Overview

overview

10

Static

static

10

NewOrder -...97.jar

windows7-x64

1

NewOrder -...97.jar

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-04-2024 05:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NewOrder - P2D041197.jar

  • Size

    628KB

  • MD5

    bc34f4e23dca52ed6425b46a3dcf5e95

  • SHA1

    e82affa4fea489146e3deb803efdb561a394073f

  • SHA256

    f77617921c5fb6f8114eca9fe330b8d2bfc3a99c4f581f3f9a8282a31d528aeb

  • SHA512

    2f3a171e9ada6f10b4ed182f5fdb4ec7086f99def55db52f2663980eff2009048b6a240f30c7c9e3ba518b4075c79bc77faa5e613e590f823abc1e613385123a

  • SSDEEP

    12288:Cz396wbsskjH0PljDlBPfPSlU5XhBFDYU1SkzuiSn/BIu9:s39bssOUP1l9fPScXhfg3z

Score
10/10
adwinddiscoverytrojan

Malware Config

Signatures

  • AdWind

    A Java-based RAT family operated as malware-as-a-service.

    trojanadwind
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    java -jar "C:\Users\Admin\AppData\Local\Temp\NewOrder - P2D041197.jar"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2352
    • C:\Windows\system32\icacls.exe
      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      2⤵
      • Modifies file permissions
      PID:2404
    • C:\Windows\SYSTEM32\wscript.exe
      wscript C:\Users\Admin\zbrspjjraf.js
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4336
      • C:\Program Files\Java\jre-1.8\bin\javaw.exe
        "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\qgkjv.txt"
        3⤵
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:3200
        • C:\Program Files\Java\jre-1.8\bin\java.exe
          "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.174504929484940671347965085096563403.class
          4⤵
          • Drops file in System32 directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3448
          • C:\Windows\SYSTEM32\cmd.exe
            cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive9068515242872426269.vbs
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1012
            • C:\Windows\system32\cscript.exe
              cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive9068515242872426269.vbs
              6⤵
                PID:2580
            • C:\Windows\SYSTEM32\cmd.exe
              cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2225211764578340356.vbs
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2404
              • C:\Windows\system32\cscript.exe
                cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2225211764578340356.vbs
                6⤵
                  PID:2176
              • C:\Windows\SYSTEM32\xcopy.exe
                xcopy "C:\Program Files\Java\jre-1.8" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
                5⤵
                  PID:3328
                • C:\Windows\SYSTEM32\cmd.exe
                  cmd.exe
                  5⤵
                    PID:5036

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Initial Access

          Execution

          Persistence

          Privilege Escalation

          Defense Evasion

          File and Directory Permissions Modification

          1
          T1222

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Resource Development

          Reconnaissance

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
            Filesize

            46B

            MD5

            27e8e3bf8ba0a27601813484869b504c

            SHA1

            bf52fad8f3d7b4775466aa3b4f44e8a810ec49a3

            SHA256

            08f0f728a8bd22409398f9d3cea93159722928f9199ec235a21383572d5aff11

            SHA512

            8d3aab972dfb378cf465d0f0e2aff1fd15ec73b4c65b3768813833724251ab0b1a5abf5af42ee946667e2f687aec2a57508ae43c7044202e71c16860e3f78973

            Download Submit
          • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
            Filesize

            46B

            MD5

            0b1be7106d22ad09946a932afeac96fe

            SHA1

            71fa40de2b1d76edc00745c5cbb1060857905b43

            SHA256

            213bc4d553a140f054fda3f8c4da011465dcc88544a09e1f347fbf5a2861ab54

            SHA512

            b0eaf06d0bf962a5f168f76c7e08835f22f010e5e84a39d08ec3bfc8d38ac2010f80cbbf5b8ec70f0de450f65c76d4df9df8fe38a33fbb8491a0ed3d6a737674

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\Retrive2225211764578340356.vbs
            Filesize

            281B

            MD5

            a32c109297ed1ca155598cd295c26611

            SHA1

            dc4a1fdbaad15ddd6fe22d3907c6b03727b71510

            SHA256

            45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7

            SHA512

            70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\Retrive9068515242872426269.vbs
            Filesize

            276B

            MD5

            3bdfd33017806b85949b6faa7d4b98e4

            SHA1

            f92844fee69ef98db6e68931adfaa9a0a0f8ce66

            SHA256

            9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6

            SHA512

            ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\_0.174504929484940671347965085096563403.class
            Filesize

            241KB

            MD5

            781fb531354d6f291f1ccab48da6d39f

            SHA1

            9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

            SHA256

            97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

            SHA512

            3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3198953144-1466794930-246379610-1000\83aa4cc77f591dfc2374580bbd95f6ba_66f3ac8f-aa40-456a-9a7d-d8b3ebc9da1b
            Filesize

            45B

            MD5

            c8366ae350e7019aefc9d1e6e6a498c6

            SHA1

            5731d8a3e6568a5f2dfbbc87e3db9637df280b61

            SHA256

            11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

            SHA512

            33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Oracle\bin\plugin2\msvcp140.dll
            Filesize

            558KB

            MD5

            bf78c15068d6671693dfcdfa5770d705

            SHA1

            4418c03c3161706a4349dfe3f97278e7a5d8962a

            SHA256

            a88b8c1c8f27bf90fe960e0e8bd56984ad48167071af92d96ec1051f89f827fb

            SHA512

            5b6b0ab4e82cc979eaa619d387c6995198fd19aa0c455bef44bd37a765685575d57448b3b4accd70d3bd20a6cd408b1f518eda0f6dae5aa106f225bee8291372

