adwind | d12234226c190e7deedec269690eae0ae6984f71dfa8a1c1b5524a8d0ff96675

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2024 23:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b12eb8cdd3411a8c3bf8149d637ace2_JaffaCakes118.jar
Size

627KB
MD5

7b12eb8cdd3411a8c3bf8149d637ace2
SHA1

c2c9ad099e981004e9b9579445f80ca1a159cbdf
SHA256

d12234226c190e7deedec269690eae0ae6984f71dfa8a1c1b5524a8d0ff96675
SHA512

164eaed06fa08c58466ed696f7a58b8618215e0e28c3d810b9b26c0f45b3b7ef0067639e550c8183d1024ea3aac4568d4c65498ea1a313d5c2e1b1b8c3c3a07c
SSDEEP

12288:AS0pJr8GnPrNzJwaIZAOYeKoeZOwg7cHbZ+Bky7wYu04xz40q:qMGzUA7eHeTgGF+ia+xz40q

Score

10^/10

adwind persistence trojan

Malware Config

Signatures

AdWind
A Java-based RAT family operated as malware-as-a-service.
trojan adwind
Adwind family
adwind

Class file contains resources related to AdWind 1 IoCs

Processes:

resource	yara_rule
sample	family_adwind5

Blocklisted process makes network request 6 IoCs

Processes:

WScript.exe

flow	pid	Process
8	3100	WScript.exe
38	3100	WScript.exe
58	3100	WScript.exe
73	3100	WScript.exe
95	3100	WScript.exe
103	3100	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NgBiLalxeu.vbs	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NgBiLalxeu.vbs	WScript.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WScript.exewscript.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NgBiLalxeu = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\NgBiLalxeu.vbs\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NgBiLalxeu = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\NgBiLalxeu.vbs\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ntfsmgr.jar\""	wscript.exe

Drops file in System32 directory 1 IoCs

Processes:

java.exe

description	ioc	Process
File created	C:\Windows\System32\test.txt	java.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

wscript.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	wscript.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

javaw.exejava.exe

pid	Process
4844	javaw.exe
1172	java.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

java.exewscript.execmd.exejavaw.exejava.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 1512 wrote to memory of 4264	1512	java.exe	86
PID 1512 wrote to memory of 4264	1512	java.exe	86
PID 4264 wrote to memory of 3100	4264	wscript.exe	88
PID 4264 wrote to memory of 3100	4264	wscript.exe	88
PID 4264 wrote to memory of 1504	4264	wscript.exe	89
PID 4264 wrote to memory of 1504	4264	wscript.exe	89
PID 1504 wrote to memory of 1588	1504	cmd.exe	91
PID 1504 wrote to memory of 1588	1504	cmd.exe	91
PID 4264 wrote to memory of 4844	4264	wscript.exe	93
PID 4264 wrote to memory of 4844	4264	wscript.exe	93
PID 4844 wrote to memory of 1172	4844	javaw.exe	94
PID 4844 wrote to memory of 1172	4844	javaw.exe	94
PID 4844 wrote to memory of 2144	4844	javaw.exe	97
PID 4844 wrote to memory of 2144	4844	javaw.exe	97
PID 1172 wrote to memory of 3996	1172	java.exe	98
PID 1172 wrote to memory of 3996	1172	java.exe	98
PID 3996 wrote to memory of 2516	3996	cmd.exe	102
PID 3996 wrote to memory of 2516	3996	cmd.exe	102
PID 2144 wrote to memory of 4196	2144	cmd.exe	101
PID 2144 wrote to memory of 4196	2144	cmd.exe	101
PID 4844 wrote to memory of 4456	4844	javaw.exe	103
PID 4844 wrote to memory of 4456	4844	javaw.exe	103
PID 1172 wrote to memory of 3104	1172	java.exe	105
PID 1172 wrote to memory of 3104	1172	java.exe	105
PID 4456 wrote to memory of 3252	4456	cmd.exe	107
PID 4456 wrote to memory of 3252	4456	cmd.exe	107
PID 3104 wrote to memory of 904	3104	cmd.exe	108
PID 3104 wrote to memory of 904	3104	cmd.exe	108
PID 4844 wrote to memory of 3588	4844	javaw.exe	109
PID 4844 wrote to memory of 3588	4844	javaw.exe	109
PID 1172 wrote to memory of 1068	1172	java.exe	110
PID 1172 wrote to memory of 1068	1172	java.exe	110
PID 1172 wrote to memory of 4224	1172	java.exe	115
PID 1172 wrote to memory of 4224	1172	java.exe	115

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\7b12eb8cdd3411a8c3bf8149d637ace2_JaffaCakes118.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\SYSTEM32\wscript.exe
  wscript C:\Users\Admin\xchaoedjjv.vbs
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\NgBiLalxeu.vbs"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    PID:3100
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -version 2> C:\Users\Admin\AppData\Local\Temp\output.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -version
      4⤵
      PID:1588
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
    3⤵
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Program Files\Java\jre-1.8\bin\java.exe
      "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.65333414927744366264166172843144029.class
      4⤵
      Drops file in System32 directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1172
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5153761802214374474.vbs
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3996
      - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5153761802214374474.vbs
        6⤵
        
