analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

3936f965b1322e11a17c00.jar

Full analysis: https://app.any.run/tasks/864bf818-84b5-4bba-9120-8e4725f34300
Verdict: Malicious activity
Threats:

Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.

Malware Trends Tracker     >>>
Analysis date: December 02, 2019, 20:19:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
adwind
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5:

6C28118531CD1B304DCC622D3934FCCE

SHA1:

34FE90C509F71B0983CA03358120A17CA6EFB157

SHA256:

D402DEEA52E74FBE6BDF2AD9C24FEAF12A93E676000DF2F37A48B2F7FC0ACE0E

SSDEEP:

12288:DozgIe+CSZWiCQMnNEps8IYuiH6Z8KpWCTzd2:D8bmSZWrnGXKxZX3U

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • javaw.exe (PID: 944)
      • javaw.exe (PID: 3844)

    • Loads dropped or rewritten executable

      • javaw.exe (PID: 944)
      • explorer.exe (PID: 352)
      • javaw.exe (PID: 3844)

    • Changes the autorun value in the registry

      • reg.exe (PID: 3032)

    • ADWIND was detected

      • javaw.exe (PID: 3844)

  • SUSPICIOUS

    • Executes scripts

      • cmd.exe (PID: 2380)
      • cmd.exe (PID: 2760)
      • cmd.exe (PID: 3864)
      • cmd.exe (PID: 2648)

    • Starts CMD.EXE for commands execution

      • javaw.exe (PID: 944)
      • javaw.exe (PID: 3844)

    • Creates files in the user directory

      • javaw.exe (PID: 944)
      • xcopy.exe (PID: 564)

    • Executes JAVA applets

      • explorer.exe (PID: 352)

    • Uses REG.EXE to modify Windows registry

      • javaw.exe (PID: 944)

    • Executable content was dropped or overwritten

      • xcopy.exe (PID: 564)
      • javaw.exe (PID: 3844)

    • Starts itself from another location

      • javaw.exe (PID: 944)

    • Uses ATTRIB.EXE to modify file attributes

      • javaw.exe (PID: 944)

    • Uses WMIC.EXE to obtain a system information

      • javaw.exe (PID: 3844)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.jar | Java Archive (78.3)
.zip | ZIP compressed archive (21.6)

EXIF

ZIP

ZipFileName: META-INF/MANIFEST.MF
ZipUncompressedSize: 196
ZipCompressedSize: 157
ZipCRC: 0xa8b00506
ZipModifyDate: 2019:12:02 15:38:16
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 10
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
58
Monitored processes
16
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start javaw.exe no specs cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs xcopy.exe explorer.exe no specs reg.exe attrib.exe no specs attrib.exe no specs #ADWIND javaw.exe cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs wmic.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
944"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\3936f965b1322e11a17c00.jar"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exeexplorer.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
8.0.920.14
2760cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive1607344381097647767.vbsC:\Windows\system32\cmd.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3832cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive1607344381097647767.vbsC:\Windows\system32\cscript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2380cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive1747769548337168727.vbsC:\Windows\system32\cmd.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3344cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive1747769548337168727.vbsC:\Windows\system32\cscript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
564xcopy "C:\Program Files\Java\jre1.8.0_92" "C:\Users\admin\AppData\Roaming\Oracle\" /eC:\Windows\system32\xcopy.exe
javaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Extended Copy Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
352C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3032reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v azAJGmTslQc /t REG_EXPAND_SZ /d "\"C:\Users\admin\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\admin\BYFTRhmQlpr\OJNuMAJCBqR.eVGMtB\"" /fC:\Windows\system32\reg.exe
javaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3460attrib +h "C:\Users\admin\BYFTRhmQlpr\*.*"C:\Windows\system32\attrib.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Attribute Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3272attrib +h "C:\Users\admin\BYFTRhmQlpr"C:\Windows\system32\attrib.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Attribute Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
161
Read events
155
Write events
6
Delete events
0

