
My entire system has been hacked. Can you help?

  • No replies
  • 1 person has this problem
  • 6 views

Verdict: malicious. Threat Score: 100/100. AV Multiscan: 45%. Labeled as: Java.Trojan.GenericGB. Tagged as: #trojan
Submitted archive: 9879438b7ff8f9f03ac525addc4d5d18.bz2

Analyzed on November 20th 2017 00:37:46 (CEST) running the Kernelmode monitor. Guest system: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1. VxStream Sandbox v7.10 © Hybrid Analysis.

Persistence
  • Modifies auto-execute functionality by setting/creating a value in the registry
  • Modifies auto-execute functionality to enable the debugger hack
  • Spawns a lot of processes
  • Writes data to a remote process
Fingerprint
  • Reads the active computer name
  • Reads the cryptographic machine GUID
Evasive
  • Possibly checks for the presence of a forensics/monitoring tool
Adware
  • Possibly checks for the presence of an adware detecting tool

Platform Intelligence / Artifact Context

Associated SHA256s
  • 9e89ea0a97123e1522a04feb49496ee58ae9fb09e6219de9f4e3fd780a9b529d
  • c151cf3050ccf82e92465fd24ae3ba77a43c08f7cbdab1abe2ff2697bc981183

Indicators

Not all malicious and suspicious indicators are displayed in the public report.

Malicious Indicators (10 shown, 1 not shown)
  Anti-Detection/Stealthiness
    • Modifies auto-execute functionality to enable the debugger hack
    • Terminates other processes using taskkill
  External Systems
    • Sample was identified as malicious by a large number of Antivirus engines
    • Sample was identified as malicious by at least one Antivirus engine
  General
    • The analysis extracted a file that was identified as malicious
  Installation/Persistence
    • Writes data to a remote process
  System Security
    • Terminates system processes
    • Uses taskkill excessively (often used to disable security tools)
  Unusual Characteristics
    • Spawns a lot of processes

Suspicious Indicators (15 shown, 1 not shown)
  Anti-Detection/Stealthiness
    • Runs the registry editor in a silent manner
  Anti-Reverse Engineering
    • Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
    • Possibly checks for the presence of a forensics/monitoring tool
  Cryptographic Related
    • References key cryptographic functions
  Environment Awareness
    • Reads the active computer name
    • Reads the cryptographic machine GUID
  Installation/Persistence
    • Copies data to/from the Java Runtime folder
    • Creates new processes
    • Executes a Visual Basic script
    • Modifies auto-execute functionality by setting/creating a value in the registry
  Remote Access Related
    • Contains references to WMI/WMIC
  System Destruction
    • Possibly checks for the presence of an adware detecting tool
  Unusual Characteristics
    • Installs hooks/patches the running process
    • Reads information about supported languages

Informative (7)
  General
    • Creates a writable file in a temporary directory
    • Launches a VBS file
    • Reads Windows Trust Settings
    • Runs shell commands
    • Spawns new processes
  Installation/Persistence
    • Dropped files
    • Touches files in the Windows directory

File Details: phpworBHo_.jar

Filename: phpworBHo_.jar
Size: 513KiB (525607 bytes)
Type: java
Description: Java archive data (JAR)
Architecture: WINDOWS
SHA256: 7b965b8a19a7b2ccfb2034b81a8b020247a284638fb3032d1b38337e6dc8943a

Classification (TrID)
  • 100.0% (.ZIP) ZIP compressed archive

Hybrid Analysis process tree

Analysed 222 processes in total (System Resource Monitor).

javaw.exe -jar "C:\phpworBHo_.jar" (PID: 3068)
    java.exe -jar %TEMP%\_0.4121897489030028643705085698298392.class (PID: 3728)
        cmd.exe /C cscript.exe %TEMP%\Retrive3005839175773921224.vbs (PID: 4044)
            cscript.exe %TEMP%\Retrive3005839175773921224.vbs (PID: 308)
        cmd.exe /C cscript.exe %TEMP%\Retrive8519028878817837879.vbs (PID: 3940)
            cscript.exe %TEMP%\Retrive8519028878817837879.vbs (PID: 4036)
        cmd.exe (PID: 1036)
    cmd.exe /C cscript.exe %TEMP%\Retrive3791202351905831748.vbs (PID: 3836)
        cscript.exe %TEMP%\Retrive3791202351905831748.vbs (PID: 3756)
    cmd.exe /C cscript.exe %TEMP%\Retrive6761054475108374641.vbs (PID: 3844)
        cscript.exe %TEMP%\Retrive6761054475108374641.vbs (PID: 1764)
    xcopy.exe "xcopy "%PROGRAMFILES%\Java\jre1.8.0_25" "%APPDATA%\Oracle" /e" (PID: 1300)
    cmd.exe (PID: 3960)
    reg.exe "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v wHiDpcbHAYm /t REG_EXPAND_SZ /d "\"%APPDATA%\Oracle\bin\javaw.exe\" -jar \"%USERPROFILE%\ICHxjJDnrDt\SxDRkMDReHZ.DrcPWt\"" /f" (PID: 1024)
    attrib.exe "attrib +h "%USERPROFILE%\ICHxjJDnrDt\*.*"" (PID: 2304)
    attrib.exe "attrib +h "%USERPROFILE%\ICHxjJDnrDt"" (PID: 1804)
    javaw.exe -jar %USERPROFILE%\ICHxjJDnrDt\SxDRkMDReHZ.DrcPWt (PID: 2352)
        java.exe -jar %TEMP%\_0.467237802677680345016958333484578610.class (PID: 2392)
            cmd.exe /C cscript.exe %TEMP%\Retrive3731418051498572090.vbs (PID: 2684)
                cscript.exe %TEMP%\Retrive3731418051498572090.vbs (PID: 2832)
            cmd.exe /C cscript.exe %TEMP%\Retrive7044146437686179666.vbs (PID: 2812)
                cscript.exe %TEMP%\Retrive7044146437686179666.vbs (PID: 2732)
            cmd.exe (PID: 2872)
        cmd.exe /C cscript.exe %TEMP%\Retrive7628837890759371353.vbs (PID: 1228)
            cscript.exe %TEMP%\Retrive7628837890759371353.vbs (PID: 2212)
        cmd.exe /C cscript.exe %TEMP%\Retrive3530126421885876512.vbs (PID: 2624)
            cscript.exe %TEMP%\Retrive3530126421885876512.vbs (PID: 2696)
        cmd.exe (PID: 2736)
        taskkill.exe taskkill /IM ProcessHacker.exe /T /F (PID: 3048)
        cmd.exe /c regedit.exe /s %TEMP%\YSqRLNkmok2423403084465319161.reg (PID: 3044)
            regedit.exe /s %TEMP%\YSqRLNkmok2423403084465319161.reg (PID: 3064)
        taskkill.exe taskkill /IM procexp.exe /T /F (PID: 3224)
        taskkill.exe taskkill /IM MSASCui.exe /T /F (PID: 1808)
        taskkill.exe taskkill /IM MsMpEng.exe /T /F (PID: 3024)
        taskkill.exe taskkill /IM MpUXSrv.exe /T /F (PID: 3928)
        taskkill.exe taskkill /IM MpCmdRun.exe /T /F (PID: 3948)
        taskkill.exe taskkill /IM NisSrv.exe /T /F (PID: 3972)
        taskkill.exe taskkill /IM ConfigSecurityPolicy.exe /T /F (PID: 320)
        taskkill.exe taskkill /IM procexp.exe /T /F (PID: 1616)
        taskkill.exe taskkill /IM wireshark.exe /T /F (PID: 2200)
        taskkill.exe taskkill /IM tshark.exe /T /F (PID: 3636)
        taskkill.exe taskkill /IM text2pcap.exe /T /F (PID: 2232)
        taskkill.exe taskkill /IM rawshark.exe /T /F (PID: 2708)
        taskkill.exe taskkill /IM mergecap.exe /T /F (PID: 2640)
        taskkill.exe taskkill /IM editcap.exe /T /F (PID: 2784)
        taskkill.exe taskkill /IM dumpcap.exe /T /F (PID: 820)
        taskkill.exe taskkill /IM capinfos.exe /T /F (PID: 2120)
        taskkill.exe taskkill /IM mbam.exe /T /F (PID: 3060)
        taskkill.exe taskkill /IM mbamscheduler.exe /T /F (PID: 3072)
        taskkill.exe taskkill /IM mbamservice.exe /T /F (PID: 3288)
        taskkill.exe taskkill /IM AdAwareService.exe /T /F (PID: 2952)
        taskkill.exe taskkill /IM AdAwareTray.exe /T /F (PID: 3292)
        taskkill.exe taskkill /IM WebCompanion.exe /T /F (PID: 3388)
        taskkill.exe taskkill /IM AdAwareDesktop.exe /T /F (PID: 3452)
        taskkill.exe taskkill /IM V3Main.exe /T /F (PID: 3484)
        taskkill.exe taskkill /IM V3Svc.exe /T /F (PID: 3576)
        taskkill.exe taskkill /IM V3Up.exe /T /F (PID: 3580)
        taskkill.exe taskkill /IM V3SP.exe /T /F (PID: 584)
        taskkill.exe taskkill /IM V3Proxy.exe /T /F (PID: 976)
        taskkill.exe taskkill /IM V3Medic.exe /T /F (PID: 3664)
        taskkill.exe taskkill /IM BgScan.exe /T /F (PID: 512)
        taskkill.exe taskkill /IM BullGuard.exe /T /F (PID: 1536)
        taskkill.exe taskkill /IM BullGuardBhvScanner.exe /T /F (PID: 312)
        taskkill.exe taskkill /IM BullGuarScanner.exe /T /F (PID: 324)
        taskkill.exe taskkill /IM LittleHook.exe /T /F (PID: 3976)
        taskkill.exe taskkill /IM BullGuardUpdate.exe /T /F (PID: 3984)
        taskkill.exe taskkill /IM clamscan.exe /T /F (PID: 3712)
        taskkill.exe taskkill /IM ClamTray.exe /T /F (PID: 4076)
        taskkill.exe taskkill /IM ClamWin.exe /T /F (PID: 4064)
        taskkill.exe taskkill /IM cis.exe /T /F (PID: 3740)
        taskkill.exe taskkill /IM CisTray.exe /T /F (PID: 1928)
        taskkill.exe taskkill /IM cmdagent.exe /T /F (PID: 1424)
        taskkill.exe taskkill /IM cavwp.exe /T /F (PID: 2632)
        taskkill.exe taskkill /IM dragon_updater.exe /T /F (PID: 2772)
        taskkill.exe taskkill /IM MWAGENT.EXE /T /F (PID: 2948)
        taskkill.exe taskkill /IM MWASER.EXE /T /F (PID: 2992)
        taskkill.exe taskkill /IM CONSCTLX.EXE /T /F (PID: 280)

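The process tree in the post shows a behavioural chain that is easier to detect than the JAR itself: a private JRE copied under %APPDATA%, a HKCU Run value pointing into a user-writable path, attrib +h on a directory under the user profile, a silent regedit import from %TEMP%, and dozens of taskkill /IM calls against security tools. The script below is an added example (not from the post, and not Hybrid Analysis code) that scores process-creation events, grouped by process tree, for exactly those patterns. The ProcEvent shape, the tool-name list, the weights and the sample events (constructed from the command lines in the tree, plus one benign tree for contrast) are this example's own assumptions; adapt the image/command-line fields to whatever your Sysmon or EDR export provides.

```python
"""Score process-creation events for the jRAT-style chain seen in the sandbox tree.

Added example. Event shape, weights, thresholds and the tool list are assumptions
for illustration, not a published detection signature.
"""
import re
from typing import Dict, List, NamedTuple


class ProcEvent(NamedTuple):
    pid: int
    ppid: int
    image: str    # executable basename, e.g. "taskkill.exe"
    cmdline: str  # command line as logged


# Process names the sample tried to kill (taken from the tree), lower-cased.
SECURITY_TOOLS = {
    "processhacker.exe", "procexp.exe", "msascui.exe", "msmpeng.exe", "mpcmdrun.exe",
    "nissrv.exe", "wireshark.exe", "tshark.exe", "dumpcap.exe", "mbam.exe",
    "mbamservice.exe", "clamwin.exe", "cmdagent.exe", "cavwp.exe",
}
WEIGHTS = {  # assumed weights; a tree scoring >= 50 is called malicious
    "run_key_to_user_writable_path": 30,
    "jre_copied_to_user_writable_path": 25,
    "mass_taskkill_of_security_tools": 40,
    "silent_reg_import_from_temp": 15,
    "hides_files_in_user_profile": 10,
}
USER_WRITABLE = re.compile(r"(%APPDATA%|%LOCALAPPDATA%|%USERPROFILE%|%TEMP%|\\Users\\[^\\]+\\)", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.I)
TASKKILL_IM = re.compile(r"/IM\s+\"?([^\s\"]+)", re.I)
SILENT_REGEDIT = re.compile(r"\bregedit(?:\.exe)?\s+/s\b", re.I)


def rules_for(ev: ProcEvent) -> List[str]:
    """Per-event rules. 'kill:<name>' hits are counted per tree by analyse()."""
    cmd, low, image = ev.cmdline, ev.cmdline.lower(), ev.image.lower()
    hits = []
    # Run-key persistence whose target lives somewhere the user can write
    if "reg add" in low and RUN_KEY.search(cmd) and USER_WRITABLE.search(cmd):
        hits.append("run_key_to_user_writable_path")
    # A JRE directory copied into a user-writable location (private runtime)
    jre = re.search(r"\\Java\\jre", cmd, re.I)
    if image in ("xcopy.exe", "robocopy.exe") and jre and USER_WRITABLE.search(cmd[jre.end():]):
        hits.append("jre_copied_to_user_writable_path")
    # taskkill against a known security/analysis tool
    if image == "taskkill.exe":
        m = TASKKILL_IM.search(cmd)
        if m and m.group(1).lower() in SECURITY_TOOLS:
            hits.append("kill:" + m.group(1).lower())
    # attrib +h on something under the user profile
    if image == "attrib.exe" and "+h" in low and USER_WRITABLE.search(cmd):
        hits.append("hides_files_in_user_profile")
    # silent .reg import from %TEMP%
    if SILENT_REGEDIT.search(cmd) and "%temp%" in low:
        hits.append("silent_reg_import_from_temp")
    return hits


def analyse(events: List[ProcEvent], kill_threshold: int = 3) -> Dict[int, dict]:
    """Attribute every hit to the root of its process tree and score each tree."""
    by_pid = {e.pid: e for e in events}

    def root_of(pid: int) -> int:
        seen = set()
        while pid not in seen:  # 'seen' guards against PID-reuse cycles
            seen.add(pid)
            parent = by_pid[pid].ppid
            if parent not in by_pid:
                return pid
            pid = parent
        return pid

    trees = {root_of(e.pid): {"hits": set(), "killed": set()} for e in events}
    for ev in events:
        tree = trees[root_of(ev.pid)]
        for hit in rules_for(ev):
            if hit.startswith("kill:"):
                tree["killed"].add(hit[len("kill:"):])
            else:
                tree["hits"].add(hit)

    report = {}
    for root, tree in trees.items():
        hits = set(tree["hits"])
        if len(tree["killed"]) >= kill_threshold:
            hits.add("mass_taskkill_of_security_tools")
        score = min(100, sum(WEIGHTS[h] for h in hits))
        verdict = "malicious" if score >= 50 else "suspicious" if score else "clean"
        report[root] = {"root_image": by_pid[root].image, "score": score, "verdict": verdict,
                        "hits": sorted(hits), "killed": sorted(tree["killed"])}
    return report


SAMPLE_EVENTS = [  # constructed from the command lines in the post; PIDs as in the tree
    ProcEvent(3068, 2000, "javaw.exe", r'javaw.exe -jar "C:\phpworBHo_.jar"'),
    ProcEvent(3728, 3068, "java.exe", r"java.exe -jar %TEMP%\_0.4121897489030028643705085698298392.class"),
    ProcEvent(1300, 3068, "xcopy.exe", r'xcopy "%PROGRAMFILES%\Java\jre1.8.0_25" "%APPDATA%\Oracle" /e'),
    ProcEvent(1024, 3068, "reg.exe", r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v wHiDpcbHAYm /t REG_EXPAND_SZ /d "\"%APPDATA%\Oracle\bin\javaw.exe\" -jar \"%USERPROFILE%\ICHxjJDnrDt\SxDRkMDReHZ.DrcPWt\"" /f'),
    ProcEvent(2304, 3068, "attrib.exe", r'attrib +h "%USERPROFILE%\ICHxjJDnrDt\*.*"'),
    ProcEvent(2352, 3068, "javaw.exe", r"javaw.exe -jar %USERPROFILE%\ICHxjJDnrDt\SxDRkMDReHZ.DrcPWt"),
    ProcEvent(3044, 2352, "cmd.exe", r"cmd.exe /c regedit.exe /s %TEMP%\YSqRLNkmok2423403084465319161.reg"),
    ProcEvent(3048, 2352, "taskkill.exe", "taskkill /IM ProcessHacker.exe /T /F"),
    ProcEvent(3224, 2352, "taskkill.exe", "taskkill /IM procexp.exe /T /F"),
    ProcEvent(3024, 2352, "taskkill.exe", "taskkill /IM MsMpEng.exe /T /F"),
    # benign tree (constructed): an updater registered under Program Files, notepad closed
    ProcEvent(900, 4, "explorer.exe", "explorer.exe"),
    ProcEvent(902, 900, "reg.exe", r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "C:\Program Files\Vendor\updater.exe" /f'),
    ProcEvent(901, 900, "taskkill.exe", "taskkill /IM notepad.exe /F"),
]

if __name__ == "__main__":
    for root, r in analyse(SAMPLE_EVENTS).items():
        print(root, r["root_image"], r["verdict"], r["score"], r["hits"], r["killed"])
```

The benign tree is there to show what the rules deliberately ignore: a Run value pointing under Program Files and a single taskkill of a non-security process score nothing, while the sample's tree trips every rule. Scoring per tree rather than per event matters because each taskkill line on its own is unremarkable; it is the count of distinct security tools killed under one root that is the signal.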