Overview

overview

10

Static

static

ORDER_21108899.js

windows7_x64

10

ORDER_21108899.js

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ORDER_21108899.js

  • Size

    987KB

  • Sample

    211029-b8spyshbfr

  • MD5

    341e4ef0c44307292552407c3d901528

  • SHA1

    f9a40fc6c02bb92fcf44a28c1a3ee0a28508f369

  • SHA256

    c6763de0547e3afe161e4ee6b8adba529d413db74a974d1a55a033ec3cf96db5

  • SHA512

    b1e19b628cb4577f99b111c77bd7d118979b9bbf99ae5ca41ef1dcce23591292f3f8ce280c072aaaef9b3b8cd154e75ea90a1e37c33c997050680f67f9622946

Score
10/10
adwindpersistencesuricatatrojan

Malware Config

Targets

    • Target

      ORDER_21108899.js

    • Size

      987KB

    • MD5

      341e4ef0c44307292552407c3d901528

    • SHA1

      f9a40fc6c02bb92fcf44a28c1a3ee0a28508f369

    • SHA256

      c6763de0547e3afe161e4ee6b8adba529d413db74a974d1a55a033ec3cf96db5

    • SHA512

      b1e19b628cb4577f99b111c77bd7d118979b9bbf99ae5ca41ef1dcce23591292f3f8ce280c072aaaef9b3b8cd154e75ea90a1e37c33c997050680f67f9622946

    Score
    10/10
    adwindpersistencesuricatatrojan

    • AdWind

      A Java-based RAT family operated as malware-as-a-service.

      trojanadwind

    • suricata: ET MALWARE Possible Adwind/jSocket SSL Cert (assylias.Inc)

      suricata: ET MALWARE Possible Adwind/jSocket SSL Cert (assylias.Inc)

      suricata

    • Detect jar appended to MSI

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Hidden Files and Directories

1
T1158

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Hidden Files and Directories

1
T1158

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks