Analysis

Max time kernel: 169s
Max time network: 188s
Platform: windows10-1703_x64
Resource: win10-20240221-en
Resource tags: arch:x64 arch:x86 image:win10-20240221-en locale:en-us os:windows10-1703-x64 system
Submitted: 23/02/2024, 12:05
Static task: static1
Behavioral task: behavioral1
Sample: FiveM.jar
Resource: win10-20240221-en
General

Target: FiveM.jar
Size: 2.2MB
MD5: 006342bc0dd37e8c8466e2d64dfb78d9
SHA1: 0e70cb0cc450d18d6fa1307a005a664b3fa3b1d4
SHA256: b6ead8eb152a92651bae2f1aa50b7d12f7c2ffc368733fe37d0d4c744fdaa0f2
SHA512: d2c17c6c9d6b10ce6bf75c2b35e175a61293d4c1503a153ade50faffb851bcdafb4fa3e4c440db0be890059e33cc8e7fd7373140e497f7ea7103197aa045de79
SSDEEP: 49152:241XNPZxxaWnUU93EBVJBT28ibzTLkKqp8OC2mi8wmaSQLYsi:24ZxxfpGxRfmLkK7OT8wmgLYsi
Malware Config
Signatures

Modifies file permissions (1 TTPs, 1 IoCs)
  PID   Process
  2748  icacls.exe

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  PID   Process
  4324  vlc.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID   Process
  1972  java.exe  (4 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  PID   Process
  4324  vlc.exe

Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Description              PID   Process
  Token: SeDebugPrivilege  1972  java.exe  (16 entries)

Suspicious use of FindShellTrayWindow (9 IoCs)
  PID   Process
  4324  vlc.exe  (9 entries)

Suspicious use of SendNotifyMessage (8 IoCs)
  PID   Process
  4324  vlc.exe  (8 entries)

Suspicious use of SetWindowsHookEx (3 IoCs)
  PID   Process
  1972  java.exe
  1972  java.exe
  4324  vlc.exe

Suspicious use of WriteProcessMemory (2 IoCs)
  Description                       PID   Process   procid_target
  PID 1972 wrote to memory of 2748  1972  java.exe  75
  PID 1972 wrote to memory of 2748  1972  java.exe  75
Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  Command line: java -jar C:\Users\Admin\AppData\Local\Temp\FiveM.jar
  PID: 1972
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\icacls.exe
      Command line: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      PID: 2748
      - Modifies file permissions

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4028

C:\Program Files\VideoLAN\VLC\vlc.exe
  Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\WatchRedo.mid"
  PID: 4324
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 46B
MD5: 558e694d63847ea85723172eb4affedb
SHA1: 07abe548855541efb5dead266c5b8f7bd3a25beb
SHA256: fa7f3de3bae690a0a0969344a46ccf0a35af38e8e94f2840a358b0b36f456ef1
SHA512: 9e890aabfde92c1d4606667ff59922e5f97ad117d56492b6b7d869ba1b94af66484e7508cf6d2357e4892bf199d7b8cee7070d4817f30740f54ea5b9653f3cb6