adwind | a175d061fa3d3a6263d165c7f95261ac69d464bb744ca789a9c005abad8d026d

General

Target

a175d061fa3d3a6263d165c7f95261ac69d464bb744ca789a9c005abad8d026d.jar
Size

62KB
MD5

115902df0ff3992041223e42adb10e8b
SHA1

f8acdddddd88089357be77788355b2377ee9e6f5
SHA256

a175d061fa3d3a6263d165c7f95261ac69d464bb744ca789a9c005abad8d026d
SHA512

fa9da64b5eeebbc51d097657e016492f001befacc6f7b54b4ef0548ced1603dfbfc80873d2880dd1058aef5bd4f52874d32b1cd5dc96ad2524fe6ea583a906ae
SSDEEP

1536:WxvJQnmTJxrYolc/4aAi6s1kV6Y99mJ4f6fZwle:W5JQnmTP3lc/4qPKyfZwle

Score

10^/10

adwind evasion persistence trojan

Malware Config

Signatures

AdWind
A Java-based RAT family operated as malware-as-a-service.
trojan adwind

JAR file contains resources related to AdWind 1 IoCs

This JAR file potentially contains loader stubs used by the AdWind RAT.

resource	yara_rule
behavioral1/files/0x00090000000122cc-74.dat	family_adwind_stub

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
324	attrib.exe
784	attrib.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Update = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Java Update\\Java Update.jar\""	reg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Update = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Java Update\\Java Update.jar\""	reg.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Java Update\Desktop.ini	java.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Java Update\Desktop.ini	attrib.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1568	reg.exe
1104	reg.exe
1360	reg.exe
1080	reg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1488	java.exe
1684	javaw.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 1360	1488	java.exe	28
PID 1488 wrote to memory of 1360	1488	java.exe	28
PID 1488 wrote to memory of 1360	1488	java.exe	28
PID 1488 wrote to memory of 1080	1488	java.exe	29
PID 1488 wrote to memory of 1080	1488	java.exe	29
PID 1488 wrote to memory of 1080	1488	java.exe	29
PID 1488 wrote to memory of 324	1488	java.exe	30
PID 1488 wrote to memory of 324	1488	java.exe	30
PID 1488 wrote to memory of 324	1488	java.exe	30
PID 1488 wrote to memory of 784	1488	java.exe	31
PID 1488 wrote to memory of 784	1488	java.exe	31
PID 1488 wrote to memory of 784	1488	java.exe	31
PID 1488 wrote to memory of 1684	1488	java.exe	32
PID 1488 wrote to memory of 1684	1488	java.exe	32
PID 1488 wrote to memory of 1684	1488	java.exe	32
PID 1684 wrote to memory of 1568	1684	javaw.exe	33
PID 1684 wrote to memory of 1568	1684	javaw.exe	33
PID 1684 wrote to memory of 1568	1684	javaw.exe	33
PID 1684 wrote to memory of 1104	1684	javaw.exe	36
PID 1684 wrote to memory of 1104	1684	javaw.exe	36
PID 1684 wrote to memory of 1104	1684	javaw.exe	36
PID 1684 wrote to memory of 1940	1684	javaw.exe	37
PID 1684 wrote to memory of 1940	1684	javaw.exe	37
PID 1684 wrote to memory of 1940	1684	javaw.exe	37

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
324	attrib.exe
784	attrib.exe
1940	attrib.exe

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\a175d061fa3d3a6263d165c7f95261ac69d464bb744ca789a9c005abad8d026d.jar
1⤵
- Drops desktop.ini file(s)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "Java Update" /t REG_SZ /d "\"C:\Program Files\Java\jre7\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\Java Update\Java Update.jar\"" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:1360
- C:\Windows\system32\reg.exe
  reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Java Update" /f
  2⤵
  - Modifies registry key
  PID:1080
- C:\Windows\system32\attrib.exe
  attrib +s +h +r "C:\Users\Admin\AppData\Roaming\Java Update\*.*"
  2⤵
  - Sets file to hidden
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:324
- C:\Windows\system32\attrib.exe
  attrib +s +h +r "C:\Users\Admin\AppData\Roaming\Java Update"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:784
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\Java Update\Java Update.jar"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "Java Update" /t REG_SZ /d "\"C:\Program Files\Java\jre7\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\Java Update\Java Update.jar\"" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1568
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Java Update" /f
    3⤵
    - Modifies registry key
    PID:1104
- - C:\Windows\system32\attrib.exe
    attrib +H "C:\Users\Admin\.Java Update"
    3⤵
    - Views/modifies file attributes
    PID:1940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Java Update\Desktop.ini

Filesize
63B

MD5
e783bdd20a976eaeaae1ff4624487420

SHA1
c2a44fab9df00b3e11582546b16612333c2f9286

SHA256
2f65fa9c7ed712f493782abf91467f869419a2f8b5adf23b44019c08190fa3f3

SHA512
8c883678e4625ef44f4885b8c6d7485196774f9cb0b9eee7dd18711749bcae474163df9965effcd13ecd1a33cd7265010c152f8504d6013e4f4d85d68a901a80

Download Submit
C:\Users\Admin\AppData\Roaming\Java Update\Java Update.jar

Filesize
62KB

MD5
115902df0ff3992041223e42adb10e8b

SHA1
f8acdddddd88089357be77788355b2377ee9e6f5

SHA256
a175d061fa3d3a6263d165c7f95261ac69d464bb744ca789a9c005abad8d026d

SHA512
fa9da64b5eeebbc51d097657e016492f001befacc6f7b54b4ef0548ced1603dfbfc80873d2880dd1058aef5bd4f52874d32b1cd5dc96ad2524fe6ea583a906ae

Download Submit
memory/1488-54-0x000007FEFC001000-0x000007FEFC003000-memory.dmp

Filesize
8KB

Download
memory/1488-57-0x0000000002180000-0x0000000005180000-memory.dmp

Filesize
48.0MB

Download
memory/1684-88-0x0000000002170000-0x0000000005170000-memory.dmp

Filesize
48.0MB

Download
memory/1684-95-0x0000000002170000-0x0000000005170000-memory.dmp

Filesize
48.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads