| File name: | 3936f965b1322e11a17c00.jar |
| Full analysis: | https://app.any.run/tasks/864bf818-84b5-4bba-9120-8e4725f34300 |
| Verdict: | Malicious activity |
| Threats: | Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015. |
| Analysis date: | December 02, 2019, 20:19:41 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v1.0 to extract |
| MD5: | 6C28118531CD1B304DCC622D3934FCCE |
| SHA1: | 34FE90C509F71B0983CA03358120A17CA6EFB157 |
| SHA256: | D402DEEA52E74FBE6BDF2AD9C24FEAF12A93E676000DF2F37A48B2F7FC0ACE0E |
| SSDEEP: | 12288:DozgIe+CSZWiCQMnNEps8IYuiH6Z8KpWCTzd2:D8bmSZWrnGXKxZX3U |
MALICIOUS
Loads dropped or rewritten executable
- javaw.exe (PID: 944)
- explorer.exe (PID: 352)
- javaw.exe (PID: 3844)
Application was dropped or rewritten from another process
- javaw.exe (PID: 944)
- javaw.exe (PID: 3844)
Changes the autorun value in the registry
- reg.exe (PID: 3032)
ADWIND was detected
- javaw.exe (PID: 3844)
SUSPICIOUS
Executes JAVA applets
- explorer.exe (PID: 352)
Starts CMD.EXE for commands execution
- javaw.exe (PID: 944)
- javaw.exe (PID: 3844)
Executes scripts
- cmd.exe (PID: 2760)
- cmd.exe (PID: 2380)
- cmd.exe (PID: 3864)
- cmd.exe (PID: 2648)
Creates files in the user directory
- javaw.exe (PID: 944)
- xcopy.exe (PID: 564)
Starts itself from another location
- javaw.exe (PID: 944)
Uses REG.EXE to modify Windows registry
- javaw.exe (PID: 944)
Uses ATTRIB.EXE to modify file attributes
- javaw.exe (PID: 944)
Executable content was dropped or overwritten
- xcopy.exe (PID: 564)
- javaw.exe (PID: 3844)
Uses WMIC.EXE to obtain a system information
- javaw.exe (PID: 3844)
INFO
No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .jar | | | Java Archive (78.3) |
|---|---|---|
| .zip | | | ZIP compressed archive (21.6) |
EXIF
ZIP
| ZipRequiredVersion: | 10 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2019:12:02 15:38:16 |
| ZipCRC: | 0xa8b00506 |
| ZipCompressedSize: | 157 |
| ZipUncompressedSize: | 196 |
| ZipFileName: | META-INF/MANIFEST.MF |
Total processes
58
Monitored processes
16
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 352 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | — | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 460 | cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive5510435670402930668.vbs | C:\Windows\system32\cscript.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Console Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
| 564 | xcopy "C:\Program Files\Java\jre1.8.0_92" "C:\Users\admin\AppData\Roaming\Oracle\" /e | C:\Windows\system32\xcopy.exe | javaw.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Extended Copy Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 784 | WMIC /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List | C:\Windows\System32\Wbem\WMIC.exe | — | javaw.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 944 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\3936f965b1322e11a17c00.jar" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | explorer.exe | |||||||||||
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Exit code: 0 Version: 8.0.920.14 Modules
| |||||||||||||||
| 2380 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive1747769548337168727.vbs | C:\Windows\system32\cmd.exe | — | javaw.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2648 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive5510435670402930668.vbs | C:\Windows\system32\cmd.exe | — | javaw.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2760 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive1607344381097647767.vbs | C:\Windows\system32\cmd.exe | — | javaw.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2764 | cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive4208824248956349468.vbs | C:\Windows\system32\cscript.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Console Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
| 3032 | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v azAJGmTslQc /t REG_EXPAND_SZ /d "\"C:\Users\admin\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\admin\BYFTRhmQlpr\OJNuMAJCBqR.eVGMtB\"" /f | C:\Windows\system32\reg.exe | javaw.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
161
Read events
155
Write events
6
Delete events
0
Modification events
| (PID) Process: | (3032) reg.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | azAJGmTslQc |
Value: "C:\Users\admin\AppData\Roaming\Oracle\bin\javaw.exe" -jar "C:\Users\admin\BYFTRhmQlpr\OJNuMAJCBqR.eVGMtB" | |||
| (PID) Process: | (352) explorer.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3844) javaw.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication |
| Operation: | write | Name: | Name |
Value: javaw.exe | |||
Executable files
107
Suspicious files
11
Text files
66
Unknown types
15
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 944 | javaw.exe | C:\Users\admin\AppData\Local\Temp\Retrive1747769548337168727.vbs | — | |
MD5:— | SHA256:— | |||
| 944 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | |
MD5:— | SHA256:— | |||
| 564 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\bin\bci.dll | executable | |
MD5:6D8D8A26450EE4BA0BE405629EA0A511 | SHA256:7945365A3CD40D043DAE47849E6645675166920958300E64DEA76A865BC479AF | |||
| 564 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\bin\decora_sse.dll | executable | |
MD5:94434B8739CB5CD184C63CEC209F06E2 | SHA256:ADF4E9CE0866FF16A16F626CFC62355FB81212B1E7C95DD908E3644F88B77E91 | |||
| 564 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txt | text | |
MD5:745D6DB5FC58C63F74CE6A7D4DB7E695 | SHA256:C77BA9F668FEE7E9B810F1493E518ADF87233AC8793E4B37C9B3D1ED7846F1C0 | |||
| 564 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\release | text | |
MD5:1BCCC3A965156E53BE3136B3D583B7B6 | SHA256:03A4DB27DEA69374EFBAF121C332D0AF05840D16D0C1FBF127D00E65054B118A | |||
| 564 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\bin\deploy.dll | executable | |
MD5:720EDC1469525DFCD3AE211E653D0241 | SHA256:BFF79FB05667992CC2BDA9BAE6E5A301BAF553042F952203641CCD7E1FC4552D | |||
| 564 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\bin\dcpr.dll | executable | |
MD5:682CFD9431E5675900B04FEBE6CD4EB9 | SHA256:80111E1D706741F5EF7F661835C3AA46664666425AA1B5F93103410F2BEE1213 | |||
| 564 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\bin\fontmanager.dll | executable | |
MD5:412B97D96EA9384C78851938921EE44A | SHA256:20BEF5BCD523CFF21BAD585AF91D1C913D5535A6B20AC70F5F3D8DAFB2F90F25 | |||
| 564 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\bin\eula.dll | executable | |
MD5:6F1188DF337E62427791C77EA36E6EEF | SHA256:DEC4F2F32EDC45F70E7119C9E52C4CEF44BB9AA627DBEC1EE70F61D37468556B | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
1
Threats
4
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3844 | javaw.exe | 139.99.208.175:7777 | spark101.sytes.net | OVH SAS | AU | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
spark101.sytes.net |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3844 | javaw.exe | A Network Trojan was detected | ET TROJAN Possible Adwind SSL Cert (assylias.Inc) |
3844 | javaw.exe | A Network Trojan was detected | MALWARE [PTsecurity] Backdoor.Java.Adwind.cu |
3844 | javaw.exe | A Network Trojan was detected | MALWARE [PTsecurity] Backdoor.Java.Adwind.cu |
1 ETPRO signatures available at the full report