected | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1 |
2740 | WScript.exe | A Network Trojan was detected | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin UA |
2740 | WScript.exe | A Network Trojan was detected | MALWARE [PTsecurity] Dunihi VBS.Downloader.Trojan |
2740 | WScript.exe | A Network Trojan was detected | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1 |
2740 | WScript.exe | A Network Trojan was detected | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin UA |
2740 | WScript.exe | A Network Trojan was detected | MALWARE [PTsecurity] Dunihi VBS.Downloader.Trojan |
— | — | A Network Trojan was detected | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1 |