adwind | 2b4db73f2e681b7f7d5b0b4cee46453428c4dd3c9c94070ef8840fc73a54d58a

General

Target

justificante.jar
Size

647KB
MD5

f2862159a6e80713e03cf09ad149b4e3
SHA1

740f32542b8e53908e02f3db0234736648085236
SHA256

2b4db73f2e681b7f7d5b0b4cee46453428c4dd3c9c94070ef8840fc73a54d58a
SHA512

8c62ee4181f42f66004dd15317842d9bd56fbceecd6628a7146c0774605bc6ba157f5028eb4900618f38d0308304252081eabf21a419a8befb7c03774b9318a6

Score

10^/10

adwind vjw0rm persistence trojan worm

Malware Config

Signatures

AdWind
A Java-based RAT family operated as malware-as-a-service.
trojan adwind
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

5 1880 WScript.exe

flow	pid	process
5	1880	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tKNFBZAbcx.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tKNFBZAbcx.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\tKNFBZAbcx.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

javaw.exe

pid process

240 javaw.exe

pid	process
240	javaw.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

java.exewscript.exejavaw.execmd.exe

description	pid	process	target process
PID 756 wrote to memory of 1996	756	java.exe	wscript.exe
PID 756 wrote to memory of 1996	756	java.exe	wscript.exe
PID 756 wrote to memory of 1996	756	java.exe	wscript.exe
PID 1996 wrote to memory of 1880	1996	wscript.exe	WScript.exe
PID 1996 wrote to memory of 1880	1996	wscript.exe	WScript.exe
PID 1996 wrote to memory of 1880	1996	wscript.exe	WScript.exe
PID 1996 wrote to memory of 240	1996	wscript.exe	javaw.exe
PID 1996 wrote to memory of 240	1996	wscript.exe	javaw.exe
PID 1996 wrote to memory of 240	1996	wscript.exe	javaw.exe
PID 240 wrote to memory of 1736	240	javaw.exe	java.exe
PID 240 wrote to memory of 1736	240	javaw.exe	java.exe
PID 240 wrote to memory of 1736	240	javaw.exe	java.exe
PID 240 wrote to memory of 1724	240	javaw.exe	cmd.exe
PID 240 wrote to memory of 1724	240	javaw.exe	cmd.exe
PID 240 wrote to memory of 1724	240	javaw.exe	cmd.exe
PID 1724 wrote to memory of 2024	1724	cmd.exe	cscript.exe
PID 1724 wrote to memory of 2024	1724	cmd.exe	cscript.exe
PID 1724 wrote to memory of 2024	1724	cmd.exe	cscript.exe

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\justificante.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\system32\wscript.exe
wscript C:\Users\Admin\oddlcjbdnx.js
2⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\tKNFBZAbcx.js"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1880

C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\uuxxxuatou.txt"
3⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:240

C:\Program Files\Java\jre7\bin\java.exe
"C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.223623243828517173568191431634009153.class
4⤵
PID:1736

C:\Windows\system32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6696661852867173216.vbs
4⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6696661852867173216.vbs
5⤵
PID:2024

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_0.223623243828517173568191431634009153.class
Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Roaming\tKNFBZAbcx.js
Filesize
30KB

MD5
fa3fd06cbfb568048b94746fe7846ac6

SHA1
242538e1e09cb9d5342441e981946a12d111860d

SHA256
f827c5ccc625f33515de3e7019cca67c06066ebf460288b47c464002ef0390a1

SHA512
5e4d960cc58256d4a9f94dbb2556d19aa362be0a4e26133f0a42e9392457f405a3d0c68235e1781a33dc625c03777b28970a6a10aea8e3a1ef7e92bf3cf7dab7

Download Submit
C:\Users\Admin\AppData\Roaming\uuxxxuatou.txt
Filesize
479KB

MD5
0af2ffb0e3a810f556a0eef909a5ecc7

SHA1
641fe60bfa8569a0a13dc9279ea1cafb5cb912ad

SHA256
9d05feba177ac6b9433f0a28bf9e6ba9828f1621f625f7ca80009a1cf5b5374b

SHA512
883f01a0d0c2ed6ada0dd3d2b4548d01b54f6cf4fcfd6a39f9a61511147fefc4ea8ad4392873fd54e4d7c1c04adc01c94bf99447ddfcde925340ae4ea409b1c9

Download Submit
C:\Users\Admin\oddlcjbdnx.js
Filesize
969KB

MD5
06a575d37fb3ed9c959b6f5ee7d4794c

SHA1
bad9d9875c3ea3e50bf0b111dc54fef104162afb

SHA256
d7c9739a75f4218fd75acf6c86d04e55b5d5d618bd99ee3cd34b57e52e2de4b9

SHA512
d686fc32aba72091387cb89a2ab9f1b8e31aad47085fea0f017e7a94a25dfef1ba5f064859333dfebfc405750077f893d06b53438f60d1cc0c4c7b32853fa289

Download Submit
memory/240-98-0x0000000002370000-0x0000000005370000-memory.dmp

Filesize
48.0MB

Download
memory/240-71-0x0000000000000000-mapping.dmp

Download
memory/240-84-0x0000000002370000-0x0000000005370000-memory.dmp

Filesize
48.0MB

Download
memory/756-58-0x0000000002240000-0x0000000005240000-memory.dmp

Filesize
48.0MB

Download
memory/756-54-0x000007FEFBB71000-0x000007FEFBB73000-memory.dmp

Filesize
8KB

Download
memory/1724-101-0x0000000000000000-mapping.dmp

Download
memory/1736-85-0x0000000000000000-mapping.dmp

Download
memory/1736-95-0x0000000002190000-0x0000000005190000-memory.dmp

Filesize
48.0MB

Download
memory/1736-99-0x0000000002190000-0x0000000005190000-memory.dmp

Filesize
48.0MB

Download
memory/1880-69-0x0000000000000000-mapping.dmp

Download
memory/1996-65-0x0000000000000000-mapping.dmp

Download
memory/2024-102-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads