Analysis

max time kernel: 148s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/05/2024, 01:29
Static task: static1

Behavioral task: behavioral1
Sample: Shiginima Launcher SE v4.100.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: Shiginima Launcher SE v4.100.exe
Resource: win10v2004-20240508-en
General

Target: Shiginima Launcher SE v4.100.exe
Size: 3.5MB
MD5: 3921c9cd2b780c6dd56153e02e609515
SHA1: abc3031e1b467d373f8aeee37909adabbf2f8f3c
SHA256: 835a9ca80047c284ab13922bbc93c415654f2d17e99e97e409e2233748109ea9
SHA512: c8f091e75ed87edc6afc4ab80a10b4e753c8939eeb26a99ed7295a758f053fffc648e0d9afad74937a8cbf9bba38274f49c9fbb3f99978d4c550435b3d3c0ebf
SSDEEP: 98304:xMYT+VB+/ede3UKaEIWKCNRBmX+ZV35ZMiwYLt/hr:GYSB+/eEUKaEiC6+jt
Malware Config
Signatures

Loads dropped DLL (1 IoCs)
  pid   Process
  4880  javaw.exe

Modifies file permissions (1 TTPs, 1 IoCs)
  pid   Process
  4216  icacls.exe

Drops desktop.ini file(s) (1 IoCs)
  description                    ioc                                          Process
  File opened for modification   C:\Users\Admin\Videos\Captures\desktop.ini   svchost.exe

Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description         ioc                                                                                       Process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString      svchost.exe
  Key opened          \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                          svchost.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString      svchost.exe
  Key opened          \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                          svchost.exe

Modifies registry class (2 IoCs)
  description   ioc                                                                                                                                                                                                                Process
  Key created   \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{0663461A-0EB9-4882-B3DF-EF463781E1D5}   svchost.exe
  Key created   \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{23BFCAA7-C8A5-4693-861D-2580EBDCF07C}   svchost.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
  pid   Process
  4880  javaw.exe

Suspicious use of SetWindowsHookEx (8 IoCs)
  pid   Process
  404   javaw.exe
  404   javaw.exe
  404   javaw.exe
  404   javaw.exe
  404   javaw.exe
  4880  javaw.exe
  4880  javaw.exe
  1476  OpenWith.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                      pid   Process                            procid_target
  PID 736 wrote to memory of 404   736   Shiginima Launcher SE v4.100.exe   90
  PID 736 wrote to memory of 404   736   Shiginima Launcher SE v4.100.exe   90
  PID 404 wrote to memory of 4216  404   javaw.exe                          91
  PID 404 wrote to memory of 4216  404   javaw.exe                          91
  PID 404 wrote to memory of 4880  404   javaw.exe                          113
  PID 404 wrote to memory of 4880  404   javaw.exe                          113
Processes

C:\Users\Admin\AppData\Local\Temp\Shiginima Launcher SE v4.100.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Shiginima Launcher SE v4.100.exe"
  PID: 736
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Java\jre-1.8\bin\javaw.exe
    Command line: "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -classpath "C:\Users\Admin\AppData\Local\Temp\Shiginima Launcher SE v4.100.exe" net.mc.main.Main
    PID: 404
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\icacls.exe
      Command line: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      PID: 4216
      - Modifies file permissions

    C:\Program Files\Java\jre-1.8\bin\javaw.exe
      Command line: "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Xmx1G -XX:+UseConcMarkSweepGC -XX:+CMSIncrementalMode -XX:-UseAdaptiveSizePolicy -Xmn128M -XX:HeapDumpPath=MojangTricksIntelDriversForPerformance_javaw.exe_minecraft.exe.heapdump -Djava.library.path=C:\Users\Admin\AppData\Roaming\.minecraft\versions\1.5.2\1.5.2-natives-567213063800 -Dminecraft.launcher.brand=java-minecraft-launcher "-Dminecraft.launcher.version=Shiginima Launcher v4.100" -Dminecraft.client.jar=C:\Users\Admin\AppData\Roaming\.minecraft\versions\1.5.2\1.5.2.jar -cp C:\Users\Admin\AppData\Roaming\.minecraft\libraries\net\minecraft\launchwrapper\1.5\launchwrapper-1.5.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\net\sf\jopt-simple\jopt-simple\4.5\jopt-simple-4.5.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\ow2\asm\asm-all\4.1\asm-all-4.1.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\net\java\jinput\jinput\2.0.5\jinput-2.0.5.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\net\java\jutils\jutils\1.0.0\jutils-1.0.0.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl\lwjgl\2.9.0\lwjgl-2.9.0.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl\lwjgl_util\2.9.0\lwjgl_util-2.9.0.jar;C:\Users\Admin\AppData\Roaming\.minecraft\versions\1.5.2\1.5.2.jar net.minecraft.launchwrapper.Launch teste token:698dc19d-489c-3e4d-b73e-28a713eab07b:698dc19d489c3e4db73e28a713eab07b --gameDir C:\Users\Admin\AppData\Roaming\.minecraft --assetsDir C:\Users\Admin\AppData\Roaming\.minecraft\assets\virtual\pre-1.6
      PID: 4880
      - Loads dropped DLL
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4048,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=3880 /prefetch:8
  PID: 4728

