Name on Threat:
Adwind
Threat Vector:
Email
IOC Hash:
SHA256: 80e9b768f26d4ae99215020804c2f1d22993dcef2b962d35d08af37f02416dbb

Description

Adwind is a backdoor written in Java that arrives through spam email. It is a cross-platform Remote Access Tool (RAT) that can run on Windows, Mac OS, Linux and Android. The malware is sold on the dark web and has previously been used by attackers to target banks. It is also known under the names AlienSpy, Frutas, Unrecom, Sockrat, JSocket and jRat.

Below is the list of capabilities of the Adwind malware:

  • Collect general system and user information
  • Terminate running processes
  • Log keystrokes
  • Take screenshots and access the webcam
  • Steal cached passwords and grab data from web forms
  • Download and execute other malware
  • Modify registry entries
  • Download additional malicious components
  • Play audio or record sound from a microphone

Technical Overview:

1. The malware arrives as an attachment in a spam email.

2. When executed, it creates a folder with a random name in the user directory, then drops and executes a copy of itself from there.

3. It also creates an autostart registry key for persistence.

4. It adds the following registry entries to prevent AV processes or analysis tools from starting. Setting a Debugger value under an Image File Execution Options (IFEO) subkey makes Windows launch the named "debugger" instead of the target image; pointing it at svchost.exe means the target never runs:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%Filename of Target Exe%]

"debugger"="svchost.exe"

%Filename of Target Exe% is a placeholder for the image name of the process to be blocked. The names the sample uses, all of them security products or analysis tools, are listed below, grouped under the product label the sample's own configuration (dumped further down) assigns to them:

Process Hacker: ProcessHacker.exe
MsConfig: procexp.exe
Windows Defender: MSASCui.exe, MsMpEng.exe, MpUXSrv.exe, MpCmdRun.exe, NisSrv.exe, ConfigSecurityPolicy.exe
Process Explorer: procexp.exe
Wireshark: wireshark.exe, tshark.exe, text2pcap.exe, rawshark.exe, mergecap.exe, editcap.exe, dumpcap.exe, capinfos.exe
MalwareBytes: mbam.exe, mbamscheduler.exe, mbamservice.exe
Ad-Aware Antivirus: AdAwareService.exe, AdAwareTray.exe, WebCompanion.exe, AdAwareDesktop.exe
Ahnlab V3 Internet Security 8.0: V3Main.exe, V3Svc.exe, V3Up.exe, V3SP.exe, V3Proxy.exe, V3Medic.exe
Bull Guard Antivirus: BgScan.exe, BullGuard.exe, BullGuardBhvScanner.exe, BullGuarScanner.exe, LittleHook.exe, BullGuardUpdate.exe
ClamWin Antivirus: clamscan.exe, ClamTray.exe, ClamWin.exe
COMODO Antivirus: cis.exe, CisTray.exe, cmdagent.exe, cavwp.exe, dragon_updater.exe
EScan Antivirus: MWAGENT.EXE, MWASER.EXE, CONSCTLX.EXE, avpmapp.exe, econceal.exe, escanmon.exe, escanpro.exe, TRAYSSER.EXE, TRAYICOS.EXE, econser.exe, VIEWTCP.EXE
F-Secure Antivirus: FSHDLL64.exe, fsgk32.exe, fshoster32.exe, FSMA32.EXE, fsorsp.exe, fssm32.exe, FSM32.EXE, trigger.exe
F-PROT Antivirus: FProtTray.exe, FPWin.exe, FPAVServer.exe
G DATA Antivirus: AVK.exe, GdBgInx64.exe, AVKProxy.exe, GDScan.exe, AVKWCtlx64.exe, AVKService.exe, AVKTray.exe, GDKBFltExe32.exe, GDSC.exe
IKARUS Antivirus: virusutilities.exe, guardxservice.exe, guardxkickoff_x64.exe
Immunet Antivirus: iptray.exe, freshclam.exe, freshclamwrap.exe
K7 Ultimate Antivirus: K7RTScan.exe, K7FWSrvc.exe, K7PSSrvc.exe, K7EmlPxy.EXE, K7TSecurity.exe, K7AVScan.exe, K7CrvSvc.exe, K7SysMon.Exe, K7TSMain.exe, K7TSMngr.exe
NANO Antivirus: nanosvc.exe, nanoav.exe
Norman Antivirus: nnf.exe, nvcsvc.exe, nbrowser.exe, nseupdatesvc.exe, nfservice.exe, nwscmon.exe, njeeves2.exe, nvcod.exe, nvoy.exe, zlhh.exe, Zlh.exe, nprosec.exe, Zanda.exe
Norton Internet Security: NS.exe
Outpost Security Suite Pro: acs.exe, op_mon.exe
Panda Antivirus: PSANHost.exe, PSUAMain.exe, PSUAService.exe, AgentSvc.exe
Quick Heal Antivirus: BDSSVC.EXE, EMLPROXY.EXE, OPSSVC.EXE, ONLINENT.EXE, QUHLPSVC.EXE, SAPISSVC.EXE, SCANNER.EXE, SCANWSCS.EXE, scproxysrv.exe, ScSecSvc.exe
SUPER Anti-Spyware: SUPERAntiSpyware.exe, SASCore64.exe, SSUpdate64.exe, SUPERDelete.exe, SASTask.exe
Trend Micro Antivirus+: uiWinMgr.exe, uiWatchDog.exe, uiSeAgnt.exe, PtWatchDog.exe, PtSvcHost.exe, PtSessionAgent.exe, coreFrameworkHost.exe, coreServiceShell.exe, uiUpdateTray.exe
VIPRE Security 2015: VIPREUI.exe, SBAMSvc.exe, SBAMTray.exe, SBPIMSvc.exe
Baidu Antivirus 2015: bavhm.exe, BavSvc.exe, BavTray.exe, Bav.exe, BavWebClient.exe, BavUpdater.exe
MCShield Anti-Malware Tool: MCShieldCCC.exe, MCShieldRTM.exe, MCShieldDS.exe, MCS-Uninstall.exe
SPYBOT AntiMalware: SDScan.exe, SDFSSvc.exe, SDWelcome.exe, SDTray.exe
UnThreat Antivirus: UnThreat.exe, utsvc.exe
FortiClient: FortiClient.exe, fcappdb.exe, FCDBlog.exe, FCHelper64.exe, fmon.exe, FortiESNAC.exe, FortiProxy.exe, FortiSSLVPNdaemon.exe, FortiTray.exe, FortiFW.exe, FortiClient_Diagnostic_Tool.exe, av_task.exe
Twister Antivirus: CertReg.exe, FilMsg.exe, FilUp.exe, filwscc.exe, psview.exe, quamgr.exe, schmgr.exe, twsscan.exe, twssrv.exe, UserReg.exe

5. It also tries to terminate these processes if it finds them running.

6. It communicates with its C2 server over TLSv1.2.

7. Once communication is established, it exfiltrates data and may download additional payloads, such as other malware, to the infected system.

Other Information

Dumped configuration file of Adwind

{
  "NETWORK": [{"PORT": 1010, "DNS": "185.75.59.253"}],
  "INSTALL": true,
  "MODULE_PATH": "TZ/lmS/a.uB",
  "PLUGIN_FOLDER": "aUVnOWFBQkn",
  "JRE_FOLDER": "LOHZgW",
  "JAR_FOLDER": "JnpronDXwkD",
  "JAR_EXTENSION": "hneTIZ",
  "ENCRYPT_KEY": "HAcSNRrrdXUWJieONrQYoghbh",
  "DELAY_INSTALL": 2,
  "NICKNAME": "1",
  "VMWARE": false,
  "PLUGIN_EXTENSION": "JceSJ",
  "WEBSITE_PROJECT": "https://jrat.io",
  "JAR_NAME": "MGPBtRBLZuK",
  "SECURITY": [
    {"REG": [{"VALUE": "\"DisableConfig\"=dword:00000001\r\n\"DisableSR\"=dword:00000001\r\n", "KEY": "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore]"}], "NAME": "Restore System"},
    {"PROCESS": ["ProcessHacker.exe"], "NAME": "Process Hacker"},
    {"PROCESS": ["procexp.exe"], "NAME": "MsConfig"},
    {"PROCESS": ["MSASCui.exe", "MsMpEng.exe", "MpUXSrv.exe", "MpCmdRun.exe", "NisSrv.exe", "ConfigSecurityPolicy.exe"], "NAME": "Windows Defender"},
    {"PROCESS": ["procexp.exe"], "NAME": "Process Explorer"},
    {"PROCESS": ["wireshark.exe", "tshark.exe", "text2pcap.exe", "rawshark.exe", "mergecap.exe", "editcap.exe", "dumpcap.exe", "capinfos.exe"], "NAME": "Wireshark"},
    {"PROCESS": ["mbam.exe", "mbamscheduler.exe", "mbamservice.exe"], "NAME": "MalwareBytes"},
    {"PROCESS": ["AdAwareService.exe", "AdAwareTray.exe", "WebCompanion.exe", "AdAwareDesktop.exe"], "NAME": "Ad-Aware Antivirus"},
    {"PROCESS": ["V3Main.exe", "V3Svc.exe", "V3Up.exe", "V3SP.exe", "V3Proxy.exe", "V3Medic.exe"], "NAME": "Ahnlab V3 Internet Security 8.0"},
    {"PROCESS": ["BgScan.exe", "BullGuard.exe", "BullGuardBhvScanner.exe", "BullGuarScanner.exe", "LittleHook.exe", "BullGuardUpdate.exe"], "NAME": "Bull Guard Antivirus"},
    {"PROCESS": ["clamscan.exe", "ClamTray.exe", "ClamWin.exe"], "NAME": "ClamWin Antivirus"},
    {"PROCESS": ["cis.exe", "CisTray.exe", "cmdagent.exe", "cavwp.exe", "dragon_updater.exe"], "NAME": "COMODO Antivirus"},
    {"PROCESS": ["MWAGENT.EXE", "MWASER.EXE", "CONSCTLX.EXE", "avpmapp.exe", "econceal.exe", "escanmon.exe", "escanpro.exe", "TRAYSSER.EXE", "TRAYICOS.EXE", "econser.exe", "VIEWTCP.EXE"], "NAME": "EScan Antivirus"},
    {"PROCESS": ["FSHDLL64.exe", "fsgk32.exe", "fshoster32.exe", "FSMA32.EXE", "fsorsp.exe", "fssm32.exe", "FSM32.EXE", "trigger.exe"], "NAME": "F-Secure Antivirus"},
    {"PROCESS": ["FProtTray.exe", "FPWin.exe", "FPAVServer.exe"], "NAME": "F-PROT Antivirus"},
    {"PROCESS": ["AVK.exe", "GdBgInx64.exe", "AVKProxy.exe", "GDScan.exe", "AVKWCtlx64.exe", "AVKService.exe", "AVKTray.exe", "GDKBFltExe32.exe", "GDSC.exe"], "NAME": "G DATA Antivirus"},
    {"PROCESS": ["virusutilities.exe", "guardxservice.exe", "guardxkickoff_x64.exe"], "NAME": "IKARUS Antivirus"},
    {"PROCESS": ["iptray.exe", "freshclam.exe", "freshclamwrap.exe"], "NAME": "Immunet Antivirus"},
    {"PROCESS": ["K7RTScan.exe", "K7FWSrvc.exe", "K7PSSrvc.exe", "K7EmlPxy.EXE", "K7TSecurity.exe", "K7AVScan.exe", "K7CrvSvc.exe", "K7SysMon.Exe", "K7TSMain.exe", "K7TSMngr.exe"], "NAME": "K7 Ultimate Antivirus"},
    {"PROCESS": ["nanosvc.exe", "nanoav.exe"], "NAME": "NANO Antivirus"},
    {"PROCESS": ["nnf.exe", "nvcsvc.exe", "nbrowser.exe", "nseupdatesvc.exe", "nfservice.exe", "nwscmon.exe", "njeeves2.exe", "nvcod.exe", "nvoy.exe", "zlhh.exe", "Zlh.exe", "nprosec.exe", "Zanda.exe"], "NAME": "Norman Antivirus"},
    {"PROCESS": ["NS.exe"], "NAME": "Norton Internet Security"},
    {"PROCESS": ["acs.exe", "op_mon.exe"], "NAME": "Outpost ASecurity Suite Pro"},
    {"PROCESS": ["PSANHost.exe", "PSUAMain.exe", "PSUAService.exe", "AgentSvc.exe"], "NAME": "Panda Antivirus"},
    {"PROCESS": ["BDSSVC.EXE", "EMLPROXY.EXE", "OPSSVC.EXE", "ONLINENT.EXE", "QUHLPSVC.EXE", "SAPISSVC.EXE", "SCANNER.EXE", "SCANWSCS.EXE", "scproxysrv.exe", "ScSecSvc.exe"], "NAME": "Quick Heal Antivirus"},
    {"PROCESS": ["SUPERAntiSpyware.exe", "SASCore64.exe", "SSUpdate64.exe", "SUPERDelete.exe", "SASTask.exe"], "NAME": "SUPER Anti-Spyware"},
    {"PROCESS": ["K7RTScan.exe", "K7FWSrvc.exe", "K7PSSrvc.exe", "K7EmlPxy.EXE", "K7TSecurity.exe", "K7AVScan.exe", "K7CrvSvc.exe", "K7SysMon.Exe", "K7TSMain.exe", "K7TSMngr.exe"], "NAME": "K7 Ultimate Antivirus"},
    {"PROCESS": ["uiWinMgr.exe", "uiWatchDog.exe", "uiSeAgnt.exe", "PtWatchDog.exe", "PtSvcHost.exe", "PtSessionAgent.exe", "coreFrameworkHost.exe", "coreServiceShell.exe", "uiUpdateTray.exe"], "NAME": "Trend Micro Antivirus+"},
    {"PROCESS": ["VIPREUI.exe", "SBAMSvc.exe", "SBAMTray.exe", "SBPIMSvc.exe"], "NAME": "VIPRE Security 2015"},
    {"PROCESS": ["bavhm.exe", "BavSvc.exe", "BavTray.exe", "Bav.exe", "BavWebClient.exe", "BavUpdater.exe"], "NAME": "Baidu Antivirus 2015"},
    {"PROCESS": ["MCShieldCCC.exe", "MCShieldRTM.exe", "MCShieldDS.exe", "MCS-Uninstall.exe"], "NAME": "MCShield Anti-Malware Tool"},
    {"PROCESS": ["SDScan.exe", "SDFSSvc.exe", "SDWelcome.exe", "SDTray.exe"], "NAME": "SPYBOT AntiMalware"},
    {"PROCESS": ["UnThreat.exe", "utsvc.exe"], "NAME": "UnThreat Antivirus"},
    {"PROCESS": ["FortiClient.exe", "fcappdb.exe", "FCDBlog.exe", "FCHelper64.exe", "fmon.exe", "FortiESNAC.exe", "FortiProxy.exe", "FortiSSLVPNdaemon.exe", "FortiTray.exe", "FortiFW.exe", "FortiClient_Diagnostic_Tool.exe", "av_task.exe"], "NAME": "FortiClient"},
    {"PROCESS": ["CertReg.exe", "FilMsg.exe", "FilUp.exe", "filwscc.exe", "filwscc.exe", "psview.exe", "quamgr.exe", "quamgr.exe", "schmgr.exe", "schmgr.exe", "twsscan.exe", "twssrv.exe", "UserReg.exe"], "NAME": "Twister Antivirus"}
  ],
  "JAR_REGISTRY": "GPJLxQgafwm",
  "DELAY_CONNECT": 2,
  "SECURITY_TIMES": 1,
  "VBOX": false
}
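The dumped configuration is the single source for both the IFEO-based AV blocking described in step 4 of the technical overview and the C2 address, so an analyst can turn it straight into host and network checks. The Python below is an added example, not Cyphort's tooling or code from the Adwind sample: it parses an excerpt of the configuration shown above (structure and values are the page's; the SECURITY list is trimmed to four entries), decodes the .reg-style VALUE field, derives the IFEO subkeys the sample would write, and audits a constructed host snapshot of IFEO Debugger values for the svchost.exe pattern. The snapshot format (image name, debugger value) and the function names are assumptions of this example.

```python
import json
import re
from typing import Dict, List, Tuple

# Excerpt of the Adwind configuration dumped on this page. Structure and values
# are the page's; only the SECURITY list has been trimmed to four entries here.
ADWIND_CONFIG = r'''{
"NETWORK":[{"PORT":1010,"DNS":"185.75.59.253"}],
"SECURITY":[
 {"REG":[{"VALUE":"\"DisableConfig\"=dword:00000001\r\n\"DisableSR\"=dword:00000001\r\n","KEY":"[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore]"}],"NAME":"Restore System"},
 {"PROCESS":["ProcessHacker.exe"],"NAME":"Process Hacker"},
 {"PROCESS":["MSASCui.exe","MsMpEng.exe","MpUXSrv.exe","MpCmdRun.exe","NisSrv.exe","ConfigSecurityPolicy.exe"],"NAME":"Windows Defender"},
 {"PROCESS":["wireshark.exe","tshark.exe","dumpcap.exe"],"NAME":"Wireshark"}
]}'''

# Registry path under which the sample writes its Debugger values (from step 4).
IFEO_BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
# Debugger value the page reports the sample setting for every targeted image.
ADWIND_DEBUGGER = "svchost.exe"

# One .reg-style line as found in SECURITY[].REG[].VALUE: "Name"=dword:00000001
REG_DWORD_LINE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{1,8})$')


def parse_config(text: str) -> dict:
    """Parse the dumped Adwind configuration; once extracted it is plain JSON."""
    return json.loads(text)


def network_iocs(cfg: dict) -> List[Tuple[str, int]]:
    """C2 endpoints as (host, port) pairs taken from the NETWORK array."""
    return [(n["DNS"], int(n["PORT"])) for n in cfg.get("NETWORK", [])]


def _process_entries(cfg: dict):
    """Yield (image_name, product_label) for every PROCESS entry in SECURITY."""
    for entry in cfg.get("SECURITY", []):
        for proc in entry.get("PROCESS", []):
            yield proc, entry["NAME"]


def targeted_processes(cfg: dict) -> Dict[str, str]:
    """Map each targeted image name (lower-cased for matching) to its product label."""
    return {proc.lower(): label for proc, label in _process_entries(cfg)}


def ifeo_keys(cfg: dict) -> Dict[str, str]:
    """IFEO subkeys the sample would create, keyed by the original image name."""
    return {proc: IFEO_BASE + "\\" + proc for proc, _ in _process_entries(cfg)}


def registry_policy_entries(cfg: dict) -> List[Tuple[str, str, int]]:
    """Decode the REG blocks into (key, value_name, dword) triples."""
    out: List[Tuple[str, str, int]] = []
    for entry in cfg.get("SECURITY", []):
        for reg in entry.get("REG", []):
            key = reg["KEY"].strip("[]")
            for line in reg["VALUE"].splitlines():   # VALUE uses \r\n separators
                m = REG_DWORD_LINE.match(line.strip())
                if m:
                    out.append((key, m.group("name"), int(m.group("hex"), 16)))
    return out


def audit_ifeo(snapshot: List[Tuple[str, str]], cfg: dict) -> List[dict]:
    """Flag IFEO Debugger values from a host export that match the sample's pattern.

    snapshot: (image_name, debugger_value) pairs exported from the IFEO hive
    (format assumed by this example). Returns one finding per suspicious pair."""
    targets = targeted_processes(cfg)
    findings: List[dict] = []
    for image, debugger in snapshot:
        img, dbg = image.lower(), debugger.strip('"').lower()
        if img in targets and dbg.endswith(ADWIND_DEBUGGER):
            findings.append({"image": image, "product": targets[img],
                             "reason": "adwind-ifeo-block"})
        elif dbg.endswith(ADWIND_DEBUGGER):
            # svchost.exe is never a real debugger; flag it even for images
            # that this particular configuration does not list.
            findings.append({"image": image, "product": None,
                             "reason": "svchost-as-debugger"})
    return findings


if __name__ == "__main__":
    cfg = parse_config(ADWIND_CONFIG)
    print("C2 endpoints:", network_iocs(cfg))
    for key, name, val in registry_policy_entries(cfg):
        print(f"{key} -> {name} = {val}")
    # Constructed host snapshot: one Defender image blocked the Adwind way, one
    # legitimate JIT debugger registration, one unlisted image pointed at svchost.
    host = [("MsMpEng.exe", "svchost.exe"),
            ("notepad.exe", r"C:\Windows\System32\vsjitdebugger.exe"),
            ("calc.exe", "svchost.exe")]
    for finding in audit_ifeo(host, cfg):
        print(finding)
```

On a real host the snapshot would come from enumerating the IFEO subkeys and reading each Debugger value; the audit only needs the pairs, so the collection step can be whatever the environment already uses.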


How Cyphort's ADF Can Help

Cyphort detects Adwind and its C2 communication as TROJAN_ADWIND.CY.