Heavily Obfuscated JAR Drops Adwind RAT | IOCs
Logo
Try VMRay Analyzer
VTI SCORE: 91/100
Dynamic Analysis Report
Classification: Hacktool, Trojan

fd86a9b0f3bcd1dc2b061bb7a77b3871cb6d101505218f763221ee9945e69bf3 (SHA256)

Bissell New PO.qrypted.jar

Java Archive

Created at 2018-07-19 09:49:00

...

Notifications (2/2)

Due to a WHOIS service error, no query could be made to get WHOIS data of any contacted domain.

The operating system was rebooted during the analysis.

Indicators

File (130)
»
Filename Hash Operations Source
\etc\release - Access
C:\Program Files\Java\jre7\bin\awt.dll - Access
C:\Program Files\Java\jre7\bin\java - Access
C:\Program Files\Java\jre7\bin\java.exe - Access
C:\Program Files\Java\jre7\bin\management.dll - Access
C:\Program Files\Java\jre7\bin\net.dll - Access
C:\Program Files\Java\jre7\bin\nio.dll - Access
C:\Program Files\Java\jre7\bin\sunec.dll - Access
C:\Program Files\Java\jre7\bin\zip.dll - Access
C:\Program Files\Java\jre7\classes - Access
C:\Program Files\Java\jre7\lib - Access
C:\Program Files\Java\jre7\lib\accessibility.properties - Access, Read
C:\Program Files\Java\jre7\lib\charsets.jar - Access
C:\Program Files\Java\jre7\lib\ext - Access
C:\Program Files\Java\jre7\lib\ext\access-bridge.jar - Access
C:\Program Files\Java\jre7\lib\ext\dnsns.jar - Access
C:\Program Files\Java\jre7\lib\ext\jaccess.jar - Access
C:\Program Files\Java\jre7\lib\ext\localedata.jar - Access
C:\Program Files\Java\jre7\lib\ext\meta-index - Access, Read
C:\Program Files\Java\jre7\lib\ext\sunec.jar - Access, Read
C:\Program Files\Java\jre7\lib\ext\sunjce_provider.jar - Access, Read
C:\Program Files\Java\jre7\lib\ext\sunmscapi.jar - Access
C:\Program Files\Java\jre7\lib\ext\sunpkcs11.jar - Access
C:\Program Files\Java\jre7\lib\ext\zipfs.jar - Access
C:\Program Files\Java\jre7\lib\jaxp.properties - Access
C:\Program Files\Java\jre7\lib\jce.jar - Access, Read
C:\Program Files\Java\jre7\lib\jfr.jar - Access
C:\Program Files\Java\jre7\lib\jsse.jar - Access, Read
C:\Program Files\Java\jre7\lib\management\usagetracker.properties - Access
C:\Program Files\Java\jre7\lib\meta-index - Access, Read
C:\Program Files\Java\jre7\lib\resources.jar - Access, Read
C:\Program Files\Java\jre7\lib\rt.jar - Access, Read
C:\Program Files\Java\jre7\lib\security\java.security - Access, Read
C:\Program Files\Java\jre7\lib\security\local_policy.jar - Access, Read
C:\Program Files\Java\jre7\lib\security\US_export_policy.jar - Access, Read
C:\Program Files\Java\jre7\lib\sunrsasign.jar - Access
C:\Program Files\Java\jre7\lib\swing.properties - Access
C:\Program Files\Java\jre7\meta-index - Access
C:\Program%20Files\Java\jre7\lib\ext\sunec.dll - Access
C:\Program%20Files\Java\jre7\lib\ext\x86\sunec.dll - Access
C:\Users\2XC7u663GxWc\.accessibility.properties - Access
C:\Users\2XC7u663GxWc\AppData\Local\Temp\_0.080316539076114361006181509658991106.class - Access
C:\Users\2XC7u663GxWc\AppData\Local\Temp\_0.77866636596601243045465905282659207.class - Access, Read
C:\Users\2XC7u663GxWc\AppData\Local\Temp\_0.98963488192277293018538009244777557.class - Access, Read
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\bin\awt.dll - Access
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\bin\client\classes.jsa - Access, Read
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\bin\java - Access
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\bin\java.exe - Access
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\bin\javaw.exe - Access
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\bin\management.dll - Access
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\bin\msvcr100.dll - Access
