Analysis Overview
SHA256
7e763c8e187c904647acce8f0374225380cab602f750695e1f5b67cb3455b1cd
Threat Level: Shows suspicious behavior
The file MobPlugin-1.26.2.jar was found to show suspicious behavior.
Malicious Activity Summary
Modifies file permissions
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-23 00:26
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-23 00:26
Reported
2024-02-23 09:59
Platform
win10v2004-20240221-en
Max time kernel
453s
Max time network
458s
Command Line
Signatures
Modifies file permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2512 wrote to memory of 2104 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
| PID 2512 wrote to memory of 2104 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\MobPlugin-1.26.2.jar
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.16.208.104.in-addr.arpa | udp |
Files
memory/2512-4-0x00000207C2DE0000-0x00000207C3DE0000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| Hash | Value |
|---|---|
| MD5 | e99b789ced38f2bf0063faf806df8596 |
| SHA1 | 0d4e2646946bf883fc66994e7e387d30ac868a4e |
| SHA256 | 4aa0ea3cdcc5c059bac17a7414c2851194338ca5e9b2978b80088e24503acb9c |
| SHA512 | fbda2e2ebcff0edef9267181f177eeec6d20cb2aaf17fc8f14f2b1eb9d2bd177282ae57d30f9622df5c70fc75316efcee320c581bc2fa843a534add4da6b6599 |
memory/2512-12-0x00000207C13C0000-0x00000207C13C1000-memory.dmp