analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

EFTpaymentsummary.jar

Full analysis: https://app.any.run/tasks/18318087-904f-4cdb-b25e-36b49bfec802
Verdict: Malicious activity
Threats:

Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.

Analysis date: September 19, 2019, 09:17:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adwind
trojan
Indicators:
MIME: application/java-archive
File info: Java archive data (JAR)
MD5:

475A124DC89C4726F3F7C3BD1EE797AA

SHA1:

447CEC4911681BA3F17FC993425AD3583053C156

SHA256:

C6FCB09D2E1E158ED56F1254E609C8F8BEC1259CD5837D73CAEA107BCA86E5B4

SSDEEP:

12288:A4wdcia6TxDWimYwRMJ1xod5sJwekqRSeoVUHvROze:RcDW7MJ1KaJEVcMze

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • AdWind was detected

      • java.exe (PID: 3564)
    • Loads dropped or rewritten executable

      • explorer.exe (PID: 276)
      • java.exe (PID: 3564)
      • javaw.exe (PID: 3428)
    • Application was dropped or rewritten from another process

      • javaw.exe (PID: 3428)
      • java.exe (PID: 3564)
  • SUSPICIOUS

    • Executes scripts

      • cmd.exe (PID: 3716)
      • cmd.exe (PID: 3320)
      • cmd.exe (PID: 324)
      • cmd.exe (PID: 2900)
    • Creates files in the user directory

      • javaw.exe (PID: 3428)
      • xcopy.exe (PID: 2068)
    • Executes JAVA applets

      • javaw.exe (PID: 3428)
      • explorer.exe (PID: 276)
    • Starts CMD.EXE for commands execution

      • java.exe (PID: 3564)
      • javaw.exe (PID: 3428)
    • Executable content was dropped or overwritten

      • xcopy.exe (PID: 2068)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0808
ZipCompression: Deflated
ZipModifyDate: 2019:09:05 09:40:26
ZipCRC: 0x260fd0e1
ZipCompressedSize: 71
ZipUncompressedSize: 72
ZipFileName: META-INF/MANIFEST.MF
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
55
Monitored processes
13
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start javaw.exe no specs #ADWIND java.exe cmd.exe no specs cscript.exe no specs cmd.exe no specs cmd.exe no specs cscript.exe no specs cscript.exe no specs cmd.exe no specs xcopy.exe cscript.exe no specs xcopy.exe no specs explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3428"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\Downloads\EFTpaymentsummary.jar"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exeexplorer.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Version:
8.0.920.14
3564"C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar C:\Users\admin\AppData\Local\Temp\_0.220173437311776962556986919382679808.classC:\Program Files\Java\jre1.8.0_92\bin\java.exe
javaw.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Version:
8.0.920.14
3716cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive3039976479730933514.vbsC:\Windows\system32\cmd.exejava.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2064cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive3039976479730933514.vbsC:\Windows\system32\cscript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3320cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive2497634352614145410.vbsC:\Windows\system32\cmd.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
324cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive7139435130291587133.vbsC:\Windows\system32\cmd.exejava.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2220cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive2497634352614145410.vbsC:\Windows\system32\cscript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3112cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive7139435130291587133.vbsC:\Windows\system32\cscript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2900cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive8884718635369372470.vbsC:\Windows\system32\cmd.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2068xcopy "C:\Program Files\Java\jre1.8.0_92" "C:\Users\admin\AppData\Roaming\Oracle\" /eC:\Windows\system32\xcopy.exe
java.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Extended Copy Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 490
Read events
978
Write events
0
Delete events
0

Modification events

No data
Executable files
107
Suspicious files
10
Text files
68
Unknown types
15

Dropped files

PID
Process
Filename
Type
3428javaw.exeC:\Users\admin\AppData\Local\Temp\Retrive2497634352614145410.vbs
MD5:
SHA256:
3564java.exeC:\Users\admin\AppData\Local\Temp\Retrive7139435130291587133.vbs
MD5:
SHA256:
3428javaw.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:795614C5453319F6574E6BE125C072C7
SHA256:AB208B64E69A30E9AC9199694F885A6A1BB9E34C910E1CFB5CE57D801ADCF708
3564java.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:19BCCB83B8CA4CE13BFF337280677364
SHA256:B92A21309F593C4266C04032F26FF795BC148047D6C8CA20C8308511BDE45F51
3564java.exeC:\Users\admin\AppData\Local\Temp\Retrive3039976479730933514.vbstext
MD5:3BDFD33017806B85949B6FAA7D4B98E4
SHA256:9DA575DD2D5B7C1E9BAB8B51A16CDE457B3371C6DCDB0537356CF1497FA868F6
2068xcopy.exeC:\Users\admin\AppData\Roaming\Oracle\COPYRIGHTtext
MD5:89F660D2B7D58DA3EFD2FECD9832DA9C
SHA256:F6A08C9CC04D7C6A86576C1EF50DD0A690AE5CB503EFD205EDB2E408BD8D557B
3428javaw.exeC:\Users\admin\AppData\Local\Temp\_0.220173437311776962556986919382679808.classjava
MD5:781FB531354D6F291F1CCAB48DA6D39F
SHA256:97D585B6AFF62FB4E43E7E6A5F816DCD7A14BE11A88B109A9BA9E8CD4C456EB9
2068xcopy.exeC:\Users\admin\AppData\Roaming\Oracle\bin\dt_shmem.dllexecutable
MD5:0744E6A5145AA945D89A16EAC835FAB2
SHA256:C417390F681276EC0D55D81A91B87EAE75CA245045F5C23E9B43550B708FB1A6
2068xcopy.exeC:\Users\admin\AppData\Roaming\Oracle\bin\decora_sse.dllexecutable
MD5:94434B8739CB5CD184C63CEC209F06E2
SHA256:ADF4E9CE0866FF16A16F626CFC62355FB81212B1E7C95DD908E3644F88B77E91
2068xcopy.exeC:\Users\admin\AppData\Roaming\Oracle\releasetext
MD5:1BCCC3A965156E53BE3136B3D583B7B6
SHA256:03A4DB27DEA69374EFBAF121C332D0AF05840D16D0C1FBF127D00E65054B118A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info