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\bin\net.dll - Access
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\bin\nio.dll - Access
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\bin\sunec.dll - Access
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\bin\sunmscapi.dll - Access
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\bin\zip.dll - Access
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\classes - Access
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib - Access
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\accessibility.properties - Access, Read
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\charsets.jar - Access
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\endorsed - Access
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\ext - Access
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\ext\access-bridge.jar - Access
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\ext\dnsns.jar - Access
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\ext\jaccess.jar - Access
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\ext\localedata.jar - Access
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\ext\meta-index - Access, Read
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\ext\sunec.dll - Access
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\ext\sunec.jar - Access, Read
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\ext\sunjce_provider.jar - Access, Read
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\ext\sunmscapi.dll - Access
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\ext\sunmscapi.jar - Access, Read
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\ext\sunpkcs11.jar - Access
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\ext\x86\sunec.dll - Access
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\ext\x86\sunmscapi.dll - Access
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\ext\zipfs.jar - Access
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\i386\jvm.cfg - Access, Read
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\jaxp.properties - Access
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\jce.jar - Access, Read
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\jfr.jar - Access
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\jsse.jar - Access, Read
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\management\usagetracker.properties - Access
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\meta-index - Access, Read
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\net.properties - Access
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\resources.jar - Access, Read
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\rt.jar - Access, Read
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\security\java.security - Access, Read
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\security\local_policy.jar - Access, Read
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\security\US_export_policy.jar - Access, Read
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\sunrsasign.jar - Access
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\swing.properties - Access
C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\meta-index - Access
C:\Users\2XC7u663GxWc\cqsFQOTqbmg - Access
C:\Users\2XC7u663GxWc\cqsFQOTqbmg\ID.txt MD5: 9b201b1dd02cb80825eeb818b96627f3
SHA1: 2bd36111bde69244396c5fb8539c89b714b2e6a5
SHA256: d56585c6039877175e2ebe7a32e04e7c98e947f55839e8cf0e3abc6d06ebb790
SSDeep: 3:YwwAHMaHM3+bIx74Re:YwwAHfHIxsRe
ImpHash: None 		Access, Write Created File
