7d70b19371306e1600e68018971da0ba6c2debaa923a476193f4431ba4d1153e

Analysis

max time kernel
132s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2024, 22:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OptiCraft JAVA 1.8.9/mcdata/runtime/lib/deploy/messages_zh_HK.jnlp
Size

3KB
MD5

880baacb176553deab39edbe4b74380d
SHA1

37a57aad121c14c25e149206179728fa62203bf0
SHA256

ff4a3a92bc92cb08d2c32c435810440fd264edd63e56efa39430e0240c835620
SHA512

3039315bb283198af9090bd3d31cfae68ee73bc2b118bbae0b32812d4e3fd0f11ce962068d4a17b065dab9a66ef651b9cb8404c0a2defce74bb6b2d1d93646d5

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2176	icacls.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2680	javaws.exe
2680	javaws.exe
2680	javaws.exe
2680	javaws.exe
3080	javaws.exe
3080	javaws.exe
912	jp2launcher.exe
912	jp2launcher.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
912	jp2launcher.exe
912	jp2launcher.exe
912	jp2launcher.exe
912	jp2launcher.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3332 wrote to memory of 2680	3332	jp2launcher.exe	90
PID 3332 wrote to memory of 2680	3332	jp2launcher.exe	90
PID 2680 wrote to memory of 3080	2680	javaws.exe	91
PID 2680 wrote to memory of 3080	2680	javaws.exe	91
PID 2680 wrote to memory of 912	2680	javaws.exe	92
PID 2680 wrote to memory of 912	2680	javaws.exe	92
PID 912 wrote to memory of 2176	912	jp2launcher.exe	93
PID 912 wrote to memory of 2176	912	jp2launcher.exe	93

C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
"C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -securejws "C:\Users\Admin\AppData\Local\Temp\OptiCraft JAVA 1.8.9\mcdata\runtime\lib\deploy\messages_zh_HK.jnlp"
1⤵
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Program Files\Java\jre-1.8\bin\javaws.exe
  "C:\Program Files\Java\jre-1.8\bin\javaws.exe" "C:\Users\Admin\AppData\Local\Temp\OptiCraft JAVA 1.8.9\mcdata\runtime\lib\deploy\messages_zh_HK.jnlp"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Program Files\Java\jre-1.8\bin\javaws.exe
    JavaWSSplashScreen -splash 52815 "C:\Program Files\Java\jre-1.8\lib\deploy\splash.gif"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3080
- - C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
    "C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre-1.8" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURqbmxweC5vcmlnRmlsZW5hbWVBcmc9QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxUZW1wXE9wdGlDcmFmdCBKQVZBIDEuOC45XG1jZGF0YVxydW50aW1lXGxpYlxkZXBsb3lcbWVzc2FnZXNfemhfSEsuam5scAAtRGpubHB4LnJlbW92ZT1mYWxzZQAtRHN1bi5hd3Qud2FybXVwPXRydWUALVhib290Y2xhc3NwYXRoL2E6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXHBsdWdpbi5qYXIALURqbmxweC5zcGxhc2hwb3J0PTUyODE2AC1Eam5scHguanZtPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGJpblxqYXZhdy5leGU= -ma QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxUZW1wXE9wdGlDcmFmdCBKQVZBIDEuOC45XG1jZGF0YVxydW50aW1lXGxpYlxkZXBsb3lcbWVzc2FnZXNfemhfSEsuam5scA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:912
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "\"everyone\":(OI)(CI)M"
      4⤵
      Modifies file permissions
      PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

Filesize
713B

MD5
5adee684d1fc3f81444ff692c8e7f357

SHA1
4dbbba9e4ea7475507864b098393eef883b4d34c

SHA256
0c2b89ea99bfa64746cee02a5ed71d1c0f6c3f5d8cbe794487a0650fee297c61

SHA512
e67809988b940a43d236d6b23cbc91e00d192de6d6bb107c2beb872e10684df9ecacc67fe4c5ad47a82b4b68743b49bad442be5148692a56c50c8c05ad6e29b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\security\securitypack.jar

Filesize
12KB

MD5
4f9f42a2c5524bf0ce187c5dcb517b89

SHA1
b54ff1e485ee0605753e23f254e288f9a79cc59d

SHA256
e271e41f800f3f25e0f9fe212f2e31e6a57b74d28b89fd3425deb42a6a1b411a

SHA512
45eb73dae61b6cb855a33966b6c3f1f064a15714761e3075eda105f72adf3780b05dbfbcca75fb47734ca47bb6abe4a1db075d30b1db748ffca11d9928d6cdbc

Download Submit
memory/912-2-0x000001A635780000-0x000001A6359F0000-memory.dmp

Filesize
2.4MB

Download
memory/912-15-0x000001A635360000-0x000001A635361000-memory.dmp

Filesize
4KB

Download
memory/912-28-0x000001A635360000-0x000001A635361000-memory.dmp

Filesize
4KB

Download
memory/912-63-0x000001A635360000-0x000001A635361000-memory.dmp

Filesize
4KB

Download
memory/912-80-0x000001A635360000-0x000001A635361000-memory.dmp

Filesize
4KB

Download
memory/912-106-0x000001A635780000-0x000001A6359F0000-memory.dmp

Filesize
2.4MB

Download
memory/912-117-0x000001A635360000-0x000001A635361000-memory.dmp

Filesize
4KB

Download
memory/912-150-0x000001A635360000-0x000001A635361000-memory.dmp

Filesize
4KB

Download
memory/912-171-0x000001A635360000-0x000001A635361000-memory.dmp

Filesize
4KB

Download
memory/912-182-0x000001A635360000-0x000001A635361000-memory.dmp

Filesize
4KB

Download