Malware Analysis Report

2025-08-06 00:03

Sample ID: 240223-lt6clsed6s
Target: SkyblockAddons-1.7.2-for-MC-1.8.9.jar
SHA256: 36219222dfc43c42a9edef1da9ed53442ae08c617c3e4a217de61d0b15910f45
Tags: discovery
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: 36219222dfc43c42a9edef1da9ed53442ae08c617c3e4a217de61d0b15910f45

Threat Level: Shows suspicious behavior

The file SkyblockAddons-1.7.2-for-MC-1.8.9.jar was assessed as: shows suspicious behavior.

Malicious Activity Summary

discovery

Modifies file permissions

Drops file in Program Files directory

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-23 09:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-23 09:50
Reported: 2024-02-23 09:53
Platform: win7-20240221-en
Max time kernel: 128s
Max time network: 132s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\SkyblockAddons-1.7.2-for-MC-1.8.9.jar

Signatures

Enumerates system info in registry

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
Target: N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\SkyblockAddons-1.7.2-for-MC-1.8.9.jar

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6989758,0x7fef6989768,0x7fef6989778

Network

N/A

Files

memory/2348-8-0x0000000002280000-0x0000000005280000-memory.dmp

memory/2348-11-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2348-14-0x0000000002280000-0x0000000005280000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-23 09:50
Reported: 2024-02-23 09:51
Platform: win10v2004-20240221-en
Max time kernel: 42s
Max time network: 47s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\SkyblockAddons-1.7.2-for-MC-1.8.9.jar

Signatures

Modifies file permissions (tag: discovery)

Description: N/A
Indicator: N/A
Process: C:\Windows\system32\icacls.exe
Target: N/A

Drops file in Program Files directory

Description (all rows): File opened for modification
Process (all rows): C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
Target (all rows): N/A
Indicator:
  C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb
  C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb
  C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb
  C:\Program Files\Java\jre-1.8\bin\ntdll.pdb
  C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb
  C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb
  C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb
  C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb
  C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb
  C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb
  C:\Program Files\Java\jre-1.8\bin\jvm.pdb
  C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb

Suspicious use of SetWindowsHookEx

Description: N/A
Indicator: N/A
Process: C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
Target: N/A
(two identical events recorded)

Suspicious use of WriteProcessMemory

Description: PID 3228 wrote to memory of 4404
Indicator: N/A
Process: C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
Target: C:\Windows\system32\icacls.exe
(two identical events recorded)

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\SkyblockAddons-1.7.2-for-MC-1.8.9.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network

Country (all rows): US
Destination (all rows): 8.8.8.8:53
Proto (all rows): udp
Domain:
  8.8.8.8.in-addr.arpa
  182.178.17.96.in-addr.arpa
  21.177.190.20.in-addr.arpa
  26.165.165.52.in-addr.arpa
  56.126.166.20.in-addr.arpa
  18.134.221.88.in-addr.arpa

Files

memory/3228-4-0x000001EB35200000-0x000001EB36200000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5: 75bda1ff85407325e956aa848d21c2f1
SHA1: 50b5671fdb4a23a603a858fc8494511748cace03
SHA256: f399fa7eb645fa74e57405ec7cf5580ed8be6188faadbb25b5256a3cccb6b550
SHA512: 208ed7a44ff2fc79ae2fbce2bd3c6ee406cbb72e07d7b6918166ac2427f59b19f6a53ee783d32f92b16337f7544692ad1fffc0bc995f879e76e0e1db121d8489

memory/3228-17-0x000001EB33940000-0x000001EB33941000-memory.dmp

memory/3228-28-0x000001EB33940000-0x000001EB33941000-memory.dmp

memory/3228-30-0x000001EB35200000-0x000001EB36200000-memory.dmp

memory/3228-33-0x000001EB35200000-0x000001EB36200000-memory.dmp

memory/3228-35-0x000001EB33940000-0x000001EB33941000-memory.dmp

memory/3228-37-0x000001EB35200000-0x000001EB36200000-memory.dmp

memory/3228-41-0x000001EB35200000-0x000001EB36200000-memory.dmp

memory/3228-44-0x000001EB35200000-0x000001EB36200000-memory.dmp

memory/3228-50-0x000001EB33940000-0x000001EB33941000-memory.dmp