C:\Users\2XC7u663GxWc\cqsFQOTqbmg\nccJQMiokAP - Access
C:\Users\2XC7u663GxWc\cqsFQOTqbmg\zoIZCxYZMIr.EAMkwm MD5: df6fc309f66b3cdb33a8fd183343a610
SHA1: be9e3ae27e19694034f0f7ae81b162befd61689c
SHA256: fd86a9b0f3bcd1dc2b061bb7a77b3871cb6d101505218f763221ee9945e69bf3
SSDeep: 12288:uaVkKWNQXHKobX++/y8rzRZ+otjI+qc+gMNYCEgYjsGGjOXbwlQoMxEVuXLN:5zFfX+Irr+ISc+gh/gY5wla/LN
ImpHash: None 		Access, Read, Write Created File
C:\Users\2XC7u663GxWc\Desktop - Access
C:\Users\2XC7u663GxWc\Desktop\Bissell New PO.qrypted.jar MD5: df6fc309f66b3cdb33a8fd183343a610
SHA1: be9e3ae27e19694034f0f7ae81b162befd61689c
SHA256: fd86a9b0f3bcd1dc2b061bb7a77b3871cb6d101505218f763221ee9945e69bf3
SSDeep: 12288:uaVkKWNQXHKobX++/y8rzRZ+otjI+qc+gMNYCEgYjsGGjOXbwlQoMxEVuXLN:5zFfX+Irr+ISc+gh/gY5wla/LN
ImpHash: None 		Access, Read Sample File
cscript.exe - Access
C:\Users\2XC7u663GxWc\fUTkALeaTxM - Access
C:\Users\2XC7u663GxWc\fUTkALeaTxM\DdWDtpinxpf - Access
C:\Users\2XC7u663GxWc\fUTkALeaTxM\ID.txt MD5: 473d5ea6460d84e1c44532bf39d48eb7
SHA1: c760d009877410051d803f625211fd027445d1c8
SHA256: 9f32e41ce1b7a69787cd3886274f9e8c8a910607a0687b3d3cf965cef60d2109
SSDeep: 3:YwwAHWKIDdIRRKu9hASMi:YwwAHWKIDdsEKhv
ImpHash: None 		Access Created File
C:\Users\2XC7U6~1\AppData\Local\Temp - Access
C:\Users\2XC7U6~1\AppData\Local\Temp\_0.080316539076114361006181509658991106.class - Access
C:\Users\2XC7U6~1\AppData\Local\Temp\_0.77866636596601243045465905282659207.class MD5: 781fb531354d6f291f1ccab48da6d39f
SHA1: 9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
SHA256: 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
SSDeep: 6144:WI5pxUZ7Gvi8ulm+yV/rIF0/MO2qnan1J7pXESN6U:J5pxAGqNkrIq/MO2qnA
ImpHash: None 		Access, Read, Write Created File
C:\Users\2XC7U6~1\AppData\Local\Temp\_0.98963488192277293018538009244777557.class - Access, Read
cscript.exe - Access
C:\Users\2XC7U6~1\AppData\Local\Temp\\hsperfdata_2XC7u663GxWc - Access
C:\Users\2XC7U6~1\AppData\Local\Temp\\hsperfdata_2XC7u663GxWc\3928 - Access
C:\Users\2XC7U6~1\AppData\Local\Temp\\hsperfdata_2XC7u663GxWc\4024 - Access
C:\Users\2XC7U6~1\AppData\Local\Temp\\hsperfdata_2XC7u663GxWc\656 MD5: fcd6bcb56c1689fcef28b57c22475bad
SHA1: 1adc95bebe9eea8c112d40cd04ab7a8d75c4f961
SHA256: de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31
SSDeep: 3::
ImpHash: None 		Access Created File
C:\Users\2XC7U6~1\AppData\Local\Temp\\hsperfdata_2XC7u663GxWc\860 MD5: fcd6bcb56c1689fcef28b57c22475bad
SHA1: 1adc95bebe9eea8c112d40cd04ab7a8d75c4f961
SHA256: de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31
SSDeep: 3::
ImpHash: None 		Access Created File
C:\Users\2XC7U6~1\AppData\Local\Temp\Retrive1162148989861803484.vbs MD5: a32c109297ed1ca155598cd295c26611
SHA1: dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
SHA256: 45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7
SSDeep: 6:jpxiFtqvAAT+geD5NaqZxLMTQQQavbx3la2Zp6djsyn:vmtqvAndZFcQU9lrXyjsyn
ImpHash: None 		Access, Write Created File
C:\Users\2XC7U6~1\AppData\Local\Temp\Retrive1360789152958718586.vbs - Access, Read
C:\Users\2XC7U6~1\AppData\Local\Temp\Retrive1625750400979200631.vbs MD5: a32c109297ed1ca155598cd295c26611
SHA1: dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
SHA256: 45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7
SSDeep: 6:jpxiFtqvAAT+geD5NaqZxLMTQQQavbx3la2Zp6djsyn:vmtqvAndZFcQU9lrXyjsyn
ImpHash: None 		Access, Write Created File
C:\Users\2XC7U6~1\AppData\Local\Temp\Retrive2955724691501239824.vbs MD5: 3bdfd33017806b85949b6faa7d4b98e4
SHA1: f92844fee69ef98db6e68931adfaa9a0a0f8ce66
SHA256: 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
