analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

efcpxvbtmf.js

Full analysis: https://app.any.run/tasks/ded5d5d9-d0d4-46b4-a62f-bb2e820e51ae
Verdict: Malicious activity
Threats:

Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.

Malware Trends Tracker     >>>
Analysis date: July 17, 2019, 03:13:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adwind
trojan
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines
MD5:

11361E5219E3E30251113DB95DF990F4

SHA1:

DB098E1A20CC337AFD3933EAC107507DD09B6DB7

SHA256:

FD0FE2A4D1EAF113F3C0F538F7EEB19DC1A1542C1CC3656A857A66CF3EE9C66F

SSDEEP:

12288:KXhnM/C8xl21RRzeaE5fK7gdM9N1+uIWc7iRZ0wMGhPtVJSemW8pyoi2G:KbW21Rs75toCwnacd2G

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • WScript.exe (PID: 3152)
      • reg.exe (PID: 2824)

    • Writes to a start menu file

      • WScript.exe (PID: 3152)

    • AdWind was detected

      • java.exe (PID: 1672)
      • java.exe (PID: 768)

    • Loads dropped or rewritten executable

      • javaw.exe (PID: 3564)
      • WScript.exe (PID: 2628)
      • java.exe (PID: 1672)
      • javaw.exe (PID: 3832)
      • java.exe (PID: 768)

    • Application was dropped or rewritten from another process

      • java.exe (PID: 1672)
      • javaw.exe (PID: 3832)
      • javaw.exe (PID: 3564)
      • java.exe (PID: 768)

  • SUSPICIOUS

    • Creates files in the user directory

      • WScript.exe (PID: 2628)
      • javaw.exe (PID: 3564)
      • WScript.exe (PID: 3152)
      • xcopy.exe (PID: 3956)

    • Executes JAVA applets

      • WScript.exe (PID: 2628)
      • javaw.exe (PID: 3564)

    • Application launched itself

      • WScript.exe (PID: 2628)

    • Executes scripts

      • WScript.exe (PID: 2628)
      • cmd.exe (PID: 2168)
      • cmd.exe (PID: 3276)
      • cmd.exe (PID: 3292)
      • cmd.exe (PID: 3620)
      • cmd.exe (PID: 4064)
      • cmd.exe (PID: 1804)
      • cmd.exe (PID: 1356)
      • cmd.exe (PID: 1812)

    • Starts CMD.EXE for commands execution

      • javaw.exe (PID: 3564)
      • java.exe (PID: 1672)
      • javaw.exe (PID: 3832)
      • java.exe (PID: 768)

    • Starts itself from another location

      • javaw.exe (PID: 3564)

    • Uses ATTRIB.EXE to modify file attributes

      • javaw.exe (PID: 3564)

    • Executable content was dropped or overwritten

      • xcopy.exe (PID: 3956)

    • Uses REG.EXE to modify Windows registry

      • javaw.exe (PID: 3564)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
73
Monitored processes
26
Malicious processes
7
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe no specs wscript.exe javaw.exe no specs #ADWIND java.exe cmd.exe no specs cscript.exe no specs cmd.exe no specs cmd.exe no specs cscript.exe no specs cscript.exe no specs cmd.exe no specs xcopy.exe cscript.exe no specs reg.exe attrib.exe no specs attrib.exe no specs javaw.exe #ADWIND java.exe cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2628"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\efcpxvbtmf.js"C:\Windows\System32\WScript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3152"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\fYztKVNgXc.js" C:\Windows\System32\WScript.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
3564"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\ypopbnzmk.txt"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exeWScript.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
8.0.920.14
1672"C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar C:\Users\admin\AppData\Local\Temp\_0.080349237921487854395289455902476617.classC:\Program Files\Java\jre1.8.0_92\bin\java.exe
javaw.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Version:
8.0.920.14
3276cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive3271591339649560516.vbsC:\Windows\system32\cmd.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
4032cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive3271591339649560516.vbsC:\Windows\system32\cscript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3292cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive2194305196865309381.vbsC:\Windows\system32\cmd.exejava.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2168cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive390335331197888422.vbsC:\Windows\system32\cmd.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2620cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive2194305196865309381.vbsC:\Windows\system32\cscript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3176cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive390335331197888422.vbsC:\Windows\system32\cscript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Total events
822
Read events
790
Write events
32
Delete events
0

