Backdoor.Win32.Androm.jmbe removal guide

Backdoor.Win32.Androm.jmbe is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager process list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.


Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It lets you run a complete scan and clean your PC during the trial period.
A 6-day free trial is available.

What can the Backdoor.Win32.Androm.jmbe virus do?

  • Behavioural detection: Executable code extraction – unpacking
  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Possible date expiration check, exits too soon after checking local time
  • Dynamic (imported) function loading detected
  • Performs HTTP requests potentially not found in PCAP.
  • HTTPS urls from behavior.
  • Enumerates running processes
  • Reads data out of its own binary image
  • CAPE extracted potentially suspicious content
  • Drops a binary and executes it
  • Unconventionial language used in binary resources: Chinese (Simplified)
  • Authenticode signature is invalid
  • Uses Windows utilities for basic functionality
  • Behavioural detection: Injection (Process Hollowing)
  • Executed a process and injected code into it, probably while unpacking
  • Deletes its original binary from disk
  • Behavioural detection: Injection (inter-process)
  • Network activity contains more than one unique useragent.
  • Installs itself for autorun at Windows startup
  • Likely virus infection of existing system binary
  • Checks the presence of disk drives in the registry, possibly for anti-virtualization
  • Attempts to modify proxy settings
  • Collects information to fingerprint the system

How to identify Backdoor.Win32.Androm.jmbe?

File Info:

name: 8111495897BE207BFC51.mlw
path: /opt/CAPEv2/storage/binaries/28905801964a0703608a1671d8c11e1433d6f990225843d28c36825c6070985c
crc32: 3923CCFF
md5: 8111495897be207bfc5117fd784755bb
sha1: b2704ebf9d32ff9a7838f8f93685442cb4b8ca27
sha256: 28905801964a0703608a1671d8c11e1433d6f990225843d28c36825c6070985c
sha512: 0383fb238f5774b80fe73bfa3a57b357111324b60c55ba6e07f7988163631213b8a1b2ebbe7a671bc85c72441419ced0a20dc77c98ccf00db28069efe60c5015
ssdeep: 6144:aX9WDuAUunIwqvlQw+Dw6ymsThLcjsKYiDBe4Sdz66RNrcT+JQUOjn4qoyv7gHJ2:AWDav5+DfymaPaA4gz6gNgT0533HJ2
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T1EEA412272D65D057F222CB31D8AAAFE4A2B7ED031B200AAB97D49D1C7C75F149901F6C
sha3_384: a3f8041e499d0de3e17316b97363d92381fdf513e216c3c924054654d22c39678bd3fb7a9a987eb44c8d64e45f0d6d81
ep_bytes: 558bec6aff68a88a400068a462400064
timestamp: 2016-04-17 16:28:08

Version Info:

Comments:
CompanyName:
FileDescription: Chess
FileVersion: 1, 0, 0, 1
InternalName: Chess
LegalCopyright: Copyright ? 2016
LegalTrademarks:
OriginalFilename: Chess.exe
PrivateBuild:
ProductName: Chess
ProductVersion: 1, 0, 0, 1
SpecialBuild:
Translation: 0x040f 0x04e4

Backdoor.Win32.Androm.jmbe also known as:

Bkav: W32.AIDetect.malware2
Elastic: malicious (high confidence)
MicroWorld-eScan: Trojan.Inject.BBJ
FireEye: Generic.mg.8111495897be207b
CAT-QuickHeal: Ransom.Tescrypt.A4
ALYac: Trojan.Inject.BBJ
Cylance: Unsafe
Zillya: Backdoor.Androm.Win32.34051
K7AntiVirus: Riskware ( 0040eff71 )
K7GW: Riskware ( 0040eff71 )
CrowdStrike: win/malicious_confidence_80% (D)
BitDefenderTheta: Gen:NN.ZexaF.34084.Dq3@a4rmf7eb
Symantec: Ransom.Cryptolocker
ESET-NOD32: a variant of Win32/Injector.CWWE
TrendMicro-HouseCall: TROJ_OBFUSCATOR_FE17047C.UVPM
Kaspersky: Backdoor.Win32.Androm.jmbe
BitDefender: Trojan.Inject.BBJ
NANO-Antivirus: Trojan.Win32.Encoder.elwfza
Avast: Win32:Malware-gen
Tencent: Malware.Win32.Gencirc.10bf8ca7
Ad-Aware: Trojan.Inject.BBJ
Emsisoft: Trojan.Inject.BBJ (B)
Comodo: TrojWare.Win32.Kelihos.CX@6d4269
DrWeb: Trojan.Encoder.4480
VIPRE: Trojan.Win32.Injector.cdgy (v)
TrendMicro: TROJ_OBFUSCATOR_FE17047C.UVPM
McAfee-GW-Edition: Gamarue-FEW!8111495897BE
Sophos: ML/PE-A + Mal/Zbot-UM
APEX: Malicious
Jiangmin: Backdoor.Androm.gsk
Avira: HEUR/AGEN.1126014
Antiy-AVL: Trojan/Generic.ASMalwS.180F502
Microsoft: Trojan:Win32/Sabsik.FL.B!ml
Arcabit: Trojan.Inject.BBJ
ViRobot: Trojan.Win32.Agent.428666
GData: Trojan.Inject.BBJ
Cynet: Malicious (score: 100)
AhnLab-V3: Trojan/Win32.Inject.C1387059
McAfee: Gamarue-FEW!8111495897BE
MAX: malware (ai score=83)
VBA32: BScope.Trojan.Encoder
Malwarebytes: Spyware.Boaxxe
Rising: Trojan.Generic@ML.94 (RDML:jRZoKKMmSk7YmI6pA0qRKA)
Yandex: Trojan.GenAsa!/lBhHpWui3g
Ikarus: Trojan.Win32.Injector
eGambit: Unsafe.AI_Score_99%
Fortinet: W32/Injector.CWWE!tr
AVG: Win32:Malware-gen
Cybereason: malicious.897be2
Panda: Trj/Genetic.gen

How to remove Backdoor.Win32.Androm.jmbe?

Backdoor.Win32.Androm.jmbe removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • “Move to quarantine” all items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the proper browser and options, then click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.