SSDeep: 6:jpxiFtqvAAT+geD5NaqZxLMTrLavbx3laDH6djsyn:vmtqvAndZFcrG9lpjsyn
ImpHash: None 		Access, Read, Write Created File
C:\Users\2XC7U6~1\AppData\Local\Temp\Retrive3009091646390096651.vbs MD5: 3bdfd33017806b85949b6faa7d4b98e4
SHA1: f92844fee69ef98db6e68931adfaa9a0a0f8ce66
SHA256: 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
SSDeep: 6:jpxiFtqvAAT+geD5NaqZxLMTrLavbx3laDH6djsyn:vmtqvAndZFcrG9lpjsyn
ImpHash: None 		Access, Write Created File
C:\Users\2XC7U6~1\AppData\Local\Temp\Retrive3068316261550961408.vbs MD5: a32c109297ed1ca155598cd295c26611
SHA1: dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
SHA256: 45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7
SSDeep: 6:jpxiFtqvAAT+geD5NaqZxLMTQQQavbx3la2Zp6djsyn:vmtqvAndZFcQU9lrXyjsyn
ImpHash: None 		Access, Write Created File
C:\Users\2XC7U6~1\AppData\Local\Temp\Retrive3549377093237930864.vbs MD5: a32c109297ed1ca155598cd295c26611
SHA1: dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
SHA256: 45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7
SSDeep: 6:jpxiFtqvAAT+geD5NaqZxLMTQQQavbx3la2Zp6djsyn:vmtqvAndZFcQU9lrXyjsyn
ImpHash: None 		Access, Write Created File
C:\Users\2XC7U6~1\AppData\Local\Temp\Retrive4432003530389164433.vbs MD5: a32c109297ed1ca155598cd295c26611
SHA1: dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
SHA256: 45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7
SSDeep: 6:jpxiFtqvAAT+geD5NaqZxLMTQQQavbx3la2Zp6djsyn:vmtqvAndZFcQU9lrXyjsyn
ImpHash: None 		Access, Read, Write Created File
C:\Users\2XC7U6~1\AppData\Local\Temp\Retrive466295784543991919.vbs - Access
C:\Users\2XC7U6~1\AppData\Local\Temp\Retrive5186310507301951599.vbs - Access
C:\Users\2XC7U6~1\AppData\Local\Temp\Retrive7366168634408503799.vbs - Access
C:\Users\2XC7U6~1\AppData\Local\Temp\Retrive8453022226677560905.vbs MD5: a32c109297ed1ca155598cd295c26611
SHA1: dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
SHA256: 45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7
SSDeep: 6:jpxiFtqvAAT+geD5NaqZxLMTQQQavbx3la2Zp6djsyn:vmtqvAndZFcQU9lrXyjsyn
ImpHash: None 		Access, Read, Write Created File
C:\Users\2XC7U6~1\Desktop\Bissell New PO.qrypted.jar - Access, Read
C:\Windows\Sun\Java\lib\ext - Access
C:\Windows\Sun\Java\lib\ext\meta-index - Access
C:\Windows\system32 - Access
cscript.exe - Access
C:\Windows\System32\test.txt - Access
Registry (18)
»
Registry Key Name Operations
HKEY_CLASSES_ROOT\.vbs Access, Read
HKEY_CLASSES_ROOT\VBSFile\ScriptEngine Access, Read
HKEY_CURRENT_USER\Control Panel\Desktop Access, Read
HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics Access, Read
HKEY_CURRENT_USER\Software\Microsoft\Command Processor Access, Read
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings Access, Read
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Access, Read
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System Access
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\comdlg32 Access
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\comdlg32\PlacesBar Access
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Access, Read, Write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager Access, Read
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Access, Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor Access, Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting Access, Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes Access, Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings Access, Read
Domain (1)
»
Domain Sources
zgw5tdpu Function Log
IP (1)
»
IP Protocols Sources
185.227.83.34 TCP PCAP
Export IOCs
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image