File name: | jenqtgIyHB_newaso-1.vbs |
Full analysis: | https://app.any.run/tasks/5b3a80a3-e16c-4ff3-8990-619fb98dce2c |
Verdict: | Malicious activity |
Threats: | Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015. |
Analysis date: | January 11, 2019, 11:44:15 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines |
MD5: | D060268AC9DED5AEF4EF02EC8746B855 |
SHA1: | B7DDADAEF636F912E57A522B952EBBA81F208E94 |
SHA256: | 97D49480DF6CCB207504396EDD8C99A342FFD4CA8F14A2C3B46054628FBBFB92 |
SSDEEP: | 12288:G6N6PsB9/Sv1Im0xdCP3EG8m6UHd8J01N7mVXpVLlMnaNhUmj6EZ9e/g4S6K3CeI:GMCwRy0C0GyUc077aXOpnECI4SHK |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2960 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\jenqtgIyHB_newaso-1.vbs" | C:\Windows\System32\WScript.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
2336 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\UwwogLCzsN.vbs" | C:\Windows\System32\WScript.exe | WScript.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 Modules
| |||||||||||||||
3128 | "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -version 2> C:\Users\admin\AppData\Local\Temp\output.txt | C:\Windows\System32\cmd.exe | — | WScript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
3888 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -version | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | cmd.exe | |||||||||||
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Exit code: 0 Version: 8.0.920.14 Modules
| |||||||||||||||
3344 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\ntfsmgr.jar" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | WScript.exe | |||||||||||
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Exit code: 0 Version: 8.0.920.14 Modules
| |||||||||||||||
3816 | "C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar C:\Users\admin\AppData\Local\Temp\_0.92975766311239084736571209146325359.class | C:\Program Files\Java\jre1.8.0_92\bin\java.exe | javaw.exe | ||||||||||||
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Version: 8.0.920.14 Modules
| |||||||||||||||
308 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive1114622237184961528.vbs | C:\Windows\system32\cmd.exe | — | javaw.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
2796 | cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive1114622237184961528.vbs | C:\Windows\system32\cscript.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Console Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
2464 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive4596543679496563502.vbs | C:\Windows\system32\cmd.exe | — | javaw.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
2916 | cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive4596543679496563502.vbs | C:\Windows\system32\cscript.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Console Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
|
(PID) Process: | (2960) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (2960) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 | |||
(PID) Process: | (2336) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\UwwogLCzsN |
Operation: | write | Name: | |
Value: false - 1/11/2019 | |||
(PID) Process: | (2336) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
Operation: | write | Name: | UwwogLCzsN |
Value: wscript.exe //B "C:\Users\admin\AppData\Roaming\UwwogLCzsN.vbs" | |||
(PID) Process: | (2336) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
Operation: | write | Name: | UwwogLCzsN |
Value: wscript.exe //B "C:\Users\admin\AppData\Roaming\UwwogLCzsN.vbs" | |||
(PID) Process: | (2960) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
Operation: | write | Name: | ntfsmgr |
Value: "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\ntfsmgr.jar" | |||
(PID) Process: | (2336) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32 |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (2336) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32 |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (2336) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32 |
Operation: | write | Name: | FileTracingMask |
Value: 4294901760 | |||
(PID) Process: | (2336) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32 |
Operation: | write | Name: | ConsoleTracingMask |
Value: 4294901760 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3344 | javaw.exe | C:\Users\admin\AppData\Local\Temp\Retrive4596543679496563502.vbs | — | |
MD5:— | SHA256:— | |||
3816 | java.exe | C:\Users\admin\AppData\Local\Temp\Retrive1493447988114851523.vbs | — | |
MD5:— | SHA256:— | |||
2960 | WScript.exe | C:\Users\admin\AppData\Roaming\UwwogLCzsN.vbs | text | |
MD5:98F00B8887BEB982534929376695D20E | SHA256:7679E6EB17505C8C4315D5D5C43A20AFD0069E3F0E922C37A3D783D06B7CB5E8 | |||
3128 | cmd.exe | C:\Users\admin\AppData\Local\Temp\output.txt | text | |
MD5:FCF81EDEAE4E8C13E8B099A9EE455E27 | SHA256:0CCC5DDB797429E5625AEDB2ECEE3F42E97221264CD69D5FF53A094F72FE5D7B | |||
3816 | java.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | |
MD5:53A9A43C54613DA3B9672F14D98BA59F | SHA256:23016A5A99ABC3C5CC07FEA44081E4AA8D4A6B934C9958799F20AB59A8E8A5B3 | |||
2960 | WScript.exe | C:\Users\admin\AppData\Roaming\ntfsmgr.jar | java | |
MD5:CDEE1E867980580A55BC34BC240FB12B | SHA256:43778130F1A0DF96AF4CEC920046FFC6CB65E0BFD6E76213E17D299B313DBA35 | |||
2336 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UwwogLCzsN.vbs | text | |
MD5:98F00B8887BEB982534929376695D20E | SHA256:7679E6EB17505C8C4315D5D5C43A20AFD0069E3F0E922C37A3D783D06B7CB5E8 | |||
3344 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | |
MD5:7FC9B7A143A73B5C951FC9E3851717C2 | SHA256:6FA6AF19405D987A6EE4908F9EFDC78F2AA7ABA734B2FD8B354D4CF5C2CC6F5B | |||
3888 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | |
MD5:CC20DF1F19EE88B0D3EB22CBB412373A | SHA256:59B437F7C58A03DCADCF37691D7E240C9D9CE73D9FE4A3098094276EEECF9C2F | |||
3344 | javaw.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\83aa4cc77f591dfc2374580bbd95f6ba_90059c37-1320-41a4-b58d-2b75a9850d2f | dbf | |
MD5:C8366AE350E7019AEFC9D1E6E6A498C6 | SHA256:11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 195.138.255.24:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEBPqKHBb9OztDDZjCYBhQzY%3D | DE | der | 471 b | whitelisted |
— | — | GET | 200 | 195.138.255.24:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEAXk3DuUOKs7hZfLpqGYUOM%3D | DE | der | 727 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1884 | gup.exe | 37.59.28.236:443 | notepad-plus-plus.org | OVH SAS | FR | whitelisted |
— | — | 195.138.255.24:80 | ocsp.usertrust.com | AS33891 Netzbetrieb GmbH | DE | whitelisted |
3752 | javaw.exe | 185.125.205.77:7524 | asorock0011.ddns.net | — | DE | malicious |
Domain | IP | Reputation |
---|---|---|
goz.unknowncrypter.com |
| malicious |
asorock0011.ddns.net |
| malicious |
notepad-plus-plus.org |
| whitelisted |
ocsp.usertrust.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3752 | javaw.exe | A Network Trojan was detected | ET TROJAN Possible Adwind SSL Cert (assylias.Inc) |
Process | Message |
---|---|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093
|