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Oracle\bin\plugin2\vcruntime140.dll
            Filesize

            95KB

            MD5

            7415c1cc63a0c46983e2a32581daefee

            SHA1

            5f8534d79c84ac45ad09b5a702c8c5c288eae240

            SHA256

            475ab98b7722e965bd38c8fa6ed23502309582ccf294ff1061cb290c7988f0d1

            SHA512

            3d4b24061f72c0e957c7b04a0c4098c94c8f1afb4a7e159850b9939c7210d73398be6f27b5ab85073b4e8c999816e7804fef0f6115c39cd061f4aaeb4dcda8cf

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Oracle\bin\plugin2\vcruntime140_1.dll
            Filesize

            36KB

            MD5

            fcda37abd3d9e9d8170cd1cd15bf9d3f

            SHA1

            b23ff3e9aa2287b9c1249a008c0ae06dc8b6fdf2

            SHA256

            0579d460ea1f7e8a815fa55a8821a5ff489c8097f051765e9beaf25d8d0f27d6

            SHA512

            de8be61499aaa1504dde8c19666844550c2ea7ef774ecbe26900834b252887da31d4cf4fb51338b16b6a4416de733e519ebf8c375eb03eb425232a6349da2257

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Oracle\lib\deploy\messages_zh_TW.properties
            Filesize

            3KB

            MD5

            880baacb176553deab39edbe4b74380d

            SHA1

            37a57aad121c14c25e149206179728fa62203bf0

            SHA256

            ff4a3a92bc92cb08d2c32c435810440fd264edd63e56efa39430e0240c835620

            SHA512

            3039315bb283198af9090bd3d31cfae68ee73bc2b118bbae0b32812d4e3fd0f11ce962068d4a17b065dab9a66ef651b9cb8404c0a2defce74bb6b2d1d93646d5

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Oracle\lib\images\cursors\win32_CopyNoDrop32x32.gif
            Filesize

            153B

            MD5

            1e9d8f133a442da6b0c74d49bc84a341

            SHA1

            259edc45b4569427e8319895a444f4295d54348f

            SHA256

            1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b

            SHA512

            63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

            Download Submit
          • C:\Users\Admin\AppData\Roaming\qgkjv.txt
            Filesize

            479KB

            MD5

            d7d1131452a0427e78a2710d280537b5

            SHA1

            279b601cb79c5d1790910c839125a45b2f43101d

            SHA256

            4c81c42509988b29c4d77288ed55849de919676fbca4a938bf773f893f2e547e

            SHA512

            483d03f5dcf0011679463a68f233cb50796c056d1045cc6eeaccae41ffbe51e562a186f6cd6196b0c3b63631553a7d780d6d77648117903e4d58238b2ef8d198

            Download Submit
          • C:\Users\Admin\zbrspjjraf.js
            Filesize

            945KB

            MD5

            1d266565196b28ef3e62398a3fdb63cd

            SHA1

            d8e7f9d683f3db330c9225ab708d0a4095f2eea1

            SHA256

            5fc03a19d37c227c9cfe59a5e962956fb46ae2a7969e0cf0ea1f806e201295a0

            SHA512

            51f1a887ba9d6886b10263d06811899313dfcb1469ef64f70658875e4a7da721cf4aee626c3539762d42183a9a1c17d77cb0b80bc7165de73481b9e8d261d3a2

            Download Submit
          • memory/2352-4-0x0000020E3A840000-0x0000020E3B840000-memory.dmp
            Filesize

            16.0MB

            Download
          • memory/2352-14-0x0000020E38F60000-0x0000020E38F61000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3200-28-0x000002850A320000-0x000002850B320000-memory.dmp
            Filesize

            16.0MB

            Download
          • memory/3200-66-0x000002850A320000-0x000002850B320000-memory.dmp
            Filesize

            16.0MB

            Download
          • memory/3200-67-0x000002850A5B0000-0x000002850A5C0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/3200-65-0x000002850A5A0000-0x000002850A5B0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/3200-59-0x000002850A300000-0x000002850A301000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3200-30-0x000002850A300000-0x000002850A301000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3448-41-0x0000024626210000-0x0000024627210000-memory.dmp
            Filesize

            16.0MB

            Download
          • memory/3448-91-0x0000024626210000-0x0000024627210000-memory.dmp
            Filesize

            16.0MB

            Download
          • memory/3448-92-0x00000246261F0000-0x00000246261F1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3448-101-0x0000024626210000-0x0000024627210000-memory.dmp
            Filesize

            16.0MB

            Download
          • memory/3448-87-0x00000246261F0000-0x00000246261F1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3448-85-0x00000246261F0000-0x00000246261F1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3448-80-0x00000246261F0000-0x00000246261F1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3448-79-0x0000024626210000-0x0000024627210000-memory.dmp
            Filesize

            16.0MB

            Download
          • memory/3448-73-0x0000024626210000-0x0000024627210000-memory.dmp
            Filesize

            16.0MB

            Download
          • memory/3448-56-0x00000246261F0000-0x00000246261F1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3448-48-0x00000246261F0000-0x00000246261F1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3448-997-0x00000246261F0000-0x00000246261F1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3448-1000-0x00000246261F0000-0x00000246261F1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3448-1004-0x00000246261F0000-0x00000246261F1000-memory.dmp
            Filesize

            4KB

            Download