File name:

Bestellung.jar

Full analysis: https://app.any.run/tasks/5133afb3-25e1-433a-9e9d-749e2c8394e0
Verdict: Malicious activity
Threats:

Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.

Malware Trends Tracker     >>>
Analysis date: May 15, 2019, 05:54:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adwind
trojan
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

25664A73A3A1DDC5FCC76E2A5A49AEFE

SHA1:

9F33F07D280C25FF7CE487C98A85D3204ACEAA96

SHA256:

ED13AEEA867D246D97D8E05E50449939B5C80EF2A2BAEB4FFC8C6103757A178B

SSDEEP:

12288:Sfp42N5ZRy2XMT6OUr93KpAx0B1U3Fcm8sjqOQKSEYQohzvEUpqzz:eXN5ZRy24FTSMO1VRocJop2zz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • WScript.exe (PID: 1356)
      • reg.exe (PID: 3036)

    • Writes to a start menu file

      • WScript.exe (PID: 1356)

    • AdWind was detected

      • java.exe (PID: 2656)
      • java.exe (PID: 3700)

    • Loads dropped or rewritten executable

      • javaw.exe (PID: 3252)
      • svchost.exe (PID: 812)
      • wscript.exe (PID: 2196)
      • javaw.exe (PID: 3336)
      • explorer.exe (PID: 116)
      • java.exe (PID: 2656)
      • javaw.exe (PID: 3380)
      • java.exe (PID: 3700)

    • Application was dropped or rewritten from another process

      • java.exe (PID: 2656)
      • javaw.exe (PID: 3252)
      • javaw.exe (PID: 3336)
      • javaw.exe (PID: 3380)
      • java.exe (PID: 3700)

    • Turns off system restore

      • regedit.exe (PID: 3164)

    • Uses TASKKILL.EXE to kill security tools

      • javaw.exe (PID: 3380)

    • ADWIND was detected

      • javaw.exe (PID: 3380)

    • UAC/LUA settings modification

      • regedit.exe (PID: 3164)

    • Changes Image File Execution Options

      • regedit.exe (PID: 3164)

  • SUSPICIOUS

    • Application launched itself

      • wscript.exe (PID: 2196)

    • Executes JAVA applets

      • explorer.exe (PID: 116)
      • wscript.exe (PID: 2196)
      • javaw.exe (PID: 3252)

    • Creates files in the user directory

      • wscript.exe (PID: 2196)
      • javaw.exe (PID: 3252)
      • WScript.exe (PID: 1356)
      • xcopy.exe (PID: 3824)

    • Executes scripts

      • wscript.exe (PID: 2196)
      • javaw.exe (PID: 3336)
      • cmd.exe (PID: 3168)
      • cmd.exe (PID: 3884)
      • cmd.exe (PID: 2436)
      • cmd.exe (PID: 3968)
      • cmd.exe (PID: 3276)
      • cmd.exe (PID: 3192)
      • cmd.exe (PID: 2800)
      • cmd.exe (PID: 2504)

    • Starts CMD.EXE for commands execution

      • javaw.exe (PID: 3252)
      • java.exe (PID: 2656)
      • javaw.exe (PID: 3380)
      • java.exe (PID: 3700)

    • Executable content was dropped or overwritten

      • xcopy.exe (PID: 3824)
      • javaw.exe (PID: 3380)

    • Uses REG.EXE to modify Windows registry

      • javaw.exe (PID: 3252)

    • Uses ATTRIB.EXE to modify file attributes

      • javaw.exe (PID: 3252)

    • Starts itself from another location

      • javaw.exe (PID: 3252)

    • Uses TASKKILL.EXE to kill process

      • javaw.exe (PID: 3380)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2019:05:15 05:44:27
ZipCRC: 0x7cf3c163
ZipCompressedSize: 664965
ZipUncompressedSize: 1014909
ZipFileName: paqzomyspw/resources/lzgpusxodo
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
170
Monitored processes
78
Malicious processes
11
Suspicious processes
0

Behavior graph

Click at the process to see the details
start javaw.exe no specs wscript.exe no specs wscript.exe javaw.exe no specs #ADWIND java.exe cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs xcopy.exe cmd.exe no specs cscript.exe no specs explorer.exe no specs svchost.exe no specs reg.exe attrib.exe no specs attrib.exe no specs #ADWIND javaw.exe #ADWIND java.exe cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs taskkill.exe no specs cmd.exe no specs regedit.exe no specs regedit.exe no specs taskkill.exe no specs regedit.exe taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs wmic.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs PhotoViewer.dll no specs

