Malware Analysis Report

2025-08-10 12:05

Sample ID: 240222-znjtbafa7v
Target: sodium-fabric-0.5.8+mc1.20.4.jar
SHA256: 3c363ec0122157f65e55a8edf6545a60955091387cd0e94b3ecdcd64a93284f7
Tags: discovery
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: 3c363ec0122157f65e55a8edf6545a60955091387cd0e94b3ecdcd64a93284f7

Threat Level: Shows suspicious behavior

The file sodium-fabric-0.5.8+mc1.20.4.jar was classified as showing suspicious behavior.

Malicious Activity Summary

discovery

Modifies file permissions

Drops file in Program Files directory

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-22 20:51

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-22 20:51
Reported: 2024-02-22 20:54
Platform: win10v2004-20240221-en
Max time kernel: 142s
Max time network: 151s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\sodium-fabric-0.5.8+mc1.20.4.jar

Signatures

Modifies file permissions

Tags: discovery

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jvm.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ntdll.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4488 wrote to memory of 2700 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe
PID 4488 wrote to memory of 2700 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  Command line: java -jar C:\Users\Admin\AppData\Local\Temp\sodium-fabric-0.5.8+mc1.20.4.jar

C:\Windows\system32\icacls.exe
  Command line: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 201.178.17.96.in-addr.arpa | udp

Files

memory/4488-2-0x00000198616E0000-0x00000198626E0000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5: 47de062fccb008479425f2bddc130fa9
SHA1: 97e81a1188427088c09f868fdc5c703478d378f3
SHA256: b263d9f505c978469641950e041f61a124c162ebe339247baa8fed06b38a576f
SHA512: 8a143006b743ee0ed1fe8265df2c0e9f877969cc440bf1ed8939e3ac3f5e86e8d9d6d9ecd3e40ff6898b70d577582a630d7e39f45e5aa0c901f1eaf3c3d7eb2c

memory/4488-12-0x000001985FE80000-0x000001985FE81000-memory.dmp

memory/4488-16-0x000001985FE80000-0x000001985FE81000-memory.dmp

memory/4488-18-0x000001985FE80000-0x000001985FE81000-memory.dmp

memory/4488-22-0x000001985FE80000-0x000001985FE81000-memory.dmp

memory/4488-26-0x00000198616E0000-0x00000198626E0000-memory.dmp

memory/4488-30-0x00000198616E0000-0x00000198626E0000-memory.dmp

memory/4488-32-0x00000198616E0000-0x00000198626E0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-22 20:51
Reported: 2024-02-22 20:54
Platform: win7-20240221-en
Max time kernel: 117s
Max time network: 118s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\sodium-fabric-0.5.8+mc1.20.4.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe
  Command line: java -jar C:\Users\Admin\AppData\Local\Temp\sodium-fabric-0.5.8+mc1.20.4.jar

Network

N/A

Files

memory/2180-3-0x0000000002560000-0x0000000005560000-memory.dmp

memory/2180-11-0x0000000000450000-0x0000000000451000-memory.dmp