File name:

5.vbs

Full analysis: https://app.any.run/tasks/4b319809-eaf0-43ab-bbe6-c8a08bcdacc9
Verdict: Malicious activity
Threats:

Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.

Malware Trends Tracker     >>>
Analysis date: January 22, 2019, 11:12:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adwind
trojan
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines
MD5:

5330373468703FF98BDB5325F3655D0D

SHA1:

10E9BD66CA60DFE07C21459AE05BB5FECEBEE386

SHA256:

C42BD9B5C0B3F09343B76CB13BC861F641C5CF531418ED50AF2B52B7383A8832

SSDEEP:

12288:U+0QEPmpd2xWY3W0fKeWXIl9vQgS+2EM7tcDZfToM00y3mS9In5JCVA9Fn0iOxHe:U+06Qm0fyd9EX9X00yB7A9J0xlqRsZY9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • WScript.exe (PID: 3072)
      • WScript.exe (PID: 1668)
      • reg.exe (PID: 2668)

    • Writes to a start menu file

      • WScript.exe (PID: 1668)

    • AdWind was detected

      • java.exe (PID: 3676)
      • java.exe (PID: 3284)

    • Loads dropped or rewritten executable

      • javaw.exe (PID: 2504)
      • java.exe (PID: 3676)
      • WScript.exe (PID: 3072)
      • javaw.exe (PID: 3672)
      • cmd.exe (PID: 2924)
      • javaw.exe (PID: 3100)
      • java.exe (PID: 3284)

    • Application was dropped or rewritten from another process

      • javaw.exe (PID: 3672)
      • javaw.exe (PID: 2504)
      • java.exe (PID: 3676)
      • javaw.exe (PID: 3100)
      • java.exe (PID: 3284)

    • Uses TASKKILL.EXE to kill security tools

      • javaw.exe (PID: 3100)

    • Turns off system restore

      • regedit.exe (PID: 2492)

    • ADWIND was detected

      • javaw.exe (PID: 3100)

    • Changes Image File Execution Options

      • regedit.exe (PID: 2492)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 3072)
      • javaw.exe (PID: 2504)
      • java.exe (PID: 3676)
      • javaw.exe (PID: 3100)
      • java.exe (PID: 3284)

    • Creates files in the user directory

      • WScript.exe (PID: 3072)
      • WScript.exe (PID: 1668)
      • javaw.exe (PID: 2504)
      • xcopy.exe (PID: 2764)

    • Executes JAVA applets

      • cmd.exe (PID: 2924)
      • WScript.exe (PID: 3072)
      • javaw.exe (PID: 2504)

    • Executes scripts

      • WScript.exe (PID: 3072)
      • cmd.exe (PID: 2356)
      • cmd.exe (PID: 2496)
      • cmd.exe (PID: 2840)
      • cmd.exe (PID: 2652)
      • cmd.exe (PID: 3524)
      • cmd.exe (PID: 3964)
      • cmd.exe (PID: 3340)
      • cmd.exe (PID: 3788)

    • Application launched itself

      • WScript.exe (PID: 3072)

    • Connects to unusual port

      • WScript.exe (PID: 1668)
      • javaw.exe (PID: 3100)

    • Executable content was dropped or overwritten

      • xcopy.exe (PID: 2764)
      • javaw.exe (PID: 3100)

    • Starts itself from another location

      • javaw.exe (PID: 2504)

    • Uses REG.EXE to modify Windows registry

      • javaw.exe (PID: 2504)

    • Uses ATTRIB.EXE to modify file attributes

      • javaw.exe (PID: 2504)

    • Uses TASKKILL.EXE to kill process

      • javaw.exe (PID: 3100)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
180
Monitored processes
81
Malicious processes
10
Suspicious processes
1

