Field | Value
---|---
File name | 0001.js
Full analysis | https://app.any.run/tasks/526d5da0-dbaf-4edf-9169-e9e137cad8c5
Verdict | Malicious activity
Threats | Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware-as-a-Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs on the market in 2015.
Analysis date | February 18, 2019, 14:06:54
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | text/plain
File info | ASCII text, with very long lines
MD5 | F26FFC347C938CF2A656A7A6E521C0E7
SHA1 | C9CD037AD49AF9DD7FBEF6F2A87CA45295E0D381
SHA256 | 98D51539F6A59B342256CA962F91A5671919D4B19E7BD25B6032EDC7476F180C
SSDEEP | 24576:g+9brGru9ehnbXCvvgEfk8iif5P+WzQwaHBqiq:zGrucERh0uQz4D
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2988 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\0001.js" | C:\Windows\System32\WScript.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385
2432 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\dspWZiSyBB.js" | C:\Windows\System32\WScript.exe | — | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Version: 5.8.7600.16385
2796 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\tnhgqbftvy.txt" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | WScript.exe | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Exit code: 0; Version: 8.0.920.14
2204 | "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\admin\AppData\Roaming\dspWZiSyBB.js | C:\Windows\System32\schtasks.exe | — | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Manages scheduled tasks; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3428 | "C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar C:\Users\admin\AppData\Local\Temp\_0.70664211105760334099657525175834494.class | C:\Program Files\Java\jre1.8.0_92\bin\java.exe | — | javaw.exe | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Version: 8.0.920.14
3084 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive7938737947649289228.vbs | C:\Windows\system32\cmd.exe | — | javaw.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3648 | cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive7938737947649289228.vbs | C:\Windows\system32\cscript.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Console Based Script Host; Exit code: 0; Version: 5.8.7600.16385
2268 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive7561121797165593772.vbs | C:\Windows\system32\cmd.exe | — | java.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3164 | cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive7561121797165593772.vbs | C:\Windows\system32\cscript.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Console Based Script Host; Exit code: 0; Version: 5.8.7600.16385
2572 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive886781589446666918.vbs | C:\Windows\system32\cmd.exe | — | javaw.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2988 | WScript.exe | C:\Users\admin\AppData\Roaming\dspWZiSyBB.js | text | 5566B5684C45626CF74DDFC4549AAB87 | B00F587F72338FBAA31C8096F96B18F3991FAF07B55CC602FB1DCB66E2071539
3428 | java.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | B9175ADBD98714338997DECE3B931033 | 017830BB5124C9259C51555AFB31ED4C14393FFD7A6A73CD5AF8D583BDC12B8F
2432 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dspWZiSyBB.js | text | 5566B5684C45626CF74DDFC4549AAB87 | B00F587F72338FBAA31C8096F96B18F3991FAF07B55CC602FB1DCB66E2071539
3428 | java.exe | C:\Users\admin\AppData\Local\Temp\Retrive7561121797165593772.vbs | text | 3BDFD33017806B85949B6FAA7D4B98E4 | 9DA575DD2D5B7C1E9BAB8B51A16CDE457B3371C6DCDB0537356CF1497FA868F6
2988 | WScript.exe | C:\Users\admin\AppData\Roaming\tnhgqbftvy.txt | java | F32CCAC1E250BE2D4491A03C77F5F4B7 | 8E9927947BAD12156E88F3E0E93D8610347F8EA923573AD864B62AE011D11B72
2796 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | 77AE945C2F599227320F29D165DB69C2 | A16E3C9CE4CC801D363273301C159DBB44E1F6CDCEB627725A7D555F559FC559
2796 | javaw.exe | C:\Users\admin\AppData\Local\Temp\Retrive7938737947649289228.vbs | text | 3BDFD33017806B85949B6FAA7D4B98E4 | 9DA575DD2D5B7C1E9BAB8B51A16CDE457B3371C6DCDB0537356CF1497FA868F6
2796 | javaw.exe | C:\Users\admin\AppData\Local\Temp\Retrive886781589446666918.vbs | text | A32C109297ED1CA155598CD295C26611 | 45BFE34AA3EF932F75101246EB53D032F5E7CF6D1F5B4E495334955A255F32E7
2388 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\release | text | 1BCCC3A965156E53BE3136B3D583B7B6 | 03A4DB27DEA69374EFBAF121C332D0AF05840D16D0C1FBF127D00E65054B118A
2388 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\LICENSE | text | 98F46AB6481D87C4D77E0E91A6DBC15F | 23F9A5C12FA839650595A32872B7360B9E030C7213580FB27DD9185538A5828C
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3804 | javaw.exe | 31.171.152.103:5011 | flexio.ddns.net | Keminet Ltd. | AL | malicious |
2432 | WScript.exe | 194.5.98.8:7755 | unknownsoft.hopto.org | — | FR | malicious |
Domain | IP | Reputation
---|---|---
unknownsoft.hopto.org | | malicious
flexio.ddns.net | | malicious