popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

JavHa.exe

Malicious Library UPX OS Processor Check PE32 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us March 9, 2023, 10:05 a.m. March 9, 2023, 10:08 a.m.
Size 1.6MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 4adf9b20011bc571b61884f1b630a84a
SHA256 044e62e14faf9e06d2759ac0d62b4c6cb3a103fe287e235c48ab1c64604cfe3a
CRC32 0AB956AE
ssdeep 24576:gncYAIIhJ6Z1NM97KM/th4FosodIWp26ICk95akZPa/S6Dh/aI5:2GJ6q7DQi3dTp2/9gpRaI5
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • OS_Processor_Check_Zero - OS Processor Check
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
ia3vdm9un.85lmau9r6c2tecp
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 1552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 1515520
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003e0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 2949120
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0ddf0000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

Process32NextW

 snapshot_handle: 0x00000064
process_name: pw.exe
process_identifier: 760
1 1 0

Process32NextW

 snapshot_handle: 0x00000064
process_name: sdclt.exe
process_identifier: 660
1 1 0

Process32NextW

 snapshot_handle: 0x00000064
process_name: taskhost.exe
process_identifier: 840
1 1 0

Process32NextW

 snapshot_handle: 0x00000064
process_name: SearchFilterHost.exe
process_identifier: 1696
1 1 0

Process32NextW

 snapshot_handle: 0x00000064
process_name: JavHa.exe
process_identifier: 1552
1 1 0
section {u'size_of_data': u'0x00184800', u'virtual_address': u'0x00001000', u'entropy': 7.90493181984744, u'name': u'.text', u'virtual_size': u'0x00184658'} entropy 7.90493181985 description A section with a high entropy has been found
entropy 0.961931290622 description Overall entropy of this PE file is high
buffer Buffer with sha1: 5c8bd8dfe69161b97c0c7ce2f55a4e74a1fe79a3
Elastic malicious (high confidence)
FireEye Generic.mg.4adf9b20011bc571
McAfee Artemis!4ADF9B20011B
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_70% (W)
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/GenKryptik.GHCR
Cynet Malicious (score: 100)
APEX Malicious
Paloalto generic.ml
Kaspersky UDS:DangerousObject.Multi.Generic
Avast FileRepMalware [Misc]
Emsisoft Trojan.GenericKD.65839359 (B)
McAfee-GW-Edition Artemis!Trojan
Trapmine malicious.moderate.ml.score
Sophos Generic ML PUA (PUA)
Webroot
Gridinsoft Trojan.Win32.Gen.bot
Microsoft Trojan:Win32/Woreflint.A!cl
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData Trojan.GenericKD.65839359
Acronis suspicious
BitDefenderTheta Gen:NN.ZexaF.36308.LvX@aSdD3opG
Cylance unsafe
TrendMicro-HouseCall TrojanSpy.Win32.RHADAMANTHYS.YXDCHZ
Rising Trojan.Kryptik!8.8 (TFE:5:td19bmHh0BM)
MaxSecure Trojan.Malware.300983.susgen
AVG FileRepMalware [Misc]