Behavior graph

Click at the process to see the details
start wscript.exe wscript.exe cmd.exe no specs javaw.exe no specs javaw.exe no specs java.exe cmd.exe no specs cscript.exe no specs cmd.exe no specs cmd.exe no specs cscript.exe no specs cscript.exe no specs cmd.exe no specs xcopy.exe cscript.exe no specs reg.exe attrib.exe no specs #ADWIND javaw.exe attrib.exe no specs java.exe cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs taskkill.exe no specs cmd.exe no specs regedit.exe no specs regedit.exe no specs taskkill.exe no specs regedit.exe taskkill.exe no specs wmic.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
408taskkill /IM wireshark.exe /T /FC:\Windows\system32\taskkill.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
800taskkill /IM cis.exe /T /FC:\Windows\system32\taskkill.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
1168taskkill /IM editcap.exe /T /FC:\Windows\system32\taskkill.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
1236taskkill /IM dragon_updater.exe /T /FC:\Windows\system32\taskkill.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
1428taskkill /IM MWAGENT.EXE /T /FC:\Windows\system32\taskkill.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
1440taskkill /IM cmdagent.exe /T /FC:\Windows\system32\taskkill.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
1464"C:\Windows\regedit.exe" /s C:\Users\admin\AppData\Local\Temp\nYGnHErAjl3932586309046624601.regC:\Windows\regedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Editor
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\regedit.exe
c:\systemroot\system32\ntdll.dll
1668"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\gunBbUbCls.vbs" C:\Windows\System32\WScript.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1916taskkill /IM MpUXSrv.exe /T /FC:\Windows\system32\taskkill.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
2052taskkill /IM clamscan.exe /T /FC:\Windows\system32\taskkill.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
Total events
1 235
Read events
998
Write events
237
Delete events
0

Modification events

(PID) Process:(3072) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(3072) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(1668) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\gunBbUbCls
Operation:writeName:
Value:
false - 1/22/2019
(PID) Process:(1668) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:gunBbUbCls
Value:
wscript.exe //B "C:\Users\admin\AppData\Roaming\gunBbUbCls.vbs"
(PID) Process:(1668) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:gunBbUbCls
Value:
wscript.exe //B "C:\Users\admin\AppData\Roaming\gunBbUbCls.vbs"
(PID) Process:(3072) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:ntfsmgr
Value:
"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\ntfsmgr.jar"
(PID) Process:(1668) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(1668) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(1668) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(1668) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
Executable files
111
Suspicious files
10
Text files
80
Unknown types
15

Dropped files

PID
Process
Filename
Type
3072WScript.exeC:\Users\admin\AppData\Roaming\ntfsmgr.jarjava
MD5:
SHA256:
1668WScript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gunBbUbCls.vbstext
MD5:
SHA256:
2924cmd.exeC:\Users\admin\AppData\Local\Temp\output.txttext
MD5:
SHA256:
2504javaw.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:
SHA256:
3672javaw.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:
SHA256:
3072WScript.exeC:\Users\admin\AppData\Roaming\gunBbUbCls.vbstext
MD5:
SHA256:
2504javaw.exeC:\Users\admin\AppData\Local\Temp\_0.135243806351962651277977204796321563.classjava
MD5:781FB531354D6F291F1CCAB48DA6D39F
SHA256:97D585B6AFF62FB4E43E7E6A5F816DCD7A14BE11A88B109A9BA9E8CD4C456EB9
3676java.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:
SHA256:
2504javaw.exeC:\Users\admin\AppData\Local\Temp\Retrive908435332104360285.vbstext
MD5:3BDFD33017806B85949B6FAA7D4B98E4
SHA256:9DA575DD2D5B7C1E9BAB8B51A16CDE457B3371C6DCDB0537356CF1497FA868F6
3676java.exeC:\Users\admin\AppData\Local\Temp\Retrive1694202503491959198.vbstext
MD5:3BDFD33017806B85949B6FAA7D4B98E4
SHA256:9DA575DD2D5B7C1E9BAB8B51A16CDE457B3371C6DCDB0537356CF1497FA868F6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
7
DNS requests
2
Threats
2

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1668
WScript.exe
173.46.85.14:3360
pm2bitcoin.com
Abc-hosters LLC
US
malicious
3100
javaw.exe
185.244.30.121:4379
respainc.duckdns.org
malicious

DNS requests

Domain
IP
Reputation
pm2bitcoin.com
  • 173.46.85.14
malicious
respainc.duckdns.org
  • 185.244.30.121
malicious

Threats

PID
Process
Class
Message
1060
svchost.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3100
javaw.exe
A Network Trojan was detected
ET TROJAN Possible Adwind SSL Cert (assylias.Inc)
No debug info