7d70b19371306e1600e68018971da0ba6c2debaa923a476193f4431ba4d1153e

Analysis

max time kernel
144s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03-05-2024 22:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OptiCraft JAVA 1.8.9/mcdata/runtime/lib/deploy/messages_zh_CN.jnlp
Size

3KB
MD5

e6f84c081895acdfd98da0f496e1dd3d
SHA1

1c2b96673dddd3596890ef4fc22017d484a1f652
SHA256

a1752a0175f490f61e0aad46dc6887c19711f078309062d5260e164ac844f61a
SHA512

d4d28780147e22678cd8e7415cacfad533ae5af31d74426bbe4993f05a0707e4f0f71d948093ffa1a0d6ea48310e901cd0ed1c14e2fbdf69c92462d070a9664f

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4516	icacls.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1096	javaws.exe
1096	javaws.exe
1096	javaws.exe
1096	javaws.exe
2948	javaws.exe
2948	javaws.exe
784	jp2launcher.exe
784	jp2launcher.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
784	jp2launcher.exe
784	jp2launcher.exe
784	jp2launcher.exe
784	jp2launcher.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 1096	3540	jp2launcher.exe	89
PID 3540 wrote to memory of 1096	3540	jp2launcher.exe	89
PID 1096 wrote to memory of 2948	1096	javaws.exe	90
PID 1096 wrote to memory of 2948	1096	javaws.exe	90
PID 1096 wrote to memory of 784	1096	javaws.exe	91
PID 1096 wrote to memory of 784	1096	javaws.exe	91
PID 784 wrote to memory of 4516	784	jp2launcher.exe	93
PID 784 wrote to memory of 4516	784	jp2launcher.exe	93

C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
"C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -securejws "C:\Users\Admin\AppData\Local\Temp\OptiCraft JAVA 1.8.9\mcdata\runtime\lib\deploy\messages_zh_CN.jnlp"
1⤵
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Program Files\Java\jre-1.8\bin\javaws.exe
  "C:\Program Files\Java\jre-1.8\bin\javaws.exe" "C:\Users\Admin\AppData\Local\Temp\OptiCraft JAVA 1.8.9\mcdata\runtime\lib\deploy\messages_zh_CN.jnlp"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Program Files\Java\jre-1.8\bin\javaws.exe
    JavaWSSplashScreen -splash 51893 "C:\Program Files\Java\jre-1.8\lib\deploy\splash.gif"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2948
- - C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
    "C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre-1.8" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURqbmxweC5vcmlnRmlsZW5hbWVBcmc9QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxUZW1wXE9wdGlDcmFmdCBKQVZBIDEuOC45XG1jZGF0YVxydW50aW1lXGxpYlxkZXBsb3lcbWVzc2FnZXNfemhfQ04uam5scAAtRGpubHB4LnJlbW92ZT1mYWxzZQAtRHN1bi5hd3Qud2FybXVwPXRydWUALVhib290Y2xhc3NwYXRoL2E6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXHBsdWdpbi5qYXIALURqbmxweC5zcGxhc2hwb3J0PTUxODk0AC1Eam5scHguanZtPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGJpblxqYXZhdy5leGU= -ma QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxUZW1wXE9wdGlDcmFmdCBKQVZBIDEuOC45XG1jZGF0YVxydW50aW1lXGxpYlxkZXBsb3lcbWVzc2FnZXNfemhfQ04uam5scA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:784
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "\"everyone\":(OI)(CI)M"
      4⤵
      Modifies file permissions
      PID:4516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

Filesize
713B

MD5
169b9a5351100559c0f7e87a6951e28d

SHA1
9b5209e039a55e0b946fa35cbd097164d9d90eb4

SHA256
8ff258395412aa1e08c59839e775214bc399b3e4f4d058a6a76744f08f03f669

SHA512
d7d671e8baaffd8330a6f7bc9d08ea3c4da7aa3c90d5ada97522e25d6b4a6b6d3039f848a965227513049e783a7b9a1e3758b881b8ae2d04bfe0956729f90968

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\security\securitypack.jar

Filesize
12KB

MD5
4f9f42a2c5524bf0ce187c5dcb517b89

SHA1
b54ff1e485ee0605753e23f254e288f9a79cc59d

SHA256
e271e41f800f3f25e0f9fe212f2e31e6a57b74d28b89fd3425deb42a6a1b411a

SHA512
45eb73dae61b6cb855a33966b6c3f1f064a15714761e3075eda105f72adf3780b05dbfbcca75fb47734ca47bb6abe4a1db075d30b1db748ffca11d9928d6cdbc

Download Submit
memory/784-2-0x000001AC9FE50000-0x000001ACA00C0000-memory.dmp

Filesize
2.4MB

Download
memory/784-15-0x000001AC9E040000-0x000001AC9E041000-memory.dmp

Filesize
4KB

Download
memory/784-29-0x000001AC9E040000-0x000001AC9E041000-memory.dmp

Filesize
4KB

Download
memory/784-52-0x000001AC9E040000-0x000001AC9E041000-memory.dmp

Filesize
4KB

Download
memory/784-66-0x000001AC9E040000-0x000001AC9E041000-memory.dmp

Filesize
4KB

Download
memory/784-79-0x000001AC9E040000-0x000001AC9E041000-memory.dmp

Filesize
4KB

Download
memory/784-107-0x000001AC9FE50000-0x000001ACA00C0000-memory.dmp

Filesize
2.4MB

Download
memory/784-148-0x000001AC9E040000-0x000001AC9E041000-memory.dmp

Filesize
4KB

Download
memory/784-169-0x000001AC9E040000-0x000001AC9E041000-memory.dmp

Filesize
4KB

Download
memory/784-193-0x000001AC9E040000-0x000001AC9E041000-memory.dmp

Filesize
4KB

Download