javaw.exe

The executable javaw.exe has been detected as malware by 9 of 68 anti-virus scanners. It is set to start automatically when a user logs into Windows, via the current-user Run registry key, under the value name ‘4348cb5925f5501f5c512527933f663e’ (a 32-hex-digit string rather than a product name). While running, it connects to google-public-dns-a.google.com (8.8.8.8) on TCP port 1199. Two points matter for triage. The filename imitates the Java launcher: a genuine javaw.exe is installed under a JRE or JDK bin directory (older installers also copied it into System32 and SysWOW64) and is digitally signed by its vendor, whereas this sample sits directly in C:\windows. And 8.8.8.8 is Google's public DNS resolver, which a legitimate client contacts on port 53 (or 443/853 for encrypted DNS); a TCP connection to it on port 1199 is anomalous and does not mean Google infrastructure is the command-and-control endpoint.
MD5:
26e98dbc5a1cc8ba3e139635236b4995

SHA-1:
078457918dfdd3c13354ddd40c7cef2d3b7cc27a

SHA-256:
2bcf55d65b14e9fc5ac5405f0bdd1c80a20d43d6cea58d3f1c8080297abb690c

Scanner detections:
9 / 68

Status:
Malware

Analysis date:
12/27/2024 6:33:37 PM UTC

Scan engine           Detection                      Engine version
AhnLab V3 Security    Trojan/Win32.Generic           2014.08.27
Avira AntiVirus       TR/ATRAPS.Gen                  7.11.169.144
Dr.Web                Trojan.PackedENT.24715         9.0.1.0362
ESET NOD32            MSIL/Bladabindi (variant)      8.10323
F-Prot                W32/Zusy.Q.gen                 v6.4.7.1.166
Kaspersky             HEUR:Trojan.Win32.Generic      14.0.0.2728
Malwarebytes          Trojan.Facebook                v2014.12.28.09
Rising Antivirus      PE:Trojan.Injector!6.50        23.00.65.141226
SUPERAntiSpyware      Trojan.Agent/Gen-Zusy          10150

File size:
188 KB (192,512 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\windows\javaw.exe

File PE Metadata
Compilation timestamp:
8/30/2014 12:48:59 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
3072:NREEC2Oi8NXC797F8TBfFvj4bq57HT6dmqoymPQPeCgo:N9C2F8NXC796TB9vj48H+dfeJo

Entry address:
0xFFEF

Entry point:
E8, 12, 5B, 00, 00, E9, A4, FE, FF, FF, 6A, 0C, 68, 38, 11, 42, 00, E8, 67, 0D, 00, 00, 6A, 0E, E8, 68, 02, 00, 00, 59, 83, 65, FC, 00, 8B, 75, 08, 8B, 4E, 04, 85, C9, 74, 2F, A1, F4, 37, 42, 00, BA, F0, 37, 42, 00, 89, 45, E4, 85, C0, 74, 11, 39, 08, 75, 2C, 8B, 48, 04, 89, 4A, 04, 50, E8, D9, E7, FF, FF, 59, FF, 76, 04, E8, D0, E7, FF, FF, 59, 83, 66, 04, 00, C7, 45, FC, FE, FF, FF, FF, E8, 0A, 00, 00, 00, E8, 56, 0D, 00, 00, C3, 8B, D0, EB, C5, 6A, 0E, E8, 33, 01, 00, 00, 59, C3, CC, CC, CC, CC, CC, CC...
 
Entropy:
7.1965

Code size:
102 KB (104,448 bytes)
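Two of the PE values above carry more information than the raw report conveys. The first ten bytes of the entry-point dump, E8 rel32 followed by E9 rel32, are the standard stub MSVC emits at a Win32 entry point (call __security_init_cookie, then jmp __tmainCRTStartup), which fits the linker version 9.0 (Visual Studio 2008) listed above; those bytes identify the compiler runtime, not the malware, and make a poor signature. The entropy of 7.1965 bits per byte, close to the 8.0 maximum, together with Dr.Web's "Packed" naming and ESET's MSIL (.NET) family name on what is a native Win32 PE, is consistent with a native loader wrapping a packed payload that must be unpacked before the real code can be examined. The script below is an added example, not part of the report or any vendor's tooling: it computes byte entropy for constructed calibration buffers and decodes the two rel32 branches of the entry stub using the entry RVA and bytes transcribed from the report. The 7.0 packing threshold is an assumption.

```python
import math
import struct

# Values transcribed from the report above (entry RVA and the first bytes
# of the entry-point dump); the calibration buffers further down are constructed.
ENTRY_RVA = 0xFFEF
ENTRY_BYTES = bytes.fromhex(
    "E8125B0000"       # call rel32
    "E9A4FEFFFF"       # jmp  rel32
    "6A0C6838114200"   # push 0Ch / push 421138h: the next CRT routine begins here
)
REPORTED_ENTROPY = 7.1965


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for
    a buffer in which every byte value is equally frequent."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_packed(entropy: float, threshold: float = 7.0) -> bool:
    """Triage heuristic (the threshold is an assumption, not from the report):
    whole-file entropy at or above about 7 bits/byte usually means compressed
    or encrypted content, i.e. a packer or crypter layer around the real code."""
    return entropy >= threshold


def decode_entry_stub(entry_rva: int, code: bytes):
    """Decode the two rel32 branches MSVC places at a Win32 entry point:
         E8 rel32   call  __security_init_cookie
         E9 rel32   jmp   __tmainCRTStartup
    Returns the RVAs both branches land on, or None if the pattern is absent.
    A rel32 displacement is relative to the address of the *next* instruction."""
    if len(code) < 10 or code[0] != 0xE8 or code[5] != 0xE9:
        return None
    call_rel = struct.unpack_from("<i", code, 1)[0]
    jmp_rel = struct.unpack_from("<i", code, 6)[0]
    return {
        "call": (entry_rva + 5 + call_rel) & 0xFFFFFFFF,
        "jmp": (entry_rva + 10 + jmp_rel) & 0xFFFFFFFF,
    }


# Constructed buffers that calibrate the entropy scale: constant, uniform, English text.
CONSTRUCTED_SAMPLES = {
    "zeros": bytes(4096),
    "uniform": bytes(range(256)) * 16,
    "text": b"The quick brown fox jumps over the lazy dog. " * 100,
}

if __name__ == "__main__":
    for name, buf in CONSTRUCTED_SAMPLES.items():
        print(f"{name:8s} entropy={shannon_entropy(buf):.4f}")
    print(f"report   entropy={REPORTED_ENTROPY} packed={looks_packed(REPORTED_ENTROPY)}")
    stub = decode_entry_stub(ENTRY_RVA, ENTRY_BYTES)
    print(f"entry 0x{ENTRY_RVA:X}: call -> 0x{stub['call']:X}, jmp -> 0x{stub['jmp']:X}")
```

For the report's bytes the call lands at RVA 0x15B06 and the jump at RVA 0xFE9D, just below the entry point, which is where the CRT startup routine normally sits in VS2008 builds. Entropy should be measured per section as well as for the whole file: a packed sample typically shows one near-8.0 section holding the payload next to a low-entropy stub.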

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
4348cb5925f5501f5c512527933f663e

Command:
"C:\windows\javaw.exe"


The file has been observed making the following network connection in live environments.

TCP:
Connects to google-public-dns-a.google.com (8.8.8.8:1199)
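The Startup File and network sections above are the host-side indicators an analyst would sweep for. The script below is an added example, not part of the report or of Reason Core Security's product: it takes the hashes, Run-key value name, file path and remote endpoint transcribed from this page and matches them against the text output of `reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and `netstat -ano`, so it runs on a saved capture from any host. It goes beyond the exact indicators in two ways, both assumptions rather than facts from the report: any javaw.exe started from outside a Java install location is flagged as a masquerade, and any TCP connection to a Google Public DNS address on a port that is not a DNS service port is flagged even if the port differs from 1199. Both command outputs embedded below are constructed, not captured from a real host.

```python
import hashlib
import re

# Indicators transcribed from the report above.
IOC_HASHES = {
    "md5": "26e98dbc5a1cc8ba3e139635236b4995",
    "sha1": "078457918dfdd3c13354ddd40c7cef2d3b7cc27a",
    "sha256": "2bcf55d65b14e9fc5ac5405f0bdd1c80a20d43d6cea58d3f1c8080297abb690c",
}
IOC_RUN_VALUE = "4348cb5925f5501f5c512527933f663e"
IOC_PATH = r"c:\windows\javaw.exe"
IOC_REMOTE = ("8.8.8.8", 1199)

# Assumption, not from the report: where a genuine javaw.exe is installed.
# Sun/Oracle installers place it in a JRE/JDK bin directory; older ones also
# copied it into System32 and SysWOW64. Anything else is treated as a masquerade.
LEGIT_JAVAW = [
    re.compile(r"^[a-z]:\\program files( \(x86\))?\\java\\[^\\]+\\bin\\javaw\.exe$"),
    re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\javaw\.exe$"),
]
GOOGLE_DNS = {"8.8.8.8", "8.8.4.4"}
DNS_PORTS = {53, 443, 853}  # plain DNS, DNS over HTTPS, DNS over TLS


def hash_file_bytes(data: bytes) -> dict:
    """All three digests the report lists, so a file can be compared directly."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in IOC_HASHES}


def match_digests(digests: dict) -> list:
    """Names of the algorithms whose digest equals the report's value."""
    return [alg for alg, value in digests.items() if IOC_HASHES.get(alg) == value.lower()]


# One value line of `reg query HKCU\...\Run` output: name, type, data.
# Value names containing spaces are not handled by this simple pattern.
RUN_LINE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.+?)\s*$")
EXE_IN_DATA = re.compile(r'"([^"]+)"|(\S+)')  # quoted path, else first token


def scan_run_key_output(text: str) -> list:
    """Return (value name, executable, reasons) for every suspicious Run entry."""
    hits = []
    for line in text.splitlines():
        m = RUN_LINE.match(line)
        if not m:
            continue
        name = m["name"]
        exe_m = EXE_IN_DATA.match(m["data"])
        exe = (exe_m.group(1) or exe_m.group(2)).lower()
        reasons = []
        if name.lower() == IOC_RUN_VALUE:
            reasons.append("run value name matches IOC")
        if exe == IOC_PATH:
            reasons.append("command matches IOC path")
        elif exe.endswith("\\javaw.exe") and not any(p.match(exe) for p in LEGIT_JAVAW):
            reasons.append("javaw.exe outside a known Java install location")
        if reasons:
            hits.append((name, exe, reasons))
    return hits


# One TCP row of `netstat -ano` output.
NETSTAT_LINE = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+(?P<remote>[\d.]+):(?P<rport>\d+)\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$"
)


def scan_netstat_output(text: str) -> list:
    """Return (pid, remote ip, remote port, reason) for each suspicious TCP row."""
    hits = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        remote, rport, pid = m["remote"], int(m["rport"]), int(m["pid"])
        if (remote, rport) == IOC_REMOTE:
            hits.append((pid, remote, rport, "matches IOC endpoint"))
        elif remote in GOOGLE_DNS and rport not in DNS_PORTS:
            hits.append((pid, remote, rport, "public DNS resolver contacted on non-DNS port"))
    return hits


# Constructed command output, not captured from a real host.
CONSTRUCTED_REG_QUERY = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    4348cb5925f5501f5c512527933f663e    REG_SZ    "C:\windows\javaw.exe"
    JavaHelper    REG_SZ    "C:\Program Files\Java\jre7\bin\javaw.exe" -jar C:\tools\helper.jar
    Updater    REG_SZ    "C:\Users\alice\AppData\Roaming\javaw.exe"
"""
CONSTRUCTED_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49710     8.8.8.8:1199           ESTABLISHED     4120
  TCP    192.168.1.20:49711     142.250.74.46:443      ESTABLISHED     2200
  TCP    192.168.1.20:49712     8.8.8.8:443            ESTABLISHED     2200
  TCP    192.168.1.20:49713     8.8.4.4:5555           SYN_SENT        4120
"""

if __name__ == "__main__":
    for hit in scan_run_key_output(CONSTRUCTED_REG_QUERY):
        print("RUN", hit)
    for hit in scan_netstat_output(CONSTRUCTED_NETSTAT):
        print("NET", hit)
    print("digests matching the report:", match_digests(IOC_HASHES))
```

On the constructed input the IOC entry is flagged on both name and path, the JavaHelper entry that launches javaw.exe from a JRE bin directory is left alone, and the Updater entry is flagged purely because a javaw.exe under AppData\Roaming is not a Java install location. Of the netstat rows, 8.8.8.8:443 (DNS over HTTPS) passes while 8.8.8.8:1199 and 8.8.4.4:5555 are reported. Hash comparison is split into `hash_file_bytes` and `match_digests` so the matching logic can be exercised without the sample itself.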

Remove javaw.exe - Powered by Reason Core Security