analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Invoice_K857412496.mht

Full analysis: https://app.any.run/tasks/e5c3c980-2f0e-465c-a6d2-5bf11240e142
Verdict: Malicious activity
Threats:

Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.

Malware Trends Tracker     >>>
Analysis date: February 18, 2019, 14:43:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
adwind
Indicators:
MIME: text/plain
File info: MIME entity, ASCII text, with CRLF line terminators
MD5:

CA5C2CB3AA44B62B7E2D22D2EACCEFC7

SHA1:

A69512C5259C233820DE9D9BCC6BF64646ADF7C9

SHA256:

D48A0760C1CB8E9140789260A394090D254D616A9F4E7169290B64E737E6EE11

SSDEEP:

6:3XmMQ8a0NNEXW0YVIUOAQ0kJgon3emJCQ9MfUKCK3XViATqb4g+:3XmMQYf1IRAQ0Atn3ec9eUKuAWb4g+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • reg.exe (PID: 3792)
      • reg.exe (PID: 2588)

    • ADWIND was detected

      • javaw.exe (PID: 2228)

    • Connects to CnC server

      • javaw.exe (PID: 2228)

  • SUSPICIOUS

    • Uses ATTRIB.EXE to modify file attributes

      • javaw.exe (PID: 3024)
      • javaw.exe (PID: 2228)

    • Uses REG.EXE to modify Windows registry

      • javaw.exe (PID: 3024)
      • javaw.exe (PID: 2228)

    • Executes JAVA applets

      • iexplore.exe (PID: 3256)
      • javaw.exe (PID: 3024)

    • Application launched itself

      • javaw.exe (PID: 3024)

    • Creates files in the user directory

      • javaw.exe (PID: 3024)

    • Writes to a desktop.ini file (may be used to cloak folders)

      • javaw.exe (PID: 3024)

    • Connects to unusual port

      • javaw.exe (PID: 2228)

  • INFO

    • Reads internet explorer settings

      • iexplore.exe (PID: 3576)

    • Application launched itself

      • iexplore.exe (PID: 3256)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3576)
      • iexplore.exe (PID: 3256)
      • iexplore.exe (PID: 3628)

    • Changes internet zones settings

      • iexplore.exe (PID: 3256)

    • Reads Microsoft Office registry keys

      • iexplore.exe (PID: 3256)

    • Creates files in the user directory

      • iexplore.exe (PID: 3628)
      • iexplore.exe (PID: 3256)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3256)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
49
Monitored processes
12
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe no specs iexplore.exe javaw.exe no specs reg.exe no specs reg.exe attrib.exe no specs attrib.exe no specs #ADWIND javaw.exe reg.exe no specs reg.exe attrib.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3256"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\Invoice_K857412496.mhtC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3576"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3256 CREDAT:79873C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3628"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3256 CREDAT:137473C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3024"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\Invoice_K98574124623[1].jar" C:\Program Files\Java\jre1.8.0_92\bin\javaw.exeiexplore.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
8.0.920.14
3016reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v UpdatesJava /t REG_SZ /d "\"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe\" -jar \"C:\Users\admin\AppData\Roaming\UpdatesJava\UpdatesJava.jar\"" /fC:\Windows\system32\reg.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3792reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v UpdatesJava /t REG_SZ /d "\"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe\" -jar \"C:\Users\admin\AppData\Roaming\UpdatesJava\UpdatesJava.jar\"" /fC:\Windows\system32\reg.exe
javaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3932attrib +s +h +r "C:\Users\admin\AppData\Roaming\UpdatesJava\*.*"C:\Windows\system32\attrib.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Attribute Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1012attrib +s +h +r "C:\Users\admin\AppData\Roaming\UpdatesJava"C:\Windows\system32\attrib.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Attribute Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2228"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\UpdatesJava\UpdatesJava.jar"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
javaw.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Version:
8.0.920.14
3004reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v UpdatesJava /t REG_SZ /d "\"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe\" -jar \"C:\Users\admin\AppData\Roaming\UpdatesJava\UpdatesJava.jar\"" /fC:\Windows\system32\reg.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
867
Read events
770
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
1
Text files
11
Unknown types
3

