| File name: | 0001.js |
| Full analysis: | https://app.any.run/tasks/526d5da0-dbaf-4edf-9169-e9e137cad8c5 |
| Verdict: | Malicious activity |
| Threats: | Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015. |
| Analysis date: | February 18, 2019, 14:06:54 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/plain |
| File info: | ASCII text, with very long lines |
| MD5: | F26FFC347C938CF2A656A7A6E521C0E7 |
| SHA1: | C9CD037AD49AF9DD7FBEF6F2A87CA45295E0D381 |
| SHA256: | 98D51539F6A59B342256CA962F91A5671919D4B19E7BD25B6032EDC7476F180C |
| SSDEEP: | 24576:g+9brGru9ehnbXCvvgEfk8iif5P+WzQwaHBqiq:zGrucERh0uQz4D |
MALICIOUS
Changes the autorun value in the registry
- WScript.exe (PID: 2988)
- WScript.exe (PID: 2432)
- reg.exe (PID: 3396)
Uses Task Scheduler to run other applications
- WScript.exe (PID: 2432)
Writes to a start menu file
- WScript.exe (PID: 2432)
AdWind was detected
- java.exe (PID: 3428)
- java.exe (PID: 3944)
Loads the Task Scheduler COM API
- schtasks.exe (PID: 2204)
- schtasks.exe (PID: 3152)
Loads dropped or rewritten executable
- javaw.exe (PID: 3804)
- java.exe (PID: 3428)
- javaw.exe (PID: 2796)
- WScript.exe (PID: 2988)
- java.exe (PID: 3944)
UAC/LUA settings modification
- regedit.exe (PID: 2368)
Turns off system restore
- regedit.exe (PID: 2368)
Application was dropped or rewritten from another process
- javaw.exe (PID: 2796)
- java.exe (PID: 3428)
- javaw.exe (PID: 3804)
- java.exe (PID: 3944)
Uses TASKKILL.EXE to kill security tools
- javaw.exe (PID: 3804)
Changes Image File Execution Options
- regedit.exe (PID: 2368)
SUSPICIOUS
Application launched itself
- WScript.exe (PID: 2988)
Executes JAVA applets
- WScript.exe (PID: 2988)
- javaw.exe (PID: 2796)
Executes scripts
- WScript.exe (PID: 2988)
- cmd.exe (PID: 3084)
- cmd.exe (PID: 2572)
- cmd.exe (PID: 2108)
- cmd.exe (PID: 2268)
- cmd.exe (PID: 3916)
- cmd.exe (PID: 2572)
- cmd.exe (PID: 3640)
- cmd.exe (PID: 2476)
Creates files in the user directory
- WScript.exe (PID: 2988)
- javaw.exe (PID: 2796)
- WScript.exe (PID: 2432)
- xcopy.exe (PID: 2388)
Starts CMD.EXE for commands execution
- java.exe (PID: 3428)
- javaw.exe (PID: 2796)
- javaw.exe (PID: 3804)
- java.exe (PID: 3944)
Connects to unusual port
- WScript.exe (PID: 2432)
- javaw.exe (PID: 3804)
Starts itself from another location
- javaw.exe (PID: 2796)
Executable content was dropped or overwritten
- xcopy.exe (PID: 2388)
Uses REG.EXE to modify Windows registry
- javaw.exe (PID: 2796)
Uses ATTRIB.EXE to modify file attributes
- javaw.exe (PID: 2796)
Uses TASKKILL.EXE to kill process
- javaw.exe (PID: 3804)
INFO
No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
111
Monitored processes
46
Malicious processes
9
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2108 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive2001587542766022903.vbs | C:\Windows\system32\cmd.exe | — | java.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2164 | cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive7103669655194116120.vbs | C:\Windows\system32\cscript.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Console Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
| 2204 | "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\admin\AppData\Roaming\dspWZiSyBB.js | C:\Windows\System32\schtasks.exe | — | WScript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2232 | regedit.exe /s C:\Users\admin\AppData\Local\Temp\QOlWCRUCBi1294509263682198372.reg | C:\Windows\regedit.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Editor Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2268 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive7561121797165593772.vbs | C:\Windows\system32\cmd.exe | — | java.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2308 | cmd.exe /c regedit.exe /s C:\Users\admin\AppData\Local\Temp\QOlWCRUCBi1294509263682198372.reg | C:\Windows\system32\cmd.exe | — | javaw.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2368 | "C:\Windows\regedit.exe" /s C:\Users\admin\AppData\Local\Temp\QOlWCRUCBi1294509263682198372.reg | C:\Windows\regedit.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Editor Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2388 | xcopy "C:\Program Files\Java\jre1.8.0_92" "C:\Users\admin\AppData\Roaming\Oracle\" /e | C:\Windows\system32\xcopy.exe | javaw.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Extended Copy Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2432 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\dspWZiSyBB.js" | C:\Windows\System32\WScript.exe | WScript.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