C:\Windows\System32\GameBarPresenceWriter.exe
  Command line: "C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
  PID: 2960

C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 1476
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
  PID: 3660
  - Drops desktop.ini file(s)
  - Checks processor information in registry
  - Modifies registry class

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 916

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
  PID: 2532
  - Checks processor information in registry
  - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 46B
MD5: 1885386886e4236b0956081b2d06f548
SHA1: e3cd75b992963169230d4ee7499d81d3017432d5
SHA256: be6e87dd5952622c16629f617262ce1f69ec16201eec3e02f5ce958e190af48f
SHA512: 00a6475e6a0b0ce34e3319b65c1fd722c424a9606d20e2170cb1023a51acbf1c70117e91faec1ab4cefa364d4ee37898d8a6a23102e4ab5882521f03664adcc5

C:\Users\Admin\AppData\Roaming\.minecraft\libraries\net\java\jinput\jinput-platform\2.0.5\jinput-platform-2.0.5-natives-windows.jar
Filesize: 151KB
MD5: b168b014be0186d9e95bf3d263e3a129
SHA1: 385ee093e01f587f30ee1c8a2ee7d408fd732e16
SHA256: 24afbd5e1fab17da57d16a4d3f19d53f36155ef46a9976484201a4bb9722287f
SHA512: e8dd2c73c97cb0ec065acb3973a89cacf742005d60eca5f68edfd5306a23c4a6be8dd8deb4f7ff870075f75d79fff9a87c2aaee980ef7b4da764bcb822257dfe

Filesize: 203KB
MD5: cc07d371f79dc4ed2239e1101ae06313
SHA1: 39c7796b469a600f72380316f6b1f11db6c2c7c4
SHA256: 79b5a4f5829e1a49a415711f7fb8eb5b9ad22defa72929fda2da96ec30d3f018
SHA512: d75e3e35844ce41515fd25f34f9cc2228c5b94e479894dc832e07c78f70cb0d83819c7d574d01bbd0363e9387c9ac15f43a1171a8bd75b783aa5c856b492d24c

Filesize: 7KB
MD5: f60976b19661c849c5c87433045a9885
SHA1: e12fe1fda814bd348c1579329c86943d2cd3c6a6
SHA256: c3334ff39cf0ab3b54925619101054c90098b7c733b1e7834c7b75e4c41e84a5
SHA512: 39cdb29204df770b84ecd5d0041d8cf662c25bd16ef1e7d8257704a1ed3355cc3bb554b99d1fa2e8f0b5d99973201d344ab6cef04cacf98cd041f93a66e36bec

C:\Users\Admin\AppData\Roaming\.minecraft\libraries\net\minecraft\launchwrapper\1.5\launchwrapper-1.5.jar
Filesize: 27KB
MD5: a211ab7001fca1bc2b534a0a5847aed6
SHA1: 5150b9c2951f0fde987ce9c33496e26add1de224
SHA256: c9fa09f5815f1d8ce5b7d59a53168b9a1b0ab9663e43b2440311391df7a78d52
SHA512: 51f8b43475e328c6e4b447fee2fd4a454a7565ec939891c6d7571a365f623d246d2f31453cdd238d46a7f4a7bd4d89b3d9389ab8083aee54804e66849e00ea66

