adwind | 278c9124c75881f0bb93cb8eec9c3a48c503d674a2d6f5e62e4f29f7f67946ee | Triage

Sharing

General

Target

0bed9b0a8b023564c80628a1979cbe89_JaffaCakes118
Size

447KB
Sample

240501-qv874sga41
MD5

0bed9b0a8b023564c80628a1979cbe89
SHA1

6afdd240d970f8a079be16a1f5a2640ec4cd1f67
SHA256

278c9124c75881f0bb93cb8eec9c3a48c503d674a2d6f5e62e4f29f7f67946ee
SHA512

1e0cde761bc7ff2a52e51db6bed03518e2fb1fe6f65944a586778a8ae5e5b158543fa751957b0fde8cbd77da0f914b5feefc3b215b2680604c166ffcd2610e55
SSDEEP

12288:5Y19jei67QEQLayfQPdQLS4jUvfYNWeueC02461ig4mON1:k9jqEEGa5iLneYNpH61ho

Score

10^/10

adwind discovery persistence trojan

Malware Config

Targets

- Target
  
  W2_PDF.jar
- Size
  
  447KB
- MD5
  
  ec0e8133dbb9686ae7bd0144704415c2
- SHA1
  
  b4929e2a864b61e09a571b86b1ff0311b646d0cd
- SHA256
  
  d4f6ed754a730d7c59147abf4d58ad0c13a3dc6d9a7661d51edbda043b5d2b08
- SHA512
  
  8685664a8e1261c097b2a09d6f4b0ed09f5f4481ea40212962eb066be3e7ca2a3f334d4cafbb36f8137ea8e6566783206ea7aa7a0422d2f7d3394a82bd6f20a7
- SSDEEP
  
  12288:aPwjWiIxcEQlQyjQP5QTS4jcvZSFWeQe20Y469iyUmOYRvdm:8wjwOEeQrWTnGSFbB69ZT1m
Score

10^/10

adwind persistence trojan discovery
- AdWind
  A Java-based RAT family operated as malware-as-a-service.
  trojan adwind
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Hide Artifacts

Hidden Files and Directories

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

adwindpersistencetrojan

behavioral2

adwinddiscoverypersistencetrojan