Java/Adwind.LL!tr

description-logoAnalysis



Java/Adwind.LL!tr is a generic detection for a trojan. Since this is a generic detection, malware that are detected as Java/Adwind.LL!tr may have varying behaviour.
Below are examples of some of these behaviours:

  • This malware may drop any of the following file(s):
    • undefinedUserundefined\[Random]\ID.txt : This file is a none malicious text file.
    • undefinedUserundefined\[Random]\[Random].[Random] : This file is a copy of the original malware itself.
    • undefinedTempundefined\_0.[XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX].class, where X is any numerical character, this file is detected as Java/Adwind.AAU!tr.

  • Using taskkill this malware kills the following monitoring/security related tools:
    • AdAwareDesktop.exe
    • AdAwareService.exe
    • AdAwareTray.exe
    • avpmapp.exe
    • BgScan.exe
    • BullGuard.exe
    • BullGuardBhvScanner.exe
    • BullGuardUpdate.exe
    • BullGuarScanner.exe
    • capinfos.exe
    • cavwp.exe
    • cis.exe
    • CisTray.exe
    • clamscan.exe
    • ClamTray.exe
    • ClamWin.exe
    • cmdagent.exe
    • ConfigSecurityPolicy.exe
    • CONSCTLX.EXE
    • dragon_updater.exe
    • dumpcap.exe
    • econceal.exe
    • econser.exe
    • editcap.exe
    • escanmon.exe
    • escanpro.exe
    • LittleHook.exe
    • mbam.exe
    • mbamscheduler.exe
    • mbamservice.exe
    • mergecap.exe
    • MpCmdRun.exe
    • MpUXSrv.exe
    • MSASCui.exe
    • MsMpEng.exe
    • MWAGENT.EXE
    • MWASER.EXE
    • NisSrv.exe
    • ProcessHacker.exe
    • procexp.exe
    • rawshark.exe
    • text2pcap.exe
    • TRAYICOS.EXE
    • TRAYSSER.EXE
    • tshark.exe
    • V3Main.exe
    • V3Medic.exe
    • V3Proxy.exe
    • V3SP.exe
    • V3Svc.exe
    • V3Up.exe
    • VIEWTCP.EXE
    • WebCompanion.exe
    • wireshark.exe

  • This malware may apply any of the following registry modification(s):
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run
      • Sjahgodyjsz = undefinedappdataundefined\oracle\bin\javaw.exe\ -jar undefinedUserundefined\[Random]\[Random].[Random]
      This automatically executes the dropped file every time the infected user logs on.

  • This malware will further lower the safeguards of the affected hosts by applying the following registry modifications:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
      • LowRiskFileTypes = ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
      • SaveZoneInformation = ""00000001

