Analysis Overview
SHA256
36219222dfc43c42a9edef1da9ed53442ae08c617c3e4a217de61d0b15910f45
Threat Level: Shows suspicious behavior
The file SkyblockAddons-1.7.2-for-MC-1.8.9.jar was classified as showing suspicious behavior; the triggering signatures are listed under Malicious Activity Summary and, with their process attribution, in each detonation below.
Malicious Activity Summary
Modifies file permissions (behavioral2: icacls.exe, launched by java.exe)
Drops file in Program Files directory (behavioral2: java.exe opening .pdb paths under C:\Program Files\Java\jre-1.8\bin)
Suspicious use of SetWindowsHookEx (behavioral2: java.exe)
Enumerates system info in registry (behavioral1: chrome.exe, not the sample's java.exe)
Suspicious use of WriteProcessMemory (behavioral1: chrome.exe into chrome.exe; behavioral2: java.exe into the icacls.exe it launched)
Read each signature against its Process column in the detonation sections below. The two behavioral1 hits fire in chrome.exe, which the sandbox ran alongside the sample (its second command line is a crashpad-handler launch), and the behavioral2 hits fire in the sample's java.exe and in the icacls.exe it spawned to grant Everyone modify access on C:\ProgramData\Oracle\Java\.oracle_jre_usage, the directory in which the .timestamp file listed under Files is written.
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-23 09:50
Signatures
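The static pass lists no signatures. The script below is an added Python triage helper, not part of this report or of the SkyblockAddons project, covering the static checks worth running on a JAR sample before or instead of detonating it: hash it, read the manifest for a Main-Class or Premain-Class, look for a mod descriptor, and list bundled native libraries and nested JARs. It runs on a constructed sample JAR built inside the script, not on the analysed file, whose contents this report does not show; `build_sample_jar`, `triage_jar` and `flags` are the script's own names. One point it makes concrete: a Forge mod is loaded by the game's mod loader and normally carries no Main-Class, so `java -jar mod.jar` exits with `no main manifest attribute` and a detonation records little beyond JVM start-up. Whether that applies to this sample is a matter of reading its real manifest.

```python
import hashlib
import io
import zipfile

NATIVE_EXT = (".dll", ".so", ".dylib", ".jnilib")
# Forge for MC 1.8.x uses mcmod.info; the other two cover newer Forge and Fabric
MOD_DESCRIPTORS = ("mcmod.info", "META-INF/mods.toml", "fabric.mod.json")


def build_sample_jar() -> bytes:
    """Constructed sample, not the analysed file: a mod-style JAR with no Main-Class,
    a mod descriptor, one class, a native DLL and a nested jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nTweakClass: example.Tweaker\r\n\r\n")
        z.writestr("mcmod.info", "[]")
        z.writestr("example/Mod.class", b"\xca\xfe\xba\xbe" + bytes(12))
        z.writestr("natives/hook.dll", b"MZ")           # placeholder bytes, not a real DLL
        z.writestr("libs/inner.jar", b"PK\x03\x04")      # placeholder bytes, not a real jar
    return buf.getvalue()


def parse_manifest(raw: bytes) -> dict:
    """Main attributes of META-INF/MANIFEST.MF; a leading space marks a continuation line,
    and the first blank line ends the main section."""
    attrs, last = {}, None
    for line in raw.decode("utf-8", "replace").splitlines():
        if not line.strip():
            break
        if line.startswith(" ") and last:
            attrs[last] += line[1:]
        elif ":" in line:
            key, _, val = line.partition(":")
            last = key.strip()
            attrs[last] = val.strip()
    return attrs


def triage_jar(data: bytes) -> dict:
    """Static facts about a JAR: hash, entry points, mod descriptor, natives, nested jars, signing."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        manifest = parse_manifest(z.read("META-INF/MANIFEST.MF")) if "META-INF/MANIFEST.MF" in names else {}
    lower = [n.lower() for n in names]
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "main_class": manifest.get("Main-Class"),
        "premain_class": manifest.get("Premain-Class"),   # Java agent entry point
        "mod_descriptor": any(d.lower() in lower for d in MOD_DESCRIPTORS),
        "class_count": sum(n.endswith(".class") for n in lower),
        "native_libs": [n for n, l in zip(names, lower) if l.endswith(NATIVE_EXT)],
        "nested_jars": [n for n, l in zip(names, lower) if l.endswith(".jar")],
        "signed": any(l.startswith("meta-inf/") and l.endswith((".sf", ".rsa", ".dsa", ".ec")) for l in lower),
    }


def flags(report: dict) -> list:
    """Turn the facts into the review points an analyst would note."""
    out = []
    if report["main_class"] is None:
        out.append("no Main-Class: 'java -jar' exits with 'no main manifest attribute'; code runs only under a mod loader")
    if report["premain_class"]:
        out.append("Premain-Class present: JAR can be loaded as a Java agent (-javaagent)")
    if report["native_libs"]:
        out.append("bundles native code: " + ", ".join(report["native_libs"]))
    if report["nested_jars"]:
        out.append("bundles nested jars: " + ", ".join(report["nested_jars"]))
    if not report["signed"]:
        out.append("unsigned: no META-INF signature files")
    return out


if __name__ == "__main__":
    report = triage_jar(build_sample_jar())
    print(report["sha256"])
    for f in flags(report):
        print("-", f)
```

To run it on a real sample, pass `open(path, "rb").read()` to `triage_jar` instead of the constructed JAR; the native-library and nested-jar lists are the entries to extract and hash separately.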
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-23 09:50
Reported
2024-02-23 09:53
Platform
win7-20240221-en
Max time kernel
128s
Max time network
132s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2624 wrote to memory of 2528 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe |
| PID 2624 wrote to memory of 2528 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe |
| PID 2624 wrote to memory of 2528 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe |
Processes
C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\SkyblockAddons-1.7.2-for-MC-1.8.9.jar
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6989758,0x7fef6989768,0x7fef6989778
Network
Files
memory/2348-8-0x0000000002280000-0x0000000005280000-memory.dmp
memory/2348-11-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2348-14-0x0000000002280000-0x0000000005280000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-23 09:50
Reported
2024-02-23 09:51
Platform
win10v2004-20240221-en
Max time kernel
42s
Max time network
47s
Command Line
Signatures
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Drops file in Program Files directory
Each indicator below is an open-for-modification on jvm.pdb or ntdll.pdb under C:\Program Files\Java\jre-1.8\bin; the probe locations (bin, bin\dll, bin\symbols\dll and the same three under bin\server) are the default dbghelp symbol search order, and no file written to any of these paths appears under Files for this detonation.
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\ntdll.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jvm.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3228 wrote to memory of 4404 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
| PID 3228 wrote to memory of 4404 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\SkyblockAddons-1.7.2-for-MC-1.8.9.jar
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
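The icacls command above grants `everyone` the `M` (modify) right on C:\ProgramData\Oracle\Java\.oracle_jre_usage with `(OI)(CI)`, so the ACE is inherited by every file and subfolder created there; that directory and the .timestamp file listed under Files are what the Oracle JRE usage tracker writes at start-up. The script below is an added Python example, not part of this report, that parses an icacls command line into principal, inheritance flags and rights and marks grants that leave a path writable by a world principal, which is the check a practitioner wants whenever a sample shells out to icacls. It is run on the command line from this report plus a constructed second command; `parse_icacls`, `parse_ace` and the principal list are the script's own.

```python
import re

INHERIT = {"OI": "object inherit", "CI": "container inherit", "IO": "inherit only",
           "NP": "no propagate inherit", "I": "inherited"}
RIGHTS = {"F": "full", "M": "modify", "RX": "read and execute", "R": "read", "W": "write",
          "D": "delete", "N": "no access", "WD": "write data", "AD": "append data",
          "WDAC": "write DAC", "WO": "write owner", "DC": "delete child"}
# any of these lets the principal change content or the ACL itself
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WDAC", "WO", "DC"}
# principals that mean "any local account" for the purpose of this check (script's own list)
WORLD_PRINCIPALS = {"everyone", "*s-1-1-0", "users", "builtin\\users", "*s-1-5-32-545",
                    "authenticated users", "*s-1-5-11"}


def _tokens(cmdline: str) -> list:
    # a token is a run of quoted segments and non-space characters, so "everyone":(OI)(CI)M stays whole
    return [t.replace('"', "") for t in re.findall(r'(?:"[^"]*"|[^\s"])+', cmdline)]


def parse_ace(spec: str):
    """'(OI)(CI)M', '(F)', '(R,W)' or 'RX' -> (inheritance flags, rights)."""
    inherit, rights = [], []
    for grp, bare in re.findall(r"\(([^)]*)\)|([A-Za-z,]+)", spec):
        for item in (grp or bare).split(","):
            item = item.strip().upper()
            if item:
                (inherit if item in INHERIT else rights).append(item)
    return inherit, rights


def parse_icacls(cmdline: str) -> dict:
    """Extract the target path and each /grant, /grant:r or /deny ACE from an icacls command line."""
    toks = _tokens(cmdline)
    if toks and re.search(r"icacls(\.exe)?$", toks[0], re.I):
        toks = toks[1:]
    path = toks[0] if toks else None
    grants, i = [], 1
    while i < len(toks):
        verb = toks[i].lower()
        if verb in ("/grant", "/grant:r", "/deny") and i + 1 < len(toks):
            principal, _, spec = toks[i + 1].partition(":")
            inherit, rights = parse_ace(spec)
            grants.append({
                "verb": verb,                       # /grant:r replaces the principal's existing ACEs
                "principal": principal,
                "inherit": inherit,
                "rights": rights,
                "world_writable": verb != "/deny"
                                  and principal.lower() in WORLD_PRINCIPALS
                                  and bool(set(rights) & WRITE_RIGHTS),
            })
            i += 2
        else:
            i += 1
    return {"path": path, "grants": grants}


def describe(grant: dict) -> str:
    rights = ", ".join(RIGHTS.get(r, r) for r in grant["rights"]) or "none"
    inherit = ", ".join(INHERIT[f] for f in grant["inherit"]) or "this object only"
    return f'{grant["verb"]} {grant["principal"]}: {rights} ({inherit})'


if __name__ == "__main__":
    # the command line recorded in this report
    r = parse_icacls(r'C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M')
    print(r["path"])
    for g in r["grants"]:
        print(describe(g), "WORLD-WRITABLE" if g["world_writable"] else "")
```

A grant like this one is benign when it comes from the JRE usage tracker but is exactly the shape a malicious dropper uses to stage a writable directory under ProgramData, so the process tree (who launched icacls.exe) matters as much as the ACE itself.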
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
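Every row in the Network table is a PTR (reverse-DNS) query sent to 8.8.8.8, the sandbox resolver; the Country and Destination columns describe that resolver, not the hosts whose names are being looked up, and the table carries no Process column, so the report does not attribute these queries to java.exe. The script below is an added Python example, not part of the report, that inverts the in-addr.arpa labels (octets in reverse order) back to the addresses being resolved, also handling ip6.arpa names, and separates the resolver's lookup of itself from the external addresses worth pivoting on. `REPORT_ROWS` is a constructed copy of the table above; `ptr_to_ip`, `decode_rows` and `external_targets` are the script's own names.

```python
import ipaddress

# constructed copy of the Network table above: (destination, queried name)
REPORT_ROWS = [
    ("8.8.8.8:53", "8.8.8.8.in-addr.arpa"),
    ("8.8.8.8:53", "182.178.17.96.in-addr.arpa"),
    ("8.8.8.8:53", "21.177.190.20.in-addr.arpa"),
    ("8.8.8.8:53", "26.165.165.52.in-addr.arpa"),
    ("8.8.8.8:53", "56.126.166.20.in-addr.arpa"),
    ("8.8.8.8:53", "18.134.221.88.in-addr.arpa"),
]


def ptr_to_ip(qname: str) -> str:
    """Invert a reverse-DNS name: the labels are the address octets (IPv4) or
    hex nibbles (IPv6) written least-significant first."""
    name = qname.rstrip(".").lower()
    if name.endswith(".in-addr.arpa"):
        labels = name[: -len(".in-addr.arpa")].split(".")
        if len(labels) != 4:
            raise ValueError(f"expected 4 octets in {qname!r}")
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    if name.endswith(".ip6.arpa"):
        nibbles = name[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32 or any(len(n) != 1 for n in nibbles):
            raise ValueError(f"expected 32 single-hex-digit labels in {qname!r}")
        return str(ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16)))
    raise ValueError(f"not a reverse-DNS name: {qname!r}")


def decode_rows(rows=REPORT_ROWS) -> list:
    """One record per table row: the recovered address, whether the query is the
    resolver looking up its own address, and whether the address is globally routable."""
    out = []
    for dest, qname in rows:
        resolver = dest.rsplit(":", 1)[0]
        ip = ptr_to_ip(qname)
        addr = ipaddress.ip_address(ip)
        out.append({
            "query": qname,
            "ip": ip,
            "resolver": resolver,
            "self_lookup": ip == resolver,
            "global": addr.is_global,
        })
    return out


def external_targets(rows=REPORT_ROWS) -> list:
    """Unique globally routable addresses looked up, minus the resolver itself, in table order."""
    seen = []
    for r in decode_rows(rows):
        if r["global"] and not r["self_lookup"] and r["ip"] not in seen:
            seen.append(r["ip"])
    return seen


if __name__ == "__main__":
    for r in decode_rows():
        print(f'{r["query"]:32} -> {r["ip"]:16} {"(resolver itself)" if r["self_lookup"] else ""}')
    print("pivot on:", external_targets())
```

A PTR query for an address shows that something on the analysis host resolved that address, not that the sample connected to it; with no forward lookups and no non-DNS connections recorded in this detonation, the recovered addresses are the only network artefacts, and they need the process tree or a packet capture to be tied to java.exe.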
Files
memory/3228-4-0x000001EB35200000-0x000001EB36200000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | 75bda1ff85407325e956aa848d21c2f1 |
| SHA1 | 50b5671fdb4a23a603a858fc8494511748cace03 |
| SHA256 | f399fa7eb645fa74e57405ec7cf5580ed8be6188faadbb25b5256a3cccb6b550 |
| SHA512 | 208ed7a44ff2fc79ae2fbce2bd3c6ee406cbb72e07d7b6918166ac2427f59b19f6a53ee783d32f92b16337f7544692ad1fffc0bc995f879e76e0e1db121d8489 |
memory/3228-17-0x000001EB33940000-0x000001EB33941000-memory.dmp
memory/3228-28-0x000001EB33940000-0x000001EB33941000-memory.dmp
memory/3228-30-0x000001EB35200000-0x000001EB36200000-memory.dmp
memory/3228-33-0x000001EB35200000-0x000001EB36200000-memory.dmp
memory/3228-35-0x000001EB33940000-0x000001EB33941000-memory.dmp
memory/3228-37-0x000001EB35200000-0x000001EB36200000-memory.dmp
memory/3228-41-0x000001EB35200000-0x000001EB36200000-memory.dmp
memory/3228-44-0x000001EB35200000-0x000001EB36200000-memory.dmp
memory/3228-50-0x000001EB33940000-0x000001EB33941000-memory.dmp