File name: | ORDINE.jar |
Full analysis: | https://app.any.run/tasks/2d82e089-0647-4af9-8a20-4968426b813d |
Verdict: | Malicious activity |
Threats: | Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015. |
Analysis date: | June 12, 2019, 08:35:52 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 8EC2CF6B3EEE8448E05EB231333C6E9A |
SHA1: | B9BA016C99921BF522E500DBF31B2741AA97B025 |
SHA256: | D8CD7E914884D8CF9F715E69826E6A871DC73697C2005535ABD578FF2BC5E4C3 |
SSDEEP: | 12288:jcm9kVgAJ1HtemrN/NBZBrTYiGu3UuIIb59qH/wJwJIg05lT:jcpVgY1t9tTYPuUfLJheT |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | - |
ZipCompression: | Deflated |
ZipModifyDate: | 2019:06:12 12:15:21 |
ZipCRC: | 0xd265b8b6 |
ZipCompressedSize: | 664217 |
ZipUncompressedSize: | 1012809 |
ZipFileName: | dbudcwytgc/resources/benyqlnwjz |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1372 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\ORDINE.jar.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
1876 | "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401 | C:\Windows\system32\verclsid.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Extension CLSID Verification Host Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3512 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\ORDINE.jar" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | explorer.exe |
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Exit code: 0 Version: 8.0.920.14 | ||||
960 | wscript C:\Users\admin\jyxsauqppe.js | C:\Windows\system32\wscript.exe | — | javaw.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3444 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\jPelBFjked.js" | C:\Windows\System32\WScript.exe | wscript.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 | ||||
2604 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\magvwbu.txt" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | wscript.exe |
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Exit code: 0 Version: 8.0.920.14 | ||||
3392 | "C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar C:\Users\admin\AppData\Local\Temp\_0.42097763035095368596931249713811012.class | C:\Program Files\Java\jre1.8.0_92\bin\java.exe | javaw.exe | |
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Version: 8.0.920.14 | ||||
3904 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive5709756468366365772.vbs | C:\Windows\system32\cmd.exe | — | javaw.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3948 | cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive5709756468366365772.vbs | C:\Windows\system32\cscript.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Console Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3140 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive4498287930391346465.vbs | C:\Windows\system32\cmd.exe | — | javaw.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3392 | java.exe | C:\Users\admin\AppData\Local\Temp\Retrive3135218121879757839.vbs | — | |
MD5:— | SHA256:— | |||
2044 | explorer.exe | C:\Users\admin\AppData\Local\Temp\ORDINE.jar | compressed | |
MD5:8EC2CF6B3EEE8448E05EB231333C6E9A | SHA256:D8CD7E914884D8CF9F715E69826E6A871DC73697C2005535ABD578FF2BC5E4C3 | |||
3512 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | |
MD5:C460DB1C6E2A2EDEC2D6A996AA486439 | SHA256:17212E91FE2FDD1FC5135F3BFF926175C9DE8E5C28921201F15220407A79F495 | |||
3392 | java.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | |
MD5:0A4561B5011C3FC8A729084E5E104B56 | SHA256:1FE3AA7B854E64C12655D1369DE8E71A3887DFF362C447C399DBD690823BC487 | |||
960 | wscript.exe | C:\Users\admin\AppData\Roaming\magvwbu.txt | java | |
MD5:A8A69CA9E1ADB77FFC4473EA2B430F60 | SHA256:1ADFFCB7C760EA0964B2BC328850B95F5F1F05999DAEF7BF5E0A41EBE3169F0F | |||
3512 | javaw.exe | C:\Users\admin\jyxsauqppe.js | text | |
MD5:8DBE70E644038AA49A76D9F8F354B4C5 | SHA256:A5EF2154380AE87BDC722764E65AAB2DD8CB84F5CBF742A0B71606C2449F1824 | |||
2604 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | |
MD5:64C7DD72C5E95E08C41D022ABF0C8BE8 | SHA256:E2082D170D0DD00C740DD81A33D898492705934F6475BC99FCBDECA04DF67F49 | |||
2604 | javaw.exe | C:\Users\admin\AppData\Local\Temp\_0.42097763035095368596931249713811012.class | java | |
MD5:781FB531354D6F291F1CCAB48DA6D39F | SHA256:97D585B6AFF62FB4E43E7E6A5F816DCD7A14BE11A88B109A9BA9E8CD4C456EB9 | |||
3444 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jPelBFjked.js | text | |
MD5:F88618764EAD42FFDFBC2BF457689AA6 | SHA256:DEB2B6C548A2FB838CFEE4E47EC752D12E6CC15AD06C2339F4D2AD690040BEFA | |||
1908 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\COPYRIGHT | text | |
MD5:89F660D2B7D58DA3EFD2FECD9832DA9C | SHA256:F6A08C9CC04D7C6A86576C1EF50DD0A690AE5CB503EFD205EDB2E408BD8D557B |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2816 | javaw.exe | 91.193.75.130:7075 | olavroy.duckdns.org | WorldStream B.V. | RS | malicious |
Domain | IP | Reputation |
---|---|---|
brothersjoy.nl |
| unknown |
olavroy.duckdns.org |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |