7d70b19371306e1600e68018971da0ba6c2debaa923a476193f4431ba4d1153e

Analysis

max time kernel
144s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2024, 22:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OptiCraft JAVA 1.8.9/mcdata/runtime/lib/deploy/messages_sv.jnlp
Size

3KB
MD5

a6005be45c88900a15bc80d461b60c30
SHA1

ca3e18b5aea928a8465656c86970d9584d85ef7f
SHA256

5ccee63720fcac2a136cf1fa90cbac05040f89ffe8c082c2d067247bfcd76b87
SHA512

9442ffb47bf0f158a44a81a16b2ab94bb36fac2f75b0c9467654ab9a8df26a63c0c7a7717deaf5476068bc0a0d602b828ce1e8d229cbfaaf201c24c0f78be1f9

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5084	icacls.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3440	javaws.exe
3440	javaws.exe
3440	javaws.exe
3440	javaws.exe
1552	javaws.exe
1552	javaws.exe
552	jp2launcher.exe
552	jp2launcher.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
552	jp2launcher.exe
552	jp2launcher.exe
552	jp2launcher.exe
552	jp2launcher.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 792 wrote to memory of 3440	792	jp2launcher.exe	89
PID 792 wrote to memory of 3440	792	jp2launcher.exe	89
PID 3440 wrote to memory of 1552	3440	javaws.exe	90
PID 3440 wrote to memory of 1552	3440	javaws.exe	90
PID 3440 wrote to memory of 552	3440	javaws.exe	91
PID 3440 wrote to memory of 552	3440	javaws.exe	91
PID 552 wrote to memory of 5084	552	jp2launcher.exe	92
PID 552 wrote to memory of 5084	552	jp2launcher.exe	92

C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
"C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -securejws "C:\Users\Admin\AppData\Local\Temp\OptiCraft JAVA 1.8.9\mcdata\runtime\lib\deploy\messages_sv.jnlp"
1⤵
- Suspicious use of WriteProcessMemory
PID:792
- C:\Program Files\Java\jre-1.8\bin\javaws.exe
  "C:\Program Files\Java\jre-1.8\bin\javaws.exe" "C:\Users\Admin\AppData\Local\Temp\OptiCraft JAVA 1.8.9\mcdata\runtime\lib\deploy\messages_sv.jnlp"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3440
- - C:\Program Files\Java\jre-1.8\bin\javaws.exe
    JavaWSSplashScreen -splash 62803 "C:\Program Files\Java\jre-1.8\lib\deploy\splash.gif"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1552
- - C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
    "C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre-1.8" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURqbmxweC5vcmlnRmlsZW5hbWVBcmc9QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxUZW1wXE9wdGlDcmFmdCBKQVZBIDEuOC45XG1jZGF0YVxydW50aW1lXGxpYlxkZXBsb3lcbWVzc2FnZXNfc3Yuam5scAAtRGpubHB4LnJlbW92ZT1mYWxzZQAtRHN1bi5hd3Qud2FybXVwPXRydWUALVhib290Y2xhc3NwYXRoL2E6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXHBsdWdpbi5qYXIALURqbmxweC5zcGxhc2hwb3J0PTYyODA0AC1Eam5scHguanZtPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGJpblxqYXZhdy5leGU= -ma QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxUZW1wXE9wdGlDcmFmdCBKQVZBIDEuOC45XG1jZGF0YVxydW50aW1lXGxpYlxkZXBsb3lcbWVzc2FnZXNfc3Yuam5scA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:552
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "\"everyone\":(OI)(CI)M"
      4⤵
      Modifies file permissions
      PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

Filesize
713B

MD5
2429690ad919d3a51fc56e742e29fab3

SHA1
a6ea3d9125ea4cf0a8cd84a5f3512e8aa0845042

SHA256
702479bc8e5e7d98411cb3c75ea95483a932859bff1f36d4ee66ad70c775d6c8

SHA512
37204aefea5357cc455f34c5ae721a52b8579f04118fd9c2753aa897ea02a68ef18112e1383d3ded951e46f28efaf701faa06451418d91d15ffff5f3aff87120

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\security\securitypack.jar

Filesize
12KB

MD5
4f9f42a2c5524bf0ce187c5dcb517b89

SHA1
b54ff1e485ee0605753e23f254e288f9a79cc59d

SHA256
e271e41f800f3f25e0f9fe212f2e31e6a57b74d28b89fd3425deb42a6a1b411a

SHA512
45eb73dae61b6cb855a33966b6c3f1f064a15714761e3075eda105f72adf3780b05dbfbcca75fb47734ca47bb6abe4a1db075d30b1db748ffca11d9928d6cdbc

Download Submit
memory/552-80-0x000001FA1A170000-0x000001FA1A171000-memory.dmp

Filesize
4KB

Download
memory/552-28-0x000001FA1A170000-0x000001FA1A171000-memory.dmp

Filesize
4KB

Download
memory/552-2-0x000001FA1A510000-0x000001FA1A780000-memory.dmp

Filesize
2.4MB

Download
memory/552-109-0x000001FA1A510000-0x000001FA1A780000-memory.dmp

Filesize
2.4MB

Download
memory/552-116-0x000001FA1A170000-0x000001FA1A171000-memory.dmp

Filesize
4KB

Download
memory/552-119-0x000001FA1A170000-0x000001FA1A171000-memory.dmp

Filesize
4KB

Download
memory/552-120-0x000001FA1A170000-0x000001FA1A171000-memory.dmp

Filesize
4KB

Download
memory/552-51-0x000001FA1A170000-0x000001FA1A171000-memory.dmp

Filesize
4KB

Download
memory/552-147-0x000001FA1A170000-0x000001FA1A171000-memory.dmp

Filesize
4KB

Download
memory/552-152-0x000001FA1A170000-0x000001FA1A171000-memory.dmp

Filesize
4KB

Download
memory/552-15-0x000001FA1A170000-0x000001FA1A171000-memory.dmp

Filesize
4KB

Download
memory/552-172-0x000001FA1A170000-0x000001FA1A171000-memory.dmp

Filesize
4KB

Download
memory/552-176-0x000001FA1A170000-0x000001FA1A171000-memory.dmp

Filesize
4KB

Download
memory/552-177-0x000001FA1A170000-0x000001FA1A171000-memory.dmp

Filesize
4KB

Download
memory/552-179-0x000001FA1A170000-0x000001FA1A171000-memory.dmp

Filesize
4KB

Download