SYMBOLCOMMON_NAMEaka. SYNONYMS
jar.adwind (Back to overview)

AdWind

aka: AlienSpy, JSocket, Frutas, UNRECOM, JBifrost, Sockrat
URLhaus              

Part of Malware-as-service platform
Used as a generic name for Java-based RAT
Functionality
- collect general system and user information
- terminate process
-log keystroke
-take screenshot and access webcam
- steal cache password from local or web forms
- download and execute Malware
- modify registry
- download components
- Denial of Service attacks
- Acquire VPN certificates

Initial infection vector
1. Email to JAR files attached
2. Malspam URL to downlaod the malware

Persistence
- Runkey - HKCU\Software\Microsoft\Windows\current version\run

Hiding
Uses attrib.exe

Notes on Adwind
The malware is not known to be proxy aware

References
2019-05-20Check PointBen Herzog
@online{herzog:20190520:malware:dac1524, author = {Ben Herzog}, title = {{Malware Against the C Monoculture}}, date = {2019-05-20}, organization = {Check Point}, url = {https://research.checkpoint.com/malware-against-the-c-monoculture/}, language = {English}, urldate = {2019-10-14} } Malware Against the C Monoculture
AdWind jRAT GhostMiner Zebrocy
2018-09-24Cisco TalosPaul Rascagnères, Vitor Ventura, Tomislav Pericin, Robert Perica
@online{rascagnres:20180924:adwind:9b737eb, author = {Paul Rascagnères and Vitor Ventura and Tomislav Pericin and Robert Perica}, title = {{Adwind Dodges AV via DDE}}, date = {2018-09-24}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html}, language = {English}, urldate = {2020-01-06} } Adwind Dodges AV via DDE
AdWind
2018-08-20Marco Ramilli's BlogMarco Ramilli
@online{ramilli:20180820:interesting:14ea764, author = {Marco Ramilli}, title = {{Interesting hidden threat since years ?}}, date = {2018-08-20}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2018/08/20/interesting-hidden-threat-since-years/}, language = {English}, urldate = {2019-12-23} } Interesting hidden threat since years ?
AdWind
2018-03-12Github (herrcore)Sergei Frankoff
@online{frankoff:20180312:python:eb6b9f5, author = {Sergei Frankoff}, title = {{Python decryptor for newer AdWind config file}}, date = {2018-03-12}, organization = {Github (herrcore)}, url = {https://gist.github.com/herrcore/8336975475e88f9bc539d94000412885}, language = {English}, urldate = {2020-01-09} } Python decryptor for newer AdWind config file
AdWind
2018-02-16FortinetXiaopeng Zhang
@online{zhang:20180216:new:2b24e6b, author = {Xiaopeng Zhang}, title = {{New jRAT/Adwind Variant Being Spread With Package Delivery Scam}}, date = {2018-02-16}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/new-jrat-adwind-variant-being-spread-with-package-delivery-scam.html}, language = {English}, urldate = {2020-01-06} } New jRAT/Adwind Variant Being Spread With Package Delivery Scam
AdWind
2017-10-03SeqritePavankumar Chaudhari
@online{chaudhari:20171003:evolution:5462d67, author = {Pavankumar Chaudhari}, title = {{Evolution of jRAT JAVA Malware}}, date = {2017-10-03}, organization = {Seqrite}, url = {https://blogs.seqrite.com/evolution-of-jrat-java-malware/}, language = {English}, urldate = {2020-01-06} } Evolution of jRAT JAVA Malware
AdWind
2017-07-11Trend MicroRubio Wu, Marshall Chen
@online{wu:20170711:spam:87ce008, author = {Rubio Wu and Marshall Chen}, title = {{Spam Campaign Delivers Cross-platform Remote Access Trojan Adwind}}, date = {2017-07-11}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/spam-remote-access-trojan-adwind-jrat}, language = {English}, urldate = {2020-01-06} } Spam Campaign Delivers Cross-platform Remote Access Trojan Adwind
