Field | Value
---|---
File name | b7f10d62278881361a6d77d405bc4b00facf1a05.vbs
Full analysis | https://app.any.run/tasks/a1e7a891-ae60-418f-b1d7-8248a87e0922
Verdict | Malicious activity
Threats | Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware-as-a-Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs on the market in 2015.
Analysis date | April 25, 2019, 19:41:39
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | text/plain
File info | ASCII text, with very long lines
MD5 | DF92439ED5C2584F18890B34B1E0D115
SHA1 | B7F10D62278881361A6D77D405BC4B00FACF1A05
SHA256 | CE0798BB742C32D5EFB1643EF400A92A4F559C7A322CCD554E33E3EA6748C4F9
SSDEEP | 12288:i3MdwwJm5zQdBLZ4ltu2enoCDYvfx8tFxNOA9Rw9ASvhs0+DDO2C4A3U2rNM:ic9m5zQzF4ltLeoqY3xlA9JSStvOZL6

PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2668 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\b7f10d62278881361a6d77d405bc4b00facf1a05.vbs" | C:\Windows\System32\WScript.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385
2316 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\nuFssOPRVm.vbs" | C:\Windows\System32\WScript.exe | — | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Version: 5.8.7600.16385
2108 | "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -version 2> C:\Users\admin\AppData\Local\Temp\output.txt | C:\Windows\System32\cmd.exe | — | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3456 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -version | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | cmd.exe | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Exit code: 0; Version: 8.0.920.14
2172 | "C:\Windows\system32\cmd.exe" /c schtasks /create /sc minute /mo 30 /tn Skypee /tr "C:\Users\admin\AppData\Local\Temp\meee.vbs" | C:\Windows\system32\cmd.exe | — | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
1928 | schtasks /create /sc minute /mo 30 /tn Skypee /tr "C:\Users\admin\AppData\Local\Temp\meee.vbs" | C:\Windows\system32\schtasks.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Manages scheduled tasks; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2532 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\ntfsmgr.jar" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | WScript.exe | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Exit code: 0; Version: 8.0.920.14
2376 | "C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar C:\Users\admin\AppData\Local\Temp\_0.41436736119452481955374249029752090.class | C:\Program Files\Java\jre1.8.0_92\bin\java.exe | — | javaw.exe | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Version: 8.0.920.14
2664 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive3118351698729556697.vbs | C:\Windows\system32\cmd.exe | — | javaw.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3452 | cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive3118351698729556697.vbs | C:\Windows\system32\cscript.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Console Based Script Host; Exit code: 0; Version: 5.8.7600.16385

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2532 | javaw.exe | C:\Users\admin\AppData\Local\Temp\Retrive3978545713953750632.vbs | — | — | —
2668 | WScript.exe | C:\Users\admin\AppData\Roaming\nuFssOPRVm.vbs | text | 13EEBAD9B9F95751849FCD92DAE988CA | 56518A88D406F8D457462C08F1142F8DAECF4EC68FFA0CE572251E205D2145BA
2108 | cmd.exe | C:\Users\admin\AppData\Local\Temp\output.txt | text | FCF81EDEAE4E8C13E8B099A9EE455E27 | 0CCC5DDB797429E5625AEDB2ECEE3F42E97221264CD69D5FF53A094F72FE5D7B
2316 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nuFssOPRVm.vbs | text | 13EEBAD9B9F95751849FCD92DAE988CA | 56518A88D406F8D457462C08F1142F8DAECF4EC68FFA0CE572251E205D2145BA
2668 | WScript.exe | C:\Users\admin\AppData\Roaming\ntfsmgr.jar | java | 89D87869993225DD4C17A5CF6C794AA4 | E7166A19BAA760A5B4AA067AA8192797A2B95FDE256AAE8B99DB74CB03E056E2
2532 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | 134AF37049D31B373E51A4E91091228A | 6EEAED7C6591ECFFBE9F2D7B27204002FB310563459FC646EFD0557F6976CAAF
2376 | java.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | 0F2200977EC9B0ABC03D5AAE7EEAB19E | C1655DC75E4986F87DE22BBEF5C5D9E8DB35878AA624104E1644956C28BE5D38
2316 | WScript.exe | C:\Users\admin\AppData\Local\Temp\meee.vbs | text | 862AC5C5963DEE1ADF7079700B9B72C7 | C5729F125CAA32F23039388E039867744318B22B21DAD5BCE92E94549F5D00C2
3456 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | D0D4C6BAED9250927344BB52EFDBB956 | C80A0C67F6F5D9AB8070C2DA073C406EAC2871F195B5B966ED39B910D0C68EA4
3448 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME-JAVAFX.txt | text | AB9DB8D553033C0326BD2D38D77F84C1 | 38995534DF44E0526F8C8C8D479C778A4B34627CFD69F19213CFBE019A7261BA

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
916 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted

PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
916 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
2316 | WScript.exe | 23.105.131.191:3355 | brothersjoy.nl | Nobis Technology Group, LLC | US | malicious
3256 | javaw.exe | 178.239.21.4:1604 | jsbc-pcs.linkpc.net | Telekomunikacije Republike Srpske akcionarsko drustvo Banja Luka | BA | malicious
— | — | 23.105.131.191:3355 | brothersjoy.nl | Nobis Technology Group, LLC | US | malicious

Domain | IP | Reputation
---|---|---
brothersjoy.nl | | unknown
jsbc-pcs.linkpc.net | | malicious
www.bing.com | | whitelisted

PID | Process | Class | Message
---|---|---|---
3256 | javaw.exe | A Network Trojan was detected | ET TROJAN Possible Adwind SSL Cert (assylias.Inc) |
3256 | javaw.exe | A Network Trojan was detected | MALWARE [PTsecurity] Backdoor.Java.Adwind.cu |