Malware Analysis Report

2025-08-10 12:05

Sample ID 240222-ymd11aeh69
Target battlyclient.zip
SHA256 24a053d6cc502fd913a382b1678621c80fbab6a1d449ea8cfe2b3fe8b4b64ae0
Tags discovery
Score 7/10

Analysis Overview

Score 7/10

SHA256 24a053d6cc502fd913a382b1678621c80fbab6a1d449ea8cfe2b3fe8b4b64ae0

Threat Level: Shows suspicious behavior

The file battlyclient.zip was found to show suspicious behavior.

Malicious Activity Summary

discovery

Modifies file permissions

Unsigned PE

Suspicious use of WriteProcessMemory

Note on the behavioral hits: every "Modifies file permissions" and "Suspicious use of WriteProcessMemory" signature in this report comes from one and the same event, repeated in each Windows 10 run: java.exe launches icacls.exe to grant Everyone modify access, with object and container inheritance, on C:\ProgramData\Oracle\Java\.oracle_jre_usage, and a 3903daac9bc4a3b7.timestamp file is written there. The WriteProcessMemory entries are java.exe writing into the icacls.exe child it has just created. That directory belongs to the Oracle JRE's usage tracker, which the JRE itself populates on launch, so the behavior is a property of the runtime rather than of the submitted JARs and should be weighed as a low-confidence indicator. The Windows 7 runs record no signatures at all, and none of the runs records traffic to any host other than 8.8.8.8 (DNS, almost entirely reverse in-addr.arpa lookups) and g.bing.com.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-22 19:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-02-22 19:53

Reported

2024-02-22 20:18

Platform

win7-20240221-en

Max time kernel

118s

Max time network

124s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\paulscode\soundsystem\20120107\soundsystem-20120107.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\paulscode\soundsystem\20120107\soundsystem-20120107.jar

Network

N/A

Files

memory/1720-9-0x00000000022E0000-0x00000000052E0000-memory.dmp

memory/1720-10-0x0000000000120000-0x0000000000121000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-02-22 19:53

Reported

2024-02-22 20:18

Platform

win10v2004-20240221-en

Max time kernel

91s

Max time network

120s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\commons-io\commons-io\2.4\commons-io-2.4.jar

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4692 wrote to memory of 1708 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 4692 wrote to memory of 1708 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\commons-io\commons-io\2.4\commons-io-2.4.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 190.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

memory/4692-4-0x000001F8E96D0000-0x000001F8EA6D0000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 fab15103d1eed429837a6d425bec0d61
SHA1 3ad3cc6c0ea60e3d76a2a121d7efec384839816a
SHA256 298f4a7f57c211790857c955476191328c1b0585d3d2b36ac920f2abc02a0517
SHA512 e5f5cd3de48f8b743db4b5fed18b17dc243b74523efe98f5e7a4c738f3d25f304f5c1f3e4ce08674d3c12faef45408a7ba7b06cfc9cf5aa8761dd60b4e900a19

memory/4692-12-0x000001F8E96B0000-0x000001F8E96B1000-memory.dmp
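The icacls invocation above is the single behavior behind both of this run's signatures. The following Python script is added here as an editor's example; it is not part of the sandbox's tooling or of the analyzed sample. It parses icacls command lines of the kind shown in this report, extracts the target, principal, inheritance flags and rights, and separates the JRE usage-tracker grant (allowlisted by its exact path and the exact rights seen here, an assumption of this example) from any other grant of write-capable rights to a broad principal. The first command line in the sample list is copied from this report; the other icacls lines are constructed for illustration.

```python
"""Triage helper: parse icacls command lines from sandbox process logs and flag
grants of write-capable rights to broad principals.

Added example (not part of the sandbox or the analyzed sample). The first
icacls command line below is copied from this report; the others are constructed.
"""
import re

# Assumption of this example: the Oracle JRE usage-tracker directory is allowlisted
# only for the exact grant seen in the report (Everyone, (OI)(CI), Modify).
JRE_USAGE_DIR = r"c:\programdata\oracle\java\.oracle_jre_usage"

# Principals that cover every (or nearly every) account on the host.
BROAD_PRINCIPALS = {
    "everyone", "s-1-1-0",                      # Everyone
    "users", "builtin\\users", "s-1-5-32-545",  # local Users group
    "authenticated users", "s-1-5-11",
}
# icacls inheritance flags; anything else inside parentheses is a right.
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# Simple and specific rights that allow changing the object, its ACL or its owner.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "DC", "WDAC", "WO", "GA", "GW"}

SEVERITY = {"narrow": 0, "benign_jre_usage_tracker": 1, "suspicious_broad_write": 2}

SAMPLE_CMDLINES = [
    # from this report (behavioral26, PID 1708)
    r'C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M',
    # constructed: same shape, different directory, Full control
    r'C:\Windows\system32\icacls.exe C:\Windows\Temp\stage /grant "everyone":(OI)(CI)F',
    # constructed: broad principal but read-only rights
    r'icacls C:\Users\Admin\Documents /grant Users:R',
    # from this report: not an icacls invocation at all
    r'java -jar C:\Users\Admin\AppData\Local\Temp\libraries\commons-io\commons-io\2.4\commons-io-2.4.jar',
]


def _tokens(cmdline):
    """Split a Windows command line on whitespace, keeping quoted runs together."""
    return [t.replace('"', "") for t in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline)]


def _parse_perm(tok):
    """Parse one icacls permission spec such as everyone:(OI)(CI)M or *S-1-1-0:F."""
    principal, _, spec = tok.rpartition(":")
    inherit, rights = set(), set()
    for group in re.findall(r"\(([^)]*)\)", spec):
        for flag in group.split(","):
            (inherit if flag in INHERIT_FLAGS else rights).add(flag)
    for right in re.sub(r"\([^)]*\)", "", spec).split(","):
        if right:
            rights.add(right)
    return {"principal": principal.lstrip("*").lower(), "inherit": inherit, "rights": rights}


def parse_icacls(cmdline):
    """Return {'target': path, 'grants': [...]} for an icacls command line, else None."""
    toks = _tokens(cmdline)
    if not toks or re.split(r"[\\/]", toks[0])[-1].lower() not in ("icacls", "icacls.exe"):
        return None
    target = toks[1] if len(toks) > 1 and not toks[1].startswith("/") else None
    grants, i = [], 2
    while i < len(toks):
        if toks[i].lower() in ("/grant", "/grant:r"):
            i += 1
            while i < len(toks) and not toks[i].startswith("/"):
                grants.append(_parse_perm(toks[i]))
                i += 1
        else:
            i += 1
    return {"target": target, "grants": grants}


def classify(cmdline):
    """Map a command line to not_icacls, narrow, benign_jre_usage_tracker or suspicious_broad_write."""
    parsed = parse_icacls(cmdline)
    if parsed is None:
        return "not_icacls"
    target = (parsed["target"] or "").lower().rstrip("\\")
    verdicts = ["narrow"]
    for g in parsed["grants"]:
        if g["principal"] in BROAD_PRINCIPALS and g["rights"] & WRITE_RIGHTS:
            if target == JRE_USAGE_DIR and g["rights"] == {"M"}:
                verdicts.append("benign_jre_usage_tracker")
            else:
                verdicts.append("suspicious_broad_write")
    return max(verdicts, key=SEVERITY.get)


def scan(cmdlines):
    """Classify every command line, keep the icacls ones, and order them worst first."""
    hits = [(classify(c), c) for c in cmdlines if classify(c) != "not_icacls"]
    return sorted(hits, key=lambda h: -SEVERITY[h[0]])


if __name__ == "__main__":
    for verdict, cmdline in scan(SAMPLE_CMDLINES):
        print(f"{verdict:26} {cmdline}")
```

Run over the process command lines of a sandbox report, the script reports the usage-tracker grant as benign while still surfacing any other Everyone/Users grant of Modify or Full control, which is the distinction a detection rule keyed only on "icacls /grant everyone" cannot make.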

Analysis: behavioral32

Detonation Overview

Submitted

2024-02-22 19:53

Reported

2024-02-22 20:18

Platform

win10v2004-20240221-en

Max time kernel

146s

Max time network

160s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\io\netty\netty-all\4.0.23.Final\netty-all-4.0.23.Final.jar

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3048 wrote to memory of 2516 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 3048 wrote to memory of 2516 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\io\netty\netty-all\4.0.23.Final\netty-all-4.0.23.Final.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network

Country Destination Domain Proto
US 8.8.8.8:53 148.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 163.126.19.2.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp

Files

memory/3048-4-0x000001BE9BDA0000-0x000001BE9CDA0000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 713e8a06067e83f3672d319aecff7483
SHA1 c506b681769f246a0aefefc04a069619a4c57bd2
SHA256 e2a57e1562ef8cbba0dd9e3b055631562b1cb36e7b83d58f7f48d0a9a4f528c5
SHA512 3bee28eb00cc687cd66b55a6b6494431e23505798f5499354670ac4635321a8c70d2df88b037d674f4b83df131be463b273bedd09b375c9fbf126eca8860d12c

memory/3048-12-0x000001BE9BD80000-0x000001BE9BD81000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-22 19:53

Reported

2024-02-22 20:18

Platform

win7-20240221-en

Max time kernel

119s

Max time network

121s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\google\code\gson\gson\2.2.4\gson-2.2.4.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\google\code\gson\gson\2.2.4\gson-2.2.4.jar

Network

N/A

Files

memory/2964-6-0x0000000002450000-0x0000000005450000-memory.dmp

memory/2964-10-0x0000000000240000-0x0000000000241000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-22 19:53

Reported

2024-02-22 20:18

Platform

win7-20240221-en

Max time kernel

119s

Max time network

125s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\google\guava\guava\17.0\guava-17.0.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\google\guava\guava\17.0\guava-17.0.jar

Network

N/A

Files

memory/2500-2-0x00000000022C0000-0x00000000052C0000-memory.dmp

memory/2500-10-0x0000000000130000-0x0000000000131000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-02-22 19:53

Reported

2024-02-22 20:18

Platform

win10v2004-20240221-en

Max time kernel

146s

Max time network

153s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\commons-codec\commons-codec\1.9\commons-codec-1.9.jar

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3824 wrote to memory of 1988 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 3824 wrote to memory of 1988 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\commons-codec\commons-codec\1.9\commons-codec-1.9.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network

Country Destination Domain Proto
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

memory/3824-4-0x00000261AC4E0000-0x00000261AD4E0000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 a1b786efc64f4027987de1933d259a3e
SHA1 6f1865b9bcac7eb857cec30fc6a87010770a8b4b
SHA256 b3e4a54696426f2a6f950faafd78d7c25bd52d1ca76b4f14f6bb775415f4f446
SHA512 e7ebbc7e8183e5dc3afd2868f1b053803e16bf76e429be39441c46e23714ce690dcd805cbdb677b48a06ab97733f99d397721db3a6c651549cfe4364fa895bd1

memory/3824-12-0x00000261AC4C0000-0x00000261AC4C1000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-02-22 19:53

Reported

2024-02-22 20:18

Platform

win10v2004-20240221-en

Max time kernel

141s

Max time network

159s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\io\github\battlyclient\wrapper\2.0.0\wrapper-2.0.0.jar

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1056 wrote to memory of 5028 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 1056 wrote to memory of 5028 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\io\github\battlyclient\wrapper\2.0.0\wrapper-2.0.0.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

memory/1056-2-0x000002040DE70000-0x000002040EE70000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 396405f3847f3b4407afe433c86a3081
SHA1 2c8346bec1bfceb20bc5701fde521f9bd1635706
SHA256 26ba73c854e7938be189495d63df55f65d9a2e3d2b24d63b3ed3aaf8a897bed8
SHA512 a845645e33ae950816e137eb14a78900e8c285e7a3f8e0a68c8fed161c6ba661fe36adac72561dfcb2212f2c2c32a76968df4c6d4c17a4a9f39e77d345bce1d1

memory/1056-12-0x000002040C650000-0x000002040C651000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-02-22 19:53

Reported

2024-02-22 20:18

Platform

win7-20240221-en

Max time kernel

119s

Max time network

126s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\mojang\authlib\1.5.21\authlib-1.5.21.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\mojang\authlib\1.5.21\authlib-1.5.21.jar

Network

N/A

Files

memory/1740-7-0x00000000020C0000-0x00000000050C0000-memory.dmp

memory/1740-10-0x0000000000220000-0x0000000000221000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-02-22 19:53

Reported

2024-02-22 20:18

Platform

win7-20240220-en

Max time kernel

120s

Max time network

122s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\mojang\netty\1.8.8\netty-1.8.8.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\mojang\netty\1.8.8\netty-1.8.8.jar

Network

N/A

Files

memory/1892-8-0x00000000025C0000-0x00000000055C0000-memory.dmp

memory/1892-10-0x0000000000240000-0x0000000000241000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-02-22 19:53

Reported

2024-02-22 20:18

Platform

win7-20240221-en

Max time kernel

122s

Max time network

126s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\paulscode\codecwav\20101023\codecwav-20101023.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\paulscode\codecwav\20101023\codecwav-20101023.jar

Network

N/A

Files

memory/1948-3-0x0000000002740000-0x0000000005740000-memory.dmp

memory/1948-10-0x0000000000240000-0x0000000000241000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-02-22 19:53

Reported

2024-02-22 20:18

Platform

win10v2004-20240221-en

Max time kernel

93s

Max time network

120s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\ibm\icu\icu4j-core-mojang\51.2\icu4j-core-mojang-51.2.jar

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2236 wrote to memory of 4724 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 2236 wrote to memory of 4724 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\ibm\icu\icu4j-core-mojang\51.2\icu4j-core-mojang-51.2.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

memory/2236-4-0x000002E9D48D0000-0x000002E9D58D0000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 e04c86c7ca9fd7cd6e87c55b416af301
SHA1 c19739e120380940077561a50b9215ad1f663649
SHA256 bb71106cfeb6794498c753bc6770e2e55f70e09345ed72da1db0cf79e75d8e89
SHA512 4fab7f4c6992b85ec3bd3c976eef0e40fa3a04485343b2fccb60c5853be6a37466f8e4899e0f1450147a2a343d7573ca1fa5d5a5e980ae8d46b15e7ab920f0ba

memory/2236-13-0x000002E9D3000000-0x000002E9D3001000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-02-22 19:53

Reported

2024-02-22 20:18

Platform

win7-20240221-en

Max time kernel

117s

Max time network

124s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\commons-codec\commons-codec\1.9\commons-codec-1.9.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\commons-codec\commons-codec\1.9\commons-codec-1.9.jar

Network

N/A

Files

memory/2368-6-0x0000000002140000-0x0000000005140000-memory.dmp

memory/2368-10-0x0000000000320000-0x0000000000321000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-02-22 19:53

Reported

2024-02-22 20:18

Platform

win10v2004-20240221-en

Max time kernel

148s

Max time network

152s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\commons-logging\commons-logging\1.1.3\commons-logging-1.1.3.jar

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1628 wrote to memory of 976 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 1628 wrote to memory of 976 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\commons-logging\commons-logging\1.1.3\commons-logging-1.1.3.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 152.78.101.95.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 191.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 48.192.11.51.in-addr.arpa udp

Files

memory/1628-4-0x000001F980000000-0x000001F981000000-memory.dmp

memory/1628-11-0x000001F9F0F60000-0x000001F9F0F61000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 1f5014cdbd992ac8653dedee2d4a4f07
SHA1 980b51454a5c4790e6fce40fc93b71129822f368
SHA256 24fdde59000c6bc1d2e11a850e15e18636c928a10d9ec8197e44e0b0109788f2
SHA512 d7411fb157c6fa5865087b94ed4616b4a8aad4070a3784b573c04d07536f67aeec5e1a606542a07ac636995265b45d236b105a594ebe8f312db17bc4b8dabf3d

Analysis: behavioral29

Detonation Overview

Submitted

2024-02-22 19:53

Reported

2024-02-22 20:18

Platform

win7-20240221-en

Max time kernel

120s

Max time network

128s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\io\github\battlyclient\wrapper\2.0.0\wrapper-2.0.0.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\io\github\battlyclient\wrapper\2.0.0\wrapper-2.0.0.jar

Network

N/A

Files

memory/1704-2-0x0000000002040000-0x0000000005040000-memory.dmp

memory/1704-10-0x0000000001C50000-0x0000000001C51000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-02-22 19:53

Reported

2024-02-22 20:18

Platform

win7-20240221-en

Max time kernel

120s

Max time network

122s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\commons-logging\commons-logging\1.1.3\commons-logging-1.1.3.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\commons-logging\commons-logging\1.1.3\commons-logging-1.1.3.jar

Network

N/A

Files

memory/1712-6-0x00000000025B0000-0x00000000055B0000-memory.dmp

memory/1712-10-0x0000000000150000-0x0000000000151000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-02-22 19:53

Reported

2024-02-22 20:18

Platform

win7-20240221-en

Max time kernel

118s

Max time network

121s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\paulscode\codecjorbis\20101023\codecjorbis-20101023.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\paulscode\codecjorbis\20101023\codecjorbis-20101023.jar

Network

N/A

Files

memory/2144-6-0x0000000002540000-0x0000000005540000-memory.dmp

memory/2144-10-0x0000000000150000-0x0000000000151000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-02-22 19:53

Reported

2024-02-22 20:18

Platform

win10v2004-20240221-en

Max time kernel

147s

Max time network

156s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\paulscode\libraryjavasound\20101123\libraryjavasound-20101123.jar

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4932 wrote to memory of 60 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 4932 wrote to memory of 60 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\paulscode\libraryjavasound\20101123\libraryjavasound-20101123.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

memory/4932-2-0x000001E7AA7F0000-0x000001E7AB7F0000-memory.dmp

memory/4932-11-0x000001E7AA7D0000-0x000001E7AA7D1000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 6aa71c162226bcc41537a030457bcec0
SHA1 75dd5a8c33d1df72c84e3f3ccbfdf2c8ec137ce6
SHA256 e8363e682fa618f59e0b6c931cee7e1bf07aaa948c5b3b2bfdddda72d5d8d387
SHA512 db884efa974bcb9471449464c2e57dbb966b84cf37eab0192cf3d718d529b59e71b1d06eee182a45d47fa30e1f0abc76dff3e9a4be8171553852bb422616ea36

memory/4932-13-0x000001E7AA7F0000-0x000001E7AB7F0000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-02-22 19:53

Reported

2024-02-22 20:18

Platform

win10v2004-20240221-en

Max time kernel

147s

Max time network

150s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\paulscode\codecjorbis\20101023\codecjorbis-20101023.jar

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4064 wrote to memory of 3708 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 4064 wrote to memory of 3708 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\paulscode\codecjorbis\20101023\codecjorbis-20101023.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/4064-4-0x0000017D81410000-0x0000017D82410000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 82cb1eb387e9b3abb212ba4237b7007a
SHA1 68b9c5c28c5325e574ffca7b08b25585a99c8390
SHA256 f9b6f9844e5fc105a1b29828b1809d4ba26ca738e29ef35fe4b0cb6be12b2723
SHA512 aef6af4fac311fdef2e528a4b4926a4126be257b7cbae6fd038de5c312b21f98558c5d669f588a01846ec8c9f8f656b5507084601df14a9dd4a6bd1035ed75ab

memory/4064-12-0x0000017DFF820000-0x0000017DFF821000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-02-22 19:53

Reported

2024-02-22 20:18

Platform

win10v2004-20240221-en

Max time kernel

147s

Max time network

160s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\paulscode\soundsystem\20120107\soundsystem-20120107.jar

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3232 wrote to memory of 2964 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 3232 wrote to memory of 2964 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\paulscode\soundsystem\20120107\soundsystem-20120107.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network

Country Destination Domain Proto
US 8.8.8.8:53 152.78.101.95.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 195.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp

Files

memory/3232-4-0x0000025446120000-0x0000025447120000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 b6ed51cbc00e991ef28f7bab79350129
SHA1 de58c3b8c27565feefb84f303c3a0be5fe1cf0a5
SHA256 62853665e141c6b4f7704af3379999c73dd88746225393810751191f331d4a20
SHA512 f8dbe94cd4257e1113f362b4a88b9eb8fa6d6126046a606943443b15d798444048a0b3b79da44973160e1b0c07b3835ec70d0bd4e7f61467880bba5b01622a76

memory/3232-12-0x0000025446100000-0x0000025446101000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-02-22 19:53

Reported

2024-02-22 20:18

Platform

win7-20240221-en

Max time kernel

121s

Max time network

127s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\io\netty\netty-all\4.0.23.Final\netty-all-4.0.23.Final.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\io\netty\netty-all\4.0.23.Final\netty-all-4.0.23.Final.jar

Network

N/A

Files

memory/2944-8-0x0000000002030000-0x0000000005030000-memory.dmp

memory/2944-10-0x0000000001B50000-0x0000000001B51000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-02-22 19:53

Reported

2024-02-22 20:18

Platform

win10v2004-20240221-en

Max time kernel

138s

Max time network

158s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\mojang\realms\1.7.59\realms-1.7.59.jar

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3508 wrote to memory of 1860 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 3508 wrote to memory of 1860 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\mojang\realms\1.7.59\realms-1.7.59.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

memory/3508-2-0x000001CCEFA90000-0x000001CCF0A90000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 8fc3c1d43ad8d91ebcfd497fc31cba77
SHA1 15043bba93bbe51f9be91fe04814b9832318ad1d
SHA256 856c5e95bbbd95eb4ff21e5252fd3eda59c5f26006b66ea69f0e8a5bf2a8b672
SHA512 f8c1b48e47dd77c0abd2585f7203536f3974a4ca39decc3e166b3923978176e8d6955f8dba21b53522a19d7e5f7e0911e4f2da4e97de8d226ff61892ccd5fb62

memory/3508-12-0x000001CCEFA70000-0x000001CCEFA71000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-02-22 19:53

Reported

2024-02-22 20:18

Platform

win10v2004-20240221-en

Max time kernel

90s

Max time network

121s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\paulscode\codecwav\20101023\codecwav-20101023.jar

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2360 wrote to memory of 3036 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 2360 wrote to memory of 3036 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\paulscode\codecwav\20101023\codecwav-20101023.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 203.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/2360-4-0x000001CC09EE0000-0x000001CC0AEE0000-memory.dmp

memory/2360-11-0x000001CC086B0000-0x000001CC086B1000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 78c9f9734090b7cc27ac4409d6b980ae
SHA1 ccff4678b3958edf70747ccf6e4105bf8ecd2215
SHA256 3a06719397988caadb18e808deca3bc0b1e0a4d4936f898a4d3f6d2444439671
SHA512 144330c82b26056e6e7f1c8d7fa656f8d75fd3c19caf962acfeabde5de284739136e462a1d5200e2a72321f8f3ca83f491ae1b1cab12cded412d894d2315a8bb

Analysis: behavioral17

Detonation Overview

Submitted

2024-02-22 19:53

Reported

2024-02-22 20:18

Platform

win7-20240215-en

Max time kernel

118s

Max time network

120s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\paulscode\libraryjavasound\20101123\libraryjavasound-20101123.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\paulscode\libraryjavasound\20101123\libraryjavasound-20101123.jar

Network

N/A

Files

memory/2876-6-0x0000000002680000-0x0000000005680000-memory.dmp

memory/2876-10-0x0000000001C70000-0x0000000001C71000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-02-22 19:53

Reported

2024-02-22 20:18

Platform

win10v2004-20240221-en

Max time kernel

90s

Max time network

158s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\paulscode\librarylwjglopenal\20100824\librarylwjglopenal-20100824.jar

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1484 wrote to memory of 1464 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 1484 wrote to memory of 1464 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\paulscode\librarylwjglopenal\20100824\librarylwjglopenal-20100824.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/1484-4-0x0000020736520000-0x0000020737520000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 24e722166619b63072ee16c0079c1c46
SHA1 c82e3cd50e710b4c2d9d3bb4fa9dd85e90cefd5f
SHA256 4ffea53a8a9090251b9b9f16cd64bf7f487a08f18ffc081bd09ec5c5e554d8f8
SHA512 6bdb848d90e919c63274de7398932b432b1e10f2ade6aa73636cc530e099ae06b9c539b07e4eb8f84b5216c7ebc15b125a5e94305f10cec77a28eb38cc074547

memory/1484-11-0x0000020734C50000-0x0000020734C51000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-02-22 19:53

Reported

2024-02-22 20:18

Platform

win7-20240221-en

Max time kernel

120s

Max time network

123s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\commons-io\commons-io\2.4\commons-io-2.4.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\commons-io\commons-io\2.4\commons-io-2.4.jar

Network

N/A

Files

memory/2924-9-0x0000000002410000-0x0000000005410000-memory.dmp

memory/2924-10-0x0000000000350000-0x0000000000351000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-22 19:53

Reported

2024-02-22 20:18

Platform

win10v2004-20240221-en

Max time kernel

149s

Max time network

154s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\google\code\gson\gson\2.2.4\gson-2.2.4.jar

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1204 wrote to memory of 4984 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 1204 wrote to memory of 4984 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\google\code\gson\gson\2.2.4\gson-2.2.4.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 203.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 74.192.122.92.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp

Files

memory/1204-4-0x000002B25D580000-0x000002B25E580000-memory.dmp

memory/1204-11-0x000002B25D560000-0x000002B25D561000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 fa5d50291836204bc58a88ad42264f86
SHA1 52401cb2fa2a69a97680aefccdda1e527dcbcbdd
SHA256 cdaa8bbfac2718774ec4796030bd1c0d9d14cf26f7822fda77ad384818178f0e
SHA512 458d4eac2fb6e5c5fb6fc8a90d698dc96ba0f137466b91bda90a91e06c1edfa333285a1aa5fbaee89892a0671e3723b668ebc237d1172b891f8d45f587cace19

memory/1204-13-0x000002B25D580000-0x000002B25E580000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-22 19:53

Reported

2024-02-22 20:18

Platform

win10v2004-20240221-en

Max time kernel

144s

Max time network

152s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\google\guava\guava\17.0\guava-17.0.jar

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1224 wrote to memory of 4268 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 1224 wrote to memory of 4268 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\google\guava\guava\17.0\guava-17.0.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 74.192.122.92.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp

Files

memory/1224-2-0x000002B3C1810000-0x000002B3C2810000-memory.dmp

memory/1224-12-0x000002B3C0040000-0x000002B3C0041000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 579cc68b98575c7071825e0dff40bf0d
SHA1 a3aa7820cc3574aa1807e042b8efafbcf5fd155a
SHA256 dcde74ec417d6cc06c266da62933f455cdd7128e29f37b5b258558775d816161
SHA512 4bea9a61e0700e9b395ea2dc4380869e1145ef8fd64f4ed024e7ca2e694d7385e516f8315e435643a5e73b041c6a8fbfa3a081705e4f634b6197918d86899abc

Analysis: behavioral10

Detonation Overview

Submitted

2024-02-22 19:53

Reported

2024-02-22 20:18

Platform

win10v2004-20240221-en

Max time kernel

144s

Max time network

151s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\mojang\netty\1.8.8\netty-1.8.8.jar

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4864 wrote to memory of 4564 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 4864 wrote to memory of 4564 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\mojang\netty\1.8.8\netty-1.8.8.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

memory/4864-4-0x00000261C7490000-0x00000261C8490000-memory.dmp

memory/4864-11-0x00000261C7470000-0x00000261C7471000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 f0b4cfba0c1fb107974f595aa02f66f4
SHA1 c9d5002aca517fbfff1c7def8d493891b1df20b9
SHA256 18520d8597cd01b5453aacd1babf6aff1bc6e24cbe48ac2645f70a783518a42c
SHA512 df8690c031bd0055a598e70a3931aac2d995ba1a56885b4e98f3cac1e1ef1abdb50c6f71da3d58e84dfcbd8cf4f242ff65243bb00c586fa21a287f5919f07b16

Analysis: behavioral5

Detonation Overview

Submitted

2024-02-22 19:53

Reported

2024-02-22 20:18

Platform

win7-20240221-en

Max time kernel

122s

Max time network

128s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\ibm\icu\icu4j-core-mojang\51.2\icu4j-core-mojang-51.2.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\ibm\icu\icu4j-core-mojang\51.2\icu4j-core-mojang-51.2.jar

Network

N/A

Files

memory/1768-8-0x00000000023B0000-0x00000000053B0000-memory.dmp

memory/1768-11-0x0000000000130000-0x0000000000131000-memory.dmp

memory/1768-12-0x0000000000130000-0x0000000000131000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-02-22 19:53

Reported

2024-02-22 20:18

Platform

win10v2004-20240221-en

Max time kernel

148s

Max time network

151s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\mojang\authlib\1.5.21\authlib-1.5.21.jar

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1836 wrote to memory of 1096 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 1836 wrote to memory of 1096 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\mojang\authlib\1.5.21\authlib-1.5.21.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 172.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp

Files

memory/1836-4-0x000001F920160000-0x000001F921160000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 9ce141c29a374da9f0ba1be1f00ce8ac
SHA1 4671c21887088adb2e84aa50173deb2f79d2f7cd
SHA256 61d0809b1481c42dbd8659f072f5c5041c85ea7fad72da834c1dfd914d185e94
SHA512 f6226f605340acca3e9baf2b4c191083ca138946df0ced061d5747d060dc369b3ff4696d559447cc7f7848f250d28588b6bc9e6eb24f5d54c21de9754bf380ad

memory/1836-12-0x000001F91E890000-0x000001F91E891000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-02-22 19:53

Reported

2024-02-22 20:18

Platform

win7-20240221-en

Max time kernel

121s

Max time network

130s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\mojang\realms\1.7.59\realms-1.7.59.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\mojang\realms\1.7.59\realms-1.7.59.jar

Network

N/A

Files

memory/1052-6-0x0000000002300000-0x0000000005300000-memory.dmp

memory/1052-10-0x00000000001B0000-0x00000000001B1000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-02-22 19:53

Reported

2024-02-22 20:18

Platform

win7-20240221-en

Max time kernel

122s

Max time network

129s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\paulscode\librarylwjglopenal\20100824\librarylwjglopenal-20100824.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\libraries\com\paulscode\librarylwjglopenal\20100824\librarylwjglopenal-20100824.jar

Network

N/A

Files

memory/1352-9-0x0000000002160000-0x0000000005160000-memory.dmp

memory/1352-10-0x0000000000240000-0x0000000000241000-memory.dmp