Dropped files

PID
Process
Filename
Type
3256iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\favicon[1].ico
MD5:
SHA256:
3256iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3628iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@uclaut[1].txt
MD5:
SHA256:
3256iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF1DCA731FE29A2DB3.TMP
MD5:
SHA256:
3256iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{8B949BDB-338B-11E9-91D7-5254004A04AF}.datbinary
MD5:91BCEDCCEE31F57067EF5FDAED39F1AF
SHA256:CEF793A6CA3F06F36521DB5A904EBEDC7BCE68F37CDDA196BD07D779BE909F4F
3576iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\wbk5D75.tmptext
MD5:800624CE9FEC19B3E92CA9875811E100
SHA256:07C2CD810BA927A29C2A30A368006F63B2A2E21901F35850FC817979C833818C
3628iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@myqbd[1].txttext
MD5:DCACB06EA2884461C94B3B2DD364D1E3
SHA256:9D4399ACDEF13EC343EBE1FE54871E71EEA1CD4A4994E712106C97A486C1D2D7
3628iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@uclaut[2].txttext
MD5:CC147FC9C1DFCCE4867F73D92595489D
SHA256:47CA78ECB42E5C3AD84ABF3497E0090A8C5EC565642BE7B8FC06569118139CC9
3628iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\Invoice_K98574124623[1].jarjava
MD5:F9A0D0DA7B61D3F92B8FB662E93CDEEF
SHA256:F6BFB244E7F33DFDFCAC92D46FB45BA44CE378B370685FA63E9001D7A1D618E6
3576iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\wbk5BED.tmptext
MD5:800624CE9FEC19B3E92CA9875811E100
SHA256:07C2CD810BA927A29C2A30A368006F63B2A2E21901F35850FC817979C833818C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
6
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3628
iexplore.exe
GET
301
104.24.4.46:80
http://j.gs/CKyy
US
malicious
3628
iexplore.exe
GET
302
104.18.55.84:80
http://uclaut.net/-12YGPJ/CKyy?rndad=3110648295-1550501010
US
malicious
3256
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3256
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3628
iexplore.exe
104.28.27.34:443
www.myqbd.com
Cloudflare Inc
US
shared
3628
iexplore.exe
104.24.4.46:80
j.gs
Cloudflare Inc
US
shared
3628
iexplore.exe
192.185.175.157:443
lifeskillsmagicschool.com
CyrusOne LLC
US
suspicious
3628
iexplore.exe
104.18.55.84:80
uclaut.net
Cloudflare Inc
US
shared
2228
javaw.exe
54.37.240.234:3040
dxyasser0.linkpc.net
OVH SAS
FR
malicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
lifeskillsmagicschool.com
  • 192.185.175.157
suspicious
www.myqbd.com
  • 104.28.27.34
  • 104.28.26.34
unknown
j.gs
  • 104.24.4.46
  • 104.24.5.46
malicious
uclaut.net
  • 104.18.55.84
  • 104.18.54.84
malicious
dxyasser0.linkpc.net
  • 54.37.240.234
malicious

Threats

PID
Process
Class
Message
2228
javaw.exe
A Network Trojan was detected
MALWARE [PTsecurity] Possible JavaRAT(Qarallax/QRat) 4byte TCP serialization java stream
2228
javaw.exe
A Network Trojan was detected
MALWARE [PTsecurity] Backdoor.Java.QRat.gen
2228
javaw.exe
A Network Trojan was detected
MALWARE [PTsecurity] Adwind.RAT v.3.0 Check-in
2228
javaw.exe
A Network Trojan was detected
MALWARE [PTsecurity] Adwind.RAT v.3.0 Check-in
2228
javaw.exe
A Network Trojan was detected
MALWARE [PTsecurity] Adwind.RAT v.3.0 Check-in
2228
javaw.exe
A Network Trojan was detected
MALWARE [PTsecurity] Adwind.RAT v.3.0 Check-in
2228
javaw.exe
A Network Trojan was detected
MALWARE [PTsecurity] Adwind.RAT v.3.0 Check-in
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Invoice_K857412496.mht