Malware Analysis Report

2024-11-15 05:10

Sample ID 240606-pp14wafb28
Target b64d7367d098c192a762a38a973575d4664c1d702058a864534c581b2110a6cd
SHA256 b64d7367d098c192a762a38a973575d4664c1d702058a864534c581b2110a6cd
Tags
discovery
score
7/10

Analysis Overview

score
7/10

SHA256

b64d7367d098c192a762a38a973575d4664c1d702058a864534c581b2110a6cd

Threat Level: Shows suspicious behavior

The file b64d7367d098c192a762a38a973575d4664c1d702058a864534c581b2110a6cd was found to show suspicious behavior.

Malicious Activity Summary

discovery

Modifies file permissions

Reads runtime system information

Writes file to tmp directory

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-06 12:31

Signatures

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-06 12:31

Reported

2024-06-06 12:31

Platform

debian9-mipsbe-20240418-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-06 12:31

Reported

2024-06-06 12:31

Platform

debian9-mipsel-20240418-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-06 12:31

Reported

2024-06-06 12:33

Platform

win7-20240221-en

Max time kernel

117s

Max time network

119s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool.jar

Network

N/A

Files

memory/2860-2-0x0000000002770000-0x00000000029E0000-memory.dmp

memory/2860-10-0x0000000000140000-0x0000000000141000-memory.dmp

memory/2860-11-0x0000000002770000-0x00000000029E0000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-06 12:31

Reported

2024-06-06 12:33

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

95s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\plugins\dns.jar

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1224 wrote to memory of 1904 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 1224 wrote to memory of 1904 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\plugins\dns.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network


Files

memory/1224-2-0x0000016BA47A0000-0x0000016BA4A10000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 a0b819b2dec9d443c116be7edfa79dbb
SHA1 249331803de3961a9ab845bdac014fd2e5d7933f
SHA256 d6e1f20e5a836b081d750cfb0540bb137c9e99680216afab2b8d1699e11a416a
SHA512 dac344d390cabe20c996159e5ec507c5cf3338cfbdee76279083d28344cce1e34b03117d3e3a58be6291b9d6cb167f39bef6ce4226bbd7812ac39a9bc5d06d25

memory/1224-12-0x0000016BA2D70000-0x0000016BA2D71000-memory.dmp

memory/1224-13-0x0000016BA47A0000-0x0000016BA4A10000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-06 12:31

Reported

2024-06-06 12:33

Platform

win10v2004-20240508-en

Max time kernel

134s

Max time network

132s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\plugins\hideme.jar

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1704 wrote to memory of 2308 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 1704 wrote to memory of 2308 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\plugins\hideme.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3924,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=3896 /prefetch:8

Network


Files

memory/1704-2-0x000001D480000000-0x000001D480270000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 6949ebf6daafd767395fbe0db55cf4fa
SHA1 d8f2f1542d31463974151c23e2e00ca9637051fb
SHA256 ae4d3c3546535bdd215ee2bc17918f5e14567d1b7047ce06ae683f571a3d1080
SHA512 e9eb75cf6cc813d75607858ce2d7da79eb5524de9270f1e8c639ba0864dc95fd3503829aaf147d7ce111859dbbbc09cb102ba6dcdaff4df18c081ce9a0622ccf

memory/1704-11-0x000001D4EFD90000-0x000001D4EFD91000-memory.dmp

memory/1704-13-0x000001D480000000-0x000001D480270000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-06 12:31

Reported

2024-06-06 12:33

Platform

win7-20240419-en

Max time kernel

118s

Max time network

122s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\plugins\mymap.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\plugins\mymap.jar

Network

N/A

Files

memory/2392-2-0x00000000025B0000-0x0000000002820000-memory.dmp

memory/2392-10-0x0000000000140000-0x0000000000141000-memory.dmp

memory/2392-11-0x00000000025B0000-0x0000000002820000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-06 12:31

