Malware Analysis Report

2025-08-06 00:04

Sample ID: 240223-n9crcaga44
Target: FiveM.jar
SHA256: b6ead8eb152a92651bae2f1aa50b7d12f7c2ffc368733fe37d0d4c744fdaa0f2
Tags: discovery
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: b6ead8eb152a92651bae2f1aa50b7d12f7c2ffc368733fe37d0d4c744fdaa0f2

Threat Level: Shows suspicious behavior

The file FiveM.jar was found to show suspicious behavior.

Malicious Activity Summary

Tags: discovery

Modifies file permissions

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-23 12:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-23 12:05
Reported: 2024-02-23 12:09
Platform: win10-20240221-en
Max time kernel: 169s
Max time network: 188s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\FiveM.jar

Signatures

Modifies file permissions (tag: discovery)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A
(16 identical events recorded)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1972 wrote to memory of 2748 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe
(2 identical events recorded)

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  java -jar C:\Users\Admin\AppData\Local\Temp\FiveM.jar

C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\WatchRedo.mid"

Network

Country | Destination | Domain | Proto
NL | 165.22.196.0:80 | doomsdayclient.com | tcp
US | 8.8.8.8:53 | 0.196.22.165.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.98.74.40.in-addr.arpa | udp

Files

memory/1972-4-0x0000015180000000-0x0000015181000000-memory.dmp
memory/1972-11-0x00000151FD160000-0x00000151FD161000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
  MD5:    558e694d63847ea85723172eb4affedb
  SHA1:   07abe548855541efb5dead266c5b8f7bd3a25beb
  SHA256: fa7f3de3bae690a0a0969344a46ccf0a35af38e8e94f2840a358b0b36f456ef1
  SHA512: 9e890aabfde92c1d4606667ff59922e5f97ad117d56492b6b7d869ba1b94af66484e7508cf6d2357e4892bf199d7b8cee7070d4817f30740f54ea5b9653f3cb6

memory/1972-26-0x00000151FD160000-0x00000151FD161000-memory.dmp
memory/1972-27-0x0000015180000000-0x0000015181000000-memory.dmp
memory/1972-36-0x0000015180000000-0x0000015181000000-memory.dmp
memory/1972-43-0x00000151FD160000-0x00000151FD161000-memory.dmp
memory/1972-49-0x00000151FD160000-0x00000151FD161000-memory.dmp
memory/1972-51-0x00000151FD160000-0x00000151FD161000-memory.dmp
memory/1972-54-0x0000015180000000-0x0000015181000000-memory.dmp
memory/1972-60-0x00000151FD160000-0x00000151FD161000-memory.dmp
memory/1972-63-0x00000151FD160000-0x00000151FD161000-memory.dmp
memory/1972-65-0x00000151FD160000-0x00000151FD161000-memory.dmp
memory/1972-66-0x00000151FD160000-0x00000151FD161000-memory.dmp
memory/1972-68-0x0000015180000000-0x0000015181000000-memory.dmp
memory/1972-73-0x0000015180000000-0x0000015181000000-memory.dmp
memory/1972-80-0x0000015180000000-0x0000015181000000-memory.dmp
memory/1972-82-0x00000151996C0000-0x00000151996C1000-memory.dmp
memory/1972-92-0x0000015180000000-0x0000015181000000-memory.dmp
memory/4324-106-0x00007FF613320000-0x00007FF613418000-memory.dmp
memory/4324-107-0x00007FFB1DD80000-0x00007FFB1DDB4000-memory.dmp
memory/4324-108-0x00007FFB0D7C0000-0x00007FFB0DA74000-memory.dmp
memory/4324-109-0x00007FFB0B720000-0x00007FFB0C7CB000-memory.dmp
memory/4324-110-0x00007FFB0ACB0000-0x00007FFB0ADC2000-memory.dmp