| 2476 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive1973552518147528628.vbs | C:\Windows\system32\cmd.exe | — | javaw.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
Total events
1 058
Read events
824
Write events
234
Delete events
0
Modification events
| (PID) Process: | (2988) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
| (PID) Process: | (2988) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 1 | |||
| (PID) Process: | (2988) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | ntfsmgr |
Value: "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\tnhgqbftvy.txt" | |||
| (PID) Process: | (2432) WScript.exe | Key: | HKEY_CURRENT_USER |
| Operation: | write | Name: | vjw0rm |
Value: FALSE | |||
| (PID) Process: | (2432) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | 0IDR124VF6 |
Value: "C:\Users\admin\AppData\Roaming\dspWZiSyBB.js" | |||
| (PID) Process: | (2432) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
| (PID) Process: | (2432) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 1 | |||
| (PID) Process: | (2432) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (2432) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32 |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
| (PID) Process: | (2432) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32 |
| Operation: | write | Name: | FileTracingMask |
Value: 4294901760 | |||
Executable files
110
Suspicious files
10
Text files
77
Unknown types
15
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2988 | WScript.exe | C:\Users\admin\AppData\Roaming\tnhgqbftvy.txt | java | |
MD5:— | SHA256:— | |||
| 2988 | WScript.exe | C:\Users\admin\AppData\Roaming\dspWZiSyBB.js | text | |
MD5:— | SHA256:— | |||
| 2796 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | |
MD5:— | SHA256:— | |||
| 2432 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dspWZiSyBB.js | text | |
MD5:— | SHA256:— | |||
| 3428 | java.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | |
MD5:— | SHA256:— | |||
| 2796 | javaw.exe | C:\Users\admin\AppData\Local\Temp\_0.70664211105760334099657525175834494.class | java | |
MD5:781FB531354D6F291F1CCAB48DA6D39F | SHA256:97D585B6AFF62FB4E43E7E6A5F816DCD7A14BE11A88B109A9BA9E8CD4C456EB9 | |||
| 2796 | javaw.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\83aa4cc77f591dfc2374580bbd95f6ba_90059c37-1320-41a4-b58d-2b75a9850d2f | dbf | |
MD5:C8366AE350E7019AEFC9D1E6E6A498C6 | SHA256:11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238 | |||
| 2796 | javaw.exe | C:\Users\admin\AppData\Local\Temp\Retrive7938737947649289228.vbs | text | |
MD5:3BDFD33017806B85949B6FAA7D4B98E4 | SHA256:9DA575DD2D5B7C1E9BAB8B51A16CDE457B3371C6DCDB0537356CF1497FA868F6 | |||
| 2796 | javaw.exe | C:\Users\admin\AppData\Local\Temp\Retrive886781589446666918.vbs | text | |
MD5:A32C109297ED1CA155598CD295C26611 | SHA256:45BFE34AA3EF932F75101246EB53D032F5E7CF6D1F5B4E495334955A255F32E7 | |||
| 3428 | java.exe | C:\Users\admin\AppData\Local\Temp\Retrive7561121797165593772.vbs | text | |
MD5:3BDFD33017806B85949B6FAA7D4B98E4 | SHA256:9DA575DD2D5B7C1E9BAB8B51A16CDE457B3371C6DCDB0537356CF1497FA868F6 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
2
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2432 | WScript.exe | 194.5.98.8:7755 | unknownsoft.hopto.org | — | FR | malicious |
3804 | javaw.exe | 31.171.152.103:5011 | flexio.ddns.net | Keminet Ltd. | AL | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
unknownsoft.hopto.org |
| malicious |
flexio.ddns.net |
| malicious |