7d70b19371306e1600e68018971da0ba6c2debaa923a476193f4431ba4d1153e

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03-05-2024 22:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OptiCraft JAVA 1.8.9/mcdata/runtime/lib/deploy/messages_ja.jnlp
Size

6KB
MD5

b7279f1c3ba0b63806f37f6b9d33c314
SHA1

751170a7cdefcb1226604ac3f8196e06a04fd7ac
SHA256

8d499c1cb14d58e968a823e11d5b114408c010b053b3b38cfef7ebf9fb49096f
SHA512

4a3bf898a36d55010c8a8f92e5a784516475bdfffcd337d439d6da251ddb97bcc7e26f104ac5602320019ed5c0b8dc8883b2581760afea9c59c74982574d164b
SSDEEP

96:Ltk1ZccBD8M25jCTDrk9/RoaG7THG9o7f6tEflA44CAmIbIC3j5pN/o8woJb:W1xBY1CG6OlG2r

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4152	icacls.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3976	javaws.exe
3976	javaws.exe
3976	javaws.exe
3976	javaws.exe
2432	javaws.exe
2432	javaws.exe
1692	jp2launcher.exe
1692	jp2launcher.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1692	jp2launcher.exe
1692	jp2launcher.exe
1692	jp2launcher.exe
1692	jp2launcher.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 3976	5016	jp2launcher.exe	89
PID 5016 wrote to memory of 3976	5016	jp2launcher.exe	89
PID 3976 wrote to memory of 2432	3976	javaws.exe	90
PID 3976 wrote to memory of 2432	3976	javaws.exe	90
PID 3976 wrote to memory of 1692	3976	javaws.exe	91
PID 3976 wrote to memory of 1692	3976	javaws.exe	91
PID 1692 wrote to memory of 4152	1692	jp2launcher.exe	92
PID 1692 wrote to memory of 4152	1692	jp2launcher.exe	92

C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
"C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -securejws "C:\Users\Admin\AppData\Local\Temp\OptiCraft JAVA 1.8.9\mcdata\runtime\lib\deploy\messages_ja.jnlp"
1⤵
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Program Files\Java\jre-1.8\bin\javaws.exe
  "C:\Program Files\Java\jre-1.8\bin\javaws.exe" "C:\Users\Admin\AppData\Local\Temp\OptiCraft JAVA 1.8.9\mcdata\runtime\lib\deploy\messages_ja.jnlp"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Program Files\Java\jre-1.8\bin\javaws.exe
    JavaWSSplashScreen -splash 64195 "C:\Program Files\Java\jre-1.8\lib\deploy\splash.gif"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2432
- - C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
    "C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre-1.8" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURqbmxweC5vcmlnRmlsZW5hbWVBcmc9QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxUZW1wXE9wdGlDcmFmdCBKQVZBIDEuOC45XG1jZGF0YVxydW50aW1lXGxpYlxkZXBsb3lcbWVzc2FnZXNfamEuam5scAAtRGpubHB4LnJlbW92ZT1mYWxzZQAtRHN1bi5hd3Qud2FybXVwPXRydWUALVhib290Y2xhc3NwYXRoL2E6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXHBsdWdpbi5qYXIALURqbmxweC5zcGxhc2hwb3J0PTY0MTk2AC1Eam5scHguanZtPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGJpblxqYXZhdy5leGU= -ma QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxUZW1wXE9wdGlDcmFmdCBKQVZBIDEuOC45XG1jZGF0YVxydW50aW1lXGxpYlxkZXBsb3lcbWVzc2FnZXNfamEuam5scA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "\"everyone\":(OI)(CI)M"
      4⤵
      Modifies file permissions
      PID:4152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

Filesize
713B

MD5
36e1457296fafb239449537183f74b80

SHA1
defbbb507a3e9306e7b1a8a136f0fca65dfb00ee

SHA256
b91aa084099e99cee60b3337c558e97c407440661fe066e19620db2bc58d710c

SHA512
7b40667efa5dede79452bf177b3461d946179340c78e61d7381b359c1e72e53b1ed93ebbf93a922f01487d8771c50f8e83d2948465adba39ba9fa31530dd805c

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\security\securitypack.jar

Filesize
12KB

MD5
4f9f42a2c5524bf0ce187c5dcb517b89

SHA1
b54ff1e485ee0605753e23f254e288f9a79cc59d

SHA256
e271e41f800f3f25e0f9fe212f2e31e6a57b74d28b89fd3425deb42a6a1b411a

SHA512
45eb73dae61b6cb855a33966b6c3f1f064a15714761e3075eda105f72adf3780b05dbfbcca75fb47734ca47bb6abe4a1db075d30b1db748ffca11d9928d6cdbc

Download Submit
memory/1692-52-0x000002AD9C820000-0x000002AD9C821000-memory.dmp

Filesize
4KB

Download
memory/1692-2-0x000002AD9CBC0000-0x000002AD9CE30000-memory.dmp

Filesize
2.4MB

Download
memory/1692-65-0x000002AD9C820000-0x000002AD9C821000-memory.dmp

Filesize
4KB

Download
memory/1692-81-0x000002AD9C820000-0x000002AD9C821000-memory.dmp

Filesize
4KB

Download
memory/1692-107-0x000002AD9CBC0000-0x000002AD9CE30000-memory.dmp

Filesize
2.4MB

Download
memory/1692-114-0x000002AD9C820000-0x000002AD9C821000-memory.dmp

Filesize
4KB

Download
memory/1692-117-0x000002AD9C820000-0x000002AD9C821000-memory.dmp

Filesize
4KB

Download
memory/1692-28-0x000002AD9C820000-0x000002AD9C821000-memory.dmp

Filesize
4KB

Download
memory/1692-145-0x000002AD9C820000-0x000002AD9C821000-memory.dmp

Filesize
4KB

Download
memory/1692-150-0x000002AD9C820000-0x000002AD9C821000-memory.dmp

Filesize
4KB

Download
memory/1692-15-0x000002AD9C820000-0x000002AD9C821000-memory.dmp

Filesize
4KB

Download
memory/1692-170-0x000002AD9C820000-0x000002AD9C821000-memory.dmp

Filesize
4KB

Download
memory/1692-175-0x000002AD9C820000-0x000002AD9C821000-memory.dmp

Filesize
4KB

Download