Java/Adwind.LL!tr
Analysis
Java/Adwind.LL!tr is a generic detection for a trojan.
Since this is a generic detection, malware detected as Java/Adwind.LL!tr may vary in behaviour.
Below are examples of some of these behaviours:
- This malware may drop any of the following file(s):
- %User%\[Random]\ID.txt : This file is a non-malicious text file.
- %User%\[Random]\[Random].[Random] : This file is a copy of the original malware itself.
- %Temp%\_0.[XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX].class, where each X is a numerical character. This file is detected as Java/Adwind.AAU!tr.
- Using taskkill, this malware terminates the following monitoring and security-related tools:
- AdAwareDesktop.exe
- AdAwareService.exe
- AdAwareTray.exe
- avpmapp.exe
- BgScan.exe
- BullGuard.exe
- BullGuardBhvScanner.exe
- BullGuardUpdate.exe
- BullGuarScanner.exe
- capinfos.exe
- cavwp.exe
- cis.exe
- CisTray.exe
- clamscan.exe
- ClamTray.exe
- ClamWin.exe
- cmdagent.exe
- ConfigSecurityPolicy.exe
- CONSCTLX.EXE
- dragon_updater.exe
- dumpcap.exe
- econceal.exe
- econser.exe
- editcap.exe
- escanmon.exe
- escanpro.exe
- LittleHook.exe
- mbam.exe
- mbamscheduler.exe
- mbamservice.exe
- mergecap.exe
- MpCmdRun.exe
- MpUXSrv.exe
- MSASCui.exe
- MsMpEng.exe
- MWAGENT.EXE
- MWASER.EXE
- NisSrv.exe
- ProcessHacker.exe
- procexp.exe
- rawshark.exe
- text2pcap.exe
- TRAYICOS.EXE
- TRAYSSER.EXE
- tshark.exe
- V3Main.exe
- V3Medic.exe
- V3Proxy.exe
- V3SP.exe
- V3Svc.exe
- V3Up.exe
- VIEWTCP.EXE
- WebCompanion.exe
- wireshark.exe
- This malware may apply any of the following registry modification(s):
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Sjahgodyjsz = "%appdata%\oracle\bin\javaw.exe" -jar %User%\[Random]\[Random].[Random]
- This malware further lowers the safeguards on the affected host by applying the following registry modifications:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
- LowRiskFileTypes = ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
- SaveZoneInformation = 00000001
- Using the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, this malware registers svchost.exe as the debugger for each of the following applications, so that any attempt to launch one of them runs svchost.exe instead. The applications listed are mostly antivirus/security related.
- acs.exe
- AdAwareDesktop.exe
- AdAwareService.exe
- AdAwareTray.exe
- AgentSvc.exe
- AVK.exe
- AVKProxy.exe
- AVKService.exe
- AVKTray.exe
- AVKWCtlx64.exe
- avpmapp.exe
- av_task.exe
- Bav.exe
- bavhm.exe
- BavSvc.exe
- BavTray.exe
- BavUpdater.exe
- BavWebClient.exe
- BDSSVC.EXE
- BgScan.exe
- BullGuard.exe
- BullGuardBhvScanner.exe
- BullGuardUpdate.exe
- BullGuarScanner.exe
- capinfos.exe
- cavwp.exe
- CertReg.exe
- cis.exe
- CisTray.exe
- clamscan.exe
- ClamTray.exe
- ClamWin.exe
- cmdagent.exe
- ConfigSecurityPolicy.exe
- CONSCTLX.EXE
- coreFrameworkHost.exe
- coreServiceShell.exe
- dragon_updater.exe
- dumpcap.exe
- econceal.exe
- econser.exe
- editcap.exe
- EMLPROXY.EXE
- escanmon.exe
- escanpro.exe
- fcappdb.exe
- FCDBlog.exe
- FCHelper64.exe
- FilMsg.exe
- FilUp.exe
- filwscc.exe
- fmon.exe
- FortiClient.exe
- FortiClient_Diagnostic_Tool.exe
- FortiESNAC.exe
- FortiFW.exe
- FortiProxy.exe
- FortiSSLVPNdaemon.exe
- FortiTray.exe
- FPAVServer.exe
- FProtTray.exe
- FPWin.exe
- freshclam.exe
- freshclamwrap.exe
- fsgk32.exe
- FSHDLL64.exe
- fshoster32.exe
- FSM32.EXE
- FSMA32.EXE
- fsorsp.exe
- fssm32.exe
- GdBgInx64.exe
- GDKBFltExe32.exe
- GDSC.exe
- GDScan.exe
- guardxkickoff_x64.exe
- guardxservice.exe
- iptray.exe
- K7AVScan.exe
- K7CrvSvc.exe
- K7EmlPxy.EXE
- K7FWSrvc.exe
- K7PSSrvc.exe
- K7RTScan.exe
- K7SysMon.Exe
- K7TSecurity.exe
- K7TSMain.exe
- K7TSMngr.exe
- LittleHook.exe
- mbam.exe
- mbamscheduler.exe
- mbamservice.exe
- MCS-Uninstall.exe
- MCShieldCCC.exe
- MCShieldDS.exe
- MCShieldRTM.exe
- mergecap.exe
- MpCmdRun.exe
- MpUXSrv.exe
- MSASCui.exe
- MsMpEng.exe
- MWAGENT.EXE
- MWASER.EXE
- nanoav.exe
- nanosvc.exe
- nbrowser.exe
- nfservice.exe
- NisSrv.exe
- njeeves2.exe
- nnf.exe
- nprosec.exe
- NS.exe
- nseupdatesvc.exe
- nvcod.exe
- nvcsvc.exe
- nvoy.exe
- nwscmon.exe
- ONLINENT.EXE
- OPSSVC.EXE
- op_mon.exe
- ProcessHacker.exe
- procexp.exe
- PSANHost.exe
- PSUAMain.exe
- PSUAService.exe
- psview.exe
- PtSessionAgent.exe
- PtSvcHost.exe
- PtWatchDog.exe
- quamgr.exe
- QUHLPSVC.EXE
- rawshark.exe
- SAPISSVC.EXE
- SASCore64.exe
- SASTask.exe
- SBAMSvc.exe
- SBAMTray.exe
- SBPIMSvc.exe
- SCANNER.EXE
- SCANWSCS.EXE
- schmgr.exe
- scproxysrv.exe
- ScSecSvc.exe
- SDFSSvc.exe
- SDScan.exe
- SDTray.exe
- SDWelcome.exe
- SSUpdate64.exe
- SUPERAntiSpyware.exe
- SUPERDelete.exe
- text2pcap.exe
- TRAYICOS.EXE
- TRAYSSER.EXE
- trigger.exe
- tshark.exe
- twsscan.exe
- twssrv.exe
- uiSeAgnt.exe
- uiUpdateTray.exe
- uiWatchDog.exe
- uiWinMgr.exe
- UnThreat.exe
- UserReg.exe
- utsvc.exe
- V3Main.exe
- V3Medic.exe
- V3Proxy.exe
- V3SP.exe
- V3Svc.exe
- V3Up.exe
- VIEWTCP.EXE
- VIPREUI.exe
- virusutilities.exe
- WebCompanion.exe
- wireshark.exe
- Zanda.exe
- Zlh.exe
- zlhh.exe
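The registry changes described above (the Run-key persistence entry, the two policy downgrades and the Image File Execution Options debugger entries) can be audited on a suspect host with the following PowerShell script. This is an added example, not code from the Fortinet page or Fortinet tooling; it assumes the exact key paths and value names listed in the analysis and only reports matches, changing nothing.

```powershell
# Added audit script (not from the Fortinet page). Checks a Windows host for the
# registry artifacts described in the analysis; run in an elevated PowerShell.
# Assumption: paths and value names are exactly those listed above.
$findings = New-Object System.Collections.Generic.List[string]

# 1. IFEO hijack: any application whose Debugger value points at svchost.exe
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($key in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
    $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg -and $dbg -match 'svchost\.exe') {
        $findings.Add("IFEO hijack: $($key.PSChildName) -> Debugger = $dbg")
    }
}

# 2. Run-key persistence that starts a JAR through a javaw.exe copy under %APPDATA%
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match 'javaw\.exe.*-jar') {
            $findings.Add("Run persistence: $($p.Name) = $($p.Value)")
        }
    }
}
$javaCopy = Join-Path $env:APPDATA 'oracle\bin\javaw.exe'
if (Test-Path $javaCopy) { $findings.Add("Java copy under %APPDATA%: $javaCopy") }

# 3. Safeguard downgrades: zone information no longer saved, executable types marked low risk
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
$szi = (Get-ItemProperty -Path "$pol\Attachments" -Name SaveZoneInformation -ErrorAction SilentlyContinue).SaveZoneInformation
if ($szi -eq 1) { $findings.Add('SaveZoneInformation = 1 (Mark-of-the-Web not preserved on downloads)') }
$lrft = (Get-ItemProperty -Path "$pol\Associations" -Name LowRiskFileTypes -ErrorAction SilentlyContinue).LowRiskFileTypes
if ($lrft -and $lrft -match '\.(exe|jar|bat|cmd|vbs|reg);') {
    $findings.Add("LowRiskFileTypes covers executable types: $lrft")
}

if ($findings.Count -eq 0) { 'No Java/Adwind.LL!tr registry artifacts found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A clean host should report no artifacts; any IFEO entry whose Debugger is svchost.exe is worth inspecting even if the remaining checks are silent, since it alone blocks the listed security tools from starting.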
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Detection |
---|---|
FortiGate | |
Extended | |
FortiClient | |
FortiMail | |
FortiSandbox | |
FortiWeb | |
Web Application Firewall | |
FortiIsolator | |
FortiDeceptor | |
FortiEDR | |
Version Updates
Date | Version | Detail |
---|---|---|
2023-09-19 | 91.07104 | |
2023-09-18 | 91.07074 | |
2023-08-18 | 91.06137 | |
2023-07-31 | 91.05603 | |
2020-12-08 | 82.40700 | Sig Updated |
2020-12-03 | 82.27800 | Sig Updated |
2020-09-01 | 80.05600 | Sig Updated |
2020-06-09 | 78.04900 | Sig Updated |
2020-06-08 | 78.02700 | Sig Updated |
2020-06-08 | 78.01200 | Sig Updated |