File name: ORDINE.jar

Full analysis: https://app.any.run/tasks/2d82e089-0647-4af9-8a20-4968426b813d
Verdict: Malicious activity
Threats:

Adwind RAT, also known as Unrecom, Sockrat, Frutas, jRat, and JSocket, is a malware-as-a-service remote access trojan that attackers use to collect information from infected machines. It was one of the most popular RATs on the market in 2015.

Analysis date: June 12, 2019, 08:35:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adwind
trojan
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 8EC2CF6B3EEE8448E05EB231333C6E9A
SHA1: B9BA016C99921BF522E500DBF31B2741AA97B025
SHA256: D8CD7E914884D8CF9F715E69826E6A871DC73697C2005535ABD578FF2BC5E4C3
SSDEEP: 12288:jcm9kVgAJ1HtemrN/NBZBrTYiGu3UuIIb59qH/wJwJIg05lT:jcpVgY1t9tTYPuUfLJheT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may have been influenced by user actions and is provided as-is for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • AdWind was detected

      • java.exe (PID: 3392)
      • java.exe (PID: 3032)
    • Changes the autorun value in the registry

      • WScript.exe (PID: 3444)
      • reg.exe (PID: 2900)
    • Writes to a start menu file

      • WScript.exe (PID: 3444)
    • Loads dropped or rewritten executable

      • java.exe (PID: 3392)
      • explorer.exe (PID: 2044)
      • wscript.exe (PID: 960)
      • svchost.exe (PID: 820)
      • javaw.exe (PID: 2604)
      • javaw.exe (PID: 3512)
      • javaw.exe (PID: 2816)
      • java.exe (PID: 3032)
    • Application was dropped or rewritten from another process

      • javaw.exe (PID: 3512)
      • javaw.exe (PID: 2816)
      • java.exe (PID: 3392)
      • javaw.exe (PID: 2604)
      • java.exe (PID: 3032)
    • UAC/LUA settings modification

      • regedit.exe (PID: 2196)
    • Uses TASKKILL.EXE to kill security tools

      • javaw.exe (PID: 2816)
    • Turns off system restore

      • regedit.exe (PID: 2196)
    • Changes Image File Execution Options

      • regedit.exe (PID: 2196)
  • SUSPICIOUS

    • Executes scripts

      • javaw.exe (PID: 3512)
      • wscript.exe (PID: 960)
      • cmd.exe (PID: 3904)
      • cmd.exe (PID: 3140)
      • cmd.exe (PID: 1660)
      • cmd.exe (PID: 1028)
      • cmd.exe (PID: 2596)
      • cmd.exe (PID: 2164)
      • cmd.exe (PID: 2176)
      • cmd.exe (PID: 2480)
    • Executes JAVA applets

      • explorer.exe (PID: 2044)
      • wscript.exe (PID: 960)
      • javaw.exe (PID: 2604)
    • Application launched itself

      • wscript.exe (PID: 960)
    • Creates files in the user directory

      • wscript.exe (PID: 960)
      • javaw.exe (PID: 2604)
      • WScript.exe (PID: 3444)
      • xcopy.exe (PID: 1908)
    • Starts CMD.EXE for commands execution

      • javaw.exe (PID: 2604)
      • java.exe (PID: 3392)
      • javaw.exe (PID: 2816)
      • java.exe (PID: 3032)
    • Uses REG.EXE to modify Windows registry

      • javaw.exe (PID: 2604)
    • Executable content was dropped or overwritten

      • xcopy.exe (PID: 1908)
    • Uses ATTRIB.EXE to modify file attributes

      • javaw.exe (PID: 2604)
    • Starts itself from another location

      • javaw.exe (PID: 2604)
    • Uses TASKKILL.EXE to kill process

      • javaw.exe (PID: 2816)
  • INFO

    • Manual execution by user

      • verclsid.exe (PID: 1876)
      • javaw.exe (PID: 3512)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2019:06:12 12:15:21
ZipCRC: 0xd265b8b6
ZipCompressedSize: 664217
ZipUncompressedSize: 1012809
ZipFileName: dbudcwytgc/resources/benyqlnwjz
No data.
All screenshots are available in the full report
Total processes: 214
Monitored processes: 99
Malicious processes: 11
Suspicious processes: 0

Behavior graph

Processes in the graph, in the order shown (entries marked "no specs" carry no process-specific indicators in the graph; "#ADWIND" marks the processes flagged as Adwind):

start, winrar.exe (no specs), verclsid.exe (no specs), javaw.exe (no specs), wscript.exe (no specs), wscript.exe, javaw.exe (no specs), #ADWIND java.exe, cmd.exe (no specs), cscript.exe (no specs), cmd.exe (no specs), cscript.exe (no specs), cmd.exe (no specs), cscript.exe (no specs), xcopy.exe, cmd.exe (no specs), cscript.exe (no specs), svchost.exe (no specs), explorer.exe (no specs), reg.exe, attrib.exe (no specs), attrib.exe (no specs), javaw.exe, #ADWIND java.exe, cmd.exe (no specs), cscript.exe (no specs), cmd.exe (no specs), cscript.exe (no specs), cmd.exe (no specs), cscript.exe (no specs), cmd.exe (no specs), cscript.exe (no specs), taskkill.exe (no specs), cmd.exe (no specs), regedit.exe (no specs), regedit.exe (no specs), regedit.exe, followed by a long run of taskkill.exe (no specs) entries.

