Adwind RAT / JRAT

 1title: Adwind RAT / JRAT
 2id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
 3status: test
 4description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
 5references:
 6    - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
 7    - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
 8author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
 9date: 2017-11-10
10modified: 2022-10-09
11tags:
12    - attack.execution
13    - attack.t1059.005
14    - attack.t1059.007
15    - detection.emerging-threats
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection:
21        - CommandLine|contains|all:
22              - '\AppData\Roaming\Oracle'
23              - '\java'
24              - '.exe '
25        - CommandLine|contains|all:
26              - 'cscript.exe'
27              - 'Retrive'
28              - '.vbs '
29    condition: selection
30level: high

References

• Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'IMG.94751700 PDF_original.jar'

  Submit malware for free analysis with Falcon Sandbox and Hybrid Analysis technology. Hybrid Analysis develops and licenses analysis tools to fight malware.

  
  Read More

• š.RY0£¿€-Q”Êr\¦3J{ÄÀŒ(¿Ó¢¿³†@ “;wîܽ{wss“øуöööbÉ‘µØû€š6’Óž³Õd;ª Ù˜rÆ®ÁðåßHÖT¯Kð§Í™j©§”²e[•SU3zÿý·O�zçôéwÎœy—Ä 32ÊŽÄ—©iûŽÒ¥‚sn¯™H©l_f¤ß¿'Ș={öìðð�>>zô¨{ú�@¼òí·ßÞ¼yóöíÛ?ýôÓÏ?ÿL䈖Ü...

  
  Read More

Related rules

• Adwind RAT / JRAT File Artifact
• Csc.EXE Execution Form Potentially Suspicious Parent
• Cscript/Wscript Uncommon Script Extension Execution
• File Was Not Allowed To Run
• HTML Help HH.EXE Suspicious Child Process