C:\Users\Admin\AppData\Roaming\.minecraft\libraries\net\sf\jopt-simple\jopt-simple\4.5\jopt-simple-4.5.jar
Filesize: 59KB
MD5: 1372bd4823bb1ef61e7db6724f601150
SHA1: 6065cc95c661255349c1d0756657be17c29a4fd3
SHA256: 64335a48be6b142a7d0c13ec5c82a707857aa58c0234e6eda3eaca0e96eea51b
SHA512: eda5b875f357116ee1c3b72ad2bd48d1b40b504a19c1ed8f2e93e42e7f688df7dada366a8e1b4df1853ad8601ca0aa74de52836ab993af3380c3c1d5e0df8b77

Filesize: 971KB
MD5: ce74486a7687ad7ea91dcc1fcd6977b8
SHA1: 5654d06e61a1bba7ae1e7f5233e1106be64c91cd
SHA256: c5fb453896fb511a7f949090795c79773f6d6c92e4d13d1f3100f4b2e331471a
SHA512: 3f26ae61b13accee5f3ddc37645e77c9f6a5531f5ec94f16ea830d7465d0f8e3ff34ecef80f0f24f7205b8b70b5c61bf21c2ca4b402b0065da31bd7945a67599

C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl\lwjgl_util\2.9.0\lwjgl_util-2.9.0.jar
Filesize: 169KB
MD5: 6a0eeaf3451ed9646b7d61a9dd8b86cc
SHA1: a778846b64008fc7f48ead2377f034e547991699
SHA256: 474c2ca620f4147c72db9fa582993688d3c9bca5aed9d9e937ec4fa89b3c2fad
SHA512: 5cb809256b24d2909e489f5582fbabaacb3c1de4c4b12f1d72e0bde63883fc6bf78b9b821bd205b96f85501d22667e2fe73ab0c73953ff3d2e540a842f2260a4

Filesize: 209KB
MD5: d21c2a06a4e6b175aa01e328f38a1182
SHA1: 054986e962b88d8660ae4566475658469595ef58
SHA256: 165b583b0b548405dd97019666f94a86ee1d1e3af227ae4dc82c6e27d6885bb1
SHA512: ae18015a48059d84200842dc68a6ee00e15870997db5fc446316461deaa9f78a985e216a5c57a7ece37d302c1c6e25028a4c67b6ae43f80e9343d85ebcb72875

Filesize: 122B
MD5: cdc7fb15ab4759e182316757528de0af
SHA1: 2ba41aebffbad8c5f0a153e67d9f5460264356b9
SHA256: 6cde6556daf5b5ac3c2354fcb0c5ba5693e4709ce5db32d541b6224e54ef7168
SHA512: 264284e62b049ac90adb2b53b4b29e819784e70141e602a76fab89221c3524f853b4d69809cd24f3ad96b10da3d5ad60b921cf0f20840eb182e94d0fc49dd8a2

Filesize: 299KB
MD5: a741a804ffb206f8a8d9400e31db45b6
SHA1: 6ab904165045eee2e0a6609122bc29ddc2446b07
SHA256: 86a8e4555d3614e7ed5a24beda921396ceb9e41dbf2508d713a3d26b928862b7
SHA512: 6e19383e30cf786d43573d72feccf0c3e778742090ff281b45e6c8a8e8e87dd5e0aa868fd5c103c789511dd4f2e28460db59d6b11e2ae873587b6114f838b8e3

Filesize: 5.3MB
MD5: 6897c3287fb971c9f362eb3ab20f5ddd
SHA1: 465378c9dc2f779ae1d6e8046ebc46fb53a57968
SHA256: dc0fa48951f61c12eafede5e46e248aa86ab86d1e4c28cd880c1d9c348ec44d6
SHA512: 01cde436a178013cb68b02ee1cecd474b473373ce9ffff9d0110aead7895b152412fea33a57e491854a772b8c2bbdbe4eb8b9987060435a1a34b9750250a1798

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1181767204-2009306918-3718769404-1000\83aa4cc77f591dfc2374580bbd95f6ba_d2547453-e731-4fdf-8f92-95f955a44aca
Filesize: 45B
MD5: c8366ae350e7019aefc9d1e6e6a498c6
SHA1: 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA256: 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA512: 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Filesize: 190B
MD5: b0d27eaec71f1cd73b015f5ceeb15f9d
SHA1: 62264f8b5c2f5034a1e4143df6e8c787165fbc2f
SHA256: 86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2
SHA512: 7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c