Modification events

(PID) Process:(2628) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2628) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(3152) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\fYztKVNgXc
Operation:writeName:
Value:
false - 17/7/2019
(PID) Process:(3152) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:fYztKVNgXc
Value:
wscript.exe //B "C:\Users\admin\AppData\Roaming\fYztKVNgXc.js"
(PID) Process:(3152) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:fYztKVNgXc
Value:
wscript.exe //B "C:\Users\admin\AppData\Roaming\fYztKVNgXc.js"
(PID) Process:(3152) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3152) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3152) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3152) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(3152) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
Executable files
110
Suspicious files
10
Text files
78
Unknown types
15

Dropped files

PID
Process
Filename
Type
1672java.exeC:\Users\admin\AppData\Local\Temp\Retrive2603777243443815389.vbs
MD5:
SHA256:
3152WScript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fYztKVNgXc.jstext
MD5:6D2359496A51B8814AEC710FF914942A
SHA256:5DA887FE8CD6AAEF5FD213004DDEAAE86DF2A28D98F69A7F139B98EC1FB0AC9C
3564javaw.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:309ADDDF6905EFAB6542E11FEA13E920
SHA256:E5B42FBB63E1523132B6EA282DE3AA51ED0B73214925E574C61FC516F39C4457
2628WScript.exeC:\Users\admin\AppData\Roaming\ypopbnzmk.txtjava
MD5:F32345D31343A22880098B59168D2B4F
SHA256:E09CDFAC1B2B7AEEC8B029E13D5953B426B3848676A49632E1BF3FC8044FE835
3956xcopy.exeC:\Users\admin\AppData\Roaming\Oracle\COPYRIGHTtext
MD5:89F660D2B7D58DA3EFD2FECD9832DA9C
SHA256:F6A08C9CC04D7C6A86576C1EF50DD0A690AE5CB503EFD205EDB2E408BD8D557B
3956xcopy.exeC:\Users\admin\AppData\Roaming\Oracle\Welcome.htmlhtml
MD5:27CF299B6D93FACA73FBCDCF4AECFD93
SHA256:3F1F0EE75588DBBA3B143499D08AA9AB431E4A34E483890CFAC94A8E1061B7CF
3956xcopy.exeC:\Users\admin\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txttext
MD5:745D6DB5FC58C63F74CE6A7D4DB7E695
SHA256:C77BA9F668FEE7E9B810F1493E518ADF87233AC8793E4B37C9B3D1ED7846F1C0
1672java.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:C4CB6EBD8693F5C260CF1BB7FFE83663
SHA256:0799D1950C67C91DD9D378C414B3C74443E57421D3209EACB0BF406A452B6D3E
2628WScript.exeC:\Users\admin\AppData\Roaming\fYztKVNgXc.jstext
MD5:6D2359496A51B8814AEC710FF914942A
SHA256:5DA887FE8CD6AAEF5FD213004DDEAAE86DF2A28D98F69A7F139B98EC1FB0AC9C
3564javaw.exeC:\Users\admin\AppData\Local\Temp\Retrive3271591339649560516.vbstext
MD5:3BDFD33017806B85949B6FAA7D4B98E4
SHA256:9DA575DD2D5B7C1E9BAB8B51A16CDE457B3371C6DCDB0537356CF1497FA868F6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
5
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3152
WScript.exe
POST
138.68.229.219:7744
http://unknownsoft.duckdns.org:7744/is-ready
US
malicious
3152
WScript.exe
POST
138.68.229.219:7744
http://unknownsoft.duckdns.org:7744/is-ready
US
malicious
3152
WScript.exe
POST
138.68.229.219:7744
http://unknownsoft.duckdns.org:7744/is-ready
US
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3832
javaw.exe
92.38.86.175:1337
vitlop.ddns.net
ALFA TELECOM s.r.o.
CZ
malicious
92.38.86.175:1337
vitlop.ddns.net
ALFA TELECOM s.r.o.
CZ
malicious
3152
WScript.exe
138.68.229.219:7744
unknownsoft.duckdns.org
Digital Ocean, Inc.
US
malicious

DNS requests

Domain
IP
Reputation
unknownsoft.duckdns.org
  • 138.68.229.219
malicious
vitlop.ddns.net
  • 92.38.86.175
malicious

Threats

PID
Process
Class
Message
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
efcpxvbtmf.js