AdWind
2017-07-04Malware Traffic AnalysisBrad Duncan
@online{duncan:20170704:malspam:3713609, author = {Brad Duncan}, title = {{MALSPAM WITH JAVA-BASED RAT}}, date = {2017-07-04}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/07/04/index.html}, language = {English}, urldate = {2020-01-10} } MALSPAM WITH JAVA-BASED RAT
AdWind
2015-12-08The CitizenlabJohn Scott-Railton, Morgan Marquis-Boire, Claudio Guarnieri, Marion Marschalek
@online{scottrailton:20151208:packrat:5f9bffa, author = {John Scott-Railton and Morgan Marquis-Boire and Claudio Guarnieri and Marion Marschalek}, title = {{Packrat: Seven Years of a South American Threat Actor}}, date = {2015-12-08}, organization = {The Citizenlab}, url = {https://citizenlab.ca/2015/12/packrat-report/}, language = {English}, urldate = {2020-05-18} } Packrat: Seven Years of a South American Threat Actor
AdWind Adzok CyberGate Xtreme RAT Packrat
Yara Rules
[TLP:WHITE] jar_adwind_w0 (20170803 | Adwind RAT)
rule jar_adwind_w0 {
    meta:
        author="Asaf Aprozper, asafa AT minerva-labs.com"
        description = "Adwind RAT"
        reference = "https://minerva-labs.com/post/adwind-and-other-evasive-java-rats"
        last_modified = "2017-06-25"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/jar.adwind"
        malpedia_version = "20170803"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $a0 = "META-INF/MANIFEST.MF"
        $a1 = /Main(\$)Q[0-9][0-9][0-9][0-9]/
        $PK = "PK"
    condition:
        $PK at 0 and $a0 and $a1
}
[TLP:WHITE] jar_adwind_w1 (20170803 | Alien Spy Remote Access Trojan)
rule jar_adwind_w1 {
    meta:
        description = "Alien Spy Remote Access Trojan"
        author = "General Dynamics Fidelis Cybersecurity Solutions - Threat Research Team"
        reference_1 = "www.fidelissecurity.com/sites/default/files/FTA_1015_Alienspy_FINAL.pdf"
        reference_2 = "www.fidelissecurity.com/sites/default/files/AlienSpy-Configs2_1_2.csv"
        date = "2015-04-04"
        filetype = "Java"
        hash_1 = "075fa0567d3415fbab3514b8aa64cfcb"
        hash_2 = "818afea3040a887f191ee9d0579ac6ed"
        hash_3 = "973de705f2f01e82c00db92eaa27912c"
        hash_4 = "7f838907f9cc8305544bd0ad4cfd278e"
        hash_5 = "071e12454731161d47a12a8c4b3adfea"
        hash_6 = "a7d50760d49faff3656903c1130fd20b"
        hash_7 = "f399afb901fcdf436a1b2a135da3ee39"
        hash_8 = "3698a3630f80a632c0c7c12e929184fb"
        hash_9 = "fdb674cadfa038ff9d931e376f89f1b6"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/jar.adwind"
        malpedia_version = "20170803"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $sa_1 = "META-INF/MANIFEST.MF"
        $sa_2 = "Main.classPK"
        $sa_3 = "plugins/Server.classPK"
        $sa_4 = "IDPK"
	
        $sb_1 = "config.iniPK"
        $sb_2 = "password.iniPK"
        $sb_3 = "plugins/Server.classPK"
        $sb_4 = "LoadStub.classPK"
        $sb_5 = "LoadStubDecrypted.classPK"
        $sb_7 = "LoadPassword.classPK"
        $sb_8 = "DecryptStub.classPK"
        $sb_9 = "ClassLoaders.classPK"
	
        $sc_1 = "config.xml"
        $sc_2 = "options"
        $sc_3 = "plugins"
        $sc_4 = "util"
        $sc_5 = "util/OSHelper"
        $sc_6 = "Start.class"
        $sc_7 = "AlienSpy"

    condition:
        filesize < 800KB and ((all of ($sa_*)) or (all of ($sb_*)) or (all of ($sc_*)))
}
Download all Yara Rules