Heavily Obfuscated JAR Drops Adwind RAT | VTI
Logo
Try VMRay Analyzer
VTI SCORE: 91/100
Dynamic Analysis Report
Classification: Hacktool, Trojan

fd86a9b0f3bcd1dc2b061bb7a77b3871cb6d101505218f763221ee9945e69bf3 (SHA256)

Bissell New PO.qrypted.jar

Java Archive

Created at 2018-07-19 09:49:00

...

Notifications (2/2)

Due to a WHOIS service error, no query could be made to get WHOIS data of any contacted domain.

The operating system was rebooted during the analysis.

Severity Category Operation Classification
4/5
File System Associated with malicious files Trojan
3/5
Anti Analysis Tries to detect the presence of antivirus software -
  • Tries to detect antivirus software via WMI query: "select * from antivirusproduct".
    ...
3/5
Anti Analysis Tries to detect firewall -
  • Tries to detect firewall via WMI query: "select * from firewallproduct".
    ...
2/5
Anti Analysis Resolves APIs dynamically to possibly evade static detection -
2/5
File System Associated with suspicious files Trojan, Hacktool
1/5
Network Performs DNS request -
1/5
Process Creates process with hidden window -
  • The process ""C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\2XC7U6~1\AppData\Local\Temp\_0.77866636596601243045465905282659207.class" starts with hidden window.
    ...
  • The process "cmd.exe /C cscript.exe C:\Users\2XC7U6~1\AppData\Local\Temp\Retrive2955724691501239824.vbs" starts with hidden window.
    ...
  • The process "cmd.exe /C cscript.exe C:\Users\2XC7U6~1\AppData\Local\Temp\Retrive3009091646390096651.vbs" starts with hidden window.
    ...
  • The process "cmd.exe /C cscript.exe C:\Users\2XC7U6~1\AppData\Local\Temp\Retrive4432003530389164433.vbs" starts with hidden window.
    ...
  • The process "cmd.exe /C cscript.exe C:\Users\2XC7U6~1\AppData\Local\Temp\Retrive8453022226677560905.vbs" starts with hidden window.
    ...
  • The process "xcopy "C:\Program Files\Java\jre7" "C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\" /e" starts with hidden window.
    ...
  • The process "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v NTMGCGGUKus /t REG_EXPAND_SZ /d "\"C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\2XC7u663GxWc\cqsFQOTqbmg\zoIZCxYZMIr.EAMkwm\"" /f" starts with hidden window.
    ...
  • The process "attrib +h "C:\Users\2XC7u663GxWc\cqsFQOTqbmg\*.*"" starts with hidden window.
    ...
  • The process "attrib +h "C:\Users\2XC7u663GxWc\cqsFQOTqbmg"" starts with hidden window.
    ...
  • The process "C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\2XC7u663GxWc\cqsFQOTqbmg\zoIZCxYZMIr.EAMkwm" starts with hidden window.
    ...
  • The process "C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\bin\java.exe -jar C:\Users\2XC7U6~1\AppData\Local\Temp\_0.080316539076114361006181509658991106.class" starts with hidden window.
    ...
  • The process "cmd.exe /C cscript.exe C:\Users\2XC7U6~1\AppData\Local\Temp\Retrive5186310507301951599.vbs" starts with hidden window.
    ...
  • The process "cmd.exe /C cscript.exe C:\Users\2XC7U6~1\AppData\Local\Temp\Retrive466295784543991919.vbs" starts with hidden window.
    ...
  • The process "cmd.exe /C cscript.exe C:\Users\2XC7U6~1\AppData\Local\Temp\Retrive1625750400979200631.vbs" starts with hidden window.
    ...
  • The process "cmd.exe /C cscript.exe C:\Users\2XC7U6~1\AppData\Local\Temp\Retrive3068316261550961408.vbs" starts with hidden window.
    ...
  • The process "C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\bin\java.exe -jar C:\Users\2XC7U6~1\AppData\Local\Temp\_0.98963488192277293018538009244777557.class" starts with hidden window.
    ...
  • The process "cmd.exe /C cscript.exe C:\Users\2XC7U6~1\AppData\Local\Temp\Retrive1360789152958718586.vbs" starts with hidden window.
    ...
  • The process "cmd.exe /C cscript.exe C:\Users\2XC7U6~1\AppData\Local\Temp\Retrive3549377093237930864.vbs" starts with hidden window.
    ...
  • The process "cmd.exe /C cscript.exe C:\Users\2XC7U6~1\AppData\Local\Temp\Retrive7366168634408503799.vbs" starts with hidden window.
    ...
  • The process "cmd.exe /C cscript.exe C:\Users\2XC7U6~1\AppData\Local\Temp\Retrive1162148989861803484.vbs" starts with hidden window.
    ...
1/5
File System Modifies operating system directory -
1/5
Persistence Installs system startup script or application -
  • Adds ""C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\bin\javaw.exe" -jar "C:\Users\2XC7u663GxWc\cqsFQOTqbmg\zoIZCxYZMIr.EAMkwm"" to Windows startup via registry.
    ...
1/5
Process Creates system object -
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image