Analysis Overview
SHA256
b6ead8eb152a92651bae2f1aa50b7d12f7c2ffc368733fe37d0d4c744fdaa0f2
Threat Level: Shows suspicious behavior
The file FiveM.jar shows suspicious behavior.
Malicious Activity Summary
Modifies file permissions
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-23 12:05
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-23 12:05
Reported
2024-02-23 12:09
Platform
win10-20240221-en
Max time kernel
169s
Max time network
188s
Command Line
Signatures
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1972 wrote to memory of 2748 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
| PID 1972 wrote to memory of 2748 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\FiveM.jar
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\WatchRedo.mid"
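Added example (not code from the sandbox or from this report): before charging the signature hits above to FiveM.jar, attribute each hit to the process that raised it and check whether that process is linked to the sample at all. The only parent/child link the report states is java.exe (PID 1972) writing to icacls.exe (PID 2748); no row ties vlc.exe or rundll32.exe to the sample, so their hits (AddClipboardFormatListener, GetForegroundWindowSpam, FindShellTrayWindow, SendNotifyMessage and one SetWindowsHookEx) are unattributed. The processes, PIDs and hit counts below are transcribed from the report; the JRE_USAGE_TRACKER pattern is this example's own assumption that the icacls command line is the Oracle JRE usage tracker setting permissions on its own data directory, which any jar run under that JRE triggers.

```python
"""Attribute sandbox signature hits to the sample's process lineage."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: Optional[int]      # the report gives PIDs only for java.exe and icacls.exe
    image: str
    cmdline: str
    parent: Optional[int]   # known only from the "PID 1972 wrote to memory of 2748" rows


# Transcribed from the Processes section of the report above.
PROCS = [
    Proc(1972, r"C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe",
         r"java -jar C:\Users\Admin\AppData\Local\Temp\FiveM.jar", None),
    Proc(2748, r"C:\Windows\system32\icacls.exe",
         r'C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage '
         r'/grant "everyone":(OI)(CI)M', 1972),
    Proc(None, r"C:\Windows\System32\rundll32.exe",
         r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,"
         r"SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding", None),
    Proc(None, r"C:\Program Files\VideoLAN\VLC\vlc.exe",
         r'"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file '
         r'"C:\Users\Admin\Downloads\WatchRedo.mid"', None),
]

# (signature, process image) -> number of rows in the report's signature tables.
# "Suspicious use of AdjustPrivilegeToken" has no rows in the report and is omitted.
HITS = Counter({
    ("Modifies file permissions", "icacls.exe"): 1,
    ("Suspicious behavior: AddClipboardFormatListener", "vlc.exe"): 1,
    ("Suspicious behavior: EnumeratesProcesses", "java.exe"): 4,
    ("Suspicious behavior: GetForegroundWindowSpam", "vlc.exe"): 1,
    ("Suspicious use of FindShellTrayWindow", "vlc.exe"): 9,
    ("Suspicious use of SendNotifyMessage", "vlc.exe"): 8,
    ("Suspicious use of SetWindowsHookEx", "java.exe"): 2,
    ("Suspicious use of SetWindowsHookEx", "vlc.exe"): 1,
    ("Suspicious use of WriteProcessMemory", "java.exe"): 2,
})

# Assumption (this example's, not the report's): icacls granting Everyone modify
# rights on the .oracle_jre_usage directory is the JRE usage tracker's own setup.
JRE_USAGE_TRACKER = re.compile(
    r'icacls\.exe\s+\S*\\\.oracle_jre_usage\s+/grant\s+"everyone":\(OI\)\(CI\)M', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def lineage(procs, root_pid):
    """Return {pid: Proc} for root_pid and every process reachable through parent links."""
    by_pid = {p.pid: p for p in procs if p.pid is not None}
    tree, frontier = {}, [root_pid]
    while frontier:
        pid = frontier.pop()
        if pid in by_pid and pid not in tree:
            tree[pid] = by_pid[pid]
            frontier.extend(p.pid for p in by_pid.values() if p.parent == pid)
    return tree


def classify(hits, procs, root_pid):
    """Label each (signature, image) hit:
       'sample'            raised by the sample's root process
       'child:jre-tracker' raised by a child whose command line is the JRE usage tracker
       'child'             raised by any other child of the sample
       'unattributed'      raised by a process the report never links to the sample
    """
    tree = lineage(procs, root_pid)
    label_by_image = {}
    for pid, p in tree.items():
        if pid == root_pid:
            label = "sample"
        elif JRE_USAGE_TRACKER.search(p.cmdline):
            label = "child:jre-tracker"
        else:
            label = "child"
        label_by_image[basename(p.image)] = label
    return {(sig, img): label_by_image.get(img.lower(), "unattributed") for (sig, img) in hits}


def needs_review(hits, procs, root_pid):
    """Signatures still chargeable to the sample once unattributed hits and the
    JRE tracker are set aside."""
    labels = classify(hits, procs, root_pid)
    return sorted({sig for (sig, img), lab in labels.items() if lab in ("sample", "child")})


if __name__ == "__main__":
    for key, label in classify(HITS, PROCS, 1972).items():
        print(f"{label:18} x{HITS[key]:<2} {key[0]}  <-  {key[1]}")
    print("for review:", needs_review(HITS, PROCS, 1972))
```

Run against this report, the only signatures left chargeable to the sample are EnumeratesProcesses, SetWindowsHookEx and WriteProcessMemory, all from java.exe. Even the WriteProcessMemory rows need context rather than a verdict: the target is the icacls.exe child that java.exe had just spawned, and a parent writing into a child it is creating is also what ordinary process creation looks like, so the child's command line in the Processes section, not the signature name, is what decides it.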
Network
| Country | Destination | Domain | Proto |
| NL | 165.22.196.0:80 | doomsdayclient.com | tcp |
| US | 8.8.8.8:53 | 0.196.22.165.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.98.74.40.in-addr.arpa | udp |
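Added example (not code from the sandbox or from this report): pull the actionable network indicators out of a Network table in this format. Traffic to the sandbox's resolver on port 53 is not a destination of the sample, but the PTR names it carries do record which addresses were looked up, so each in-addr.arpa name is decoded back to its IPv4 address and matched against the Destination column. The table text is copied from the report above; that 8.8.8.8 is the sandbox's resolver is an assumption, and the report does not say which process generated any of this traffic, so none is inferred here.

```python
"""Extract network IOCs from a sandbox report's Network table."""
import ipaddress

# Copied from the Network section of the report above.
NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| NL | 165.22.196.0:80 | doomsdayclient.com | tcp |
| US | 8.8.8.8:53 | 0.196.22.165.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.98.74.40.in-addr.arpa | udp |
"""

RESOLVERS = {"8.8.8.8"}   # assumption: the detonation VM's DNS forwarder


def parse_table(text):
    """Parse '| Country | Destination | Domain | Proto |' rows into dicts."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        ip, _, port = cells[1].rpartition(":")
        rows.append({"country": cells[0], "ip": ip, "port": int(port),
                     "domain": cells[2], "proto": cells[3]})
    return rows


def ptr_to_ip(name):
    """'0.196.22.165.in-addr.arpa' -> '165.22.196.0'; None if not a valid IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def extract_iocs(text):
    """Split the table into real destinations and addresses only seen in PTR lookups.

    Returns {"destinations": {ip: {...}}, "ptr_only": [ip, ...]} where each
    destination records whether a reverse lookup for it was also observed.
    """
    destinations = {}
    looked_up = set()
    for row in parse_table(text):
        if row["ip"] in RESOLVERS and row["port"] == 53:
            ip = ptr_to_ip(row["domain"])
            if ip:
                looked_up.add(ip)
            continue          # resolver traffic is not a destination of the sample
        destinations.setdefault(row["ip"], {
            "domain": row["domain"], "port": row["port"],
            "proto": row["proto"], "country": row["country"], "ptr_lookup": False,
        })
    for ip in looked_up & set(destinations):
        destinations[ip]["ptr_lookup"] = True
    return {"destinations": destinations,
            "ptr_only": sorted(looked_up - set(destinations))}


if __name__ == "__main__":
    iocs = extract_iocs(NETWORK_TABLE)
    for ip, info in iocs["destinations"].items():
        print(f"dest  {info['domain']} -> {ip}:{info['port']}/{info['proto']} "
              f"({info['country']}, reverse lookup seen: {info['ptr_lookup']})")
    for ip in iocs["ptr_only"]:
        print(f"ptr   {ip}  (reverse lookup only, no connection in table)")
```

For this report the only destination is doomsdayclient.com at 165.22.196.0:80 over tcp, which also had a reverse lookup. The other two PTR lookups (52.111.243.31 and 40.74.98.194) have no matching connection in the table, so they are recorded separately rather than treated as contacted hosts; whether they belong to the sample or to the VM's background traffic cannot be decided from this page.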
Files
memory/1972-4-0x0000015180000000-0x0000015181000000-memory.dmp
memory/1972-11-0x00000151FD160000-0x00000151FD161000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | 558e694d63847ea85723172eb4affedb |
| SHA1 | 07abe548855541efb5dead266c5b8f7bd3a25beb |
| SHA256 | fa7f3de3bae690a0a0969344a46ccf0a35af38e8e94f2840a358b0b36f456ef1 |
| SHA512 | 9e890aabfde92c1d4606667ff59922e5f97ad117d56492b6b7d869ba1b94af66484e7508cf6d2357e4892bf199d7b8cee7070d4817f30740f54ea5b9653f3cb6 |
memory/1972-26-0x00000151FD160000-0x00000151FD161000-memory.dmp
memory/1972-27-0x0000015180000000-0x0000015181000000-memory.dmp
memory/1972-36-0x0000015180000000-0x0000015181000000-memory.dmp
memory/1972-43-0x00000151FD160000-0x00000151FD161000-memory.dmp
memory/1972-49-0x00000151FD160000-0x00000151FD161000-memory.dmp
memory/1972-51-0x00000151FD160000-0x00000151FD161000-memory.dmp
memory/1972-54-0x0000015180000000-0x0000015181000000-memory.dmp
memory/1972-60-0x00000151FD160000-0x00000151FD161000-memory.dmp
memory/1972-63-0x00000151FD160000-0x00000151FD161000-memory.dmp
memory/1972-65-0x00000151FD160000-0x00000151FD161000-memory.dmp
memory/1972-66-0x00000151FD160000-0x00000151FD161000-memory.dmp
memory/1972-68-0x0000015180000000-0x0000015181000000-memory.dmp
memory/1972-73-0x0000015180000000-0x0000015181000000-memory.dmp
memory/1972-80-0x0000015180000000-0x0000015181000000-memory.dmp
memory/1972-82-0x00000151996C0000-0x00000151996C1000-memory.dmp
memory/1972-92-0x0000015180000000-0x0000015181000000-memory.dmp
memory/4324-106-0x00007FF613320000-0x00007FF613418000-memory.dmp
memory/4324-107-0x00007FFB1DD80000-0x00007FFB1DDB4000-memory.dmp
memory/4324-108-0x00007FFB0D7C0000-0x00007FFB0DA74000-memory.dmp
memory/4324-109-0x00007FFB0B720000-0x00007FFB0C7CB000-memory.dmp
memory/4324-110-0x00007FFB0ACB0000-0x00007FFB0ADC2000-memory.dmp