Process information

Each entry lists the PID, command line (CMD), image path, parent process and process metadata, followed by the loaded modules.
PID: 184
CMD: taskkill /IM mergecap.exe /T /F
Path: C:\Windows\system32\taskkill.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 128
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
PID: 388
CMD: taskkill /IM cavwp.exe /T /F
Path: C:\Windows\system32\taskkill.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 128
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
PID: 536
CMD: taskkill /IM V3SP.exe /T /F
Path: C:\Windows\system32\taskkill.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 128
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\imm32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\usp10.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernelbase.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\taskkill.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
PID: 536
CMD: attrib +h "C:\Users\admin\Oracle Corporations"
Path: C:\Windows\system32\attrib.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Attribute Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\attrib.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 592
CMD: taskkill /IM editcap.exe /T /F
Path: C:\Windows\system32\taskkill.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 128
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
PID: 680
CMD: taskkill /IM LittleHook.exe /T /F
Path: C:\Windows\system32\taskkill.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 128
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
PID: 756
CMD: taskkill /IM TRAYICOS.EXE /T /F
Path: C:\Windows\system32\taskkill.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 128
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
PID: 820
CMD: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 892
CMD: taskkill /IM NisSrv.exe /T /F
Path: C:\Windows\system32\taskkill.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 128
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
PID: 900
CMD: cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive3135218121879757839.vbs
Path: C:\Windows\system32\cscript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Console Based Script Host
Exit code: 0
Version: 5.8.7600.16385
Modules
Images
c:\windows\system32\cscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
Total events: 13,091
Read events: 12,359
Write events: 732
Delete events: 0

Modification events

Process: (1372) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

Process: (1372) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

Process: (1372) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (1372) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\ORDINE.jar.zip

Process: (1372) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: (1372) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: (1372) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Process: (1372) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

Process: (2044) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithList
Operation: write
Name: a
Value: WinRAR.exe

Process: (2044) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithList
Operation: write
Name: MRUList
Value: a
Executable files: 110
Suspicious files: 11
Text files: 81
Unknown types: 15

Dropped files

PID: 3392
Process: java.exe
Filename: C:\Users\admin\AppData\Local\Temp\Retrive3135218121879757839.vbs
Type:
MD5:
SHA256:

PID: 3512
Process: javaw.exe
Filename: C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
Type: text
MD5:
SHA256:

PID: 2044
Process: explorer.exe
Filename: C:\Users\admin\AppData\Local\Temp\ORDINE.jar
Type: compressed
MD5:
SHA256:

PID: 960
Process: wscript.exe
Filename: C:\Users\admin\AppData\Roaming\magvwbu.txt
Type: java
MD5:
SHA256:

PID: 3512
Process: javaw.exe
Filename: C:\Users\admin\jyxsauqppe.js
Type: text
MD5:
SHA256:

PID: 2604
Process: javaw.exe
Filename: C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
Type: text
MD5:
SHA256:

PID: 3392
Process: java.exe
Filename: C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
Type: text
MD5:
SHA256:

PID: 3444
Process: WScript.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jPelBFjked.js
Type: text
MD5: F88618764EAD42FFDFBC2BF457689AA6
SHA256: DEB2B6C548A2FB838CFEE4E47EC752D12E6CC15AD06C2339F4D2AD690040BEFA

PID: 960
Process: wscript.exe
Filename: C:\Users\admin\AppData\Roaming\jPelBFjked.js
Type: text
MD5: F88618764EAD42FFDFBC2BF457689AA6
SHA256: DEB2B6C548A2FB838CFEE4E47EC752D12E6CC15AD06C2339F4D2AD690040BEFA

PID: 2604
Process: javaw.exe
Filename: C:\Users\admin\AppData\Local\Temp\Retrive4498287930391346465.vbs
Type: text
MD5: A32C109297ED1CA155598CD295C26611
SHA256: 45BFE34AA3EF932F75101246EB53D032F5E7CF6D1F5B4E495334955A255F32E7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 11
DNS requests: 2
Threats: 1

HTTP requests

No HTTP requests

Connections

PID: 2816
Process: javaw.exe
IP: 91.193.75.130:7075
Domain: olavroy.duckdns.org
ASN: WorldStream B.V.
CN: RS
Reputation: malicious

DNS requests

Domain: brothersjoy.nl
IP:
Reputation: unknown

Domain: olavroy.duckdns.org
IP: 91.193.75.130
Reputation: malicious

Threats

PID: 1068
Process: svchost.exe
Class: Misc activity
Message: ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
No debug info