jar.adwind (Back to overview)

AdWind

aka: AlienSpy, JSocket, Frutas, UNRECOM, JBifrost, Sockrat
URLhaus              

Part of Malware-as-service platform
Used as a generic name for Java-based RAT
Functionality
- collect general system and user information
- terminate process
-log keystroke
-take screenshot and access webcam
- steal cache password from local or web forms
- download and execute Malware
- modify registry
- download components
- Denial of Service attacks
- Acquire VPN certificates

Initial infection vector
1. Email to JAR files attached
2. Malspam URL to downlaod the malware

Persistence
- Runkey - HKCU\Software\Microsoft\Windows\current version\run

Hiding
Uses attrib.exe

Notes on Adwind
The malware is not known to be proxy aware

References
http://blog.trendmicro.com/trendlabs-security-intelligence/spam-remote-access-trojan-adwind-jrat
http://malware-traffic-analysis.net/2017/07/04/index.html
https://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html
https://blogs.seqrite.com/evolution-of-jrat-java-malware/
https://codemetrix.net/decrypting-adwind-jrat-jbifrost-trojan/
https://dissectingmalware.blogspot.com/2018/08/export-jratadwind-config-with-x32dbg.html
https://gist.github.com/herrcore/8336975475e88f9bc539d94000412885
https://research.checkpoint.com/malware-against-the-c-monoculture/
https://www.fortinet.com/blog/threat-research/new-jrat-adwind-variant-being-spread-with-package-delivery-scam.html
Yara Rules
[TLP:WHITE] jar_adwind_w0 (20170803 | Adwind RAT)
rule jar_adwind_w0 {
    meta:
        author="Asaf Aprozper, asafa AT minerva-labs.com"
        description = "Adwind RAT"
        reference = "https://minerva-labs.com/post/adwind-and-other-evasive-java-rats"
        last_modified = "2017-06-25"
        malpedia_version = "20170803"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $a0 = "META-INF/MANIFEST.MF"
        $a1 = /Main(\$)Q[0-9][0-9][0-9][0-9]/
        $PK = "PK"
    condition:
        $PK at 0 and $a0 and $a1
}
[TLP:WHITE] jar_adwind_w1 (20170803 | Alien Spy Remote Access Trojan)
rule jar_adwind_w1 {
    meta:
        description = "Alien Spy Remote Access Trojan"
        author = "General Dynamics Fidelis Cybersecurity Solutions - Threat Research Team"
        reference_1 = "www.fidelissecurity.com/sites/default/files/FTA_1015_Alienspy_FINAL.pdf"
        reference_2 = "www.fidelissecurity.com/sites/default/files/AlienSpy-Configs2_1_2.csv"
        date = "2015-04-04"
        filetype = "Java"
        hash_1 = "075fa0567d3415fbab3514b8aa64cfcb"
        hash_2 = "818afea3040a887f191ee9d0579ac6ed"
        hash_3 = "973de705f2f01e82c00db92eaa27912c"
        hash_4 = "7f838907f9cc8305544bd0ad4cfd278e"
        hash_5 = "071e12454731161d47a12a8c4b3adfea"
        hash_6 = "a7d50760d49faff3656903c1130fd20b"
        hash_7 = "f399afb901fcdf436a1b2a135da3ee39"
        hash_8 = "3698a3630f80a632c0c7c12e929184fb"
        hash_9 = "fdb674cadfa038ff9d931e376f89f1b6"
        malpedia_version = "20170803"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $sa_1 = "META-INF/MANIFEST.MF"
        $sa_2 = "Main.classPK"
        $sa_3 = "plugins/Server.classPK"
        $sa_4 = "IDPK"
	
        $sb_1 = "config.iniPK"
        $sb_2 = "password.iniPK"
        $sb_3 = "plugins/Server.classPK"
        $sb_4 = "LoadStub.classPK"
        $sb_5 = "LoadStubDecrypted.classPK"
        $sb_7 = "LoadPassword.classPK"
        $sb_8 = "DecryptStub.classPK"
        $sb_9 = "ClassLoaders.classPK"
	
        $sc_1 = "config.xml"
        $sc_2 = "options"
        $sc_3 = "plugins"
        $sc_4 = "util"
        $sc_5 = "util/OSHelper"
        $sc_6 = "Start.class"
        $sc_7 = "AlienSpy"

    condition:
        filesize < 800KB and ((all of ($sa_*)) or (all of ($sb_*)) or (all of ($sc_*)))
}
Download all Yara Rules