Modification events

(PID) Process:(3032) reg.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:azAJGmTslQc
Value:
"C:\Users\admin\AppData\Roaming\Oracle\bin\javaw.exe" -jar "C:\Users\admin\BYFTRhmQlpr\OJNuMAJCBqR.eVGMtB"
(PID) Process:(352) explorer.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3844) javaw.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation:writeName:Name
Value:
javaw.exe
Executable files
107
Suspicious files
11
Text files
66
Unknown types
15

Dropped files

PID
Process
Filename
Type
944javaw.exeC:\Users\admin\AppData\Local\Temp\Retrive1747769548337168727.vbs
MD5:
SHA256:
944javaw.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:2CD4012881DFB6277E4C33A79A1CF0C9
SHA256:784935C91D348D947798D4A8A0D7BAE66E7E96FA6303FCBB2D53794BA117C5AC
564xcopy.exeC:\Users\admin\AppData\Roaming\Oracle\releasetext
MD5:1BCCC3A965156E53BE3136B3D583B7B6
SHA256:03A4DB27DEA69374EFBAF121C332D0AF05840D16D0C1FBF127D00E65054B118A
564xcopy.exeC:\Users\admin\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txttext
MD5:745D6DB5FC58C63F74CE6A7D4DB7E695
SHA256:C77BA9F668FEE7E9B810F1493E518ADF87233AC8793E4B37C9B3D1ED7846F1C0
564xcopy.exeC:\Users\admin\AppData\Roaming\Oracle\LICENSEtext
MD5:98F46AB6481D87C4D77E0E91A6DBC15F
SHA256:23F9A5C12FA839650595A32872B7360B9E030C7213580FB27DD9185538A5828C
564xcopy.exeC:\Users\admin\AppData\Roaming\Oracle\bin\deploy.dllexecutable
MD5:720EDC1469525DFCD3AE211E653D0241
SHA256:BFF79FB05667992CC2BDA9BAE6E5A301BAF553042F952203641CCD7E1FC4552D
564xcopy.exeC:\Users\admin\AppData\Roaming\Oracle\COPYRIGHTtext
MD5:89F660D2B7D58DA3EFD2FECD9832DA9C
SHA256:F6A08C9CC04D7C6A86576C1EF50DD0A690AE5CB503EFD205EDB2E408BD8D557B
564xcopy.exeC:\Users\admin\AppData\Roaming\Oracle\Welcome.htmlhtml
MD5:27CF299B6D93FACA73FBCDCF4AECFD93
SHA256:3F1F0EE75588DBBA3B143499D08AA9AB431E4A34E483890CFAC94A8E1061B7CF
564xcopy.exeC:\Users\admin\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME-JAVAFX.txttext
MD5:AB9DB8D553033C0326BD2D38D77F84C1
SHA256:38995534DF44E0526F8C8C8D479C778A4B34627CFD69F19213CFBE019A7261BA
944javaw.exeC:\Users\admin\AppData\Local\Temp\Retrive1607344381097647767.vbstext
MD5:3BDFD33017806B85949B6FAA7D4B98E4
SHA256:9DA575DD2D5B7C1E9BAB8B51A16CDE457B3371C6DCDB0537356CF1497FA868F6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3844
javaw.exe
139.99.208.175:7777
spark101.sytes.net
OVH SAS
AU
malicious

DNS requests

Domain
IP
Reputation
spark101.sytes.net
  • 139.99.208.175
malicious

Threats

PID
Process
Class
Message
3844
javaw.exe
A Network Trojan was detected
ET TROJAN Possible Adwind SSL Cert (assylias.Inc)
3844
javaw.exe
A Network Trojan was detected
MALWARE [PTsecurity] Backdoor.Java.Adwind.cu
3844
javaw.exe
A Network Trojan was detected
MALWARE [PTsecurity] Backdoor.Java.Adwind.cu
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
3936f965b1322e11a17c00.jar