Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
05.02 03:05
icon-mobile-150x150.pn...
05.02 03:05
gateway-150x150.png.webp
05.02 03:05
icon-3d-150x150.png.webp
05.02 03:05
85c1110b8226b3dc010b62...
05.02 03:05
df38df7d0dbc713217a863...
05.02 03:05
recaptcha__pl.js.pobrane
05.02 03:05
logo-ostrzalka.png.webp
05.02 03:05
19a2c08e3a5784019a5b46...
05.02 03:05
jquery.min.js.pobrane
05.02 03:05
c36007a68cc76cf98a7fb2...

Latest News
05.02 04:05
Lightspeed is Latest F...
05.02 04:05
Whole Foods Union Vict...
05.02 04:05
Understanding the chal...
05.02 04:05
Analyzing CVE-2025-311...
05.02 03:05
Democrats worry DOGE m...
05.02 03:05
Leaders of 764, global...
05.02 03:05
Can Anyone Supplant Jo...
05.02 03:05
[보안기고] 모바일 보안의 본질을 다시 ...
05.02 03:05
What Are Relocations? ...
05.02 03:05
TerraStealerV2 and Ter...

Summary | ZeroBOX

hz.jar

OS Processor Check ZIP Format

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 14, 2024, 1:21 p.m.	Aug. 14, 2024, 1:34 p.m.

Size	5.0MB
Type	Java archive data (JAR)
MD5	`785a5628c056701f9a9a73cb0505d3b0`
SHA256	`c1ec07f116ddf1b8ca83021012852ef45ff7e6f1bd0eaef32c82fe5d5ece6915`
CRC32	`62F11867`
ssdeep	`98304:Ep+GLQqiPDT9RyYyxmNUg1Bx1grkJUAB64RAtYwd3xvV67B:Epd+lHNpgrKfwpyM3xoB`
Yara	zip_file_format - ZIP file format OS_Processor_Check_Zero - OS Processor Check

java.exe "C:\Program Files (x86)\Java\jre1.8.0_131\bin\java.exe" -jar C:\Users\test22\AppData\Local\Temp\hz.jar
1880

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (17 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleA Aug. 14, 2024, 1:21 p.m.	buffer: Error: A JNI error has occurred, please check your installation and try again console_handle: 0x0000000b	1	1	0
WriteConsoleA Aug. 14, 2024, 1:21 p.m.	buffer: Exception console_handle: 0x0000000b	1	1	0
WriteConsoleA Aug. 14, 2024, 1:21 p.m.	buffer: in thread "main" console_handle: 0x0000000b	1	1	0
WriteConsoleA Aug. 14, 2024, 1:21 p.m.	buffer: java.lang.UnsupportedClassVersionError: io/github/luxotick/Start has been compiled by a more recent version of the Java Runtime (class file version 61.0), this version of the Java Runtime only recognizes class file versions up to 52.0 console_handle: 0x0000000b	1	1	0
WriteConsoleA Aug. 14, 2024, 1:21 p.m.	buffer: at java.lang.ClassLoader.defineClass1(Native Method) console_handle: 0x0000000b	1	1	0
WriteConsoleA Aug. 14, 2024, 1:21 p.m.	buffer: at java.lang.ClassLoader.defineClass(Unknown Source) console_handle: 0x0000000b	1	1	0
WriteConsoleA Aug. 14, 2024, 1:21 p.m.	buffer: at java.security.SecureClassLoader.defineClass(Unknown Source) console_handle: 0x0000000b	1	1	0
WriteConsoleA Aug. 14, 2024, 1:21 p.m.	buffer: at java.net.URLClassLoader.defineClass(Unknown Source) console_handle: 0x0000000b	1	1	0
WriteConsoleA Aug. 14, 2024, 1:21 p.m.	buffer: at java.net.URLClassLoader.access$100(Unknown Source) console_handle: 0x0000000b	1	1	0
WriteConsoleA Aug. 14, 2024, 1:21 p.m.	buffer: at java.net.URLClassLoader$1.run(Unknown Source) console_handle: 0x0000000b	1	1	0
WriteConsoleA Aug. 14, 2024, 1:21 p.m.	buffer: at java.net.URLClassLoader$1.run(Unknown Source) console_handle: 0x0000000b	1	1	0
WriteConsoleA Aug. 14, 2024, 1:21 p.m.	buffer: at java.security.AccessController.doPrivileged(Native Method) console_handle: 0x0000000b	1	1	0
WriteConsoleA Aug. 14, 2024, 1:21 p.m.	buffer: at java.net.URLClassLoader.findClass(Unknown Source) console_handle: 0x0000000b	1	1	0
WriteConsoleA Aug. 14, 2024, 1:21 p.m.	buffer: at java.lang.ClassLoader.loadClass(Unknown Source) console_handle: 0x0000000b	1	1	0
WriteConsoleA Aug. 14, 2024, 1:21 p.m.	buffer: at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source) console_handle: 0x0000000b	1	1	0
WriteConsoleA Aug. 14, 2024, 1:21 p.m.	buffer: at java.lang.ClassLoader.loadClass(Unknown Source) console_handle: 0x0000000b	1	1	0
WriteConsoleA Aug. 14, 2024, 1:21 p.m.	buffer: at sun.launcher.LauncherHelper.checkAndLoadMain(Unknown Source) console_handle: 0x0000000b	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 14, 2024, 1:21 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 14, 2024, 1:21 p.m.	stacktrace: exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e exception.instruction: mov eax, dword ptr [esi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2650202 registers.esp: 12253172 registers.edi: 1 registers.eax: 6 registers.ebp: 1950340288 registers.edx: 0 registers.ebx: 133120 registers.esi: 0 registers.ecx: 3405691582	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (18 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 14, 2024, 1:21 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 163840 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02650000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 14, 2024, 1:21 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02678000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 14, 2024, 1:21 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02680000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 14, 2024, 1:21 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02688000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 14, 2024, 1:21 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02690000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 14, 2024, 1:21 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02698000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 14, 2024, 1:21 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a0000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 14, 2024, 1:21 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a8000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 14, 2024, 1:21 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b0000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 14, 2024, 1:21 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b8000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 14, 2024, 1:21 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c0000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 14, 2024, 1:21 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c8000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 14, 2024, 1:21 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d0000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 14, 2024, 1:21 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d8000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 14, 2024, 1:21 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e0000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 14, 2024, 1:21 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e8000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 14, 2024, 1:21 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f0000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 14, 2024, 1:21 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f8000 process_handle: 0xffffffff	1	0	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 14, 2024, 1:21 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x16200000 process_handle: 0xffffffff	1	0	0

File has been identified by 17 AntiVirus engines on VirusTotal as malicious (17 events)

Skyhigh	RDN/Generic PWS.y
ALYac	Java.Trojan.GenericGBA.36136
VIPRE	Java.Trojan.GenericGBA.35954
BitDefender	Java.Trojan.GenericGBA.35954
Arcabit	Java.Trojan.GenericGBA.D8C72 [many]
ESET-NOD32	multiple detections
McAfee	RDN/Generic PWS.y
Avast	Java:Malware-gen [Trj]
Emsisoft	Java.Trojan.GenericGBA.35954 (B)
F-Secure	Malware.JAVA/AVI.Agent.tutjs
FireEye	Java.Trojan.GenericGBA.35954
Google	Detected
Avira	JAVA/AVI.Agent.tutjs
MAX	malware (ai score=87)
GData	Java.Trojan.GenericGBA.36137
Ikarus	Trojan.Java.Spy
AVG	Java:Malware-gen [Trj]