  • Using the registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, this malware will set the following applications into running svchost.exe when the associated file being debugged. The applications listed are mostly Antivirus/Security related.
    • acs.exe
    • AdAwareDesktop.exe
    • AdAwareService.exe
    • AdAwareTray.exe
    • AgentSvc.exe
    • AVK.exe
    • AVKProxy.exe
    • AVKService.exe
    • AVKTray.exe
    • AVKWCtlx64.exe
    • avpmapp.exe
    • av_task.exe
    • Bav.exe
    • bavhm.exe
    • BavSvc.exe
    • BavTray.exe
    • BavUpdater.exe
    • BavWebClient.exe
    • BDSSVC.EXE
    • BgScan.exe
    • BullGuard.exe
    • BullGuardBhvScanner.exe
    • BullGuardUpdate.exe
    • BullGuarScanner.exe
    • capinfos.exe
    • cavwp.exe
    • CertReg.exe
    • cis.exe
    • CisTray.exe
    • clamscan.exe
    • ClamTray.exe
    • ClamWin.exe
    • cmdagent.exe
    • ConfigSecurityPolicy.exe
    • CONSCTLX.EXE
    • coreFrameworkHost.exe
    • coreServiceShell.exe
    • dragon_updater.exe
    • dumpcap.exe
    • econceal.exe
    • econser.exe
    • editcap.exe
    • EMLPROXY.EXE
    • escanmon.exe
    • escanpro.exe
    • fcappdb.exe
    • FCDBlog.exe
    • FCHelper64.exe
    • FilMsg.exe
    • FilUp.exe
    • filwscc.exe
    • fmon.exe
    • FortiClient.exe
    • FortiClient_Diagnostic_Tool.exe
    • FortiESNAC.exe
    • FortiFW.exe
    • FortiProxy.exe
    • FortiSSLVPNdaemon.exe
    • FortiTray.exe
    • FPAVServer.exe
    • FProtTray.exe
    • FPWin.exe
    • freshclam.exe
    • freshclamwrap.exe
    • fsgk32.exe
    • FSHDLL64.exe
    • fshoster32.exe
    • FSM32.EXE
    • FSMA32.EXE
    • fsorsp.exe
    • fssm32.exe
    • GdBgInx64.exe
    • GDKBFltExe32.exe
    • GDSC.exe
    • GDScan.exe
    • guardxkickoff_x64.exe
    • guardxservice.exe
    • iptray.exe
    • K7AVScan.exe
    • K7CrvSvc.exe
    • K7EmlPxy.EXE
    • K7FWSrvc.exe
    • K7PSSrvc.exe
    • K7RTScan.exe
    • K7SysMon.Exe
    • K7TSecurity.exe
    • K7TSMain.exe
    • K7TSMngr.exe
    • LittleHook.exe
    • mbam.exe
    • mbamscheduler.exe
    • mbamservice.exe
    • MCS-Uninstall.exe
    • MCShieldCCC.exe
    • MCShieldDS.exe
    • MCShieldRTM.exe
    • mergecap.exe
    • MpCmdRun.exe
    • MpUXSrv.exe
    • MSASCui.exe
    • MsMpEng.exe
    • MWAGENT.EXE
    • MWASER.EXE
    • nanoav.exe
    • nanosvc.exe
    • nbrowser.exe
    • nfservice.exe
    • NisSrv.exe
    • njeeves2.exe
    • nnf.exe
    • nprosec.exe
    • NS.exe
    • nseupdatesvc.exe
    • nvcod.exe
    • nvcsvc.exe
    • nvoy.exe
    • nwscmon.exe
    • ONLINENT.EXE
    • OPSSVC.EXE
    • op_mon.exe
    • ProcessHacker.exe
    • procexp.exe
    • PSANHost.exe
    • PSUAMain.exe
    • PSUAService.exe
    • psview.exe
    • PtSessionAgent.exe
    • PtSvcHost.exe
    • PtWatchDog.exe
    • quamgr.exe
    • QUHLPSVC.EXE
    • rawshark.exe
    • SAPISSVC.EXE
    • SASCore64.exe
    • SASTask.exe
    • SBAMSvc.exe
    • SBAMTray.exe
    • SBPIMSvc.exe
    • SCANNER.EXE
    • SCANWSCS.EXE
    • schmgr.exe
    • scproxysrv.exe
    • ScSecSvc.exe
    • SDFSSvc.exe
    • SDScan.exe
    • SDTray.exe
    • SDWelcome.exe
    • SSUpdate64.exe
    • SUPERAntiSpyware.exe
    • SUPERDelete.exe
    • text2pcap.exe
    • TRAYICOS.EXE
    • TRAYSSER.EXE
    • trigger.exe
    • tshark.exe
    • twsscan.exe
    • twssrv.exe
    • uiSeAgnt.exe
    • uiUpdateTray.exe
    • uiWatchDog.exe
    • uiWinMgr.exe
    • UnThreat.exe
    • UserReg.exe
    • utsvc.exe
    • V3Main.exe
    • V3Medic.exe
    • V3Proxy.exe
    • V3SP.exe
    • V3Svc.exe
    • V3Up.exe
    • VIEWTCP.EXE
    • VIPREUI.exe
    • virusutilities.exe
    • WebCompanion.exe
    • wireshark.exe
    • Zanda.exe
    • Zlh.exe
    • zlhh.exe



recommended-action-logoRecommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry logoTelemetry

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2023-09-19 91.07104
2023-09-18 91.07074
2023-08-18 91.06137
2023-07-31 91.05603
2020-12-08 82.40700 Sig Updated
2020-12-03 82.27800 Sig Updated
2020-09-01 80.05600 Sig Updated
2020-06-09 78.04900 Sig Updated
2020-06-08 78.02700 Sig Updated
2020-06-08 78.01200 Sig Updated