Analysis

Max time kernel: 139s
Max time network: 149s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 01-07-2022 05:25

Static task: static1

Behavioral task: behavioral1
  Sample: 3704a8f86fe69466491c8423500bf1385554ce9d0f0deb2a373655f3abce653b.jar
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: 3704a8f86fe69466491c8423500bf1385554ce9d0f0deb2a373655f3abce653b.jar
  Resource: win10v2004-20220414-en
General

Target: 3704a8f86fe69466491c8423500bf1385554ce9d0f0deb2a373655f3abce653b.jar
Size: 89KB
MD5: 20de1c62ba825235d8ec0a6ccebac974
SHA1: 53b53e50377754928990f67101d320a69442398c
SHA256: 3704a8f86fe69466491c8423500bf1385554ce9d0f0deb2a373655f3abce653b
SHA512: 25e3985ced204a05fa8cb0016b6e0fe60237fa36ffed79b9f9dfd43ed09bb72821995cc4b3bfcc22b45efe95655dddcf26656a822b72f2b6cd06e1215cc55046
Malware Config
Signatures

JAR file contains resources related to AdWind (1 IoC)
This JAR file potentially contains loader stubs used by the AdWind RAT.
  resource: behavioral2/files/0x000800000002314d-145.dat
  yara_rule: family_adwind_stub

Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
  PID 1832  attrib.exe
  PID 2536  attrib.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asddresd = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\eqwzdd\\asdwsd.jar\""  reg.exe
  Key created      \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run  reg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asddresd = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\eqwzdd\\asdwsd.jar\""  reg.exe
  Key created      \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run  reg.exe

Drops desktop.ini file(s) (2 IoCs)
  File created                 C:\Users\Admin\AppData\Roaming\eqwzdd\Desktop.ini  java.exe
  File opened for modification C:\Users\Admin\AppData\Roaming\eqwzdd\Desktop.ini  attrib.exe

Modifies registry key (1 TTP, 4 IoCs)
  PID 1004  reg.exe
  PID 672   reg.exe
  PID 2632  reg.exe
  PID 3724  reg.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 2112  java.exe
  PID 1988  javaw.exe

Suspicious use of WriteProcessMemory (16 IoCs)
  description                          pid   Process    procid_target
  PID 2112 wrote to memory of 1004     2112  java.exe   78
  PID 2112 wrote to memory of 1004     2112  java.exe   78
  PID 2112 wrote to memory of 672      2112  java.exe   80
  PID 2112 wrote to memory of 672      2112  java.exe   80
  PID 2112 wrote to memory of 2536     2112  java.exe   85
  PID 2112 wrote to memory of 2536     2112  java.exe   85
  PID 2112 wrote to memory of 1832     2112  java.exe   84
  PID 2112 wrote to memory of 1832     2112  java.exe   84
  PID 2112 wrote to memory of 1988     2112  java.exe   82
  PID 2112 wrote to memory of 1988     2112  java.exe   82
  PID 1988 wrote to memory of 2632     1988  javaw.exe  87
  PID 1988 wrote to memory of 2632     1988  javaw.exe  87
  PID 1988 wrote to memory of 3724     1988  javaw.exe  89
  PID 1988 wrote to memory of 3724     1988  javaw.exe  89
  PID 1988 wrote to memory of 4016     1988  javaw.exe  91
  PID 1988 wrote to memory of 4016     1988  javaw.exe  91

Views/modifies file attributes (1 TTP, 3 IoCs)
  PID 2536  attrib.exe
  PID 4016  attrib.exe
  PID 1832  attrib.exe
Processes

C:\ProgramData\Oracle\Java\javapath\java.exe
  Command line: java -jar C:\Users\Admin\AppData\Local\Temp\3704a8f86fe69466491c8423500bf1385554ce9d0f0deb2a373655f3abce653b.jar
  PID: 2112
  - Drops desktop.ini file(s)
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\SYSTEM32\reg.exe
      Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v asddresd /t REG_SZ /d "\"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\eqwzdd\asdwsd.jar\"" /f
      PID: 1004
      - Adds Run key to start application
      - Modifies registry key

    C:\Windows\SYSTEM32\reg.exe
      Command line: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v asddresd /f
      PID: 672
      - Modifies registry key

    C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\eqwzdd\asdwsd.jar"
      PID: 1988
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Windows\SYSTEM32\reg.exe
          Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v asddresd /t REG_SZ /d "\"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\eqwzdd\asdwsd.jar\"" /f
          PID: 2632
          - Adds Run key to start application
          - Modifies registry key

        C:\Windows\SYSTEM32\reg.exe
          Command line: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v asddresd /f
          PID: 3724
          - Modifies registry key

        C:\Windows\SYSTEM32\attrib.exe
          Command line: attrib +H C:\Users\Admin\.Plugins3
          PID: 4016
          - Views/modifies file attributes

    C:\Windows\SYSTEM32\attrib.exe
      Command line: attrib +s +h +r "C:\Users\Admin\AppData\Roaming\eqwzdd"
      PID: 1832
      - Sets file to hidden
      - Views/modifies file attributes

    C:\Windows\SYSTEM32\attrib.exe
      Command line: attrib +s +h +r "C:\Users\Admin\AppData\Roaming\eqwzdd\*.*"
      PID: 2536
      - Sets file to hidden
      - Drops desktop.ini file(s)
      - Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v6
Downloads