File name: | efcpxvbtmf.js |
Full analysis: | https://app.any.run/tasks/ded5d5d9-d0d4-46b4-a62f-bb2e820e51ae |
Verdict: | Malicious activity |
Threats: | Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015. |
Analysis date: | July 17, 2019, 03:13:27 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines |
MD5: | 11361E5219E3E30251113DB95DF990F4 |
SHA1: | DB098E1A20CC337AFD3933EAC107507DD09B6DB7 |
SHA256: | FD0FE2A4D1EAF113F3C0F538F7EEB19DC1A1542C1CC3656A857A66CF3EE9C66F |
SSDEEP: | 12288:KXhnM/C8xl21RRzeaE5fK7gdM9N1+uIWc7iRZ0wMGhPtVJSemW8pyoi2G:KbW21Rs75toCwnacd2G |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2628 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\efcpxvbtmf.js" | C:\Windows\System32\WScript.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3152 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\fYztKVNgXc.js" | C:\Windows\System32\WScript.exe | WScript.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 | ||||
3564 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\ypopbnzmk.txt" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | WScript.exe |
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Exit code: 0 Version: 8.0.920.14 | ||||
1672 | "C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar C:\Users\admin\AppData\Local\Temp\_0.080349237921487854395289455902476617.class | C:\Program Files\Java\jre1.8.0_92\bin\java.exe | javaw.exe | |
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Version: 8.0.920.14 | ||||
3276 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive3271591339649560516.vbs | C:\Windows\system32\cmd.exe | — | javaw.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
4032 | cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive3271591339649560516.vbs | C:\Windows\system32\cscript.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Console Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3292 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive2194305196865309381.vbs | C:\Windows\system32\cmd.exe | — | java.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2168 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive390335331197888422.vbs | C:\Windows\system32\cmd.exe | — | javaw.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2620 | cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive2194305196865309381.vbs | C:\Windows\system32\cscript.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Console Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3176 | cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive390335331197888422.vbs | C:\Windows\system32\cscript.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Console Based Script Host Exit code: 0 Version: 5.8.7600.16385 |
(PID) Process: | (2628) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (2628) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 | |||
(PID) Process: | (3152) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\fYztKVNgXc |
Operation: | write | Name: | |
Value: false - 17/7/2019 | |||
(PID) Process: | (3152) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
Operation: | write | Name: | fYztKVNgXc |
Value: wscript.exe //B "C:\Users\admin\AppData\Roaming\fYztKVNgXc.js" | |||
(PID) Process: | (3152) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
Operation: | write | Name: | fYztKVNgXc |
Value: wscript.exe //B "C:\Users\admin\AppData\Roaming\fYztKVNgXc.js" | |||
(PID) Process: | (3152) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32 |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (3152) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32 |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (3152) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32 |
Operation: | write | Name: | FileTracingMask |
Value: 4294901760 | |||
(PID) Process: | (3152) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32 |
Operation: | write | Name: | ConsoleTracingMask |
Value: 4294901760 | |||
(PID) Process: | (3152) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32 |
Operation: | write | Name: | MaxFileSize |
Value: 1048576 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1672 | java.exe | C:\Users\admin\AppData\Local\Temp\Retrive2603777243443815389.vbs | — | |
MD5:— | SHA256:— | |||
3152 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fYztKVNgXc.js | text | |
MD5:6D2359496A51B8814AEC710FF914942A | SHA256:5DA887FE8CD6AAEF5FD213004DDEAAE86DF2A28D98F69A7F139B98EC1FB0AC9C | |||
3564 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | |
MD5:309ADDDF6905EFAB6542E11FEA13E920 | SHA256:E5B42FBB63E1523132B6EA282DE3AA51ED0B73214925E574C61FC516F39C4457 | |||
2628 | WScript.exe | C:\Users\admin\AppData\Roaming\ypopbnzmk.txt | java | |
MD5:F32345D31343A22880098B59168D2B4F | SHA256:E09CDFAC1B2B7AEEC8B029E13D5953B426B3848676A49632E1BF3FC8044FE835 | |||
3956 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\COPYRIGHT | text | |
MD5:89F660D2B7D58DA3EFD2FECD9832DA9C | SHA256:F6A08C9CC04D7C6A86576C1EF50DD0A690AE5CB503EFD205EDB2E408BD8D557B | |||
3956 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\Welcome.html | html | |
MD5:27CF299B6D93FACA73FBCDCF4AECFD93 | SHA256:3F1F0EE75588DBBA3B143499D08AA9AB431E4A34E483890CFAC94A8E1061B7CF | |||
3956 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txt | text | |
MD5:745D6DB5FC58C63F74CE6A7D4DB7E695 | SHA256:C77BA9F668FEE7E9B810F1493E518ADF87233AC8793E4B37C9B3D1ED7846F1C0 | |||
1672 | java.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | |
MD5:C4CB6EBD8693F5C260CF1BB7FFE83663 | SHA256:0799D1950C67C91DD9D378C414B3C74443E57421D3209EACB0BF406A452B6D3E | |||
2628 | WScript.exe | C:\Users\admin\AppData\Roaming\fYztKVNgXc.js | text | |
MD5:6D2359496A51B8814AEC710FF914942A | SHA256:5DA887FE8CD6AAEF5FD213004DDEAAE86DF2A28D98F69A7F139B98EC1FB0AC9C | |||
3564 | javaw.exe | C:\Users\admin\AppData\Local\Temp\Retrive3271591339649560516.vbs | text | |
MD5:3BDFD33017806B85949B6FAA7D4B98E4 | SHA256:9DA575DD2D5B7C1E9BAB8B51A16CDE457B3371C6DCDB0537356CF1497FA868F6 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3152 | WScript.exe | POST | — | 138.68.229.219:7744 | http://unknownsoft.duckdns.org:7744/is-ready | US | — | — | malicious |
3152 | WScript.exe | POST | — | 138.68.229.219:7744 | http://unknownsoft.duckdns.org:7744/is-ready | US | — | — | malicious |
3152 | WScript.exe | POST | — | 138.68.229.219:7744 | http://unknownsoft.duckdns.org:7744/is-ready | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3832 | javaw.exe | 92.38.86.175:1337 | vitlop.ddns.net | ALFA TELECOM s.r.o. | CZ | malicious |
— | — | 92.38.86.175:1337 | vitlop.ddns.net | ALFA TELECOM s.r.o. | CZ | malicious |
3152 | WScript.exe | 138.68.229.219:7744 | unknownsoft.duckdns.org | Digital Ocean, Inc. | US | malicious |
Domain | IP | Reputation |
---|---|---|
unknownsoft.duckdns.org |
| malicious |
vitlop.ddns.net |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |