Analysis
max time kernel: 142s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/02/2024, 20:51
Static task: static1
Behavioral task: behavioral1
  Sample: sodium-fabric-0.5.8+mc1.20.4.jar
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: sodium-fabric-0.5.8+mc1.20.4.jar
  Resource: win10v2004-20240221-en
General
Target: sodium-fabric-0.5.8+mc1.20.4.jar
Size: 926KB
MD5: d7753a50ca37f50abb10465a9a425dac
SHA1: 4c38d7b01660a27a98406767c613b3f28b6c9dfe
SHA256: 3c363ec0122157f65e55a8edf6545a60955091387cd0e94b3ecdcd64a93284f7
SHA512: bd00b956bde1205171e744a6a3780e835fb6928eb667fb2b56467818c979fb1e8c82561380a71a7dbfa1516cd4b6cf9087ca99f1ae066da6d65af2c828b8d554
SSDEEP: 12288:HRlp9km8TImzD/jTpoekCBvkOQlMA/ArbbT4XI0cJqjwaanN3DfypWoBw+lE9kZr:H7wD/j19kRMAYPecJq0aanpypFBw10r
Malware Config
Signatures

Modifies file permissions (1 TTPs, 1 IoCs)
  pid   Process
  2700  icacls.exe

Drops file in Program Files directory (12 IoCs)
  description                   ioc                                                             Process
  File opened for modification  C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb            java.exe
  File opened for modification  C:\Program Files\Java\jre-1.8\bin\jvm.pdb                       java.exe
  File opened for modification  C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb           java.exe
  File opened for modification  C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb          java.exe
  File opened for modification  C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb         java.exe
  File opened for modification  C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb                java.exe
  File opened for modification  C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb    java.exe
  File opened for modification  C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb                   java.exe
  File opened for modification  C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb              java.exe
  File opened for modification  C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb  java.exe
  File opened for modification  C:\Program Files\Java\jre-1.8\bin\ntdll.pdb                     java.exe
  File opened for modification  C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb                 java.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  4488  java.exe
  4488  java.exe
  4488  java.exe
  4488  java.exe

Suspicious use of WriteProcessMemory (2 IoCs)
  description                       pid   Process   procid_target
  PID 4488 wrote to memory of 2700  4488  java.exe  88
  PID 4488 wrote to memory of 2700  4488  java.exe  88
Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  Command line: java -jar C:\Users\Admin\AppData\Local\Temp\sodium-fabric-0.5.8+mc1.20.4.jar
  PID: 4488
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\icacls.exe (child of PID 4488)
    Command line: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    PID: 2700
    - Modifies file permissions
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 46B
MD5: 47de062fccb008479425f2bddc130fa9
SHA1: 97e81a1188427088c09f868fdc5c703478d378f3
SHA256: b263d9f505c978469641950e041f61a124c162ebe339247baa8fed06b38a576f
SHA512: 8a143006b743ee0ed1fe8265df2c0e9f877969cc440bf1ed8939e3ac3f5e86e8d9d6d9ecd3e40ff6898b70d577582a630d7e39f45e5aa0c901f1eaf3c3d7eb2c