enSilo Blocks New Variant of Adwind RAT

Adwind is an infamous Remote Access Trojan (RAT) that was first discovered in 2013. A new variant of Adwind RAT was detected and blocked by enSilo, while other anti-virus (AV) engines failed to detect it, according to VirusTotal.



On March 27, 2018, enSilo’s post protection platform detected and blocked a new variant of the Adwind Remote Access Trojan (RAT) across multiple customer environments. This threat was only a small portion of an Adwind campaign that started around the beginning of 2018. Adwind is an infamous RAT that was first discovered in 2013. It is a cross-platform, multifunctional RAT written in Java, which is why it is also known as jRAT.

Adwind RAT’s main capabilities are:

  • Capturing screenshots
  • Logging keystrokes
  • Recording audio from the microphone
  • Recording videos and taking pictures using connected webcams
  • Uploading files to the Command and Control (C&C) server
  • Downloading and executing files

This new variant looks just like old Adwind RAT variants. However, when the attacks took place, this new variant was not detected by any commercial Anti-Virus (AV) engine on VirusTotal. On April 2, 2018, this variant was detected by only 11 AV engines, a low detection rate compared to previous Adwind RAT variants. Figure 1 illustrates this comparison.


Figure 1 - New "Adwind" variant analysis results on VirusTotal

Malware analysis

The Adwind RAT is commonly distributed in massive spam campaigns via a phishing email that contains either an attached JAR file or a download hyperlink, attempting to lure the victim into clicking on it. This new Adwind RAT variant was downloaded from a hyperlink, and the file name associated with this threat was InvoicePAYMENT.jar. The victim executed this file thinking it was an invoice payment document.

When analyzing an Adwind JAR file variant with a Java bytecode decompiler, it is preferable to use a decompiler like Procyon rather than JD-GUI. The JD-GUI decompiler typically has trouble decompiling some bytecode instructions, and the Adwind RAT uses obfuscation techniques to defeat decompilers. For example, in JD-GUI the main function looks empty, while in Procyon there is a call to a static function, as shown in Figure 2.




Figure 2 – The JAR main function. On the left, the JD-GUI decompiler view; in the center, the “Procyon” decompiler view; and on the right, the “ByteCode” decompiler view.


To make the dropper JAR file harder to analyze, the class, function and variable names were replaced with randomly generated words. The dropper JAR file includes many encrypted resource files. The Java code that runs at runtime is executed through a “ScriptEngine” object by calling its “eval” method on concatenated static strings, which are located in different classes.
Figure 3 shows part of the decompiled obfuscated code from that JAR file.


Figure 3 – Part of the decompiled obfuscated code


Previous analysis of Adwind RAT variants showed that they carry a built-in configuration file, which is read during execution. This configuration file typically contains a C&C domain or remote IP address, a target port, encryption keys and so on. Figure 4 shows the configuration file used by this new Adwind RAT variant.



Figure 4 - The "Adwind" decrypted configuration file


This new Adwind RAT variant works like the previous variants, in the following manner:

  1. The dropper drops the payload JAR file to the %temp% directory and executes it.
  2. It checks whether AV and firewall applications are installed on the affected system using Visual Basic scripts (VBScript).
  3. It copies itself (the JAR dropper) to a new directory under %userprofile%, then sets the folder’s hidden attribute to conceal it.
  4. To achieve persistence on the affected system, the RAT performs the following steps:

             a.  Copies the original Java installation directory to the %appdata%\Oracle folder location.

             b.  Creates a new value in the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key, which runs the dropper JAR after Windows boots and the user logs on to the affected system.
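As an added example (not code from the original post or from enSilo), the following Python sketch turns the persistence steps above into a hunt over exported HKCU Run values. The user profile path, value names and benign entries are constructed sample data; the only page-derived specifics are the Java copy under %appdata%\Oracle, the first-level %userprofile% directory and the InvoicePAYMENT.jar name.

```python
import re
from typing import Dict, List

# Constructed sample: what an HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# export might contain on one user's machine (hypothetical paths and value names).
USER_PROFILE = r"C:\Users\victim"
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": r'"C:\Program Files\Java\jre1.8.0_161\bin\javaw.exe" -jar "C:\Tools\backup.jar"',
    "GAEPgWElmjj": r'"C:\Users\victim\AppData\Roaming\Oracle\bin\javaw.exe" -jar '
                   r'"C:\Users\victim\GAEPgWElmjj\InvoicePAYMENT.jar"',
}


def _tokens(cmd: str) -> List[str]:
    """Split a Run-value command line into arguments, honouring double-quoted paths."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def assess_run_value(cmd: str, user_profile: str) -> List[str]:
    """Return the indicators from this post that one Run value matches (empty = nothing to flag)."""
    toks = _tokens(cmd)
    if not toks or toks[0].lower().rsplit("\\", 1)[-1] not in ("java.exe", "javaw.exe"):
        return []  # only Java launchers are relevant to this RAT's persistence
    profile = user_profile.lower().rstrip("\\")
    hits: List[str] = []
    # Step 4a: the RAT copies the Java installation to %appdata%\Oracle and launches from there.
    if toks[0].lower().startswith(profile + "\\appdata\\roaming\\oracle\\"):
        hits.append("java launcher runs from a copied install under %appdata%\\Oracle")
    # Steps 3/4b: the dropper JAR lives in a new (hidden) directory directly under %userprofile%.
    jar_args = [toks[i + 1] for i, t in enumerate(toks[:-1]) if t.lower() == "-jar"]
    for jar in jar_args:
        low = jar.lower()
        rel = low[len(profile) + 1:] if low.startswith(profile + "\\") else ""
        if rel.count("\\") == 1 and not rel.startswith("appdata\\"):
            hits.append("JAR launched from a first-level directory under %userprofile%")
        if rel.rsplit("\\", 1)[-1] == "invoicepayment.jar":
            hits.append("JAR name matches the analyzed dropper InvoicePAYMENT.jar")
    return hits


def hunt(run_values: Dict[str, str], user_profile: str) -> Dict[str, List[str]]:
    """Return only the Run values that matched at least one indicator, with their reasons."""
    return {name: hits for name, cmd in run_values.items()
            if (hits := assess_run_value(cmd, user_profile))}


if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_RUN_VALUES, USER_PROFILE).items():
        print(f"[!] {name}: " + "; ".join(reasons))
```

On a live host the dictionary would be populated from a registry export; a single weak match (for example only the JAR name) is worth a look, while all three together reproduce the chain described above.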

enSilo Blocks Adwind RAT


enSilo’s post protection platform blocks Adwind as it attempts to access the internet, as shown in Figure 5.


Figure 5 – Blocked "Adwind" C&C communication attempt

Because this new Adwind RAT variant was blocked in real time from communicating with its C&C server, it was unable to perform any further activity. In short, the threat was contained without causing any damage.

There are quite a few variants of Adwind\jRAT in the wild, and new ones are constantly being discovered. enSilo’s post-infection protection platform, which is not based on signatures, makes it possible to reduce dwell time while preserving business continuity.


File and hashes of the analyzed samples:

Filename: InvoicePAYMENT.jar
SHA256: 7D08062CBB665D6949ED9C14A4E21A90529462781DF95A5BBC324D747C8BA1C1

Filename: Adwind.class (the payload JAR file in the %temp% directory)
SHA256: 97D585B6AFF62FB4E43E7E6A5F816DCD7A14BE11A88B109A9BA9E8CD4C456EB9

File paths

%userprofile%\GAEPgWElmjj – the hidden directory to which the dropper JAR copies itself.

Persistence in Registry


File hashes of additional samples – SHA256:

DNS from the analyzed sample configuration

This domain was still blacklisted by multiple security vendors at the time of writing this report.

IP addresses: