Field | Value
---|---
File name | 5.vbs
Full analysis | https://app.any.run/tasks/4b319809-eaf0-43ab-bbe6-c8a08bcdacc9
Verdict | Malicious activity
Threats | Adwind RAT, also known as Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware-as-a-Service Remote Access Trojan that attackers use to collect information from infected machines. It was one of the most popular RATs on the market in 2015.
Analysis date | January 22, 2019, 11:12:20
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MIME | text/plain
File info | ASCII text, with very long lines
MD5 | 5330373468703FF98BDB5325F3655D0D
SHA1 | 10E9BD66CA60DFE07C21459AE05BB5FECEBEE386
SHA256 | C42BD9B5C0B3F09343B76CB13BC861F641C5CF531418ED50AF2B52B7383A8832
SSDEEP | 12288:U+0QEPmpd2xWY3W0fKeWXIl9vQgS+2EM7tcDZfToM00y3mS9In5JCVA9Fn0iOxHe:U+06Qm0fyd9EX9X00yB7A9J0xlqRsZY9

PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3072 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\5.vbs" | C:\Windows\System32\WScript.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385
1668 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\gunBbUbCls.vbs" | C:\Windows\System32\WScript.exe | — | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Version: 5.8.7600.16385
2924 | "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -version 2> C:\Users\admin\AppData\Local\Temp\output.txt | C:\Windows\System32\cmd.exe | — | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3672 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -version | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | cmd.exe | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Exit code: 0; Version: 8.0.920.14
2504 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\ntfsmgr.jar" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | WScript.exe | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Exit code: 0; Version: 8.0.920.14
3676 | "C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar C:\Users\admin\AppData\Local\Temp\_0.135243806351962651277977204796321563.class | C:\Program Files\Java\jre1.8.0_92\bin\java.exe | — | javaw.exe | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Version: 8.0.920.14
2356 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive908435332104360285.vbs | C:\Windows\system32\cmd.exe | — | javaw.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2896 | cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive908435332104360285.vbs | C:\Windows\system32\cscript.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Console Based Script Host; Exit code: 0; Version: 5.8.7600.16385
2496 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive1694202503491959198.vbs | C:\Windows\system32\cmd.exe | — | java.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2840 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive7624169359906761482.vbs | C:\Windows\system32\cmd.exe | — | javaw.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
1668 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gunBbUbCls.vbs | text | 4941F6AFF7EC8F6ABD6CBF231B3CEA62 | CF89150D32E65985DFA42F7F48B99EF555422EAB557F10DE36A23522CC1A5FE9
3676 | java.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | 7CD46993162776CAF74CA85BABAA0822 | 788CE2C166A364611E94B8977A5879F98177257CC0F2D1BAE94AA70E1BF08E97
3072 | WScript.exe | C:\Users\admin\AppData\Roaming\gunBbUbCls.vbs | text | 4941F6AFF7EC8F6ABD6CBF231B3CEA62 | CF89150D32E65985DFA42F7F48B99EF555422EAB557F10DE36A23522CC1A5FE9
3072 | WScript.exe | C:\Users\admin\AppData\Roaming\ntfsmgr.jar | java | 487875253D8E2FF69D7454CD871A20E1 | 7C26D40383A92A2AE4EE817676791F97BDB906080970CF4DDE46506437EF85D5
2924 | cmd.exe | C:\Users\admin\AppData\Local\Temp\output.txt | text | FCF81EDEAE4E8C13E8B099A9EE455E27 | 0CCC5DDB797429E5625AEDB2ECEE3F42E97221264CD69D5FF53A094F72FE5D7B
2504 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | 1F60E94794FF6145467019EF1FE59C13 | 907E4412F2B3A58785BC70935AC8F387C53C37D378996C588DAE501339859505
3672 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | 1F60E94794FF6145467019EF1FE59C13 | 907E4412F2B3A58785BC70935AC8F387C53C37D378996C588DAE501339859505
2764 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\release | text | 1BCCC3A965156E53BE3136B3D583B7B6 | 03A4DB27DEA69374EFBAF121C332D0AF05840D16D0C1FBF127D00E65054B118A
2764 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txt | text | 745D6DB5FC58C63F74CE6A7D4DB7E695 | C77BA9F668FEE7E9B810F1493E518ADF87233AC8793E4B37C9B3D1ED7846F1C0
2504 | javaw.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\83aa4cc77f591dfc2374580bbd95f6ba_90059c37-1320-41a4-b58d-2b75a9850d2f | dbf | C8366AE350E7019AEFC9D1E6E6A498C6 | 11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1668 | WScript.exe | 173.46.85.14:3360 | pm2bitcoin.com | Abc-hosters LLC | US | malicious |
3100 | javaw.exe | 185.244.30.121:4379 | respainc.duckdns.org | — | — | malicious |

Domain | IP | Reputation
---|---|---
pm2bitcoin.com | — | malicious
respainc.duckdns.org | — | malicious

PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
3100 | javaw.exe | A Network Trojan was detected | ET TROJAN Possible Adwind SSL Cert (assylias.Inc) |