| Field | Value |
|---|---|
| File name | Bestellung.jar |
| Full analysis | https://app.any.run/tasks/e83e633e-9d19-4719-aee7-2abe3d167257 |
| Verdict | Malicious activity |
| Threats | Adwind RAT (also tracked as Unrecom, Sockrat, Frutas, jRat and JSocket): a Java-based, malware-as-a-service remote access trojan that attackers use to collect information from infected machines. It was one of the most widely sold RATs on the market in 2015. |
| Analysis date | May 15, 2019, 05:58:32 |
| OS | Windows 7 Professional Service Pack 1 (build 7601, 32-bit) |
| Tags | (none) |
| Indicators | (none) |
| MIME | application/zip |
| File info | Zip archive data, at least v2.0 to extract |
| MD5 | 25664A73A3A1DDC5FCC76E2A5A49AEFE |
| SHA1 | 9F33F07D280C25FF7CE487C98A85D3204ACEAA96 |
| SHA256 | ED13AEEA867D246D97D8E05E50449939B5C80EF2A2BAEB4FFC8C6103757A178B |
| SSDEEP | 12288:Sfp42N5ZRy2XMT6OUr93KpAx0B1U3Fcm8sjqOQKSEYQohzvEUpqzz:eXN5ZRy24FTSMO1VRocJop2zz |
| Static information | Value |
|---|---|
| Identified type | .zip, ZIP compressed archive (100) |
| ZipFileName | paqzomyspw/resources/lzgpusxodo |
| ZipUncompressedSize | 1014909 |
| ZipCompressedSize | 664965 |
| ZipCRC | 0x7cf3c163 |
| ZipModifyDate | 2019:05:15 05:44:27 |
| ZipCompression | Deflated |
| ZipBitFlag | - |
| ZipRequiredVersion | 20 |

The Zip* fields describe a single archive entry (the first one), not the whole JAR. The entry itself is the telling part: a ~1 MB extensionless blob under a random-looking package path (`paqzomyspw/resources/lzgpusxodo`), time-stamped 14 minutes before the analysis started, which is how Adwind's packer stores its encrypted payload rather than readable `.class` files.
| PID | Command line | Image path | Parent | User / integrity | Exit code | Binary (company, description, version) |
|---|---|---|---|---|---|---|
| 2948 | `"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\Bestellung.jar"` | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | explorer.exe | admin / MEDIUM | 0 | Oracle Corporation, Java(TM) Platform SE binary, 8.0.920.14 |
| 2532 | `wscript C:\Users\admin\ecsbvnzsau.js` | C:\Windows\system32\wscript.exe | javaw.exe | admin / MEDIUM | 0 | Microsoft Corporation, Microsoft ® Windows Based Script Host, 5.8.7600.16385 |
| 1968 | `"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\BMmbWyYJuO.js"` | C:\Windows\System32\WScript.exe | wscript.exe | admin / MEDIUM | (still running) | Microsoft Corporation, Microsoft ® Windows Based Script Host, 5.8.7600.16385 |
| 2708 | `"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\khxvvtf.txt"` | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | wscript.exe | admin / MEDIUM | 0 | Oracle Corporation, Java(TM) Platform SE binary, 8.0.920.14 |
| 3224 | `"C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar C:\Users\admin\AppData\Local\Temp\_0.79194151188280277810846458078536771.class` | C:\Program Files\Java\jre1.8.0_92\bin\java.exe | javaw.exe | admin / MEDIUM | (still running) | Oracle Corporation, Java(TM) Platform SE binary, 8.0.920.14 |
| 2900 | `cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive7522228294999144210.vbs` | C:\Windows\system32\cmd.exe | javaw.exe | admin / MEDIUM | 0 | Microsoft Corporation, Windows Command Processor, 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 3652 | `cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive4976838952797391484.vbs` | C:\Windows\system32\cmd.exe | java.exe | admin / MEDIUM | 0 | Microsoft Corporation, Windows Command Processor, 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2524 | `cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive7522228294999144210.vbs` | C:\Windows\system32\cscript.exe | cmd.exe | admin / MEDIUM | 0 | Microsoft Corporation, Microsoft ® Console Based Script Host, 5.8.7600.16385 |
| 3000 | `cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive4976838952797391484.vbs` | C:\Windows\system32\cscript.exe | cmd.exe | admin / MEDIUM | 0 | Microsoft Corporation, Microsoft ® Console Based Script Host, 5.8.7600.16385 |
| 292 | `cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive7877283023523043323.vbs` | C:\Windows\system32\cmd.exe | javaw.exe | admin / MEDIUM | 0 | Microsoft Corporation, Windows Command Processor, 6.1.7601.17514 (win7sp1_rtm.101119-1850) |

No per-process indicators were flagged; every process runs as the logged-on user at medium integrity, so the whole chain works without elevation. Read top to bottom it is the standard Adwind delivery: the JAR opened from Temp (2948) drops and runs a JScript stage (`ecsbvnzsau.js`, 2532), which writes the real implant as `khxvvtf.txt` (a JAR with a disguised extension, run via `javaw -jar`, 2708) and a second JScript (`BMmbWyYJuO.js`, 1968) that is also copied to the Startup folder. The implant then unpacks a further JAR under a `.class` name into Temp (3224) and runs a series of `Retrive*.vbs` scripts through `cmd.exe /C cscript.exe`. Two things stand out for detection: `-jar` pointed at a file whose extension is not `.jar`, and Java spawning (and being spawned by) Windows script hosts.
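As an added example, not part of the ANY.RUN report, the following turns the observations from the process table into detection logic over process-creation events. The event records are constructed from the table above (PID, image, command line, parent image); parent PIDs are not shown on the page and are assumed so the tree can be walked, and explorer.exe's PID 1400 is invented. Sysmon Event ID 1 or Windows 4688 records carry the same fields and can be fed in the same shape.

```python
"""Flag Adwind-style Java <-> script-host chains in process-creation events."""
import ntpath
import re

JAVA_HOSTS = {"java.exe", "javaw.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def tokens(cmdline):
    """Split a Windows command line, keeping quoted paths intact and stripping the quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def is_user_writable(path):
    """Temp, Roaming, or a file sitting directly in the profile root (like ecsbvnzsau.js)."""
    p = path.lower()
    return ("\\appdata\\local\\temp\\" in p or "\\appdata\\roaming\\" in p
            or re.fullmatch(r"[a-z]:\\users\\[^\\]+\\[^\\]+", p) is not None)


def jar_target(toks):
    """Path given to java -jar, or None."""
    low = [t.lower() for t in toks]
    return toks[low.index("-jar") + 1] if "-jar" in low and low.index("-jar") + 1 < len(toks) else None


def evaluate(ev):
    """Return the list of rule names one event trips (empty if none)."""
    tags = []
    image = ntpath.basename(ev["image"]).lower()
    parent = ntpath.basename(ev["parent_image"]).lower()
    toks = tokens(ev["cmdline"])
    if image in JAVA_HOSTS:
        target = jar_target(toks)
        if target:
            ext = ntpath.splitext(target)[1].lower()
            if ext != ".jar":
                tags.append(f"jar_disguised_as_{ext.lstrip('.') or 'noext'}")
            if is_user_writable(target):
                tags.append("jar_from_user_writable_path")
        if parent in SCRIPT_HOSTS:
            tags.append("script_host_launched_java")
    if image in SCRIPT_HOSTS and parent in JAVA_HOSTS:
        tags.append("java_spawned_script_host")
    if image == "cmd.exe" and parent in JAVA_HOSTS and SCRIPT_HOSTS & {t.lower() for t in toks}:
        tags.append("java_spawned_cmd_script_host")
    if image in SCRIPT_HOSTS and any(is_user_writable(t) for t in toks[1:]):
        tags.append("script_from_user_writable_path")
    return tags


def ancestry(pid, by_pid):
    """'root > ... > leaf' image names; falls back to the parent image when the PID is unknown."""
    chain, ev = [], by_pid.get(pid)
    while ev is not None:
        chain.append(ntpath.basename(ev["image"]).lower())
        nxt = by_pid.get(ev["ppid"])
        if nxt is None:
            chain.append(ntpath.basename(ev["parent_image"]).lower())
        ev = nxt
    return " > ".join(reversed(chain))


def report(events):
    """Map PID -> {'tags', 'chain'} for every event that trips at least one rule."""
    by_pid = {ev["pid"]: ev for ev in events}
    return {ev["pid"]: {"tags": tags, "chain": ancestry(ev["pid"], by_pid)}
            for ev in events if (tags := evaluate(ev))}


JAVAW = r"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe"
JAVA = r"C:\Program Files\Java\jre1.8.0_92\bin\java.exe"
# Constructed from the process table on this page; ppid values are assumed.
EVENTS = [
    dict(pid=2948, ppid=1400, image=JAVAW, parent_image=r"C:\Windows\explorer.exe",
         cmdline=f'"{JAVAW}" -jar "C:\\Users\\admin\\AppData\\Local\\Temp\\Bestellung.jar"'),
    dict(pid=2532, ppid=2948, image=r"C:\Windows\system32\wscript.exe", parent_image=JAVAW,
         cmdline=r"wscript C:\Users\admin\ecsbvnzsau.js"),
    dict(pid=1968, ppid=2532, image=r"C:\Windows\System32\WScript.exe", parent_image=r"C:\Windows\system32\wscript.exe",
         cmdline=r'"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\BMmbWyYJuO.js"'),
    dict(pid=2708, ppid=2532, image=JAVAW, parent_image=r"C:\Windows\system32\wscript.exe",
         cmdline=f'"{JAVAW}" -jar "C:\\Users\\admin\\AppData\\Roaming\\khxvvtf.txt"'),
    dict(pid=3224, ppid=2708, image=JAVA, parent_image=JAVAW,
         cmdline=f'"{JAVA}" -jar C:\\Users\\admin\\AppData\\Local\\Temp\\_0.79194151188280277810846458078536771.class'),
    dict(pid=2900, ppid=2708, image=r"C:\Windows\system32\cmd.exe", parent_image=JAVAW,
         cmdline=r"cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive7522228294999144210.vbs"),
    dict(pid=2524, ppid=2900, image=r"C:\Windows\system32\cscript.exe", parent_image=r"C:\Windows\system32\cmd.exe",
         cmdline=r"cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive7522228294999144210.vbs"),
]

if __name__ == "__main__":
    for pid, hit in report(EVENTS).items():
        print(pid, hit["chain"], ", ".join(hit["tags"]), sep="  |  ")
```

Each rule on its own is noisy on developer workstations (a build script legitimately launches `java -jar` from Temp), so alert on the combination: `jar_disguised_as_*` is rare enough to page on by itself, while `java_spawned_script_host` and `script_host_launched_java` should be escalated when they appear in the same ancestry chain.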
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3224 | java.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | EEC205133119891F60A4C1F4342E63D5 | 37F66E98A51B675B599EE1C4F1461602776B56B7151CBBB90BA751E672A05E58 |
| 2708 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | 266CF5780F5AD242D9F6734A5316C8B8 | 9D325F07673298CB493CFAD1E5E47B2ADEB3CD20CB172237B361B189E32030F6 |
| 2948 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | 49A0AEBC734025860651263B49178527 | 5E2298CE69BB49CB2C8BA68BE86E34031D5775D87BBF1B7D193815412FB4482A |
| 2948 | javaw.exe | C:\Users\admin\ecsbvnzsau.js | text | E85249FE9E6986C52B21695147033DA5 | 512A4F6770B8EDF0C8AB5DC7A9C829CAF9EF3F8D9E68A40D1661151624EFC22E |
| 2532 | wscript.exe | C:\Users\admin\AppData\Roaming\khxvvtf.txt | java | 358EAF53236F4589C5449D2D82D11C15 | 36071C9C418FE1E539EFC57DCA7CA8FB071D24663115C482026407AC55D80360 |
| 2532 | wscript.exe | C:\Users\admin\AppData\Roaming\BMmbWyYJuO.js | text | 0E79B768B76913712DFD04C5FA750BD6 | 61B843EF3E39A0C24660C489EC94FB1FC7B135D524AE5DAC57782E1C109A0455 |
| 1968 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BMmbWyYJuO.js | text | 0E79B768B76913712DFD04C5FA750BD6 | 61B843EF3E39A0C24660C489EC94FB1FC7B135D524AE5DAC57782E1C109A0455 |
| 3804 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\release | text | 1BCCC3A965156E53BE3136B3D583B7B6 | 03A4DB27DEA69374EFBAF121C332D0AF05840D16D0C1FBF127D00E65054B118A |
| 3804 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txt | text | 745D6DB5FC58C63F74CE6A7D4DB7E695 | C77BA9F668FEE7E9B810F1493E518ADF87233AC8793E4B37C9B3D1ED7846F1C0 |
| 3804 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\Welcome.html | html | 27CF299B6D93FACA73FBCDCF4AECFD93 | 3F1F0EE75588DBBA3B143499D08AA9AB431E4A34E483890CFAC94A8E1061B7CF |

Three points to take from the dropped files. `khxvvtf.txt` is typed `java` despite its extension: it is the second-stage JAR that process 2708 runs with `-jar`. `BMmbWyYJuO.js` appears twice with identical hashes, once written to Roaming by the first-stage script and once copied into the user's Startup folder by process 1968, which is the persistence mechanism (it runs at every logon without touching the registry or needing elevation). The `release`, `THIRDPARTYLICENSEREADME.txt` and `Welcome.html` files copied by xcopy.exe (PID 3804, not shown in the process list above) are JRE root-directory files, so the implant is staging its own copy of the runtime under `%APPDATA%\Oracle`. The `.oracle_jre_usage\*.timestamp` files are written by the JRE's usage tracker on every launch and are benign noise.
| PID | Process | Method | HTTP code | IP | URL | Country | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 2936 | opera.exe | GET | 200 | 66.225.197.197:80 | http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl | US | der | 543 B | whitelisted |

The only HTTP request is the sandbox's Opera instance fetching a DigiCert CRL; the malware itself generates no plain HTTP.
| PID | Process | IP | Domain | ASN | Country | Reputation |
|---|---|---|---|---|---|---|
| 3308 | javaw.exe | 185.244.31.160:7075 | olavroy.duckdns.org | — | — | malicious |
| 2936 | opera.exe | 66.225.197.197:80 | crl4.digicert.com | CacheNetworks, Inc. | US | whitelisted |
| 2936 | opera.exe | 185.26.182.93:443 | certs.opera.com | Opera Software AS | — | whitelisted |
| 1968 | WScript.exe | 184.75.209.163:7800 | unknownsoft.duckdns.org | Amanah Tech Inc. | CA | malicious |

Two separate command-and-control channels, both on Duck DNS dynamic hostnames and non-standard ports: the Java implant (javaw.exe, PID 3308) talks TLS to olavroy.duckdns.org:7075, and the persistence script (WScript.exe, PID 1968) independently beacons to unknownsoft.duckdns.org:7800. The opera.exe rows are sandbox background traffic.
| Domain | IP (from the connections above) | Reputation |
|---|---|---|
| unknownsoft.duckdns.org | 184.75.209.163 | malicious |
| olavroy.duckdns.org | 185.244.31.160 | malicious |
| certs.opera.com | 185.26.182.93 | whitelisted |
| crl4.digicert.com | 66.225.197.197 | whitelisted |
| PID | Process | Class | Message |
|---|---|---|---|
| — | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
| — | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
| 3308 | javaw.exe | A Network Trojan was detected | ET TROJAN Possible Adwind SSL Cert (assylias.Inc) |
| 3308 | javaw.exe | A Network Trojan was detected | MALWARE [PTsecurity] Backdoor.Java.Adwind.cu |
| 3308 | javaw.exe | A Network Trojan was detected | ET TROJAN Possible Adwind SSL Cert (assylias.Inc) |
| 3308 | javaw.exe | A Network Trojan was detected | ET TROJAN Possible Adwind SSL Cert (assylias.Inc) |

The two dynamic-DNS alerts correspond to the two duckdns.org lookups; the three repeated "Possible Adwind SSL Cert" alerts fire once per TLS handshake on the javaw.exe channel and key on the hard-coded subject (assylias.Inc) in the implant's self-signed certificate, which is why the detection survives the rotating Duck DNS hostnames.