jar.adwind

AdWind

aka: AlienSpy, JSocket, Frutas, UNRECOM, JBifrost, Sockrat

Part of a Malware-as-a-Service platform.
The name is also used generically for Java-based RATs.
Functionality
- collect general system and user information
- terminate processes
- log keystrokes
- take screenshots and access the webcam
- steal cached passwords from local applications or web forms
- download and execute further malware
- modify the registry
- download components
- denial of service attacks
- acquire VPN certificates

Initial infection vector
1. Email with a JAR file attached
2. Malspam containing a URL to download the malware

Persistence
- Run key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Hiding
Uses attrib.exe

Notes on Adwind
The malware is not known to be proxy aware

References
2021-11-23 - HP - Patrick Schläpfer
RATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild
Tags: AdWind, Ratty, STRRAT, CloudEyE, Formbook, Houdini, Panda Stealer, Remcos
2021-09-03 - Trend Micro - Mohamad Mokbel
The State of SSL/TLS Certificate Usage in Malware C&C Communications
Tags: AdWind, ostap, AsyncRAT, BazarBackdoor, BitRAT, Buer, Chthonic, CloudEyE, Cobalt Strike, DCRat, Dridex, FindPOS, GootKit, Gozi, IcedID, ISFB, Nanocore RAT, Orcus RAT, PandaBanker, Qadars, QakBot, Quasar RAT, Rockloader, ServHelper, Shifu, SManager, TorrentLocker, TrickBot, Vawtrak, Zeus, Zloader
2020-07-30 - Spamhaus - Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q2 2020
Tags: AdWind, Agent Tesla, Arkei Stealer, AsyncRAT, Ave Maria, Azorult, DanaBot, Emotet, IcedID, ISFB, KPOT Stealer, Loki Password Stealer (PWS), Nanocore RAT, NetWire RC, NjRAT, Pony, Raccoon, RedLine Stealer, Remcos, Zloader
2020-06-28 - Security-in-Bits - Security-in-Bits
Interesting tactic by Ratty & Adwind for distribution of JAR appended to signed MSI
Tags: AdWind, Ratty
2020-04-29 - Zscaler - Sudeep Singh
Compromised Wordpress sites used to distribute Adwind RAT
Tags: AdWind
2019-05-20 - Check Point - Ben Herzog
Malware Against the C Monoculture
Tags: AdWind, jRAT, GhostMiner, Zebrocy
2018-09-24 - Cisco Talos - Paul Rascagnères, Robert Perica, Tomislav Pericin, Vitor Ventura
Adwind Dodges AV via DDE
Tags: AdWind
2018-08-20 - Marco Ramilli's Blog - Marco Ramilli
Interesting hidden threat since years ?
Tags: AdWind
2018-03-12 - Github (herrcore) - Sergei Frankoff
Python decryptor for newer AdWind config file
Tags: AdWind
2018-02-16 - Fortinet - Xiaopeng Zhang
New jRAT/Adwind Variant Being Spread With Package Delivery Scam
Tags: AdWind
2017-10-03 - Seqrite - Pavankumar Chaudhari
Evolution of jRAT JAVA Malware
Tags: AdWind
2017-07-11 - Trend Micro - Marshall Chen, Rubio Wu
Spam Campaign Delivers Cross-platform Remote Access Trojan Adwind
Tags: AdWind
2017-07-04 - Malware Traffic Analysis - Brad Duncan
MALSPAM WITH JAVA-BASED RAT
Tags: AdWind
2015-12-08 - The Citizenlab - Claudio Guarnieri, John Scott-Railton, Marion Marschalek, Morgan Marquis-Boire
Packrat: Seven Years of a South American Threat Actor
Tags: AdWind, Adzok, CyberGate, Xtreme RAT, Packrat
Yara Rules
[TLP:WHITE] jar_adwind_w0 (20170803 | Adwind RAT)
rule jar_adwind_w0 {
    meta:
        author = "Asaf Aprozper, asafa AT minerva-labs.com"
        description = "Adwind RAT"
        reference = "https://minerva-labs.com/post/adwind-and-other-evasive-java-rats"
        last_modified = "2017-06-25"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/jar.adwind"
        malpedia_version = "20170803"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $a0 = "META-INF/MANIFEST.MF"
        $a1 = /Main(\$)Q[0-9][0-9][0-9][0-9]/
        $PK = "PK"
    condition:
        $PK at 0 and $a0 and $a1
}
[TLP:WHITE] jar_adwind_w1 (20170803 | Alien Spy Remote Access Trojan)
rule jar_adwind_w1 {
    meta:
        description = "Alien Spy Remote Access Trojan"
        author = "General Dynamics Fidelis Cybersecurity Solutions - Threat Research Team"
        reference = "www.fidelissecurity.com/sites/default/files/FTA_1015_Alienspy_FINAL.pdf"
        reference = "www.fidelissecurity.com/sites/default/files/AlienSpy-Configs2_1_2.csv"
        date = "2015-04-04"
        filetype = "Java"
        hash = "075fa0567d3415fbab3514b8aa64cfcb"
        hash = "818afea3040a887f191ee9d0579ac6ed"
        hash = "973de705f2f01e82c00db92eaa27912c"
        hash = "7f838907f9cc8305544bd0ad4cfd278e"
        hash = "071e12454731161d47a12a8c4b3adfea"
        hash = "a7d50760d49faff3656903c1130fd20b"
        hash = "f399afb901fcdf436a1b2a135da3ee39"
        hash = "3698a3630f80a632c0c7c12e929184fb"
        hash = "fdb674cadfa038ff9d931e376f89f1b6"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/jar.adwind"
        malpedia_version = "20170803"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $sa_1 = "META-INF/MANIFEST.MF"
        $sa_2 = "Main.classPK"
        $sa_3 = "plugins/Server.classPK"
        $sa_4 = "IDPK"
        $sb_1 = "config.iniPK"
        $sb_2 = "password.iniPK"
        $sb_3 = "plugins/Server.classPK"
        $sb_4 = "LoadStub.classPK"
        $sb_5 = "LoadStubDecrypted.classPK"
        $sb_7 = "LoadPassword.classPK"
        $sb_8 = "DecryptStub.classPK"
        $sb_9 = "ClassLoaders.classPK"
        $sc_1 = "config.xml"
        $sc_2 = "options"
        $sc_3 = "plugins"
        $sc_4 = "util"
        $sc_5 = "util/OSHelper"
        $sc_6 = "Start.class"
        $sc_7 = "AlienSpy"

    condition:
        filesize < 800KB and ((all of ($sa_*)) or (all of ($sb_*)) or (all of ($sc_*)))
}
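The string and condition logic of the two rules above, re-implemented in plain Python and exercised against JAR files built in memory, as an added example that is neither Malpedia's tooling nor the rule authors' code. The entry names and file contents below are constructed for the demonstration; the helper names (build_jar, match_adwind_w0, match_adwind_w1, scan_jar) are this example's own. It shows why the w1 strings end in "PK": a ZIP entry name in the central directory is immediately followed by the next record's "PK" signature, so "Main.classPK" only matches an entry named exactly Main.class with no extra field or comment. In production the rules are compiled and applied with YARA itself (for example through yara-python); this script is a readable model of the conditions, not a replacement.

```python
"""Plain-Python model of the Malpedia rules jar_adwind_w0 and jar_adwind_w1
(added example, not the rule authors' or Malpedia's code). Run against
constructed in-memory JARs so it works offline."""
import io
import re
import zipfile

# $a1 = /Main(\$)Q[0-9][0-9][0-9][0-9]/ from jar_adwind_w0, as a byte regex
W0_CLASS_RE = re.compile(rb"Main(\$)Q[0-9][0-9][0-9][0-9]")

# String groups of jar_adwind_w1, copied from the rule text above.
W1_SA = [b"META-INF/MANIFEST.MF", b"Main.classPK", b"plugins/Server.classPK", b"IDPK"]
W1_SB = [b"config.iniPK", b"password.iniPK", b"plugins/Server.classPK",
         b"LoadStub.classPK", b"LoadStubDecrypted.classPK", b"LoadPassword.classPK",
         b"DecryptStub.classPK", b"ClassLoaders.classPK"]
W1_SC = [b"config.xml", b"options", b"plugins", b"util", b"util/OSHelper",
         b"Start.class", b"AlienSpy"]


def match_adwind_w0(data: bytes) -> bool:
    """condition: $PK at 0 and $a0 and $a1"""
    return (data.startswith(b"PK")                  # $PK at offset 0 (ZIP magic)
            and b"META-INF/MANIFEST.MF" in data      # $a0
            and W0_CLASS_RE.search(data) is not None)  # $a1


def match_adwind_w1(data: bytes) -> bool:
    """condition: filesize < 800KB and (all of sa or all of sb or all of sc)"""
    if len(data) >= 800 * 1024:
        return False
    return any(all(s in data for s in group) for group in (W1_SA, W1_SB, W1_SC))


def scan_jar(data: bytes) -> dict:
    """Return which of the two modelled rules fire on the given bytes."""
    return {"jar_adwind_w0": match_adwind_w0(data),
            "jar_adwind_w1": match_adwind_w1(data)}


def build_jar(entries: dict) -> bytes:
    """Build a stored (uncompressed) ZIP/JAR in memory from {name: bytes}.
    Constructed test fixture; entry names are chosen to exercise the rules."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


MANIFEST = b"Manifest-Version: 1.0\r\nCreated-By: constructed\r\n"
CLASS_STUB = b"\xca\xfe\xba\xbe\x00\x00\x00\x34"  # class-file magic, constructed

# Constructed sample mirroring the Main$Qnnnn class naming that w0 looks for.
W0_STYLE_JAR = build_jar({"META-INF/MANIFEST.MF": MANIFEST,
                          "Main$Q1234.class": CLASS_STUB,
                          "a/b.class": CLASS_STUB})

# Constructed sample with the entry names of the w1 $sa_* group.
W1_STYLE_JAR = build_jar({"META-INF/MANIFEST.MF": MANIFEST,
                          "Main.class": CLASS_STUB,
                          "plugins/Server.class": CLASS_STUB,
                          "ID": b"0000"})

# Constructed benign JAR: manifest plus an ordinary application class.
BENIGN_JAR = build_jar({"META-INF/MANIFEST.MF": MANIFEST,
                        "com/example/App.class": CLASS_STUB})

if __name__ == "__main__":
    for label, blob in (("w0-style", W0_STYLE_JAR), ("w1-style", W1_STYLE_JAR),
                        ("benign", BENIGN_JAR)):
        print(label, scan_jar(blob))
```

The two rules are independent: the first sample fires only w0 (its class is Main$Q1234, not Main.class), the second only w1, and the benign JAR fires neither. Because "options", "plugins" and "util" in the $sc_* group are short substrings, a real scan should rely on all of the group being present, as the rule's condition does, rather than on any one of them.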