Malware Analysis Report

2025-08-06 00:04

Sample ID: 240223-arbvfahd39
Target:    MobPlugin-1.26.2.jar
SHA256:    7e763c8e187c904647acce8f0374225380cab602f750695e1f5b67cb3455b1cd
Tags:      discovery
Score:     7/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score:  7/10
SHA256: 7e763c8e187c904647acce8f0374225380cab602f750695e1f5b67cb3455b1cd

Threat Level: Shows suspicious behavior

The file MobPlugin-1.26.2.jar was found to be: Shows suspicious behavior.

Malicious Activity Summary

  discovery
  Modifies file permissions
  Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-23 00:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted:        2024-02-23 00:26
Reported:         2024-02-23 09:59
Platform:         win10v2004-20240221-en
Max time kernel:  453s
Max time network: 458s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\MobPlugin-1.26.2.jar

Signatures

Modifies file permissions  [discovery]

  Description  Indicator  Process                         Target
  N/A          N/A        C:\Windows\system32\icacls.exe  N/A

Suspicious use of WriteProcessMemory

  Description                      Indicator  Process                                                           Target
  PID 2512 wrote to memory of 2104 N/A        C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe  C:\Windows\system32\icacls.exe
  PID 2512 wrote to memory of 2104 N/A        C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe  C:\Windows\system32\icacls.exe

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\MobPlugin-1.26.2.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network

  Country  Destination  Domain                           Proto
  US       8.8.8.8:53   23.159.190.20.in-addr.arpa       udp
  US       8.8.8.8:53   9.228.82.20.in-addr.arpa         udp
  US       8.8.8.8:53   26.35.223.20.in-addr.arpa        udp
  US       8.8.8.8:53   41.110.16.96.in-addr.arpa        udp
  US       8.8.8.8:53   86.23.85.13.in-addr.arpa         udp
  US       8.8.8.8:53   198.187.3.20.in-addr.arpa        udp
  US       8.8.8.8:53   30.243.111.52.in-addr.arpa       udp
  US       8.8.8.8:53   91.16.208.104.in-addr.arpa       udp

Files

memory/2512-4-0x00000207C2DE0000-0x00000207C3DE0000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

  MD5:    e99b789ced38f2bf0063faf806df8596
  SHA1:   0d4e2646946bf883fc66994e7e387d30ac868a4e
  SHA256: 4aa0ea3cdcc5c059bac17a7414c2851194338ca5e9b2978b80088e24503acb9c
  SHA512: fbda2e2ebcff0edef9267181f177eeec6d20cb2aaf17fc8f14f2b1eb9d2bd177282ae57d30f9622df5c70fc75316efcee320c581bc2fa843a534add4da6b6599

memory/2512-12-0x00000207C13C0000-0x00000207C13C1000-memory.dmp