Adwind RAT / JRAT File Artifact

 1title: Adwind RAT / JRAT File Artifact
 2id: 0bcfabcb-7929-47f4-93d6-b33fb67d34d1
 3related:
 4    - id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
 5      type: derived
 6status: test
 7description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
 8references:
 9    - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
10    - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
11author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
12date: 2017-11-10
13modified: 2022-12-02
14tags:
15    - attack.execution
16    - attack.t1059.005
17    - attack.t1059.007
18logsource:
19    category: file_event
20    product: windows
21detection:
22    selection:
23        - TargetFilename|contains|all:
24              - '\AppData\Roaming\Oracle\bin\java'
25              - '.exe'
26        - TargetFilename|contains|all:
27              - '\Retrive'
28              - '.vbs'
29    condition: selection
30level: high

References

• Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'IMG.94751700 PDF_original.jar'

  Submit malware for free analysis with Falcon Sandbox and Hybrid Analysis technology. Hybrid Analysis develops and licenses analysis tools to fight malware.

  
  Read More

• š.RY0£¿€-Q”Êr\¦3J{ÄÀŒ(¿Ó¢¿³†@ “;wîܽ{wss“øуöööbÉ‘µØû€š6’Óž³Õd;ª Ù˜rÆ®ÁðåßHÖT¯Kð§Í™j©§”²e[•SU3zÿý·O�zçôéwÎœy—Ä 32ÊŽÄ—©iûŽÒ¥‚sn¯™H©l_f¤ß¿'Ș={öìðð�>>zô¨{ú�@¼òí·ßÞ¼yóöíÛ?ýôÓÏ?ÿL䈖Ü...

  
  Read More

Related rules

• Adwind RAT / JRAT
• Csc.EXE Execution Form Potentially Suspicious Parent
• Cscript/Wscript Uncommon Script Extension Execution
• File Was Not Allowed To Run
• HTML Help HH.EXE Suspicious Child Process