        PID:2516
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4936737022201489473.vbs
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3104
      - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4936737022201489473.vbs
        6⤵
        
        PID:904
    - - C:\Windows\SYSTEM32\xcopy.exe
        
        xcopy "C:\Program Files\Java\jre-1.8" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
        5⤵
        
        PID:1068
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:4224
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3554597557082794685.vbs
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2144
    - - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3554597557082794685.vbs
        5⤵
        
        PID:4196
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive646288275408060035.vbs
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4456
    - - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive646288275408060035.vbs
        5⤵
        
        PID:3252
  - - C:\Windows\SYSTEM32\xcopy.exe
      xcopy "C:\Program Files\Java\jre-1.8" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
      4⤵
      PID:3588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
a1e4a65b61afcae17d22cff62244464e

SHA1
2e298d3f57f979b91f0b76950c437e7c20fabd68

SHA256
ab1bc744e831b568a23606928b94ec8944da59f720be925840674b292b661d20

SHA512
3f8c6e52c35f4b02b1302b1dcc779047fc39fa467eb84e16d388b20c4a0e9f7874e1b88e5cbad268aae9e020b299ee79f0b165dbe762c8ab061a8598b9065bcb

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
04a05b844736b0f24c4df7ce9e2629ad

SHA1
feb73ec31b9f6bb0dbe76683cca14f5868971d39

SHA256
042c83f3af4f3b9e5e7e2d328d16d2fee9f706579c04572577d5b49a74f68034

SHA512
fbccdd928d0d06db7d2a6fce1dae3bfee55abffb364ceb5573a7469d6cbc0df6a56c5b65c8828041d213e49d9372e6b67c2ffd39592a1a556f748b1d31ad2845

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive3554597557082794685.vbs

Filesize
276B

MD5
3bdfd33017806b85949b6faa7d4b98e4

SHA1
f92844fee69ef98db6e68931adfaa9a0a0f8ce66

SHA256
9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6

SHA512
ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive646288275408060035.vbs

Filesize
281B

MD5
a32c109297ed1ca155598cd295c26611

SHA1
dc4a1fdbaad15ddd6fe22d3907c6b03727b71510

SHA256
45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7

SHA512
70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.65333414927744366264166172843144029.class

Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt

Filesize
147B

MD5
878f394e749aeb94775a31acccc09414

SHA1
4255a663fa9b4c141fde96869071d1d29450ced8

SHA256
afdd2e30a49d992e02746954a658ca1d8af5460c2f70607ecdb2b68883cfc421

SHA512
23637278397943d779cab6b6f3730d5708c8374ac18bed4f4e6b69a63a7e5304d39c5c2c8c48206812d0a2f0cc209620c92c57a39bb489ec9fad63a323f5d12d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3756129449-3121373848-4276368241-1000\83aa4cc77f591dfc2374580bbd95f6ba_a63d6fdc-08cb-4232-ab51-76cafdcb4d96

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\NgBiLalxeu.vbs

Filesize
19KB

MD5
4b697592e3bf7435f4f84b54cdd5fae3

SHA1
3820c508096cea9c622dbf5330451a1bb47d22f0

SHA256
0485f9ac3dc8f47255d2b27eae9fceb679d43f9ee0dec10bfadf5abf40c13e0c

SHA512
f60a186f62e2b9bcd7e48fa1eeb921c311c33ecd68803cdb465cbfe6d89804eccf547fd3cfec6d866e8f32be3553527941dc68963d06b6a5769f597c8756ecd6

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\plugin2\msvcp140.dll

Filesize
558KB

MD5
bf78c15068d6671693dfcdfa5770d705

SHA1
4418c03c3161706a4349dfe3f97278e7a5d8962a

SHA256
a88b8c1c8f27bf90fe960e0e8bd56984ad48167071af92d96ec1051f89f827fb

SHA512
5b6b0ab4e82cc979eaa619d387c6995198fd19aa0c455bef44bd37a765685575d57448b3b4accd70d3bd20a6cd408b1f518eda0f6dae5aa106f225bee8291372

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\plugin2\vcruntime140.dll

Filesize
95KB

MD5
7415c1cc63a0c46983e2a32581daefee

SHA1
5f8534d79c84ac45ad09b5a702c8c5c288eae240

SHA256
475ab98b7722e965bd38c8fa6ed23502309582ccf294ff1061cb290c7988f0d1

SHA512
3d4b24061f72c0e957c7b04a0c4098c94c8f1afb4a7e159850b9939c7210d73398be6f27b5ab85073b4e8c999816e7804fef0f6115c39cd061f4aaeb4dcda8cf