Process information

PID
CMD
Path
Indicators
Parent process
116C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
236taskkill /IM AdAwareDesktop.exe /T /FC:\Windows\system32\taskkill.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
408taskkill /IM CisTray.exe /T /FC:\Windows\system32\taskkill.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernelbase.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\taskkill.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
572WMIC /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:ListC:\Windows\System32\Wbem\WMIC.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
584taskkill /IM capinfos.exe /T /FC:\Windows\system32\taskkill.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
596cmd.exe /c regedit.exe /s C:\Users\admin\AppData\Local\Temp\buKFFuklGW8546643136176095379.regC:\Windows\system32\cmd.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
812C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestrictedC:\Windows\System32\svchost.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
968taskkill /IM V3Medic.exe /T /FC:\Windows\system32\taskkill.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
1012taskkill /IM procexp.exe /T /FC:\Windows\system32\taskkill.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
1180taskkill /IM procexp.exe /T /FC:\Windows\system32\taskkill.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
Total events
8 862
Read events
8 592
Write events
270
Delete events
0

Modification events

(PID) Process:(2196) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2196) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(1356) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\BMmbWyYJuO
Operation:writeName:
Value:
false - 15/5/2019
(PID) Process:(1356) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:BMmbWyYJuO
Value:
wscript.exe //B "C:\Users\admin\AppData\Roaming\BMmbWyYJuO.js"
(PID) Process:(1356) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:BMmbWyYJuO
Value:
wscript.exe //B "C:\Users\admin\AppData\Roaming\BMmbWyYJuO.js"
(PID) Process:(1356) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(1356) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(1356) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(1356) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(1356) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
Executable files
111
Suspicious files
10
Text files
82
Unknown types
15

Dropped files

PID
Process
Filename
Type
3336javaw.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:
SHA256:
2196wscript.exeC:\Users\admin\AppData\Roaming\thyywdnfim.txtjava
MD5:
SHA256:
3824xcopy.exeC:\Users\admin\AppData\Roaming\Oracle\releasetext
MD5:1BCCC3A965156E53BE3136B3D583B7B6
SHA256:03A4DB27DEA69374EFBAF121C332D0AF05840D16D0C1FBF127D00E65054B118A
3824xcopy.exeC:\Users\admin\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txttext
MD5:745D6DB5FC58C63F74CE6A7D4DB7E695
SHA256:C77BA9F668FEE7E9B810F1493E518ADF87233AC8793E4B37C9B3D1ED7846F1C0
3824xcopy.exeC:\Users\admin\AppData\Roaming\Oracle\Welcome.htmlhtml
MD5:27CF299B6D93FACA73FBCDCF4AECFD93
SHA256:3F1F0EE75588DBBA3B143499D08AA9AB431E4A34E483890CFAC94A8E1061B7CF
3824xcopy.exeC:\Users\admin\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME-JAVAFX.txttext
MD5:AB9DB8D553033C0326BD2D38D77F84C1
SHA256:38995534DF44E0526F8C8C8D479C778A4B34627CFD69F19213CFBE019A7261BA
3336javaw.exeC:\Users\admin\ecsbvnzsau.jstext
MD5:
SHA256:
3252javaw.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:
SHA256:
1356WScript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BMmbWyYJuO.jstext
MD5:
SHA256:
2196wscript.exeC:\Users\admin\AppData\Roaming\BMmbWyYJuO.jstext
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
10
DNS requests
3
Threats
4

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1356
WScript.exe
184.75.209.163:7800
unknownsoft.duckdns.org
Amanah Tech Inc.
CA
malicious
3380
javaw.exe
185.244.31.160:7075
olavroy.duckdns.org
malicious

DNS requests

Domain
IP
Reputation
unknownsoft.duckdns.org
  • 184.75.209.163
malicious
olavroy.duckdns.org
  • 185.244.31.160
malicious

Threats

PID
Process
Class
Message
1056
svchost.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
1056
svchost.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3380
javaw.exe
A Network Trojan was detected
ET TROJAN Possible Adwind SSL Cert (assylias.Inc)
3380
javaw.exe
A Network Trojan was detected
MALWARE [PTsecurity] Backdoor.Java.Adwind.cu
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Bestellung.jar