File name: | Bestellung.jar |
Full analysis: | https://app.any.run/tasks/5133afb3-25e1-433a-9e9d-749e2c8394e0 |
Verdict: | Malicious activity |
Threats: | Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015. |
Analysis date: | May 15, 2019, 05:54:32 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 25664A73A3A1DDC5FCC76E2A5A49AEFE |
SHA1: | 9F33F07D280C25FF7CE487C98A85D3204ACEAA96 |
SHA256: | ED13AEEA867D246D97D8E05E50449939B5C80EF2A2BAEB4FFC8C6103757A178B |
SSDEEP: | 12288:Sfp42N5ZRy2XMT6OUr93KpAx0B1U3Fcm8sjqOQKSEYQohzvEUpqzz:eXN5ZRy24FTSMO1VRocJop2zz |
.zip | ZIP compressed archive (100)
---|---
ZipFileName: | paqzomyspw/resources/lzgpusxodo
ZipUncompressedSize: | 1014909
ZipCompressedSize: | 664965
ZipCRC: | 0x7cf3c163
ZipModifyDate: | 2019:05:15 05:44:27
ZipCompression: | Deflated
ZipBitFlag: | -
ZipRequiredVersion: | 20
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
3336 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\Bestellung.jar" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | explorer.exe
 | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Exit code: 0; Version: 8.0.920.14 | | |
2196 | wscript C:\Users\admin\ecsbvnzsau.js | C:\Windows\system32\wscript.exe | — | javaw.exe
 | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385 | | |
1356 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\BMmbWyYJuO.js" | C:\Windows\System32\WScript.exe | | wscript.exe
 | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Version: 5.8.7600.16385 | | |
3252 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\thyywdnfim.txt" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | wscript.exe
 | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Exit code: 0; Version: 8.0.920.14 | | |
2656 | "C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar C:\Users\admin\AppData\Local\Temp\_0.92199017021061868636118022161178040.class | C:\Program Files\Java\jre1.8.0_92\bin\java.exe | | javaw.exe
 | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Version: 8.0.920.14 | | |
3168 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive6288464429125789584.vbs | C:\Windows\system32\cmd.exe | — | javaw.exe
 | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | |
2960 | cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive6288464429125789584.vbs | C:\Windows\system32\cscript.exe | — | cmd.exe
 | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Console Based Script Host; Exit code: 0; Version: 5.8.7600.16385 | | |
2436 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive1861859833527124057.vbs | C:\Windows\system32\cmd.exe | — | javaw.exe
 | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | |
3864 | cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive1861859833527124057.vbs | C:\Windows\system32\cscript.exe | — | cmd.exe
 | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Console Based Script Host; Exit code: 0; Version: 5.8.7600.16385 | | |
3884 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive677531681493430408.vbs | C:\Windows\system32\cmd.exe | — | java.exe
 | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | |
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3336 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | CB378D54A2E1CCCCD9E5EFC98869E9D9 | FB19F9813AA742A5B2943649D42EFD86659716A7A4A8790EAC2CC4EEE1813412
2656 | java.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | 7613C208B7D31E3999E5968A915E2EAD | 7BC3E0EFCB04419DABC8832FB294EB79B19C698490CF8494C80A5BB016077506
3252 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | 28BED426C97073B8AEFD0B16BCE711E2 | F2CE0026E371B7E0E143100B15318F7154E8CB1A74E96D47C17EA7A3C30331A1
2196 | wscript.exe | C:\Users\admin\AppData\Roaming\BMmbWyYJuO.js | text | 0E79B768B76913712DFD04C5FA750BD6 | 61B843EF3E39A0C24660C489EC94FB1FC7B135D524AE5DAC57782E1C109A0455
2196 | wscript.exe | C:\Users\admin\AppData\Roaming\thyywdnfim.txt | java | 358EAF53236F4589C5449D2D82D11C15 | 36071C9C418FE1E539EFC57DCA7CA8FB071D24663115C482026407AC55D80360
1356 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BMmbWyYJuO.js | text | 0E79B768B76913712DFD04C5FA750BD6 | 61B843EF3E39A0C24660C489EC94FB1FC7B135D524AE5DAC57782E1C109A0455
3336 | javaw.exe | C:\Users\admin\ecsbvnzsau.js | text | E85249FE9E6986C52B21695147033DA5 | 512A4F6770B8EDF0C8AB5DC7A9C829CAF9EF3F8D9E68A40D1661151624EFC22E
3824 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME-JAVAFX.txt | text | AB9DB8D553033C0326BD2D38D77F84C1 | 38995534DF44E0526F8C8C8D479C778A4B34627CFD69F19213CFBE019A7261BA
3252 | javaw.exe | C:\Users\admin\AppData\Local\Temp\Retrive1861859833527124057.vbs | text | A32C109297ED1CA155598CD295C26611 | 45BFE34AA3EF932F75101246EB53D032F5E7CF6D1F5B4E495334955A255F32E7
3824 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\Welcome.html | html | 27CF299B6D93FACA73FBCDCF4AECFD93 | 3F1F0EE75588DBBA3B143499D08AA9AB431E4A34E483890CFAC94A8E1061B7CF
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3380 | javaw.exe | 185.244.31.160:7075 | olavroy.duckdns.org | — | — | malicious |
1356 | WScript.exe | 184.75.209.163:7800 | unknownsoft.duckdns.org | Amanah Tech Inc. | CA | malicious |
Domain | IP | Reputation
---|---|---
unknownsoft.duckdns.org | | malicious
olavroy.duckdns.org | | malicious
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
3380 | javaw.exe | A Network Trojan was detected | ET TROJAN Possible Adwind SSL Cert (assylias.Inc) |
3380 | javaw.exe | A Network Trojan was detected | MALWARE [PTsecurity] Backdoor.Java.Adwind.cu |