Analysis
- max time kernel: 33s
- max time network: 34s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/03/2024, 16:18
Static task: static1
Behavioral task: behavioral1
- Sample: forge-1.20.1-47.2.21-installer.jar
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: forge-1.20.1-47.2.21-installer.jar
- Resource: win10v2004-20240226-en
General
- Target: forge-1.20.1-47.2.21-installer.jar
- Size: 5.7MB
- MD5: 7153380e67719ad71e18333ae0294683
- SHA1: d471440a78fbe00cef8953bbceebb2dbc7fede19
- SHA256: 607aa0361dc683d7bcf177cc2ff443b79d332467265f74d66a3bddee08bad50c
- SHA512: d182be8365301b93fe9dfc308e966566b27a7000abdb0a48dfeecda03c172777cf983376968e03b4bd8b4eee50f73156234041e9c8639e2462777788dca4db74
- SSDEEP: 98304:9d5AhFyWGTsK0vVNPGjI02GZfkPRaA66dMxIruZ+vuefPpiRnqib1Cnr6+O6SDCB:9d5egLT5wOj9vEp66dMiu0vnMbW26rj
Malware Config
Signatures
- Modifies file permissions (1 TTPs, 1 IoCs)
  pid 2500, process icacls.exe
- Drops file in Program Files directory (12 IoCs)
  All 12 IoCs are files opened for modification by process java.exe:
  C:\Program Files\Java\jre-1.8\bin\ntdll.pdb
  C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb
  C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb
  C:\Program Files\Java\jre-1.8\bin\jvm.pdb
  C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb
  C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb
  C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb
  C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb
  C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb
  C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb
  C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb
  C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb
- Suspicious use of WriteProcessMemory (2 IoCs)
  PID 2328 wrote to memory of 2500 (pid 2328, process java.exe, procid_target 85)
  PID 2328 wrote to memory of 2500 (pid 2328, process java.exe, procid_target 85)
Processes
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  Command line: java -jar C:\Users\Admin\AppData\Local\Temp\forge-1.20.1-47.2.21-installer.jar
  PID: 2328
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\system32\icacls.exe
    Command line: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    PID: 2500
    - Modifies file permissions
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 46B
  MD5: d0f6ee499ccd3236ec8469423e4d92a5
  SHA1: d572e61fe4b3db3bf31883daffd03b5407edf7a4
  SHA256: 48e1edfe6fa5c2030832692e6162f57fb6ad9dac0bfbcc80787ed84c9871d693
  SHA512: c28b6723d6076fb09a42f307b384149b67af9a8e6bed060415c665c2d789b1e65a41a3388651be6132eff0d1ea7c91c30d04db8e3121b08ca0c8e08b2e7d7f59