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\plugin2\vcruntime140_1.dll

Filesize
36KB

MD5
fcda37abd3d9e9d8170cd1cd15bf9d3f

SHA1
b23ff3e9aa2287b9c1249a008c0ae06dc8b6fdf2

SHA256
0579d460ea1f7e8a815fa55a8821a5ff489c8097f051765e9beaf25d8d0f27d6

SHA512
de8be61499aaa1504dde8c19666844550c2ea7ef774ecbe26900834b252887da31d4cf4fb51338b16b6a4416de733e519ebf8c375eb03eb425232a6349da2257

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\deploy\messages_zh_TW.properties

Filesize
3KB

MD5
880baacb176553deab39edbe4b74380d

SHA1
37a57aad121c14c25e149206179728fa62203bf0

SHA256
ff4a3a92bc92cb08d2c32c435810440fd264edd63e56efa39430e0240c835620

SHA512
3039315bb283198af9090bd3d31cfae68ee73bc2b118bbae0b32812d4e3fd0f11ce962068d4a17b065dab9a66ef651b9cb8404c0a2defce74bb6b2d1d93646d5

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\images\cursors\win32_CopyNoDrop32x32.gif

Filesize
153B

MD5
1e9d8f133a442da6b0c74d49bc84a341

SHA1
259edc45b4569427e8319895a444f4295d54348f

SHA256
1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b

SHA512
63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

Download Submit
C:\Users\Admin\AppData\Roaming\ntfsmgr.jar

Filesize
473KB

MD5
145427827bc63f7b50a88ba276b1fc28

SHA1
f08b684153620b11a224a06d5710880fe8a14e0b

SHA256
b3a3b28ecf120ab7b9109662eafc47903a969bf264842eb05788fbc5c6c3e1df

SHA512
5b68775a609774b1f6661a27078fc6402dada7d09f90173b8448116d23d93b90c17295b9f9e68491715f9e2f11bc671e16ec105b5bf3fe9d00d8bdb7d81c814d

Download Submit
C:\Users\Admin\xchaoedjjv.vbs

Filesize
916KB

MD5
73e4683ec40638fbe5f0663560311c0e

SHA1
14a23d1ef6830b25fc862f048461c6db62cc2b4c

SHA256
a73573331e08b802ef9e961f7a95bb4714a8f0aaa4177341d6ff9be8445caa18

SHA512
19d8ef212f7940a9e76451e60589acefe9351d79d35555da678b1bc4ec00cea323c395d8c4836f83e442e53af7daad992796b200670d928ac56ed414c6b60c38

Download Submit
memory/1172-754-0x00000277B1FF0000-0x00000277B1FF1000-memory.dmp

Filesize
4KB

Download
memory/1172-990-0x00000277B1FF0000-0x00000277B1FF1000-memory.dmp

Filesize
4KB

Download
memory/1172-368-0x00000277B1FF0000-0x00000277B1FF1000-memory.dmp

Filesize
4KB

Download
memory/1172-1022-0x00000277B1FF0000-0x00000277B1FF1000-memory.dmp

Filesize
4KB

Download
memory/1172-1006-0x00000277B1FF0000-0x00000277B1FF1000-memory.dmp

Filesize
4KB

Download
memory/1172-1005-0x00000277B1FF0000-0x00000277B1FF1000-memory.dmp

Filesize
4KB

Download
memory/1172-993-0x00000277B1FF0000-0x00000277B1FF1000-memory.dmp

Filesize
4KB

Download
memory/1172-986-0x00000277B1FF0000-0x00000277B1FF1000-memory.dmp

Filesize
4KB

Download
memory/1172-985-0x00000277B1FF0000-0x00000277B1FF1000-memory.dmp

Filesize
4KB

Download
memory/1172-85-0x00000277B1FF0000-0x00000277B1FF1000-memory.dmp

Filesize
4KB

Download
memory/1172-981-0x00000277B1FF0000-0x00000277B1FF1000-memory.dmp

Filesize
4KB

Download
memory/1512-2-0x0000019786D40000-0x0000019786FB0000-memory.dmp

Filesize
2.4MB

Download
memory/1512-13-0x0000019785430000-0x0000019785431000-memory.dmp

Filesize
4KB

Download
memory/1512-15-0x0000019786D40000-0x0000019786FB0000-memory.dmp

Filesize
2.4MB

Download
memory/1588-35-0x000001D3EAF00000-0x000001D3EAF01000-memory.dmp

Filesize
4KB

Download
memory/4844-58-0x0000022DE0C50000-0x0000022DE0C51000-memory.dmp

Filesize
4KB

Download
memory/4844-96-0x0000022DE0C50000-0x0000022DE0C51000-memory.dmp

Filesize
4KB

Download
memory/4844-448-0x0000022DE0C50000-0x0000022DE0C51000-memory.dmp

Filesize
4KB

Download