jar.adwind

AdWind

aka: AlienSpy, JSocket, Frutas, UNRECOM, JBifrost, Sockrat

Sold as part of a malware-as-a-service platform.
"Adwind" is also used as a generic name for this lineage of cross-platform Java-based RATs (see the aliases above).
Functionality
- collect general system and user information
- terminate processes
- log keystrokes
- take screenshots and access the webcam
- steal cached passwords from local applications and web forms
- download and execute additional malware
- modify the registry
- download additional components (plugins)
- launch denial-of-service attacks
- steal VPN certificates

Initial infection vector
1. Email with a JAR file attached
2. Malspam carrying a URL from which the JAR is downloaded

Persistence
- Run key - HKCU\Software\Microsoft\Windows\CurrentVersion\Run (value launches the dropped JAR via javaw.exe)

Hiding
Uses attrib.exe to set the hidden (and system) attributes on its dropped files.
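Added example (not from the original page and not code from any Adwind sample): a small detector that applies the persistence and hiding notes above to constructed, Sysmon-like process-creation and registry events. Field names, file paths and the Run value name are assumptions chosen for illustration; the rules flag a Run key value that launches a JAR through java/javaw, attrib.exe marking files under a user profile as hidden or system, and java/javaw executing a JAR from AppData, Downloads or Desktop.

```python
import re

# Constructed sample events (Sysmon-like shape; field names and paths are assumptions,
# not indicators taken from a real sample).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r'attrib +h +s "C:\Users\bob\AppData\Roaming\Oracle\bin\javaw.exe"'},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "UpdateSvc",
     "data": r'"C:\Users\bob\AppData\Roaming\Oracle\bin\javaw.exe" -jar "C:\Users\bob\AppData\Roaming\ahvndNkp.jar"'},
    {"type": "process", "image": r"C:\Program Files\Java\jre1.8.0_201\bin\javaw.exe",
     "cmdline": r'"C:\Program Files\Java\jre1.8.0_201\bin\javaw.exe" -jar "C:\Users\bob\Downloads\Invoice_2017.jar"'},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive",
     "data": r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "process", "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r"attrib -r C:\Users\bob\Documents\notes.txt"},
]

# Run key under any hive (the page notes HKCU; HKLM is matched too).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
# java.exe / javaw.exe followed by a -jar switch.
JAVA_JAR_RE = re.compile(r"\bjavaw?\.exe\b.*?\s-jar\s", re.I)
# Writable per-user locations where a dropped JAR typically lands.
USER_DIR_RE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.I)
# attrib switches that hide a file: +h (hidden) or +s (system).
ATTRIB_HIDE_RE = re.compile(r"(^|\s)\+[hs]\b", re.I)


def check_event(ev):
    """Return the list of rule names an event triggers (empty if benign)."""
    hits = []
    if ev["type"] == "registry" and RUN_KEY_RE.search(ev["key"]):
        data = ev["data"]
        if JAVA_JAR_RE.search(data) or data.lower().rstrip('"').endswith(".jar"):
            hits.append("run_key_jar")
    if ev["type"] == "process":
        image = ev["image"].lower()
        cmd = ev["cmdline"]
        if (image.endswith("\\attrib.exe") and ATTRIB_HIDE_RE.search(cmd)
                and USER_DIR_RE.search(cmd)):
            hits.append("attrib_hide_user_dir")
        if (image.endswith(("\\java.exe", "\\javaw.exe")) and JAVA_JAR_RE.search(cmd)
                and USER_DIR_RE.search(cmd)):
            hits.append("jar_from_user_dir")
    return hits


def scan(events):
    """Run every rule over a sequence of events; returns (event index, rule) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The attrib rule is restricted to user-profile paths because attrib.exe is also used legitimately by installers and scripts on system locations; the JAR rules fire on any JAR launched from a per-user directory, so in an environment where users legitimately run Java tools from Downloads the results should be reviewed rather than blocked on outright.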

Notes on Adwind
The malware is not known to be proxy-aware: it connects to its C2 directly, so hosts whose only route to the internet is an authenticated proxy may never check in.

References
https://www.fortinet.com/blog/threat-research/new-jrat-adwind-variant-being-spread-with-package-delivery-scam.html
http://blog.trendmicro.com/trendlabs-security-intelligence/spam-remote-access-trojan-adwind-jrat
http://malware-traffic-analysis.net/2017/07/04/index.html
https://codemetrix.net/decrypting-adwind-jrat-jbifrost-trojan/
https://gist.github.com/herrcore/8336975475e88f9bc539d94000412885
https://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html