Reported

2024-06-06 12:33

Platform

win10v2004-20240426-en

Max time kernel

93s

Max time network

97s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\plugins\mymap.jar

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5036 wrote to memory of 3556 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 5036 wrote to memory of 3556 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\plugins\mymap.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network


Files

memory/5036-2-0x0000023DAB250000-0x0000023DAB4C0000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 c68a7a38a13419bc19a05e545bd3ce1f
SHA1 6996923852cb025b246beac7381dd2a2e0341b5a
SHA256 795cf88f00806d2ffa38ccb7eeb6c295f7e834006d82045a7ce591f11b5052b6
SHA512 9dc4c142f12451d5104dae05ebf188d918af70ee4870feaff42db7a5cbe212377eb5765c6ef24c94698315836e0727ff28469631ec60a904c41dcc6169351571

memory/5036-12-0x0000023DA9BF0000-0x0000023DA9BF1000-memory.dmp

memory/5036-13-0x0000023DAB250000-0x0000023DAB4C0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 12:31

Reported

2024-06-06 12:34

Platform

debian9-armhf-20240226-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-06 12:31

Reported

2024-06-06 12:33

Platform

win10v2004-20240226-en

Max time kernel

137s

Max time network

161s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\plugins\url.jar

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 948 wrote to memory of 3812 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 948 wrote to memory of 3812 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\plugins\url.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8

Network


Files

memory/948-2-0x0000024170C60000-0x0000024170ED0000-memory.dmp

memory/948-11-0x000002416F3D0000-0x000002416F3D1000-memory.dmp

memory/948-12-0x0000024170C60000-0x0000024170ED0000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-06 12:31

Reported

2024-06-06 12:33

Platform

win10v2004-20240508-en

Max time kernel

132s

Max time network

105s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\yz\active-agt-idea.jar

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3100 wrote to memory of 2676 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 3100 wrote to memory of 2676 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\yz\active-agt-idea.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network


Files

memory/3100-2-0x00000288BBC50000-0x00000288BBEC0000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 d08c99f9f56a9d48e9929f7f9a0b4525
SHA1 f869a32e77df4743125533f4f1cd29bfaf7ba11f
SHA256 be09b571af9d0f085787ba6081f33345ceae220f550142610b5dbd9cdf6d997f
SHA512 cd6812a2841deeb3c7c60249aaba29dd9ea62e496cea85011e73e11a9f10c59943927f1beefb326176e1c394fd2cfa5c185275dc6d244dc5b8e37d9454c718dc

memory/3100-13-0x00000288BBC30000-0x00000288BBC31000-memory.dmp

memory/3100-14-0x00000288BBC50000-0x00000288BBEC0000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-06 12:31

Reported

2024-06-06 12:33

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

152s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\plugins\power.jar

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3008 wrote to memory of 2868 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 3008 wrote to memory of 2868 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\plugins\power.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network


Files

memory/3008-2-0x000002314BF60000-0x000002314C1D0000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 43c00811208303f0b7dab1286a104eb1
SHA1 fd829bd8df3e25b820d0e92db77d3564a44ef599
SHA256 5ce17670319e75fb083cb9edae3a854812f708a84a540819217238be13a73f48
SHA512 3adea1a4614c78c4c09c6b1d2dbd7906fa91c8b81fd7a85d6bb31211e5445ad9e8d544a7dd5c4e673855c13ff237e6882536f60f2278f67d38e324ef61897d89

memory/3008-12-0x000002314A690000-0x000002314A691000-memory.dmp

memory/3008-13-0x000002314BF60000-0x000002314C1D0000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-06 12:31

Reported

2024-06-06 12:33

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

152s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool2017.jar

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1664 wrote to memory of 376 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 1664 wrote to memory of 376 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool2017.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network


Files

memory/1664-2-0x000001C7D34B0000-0x000001C7D3720000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 84d9daa92f8846828e3317e8c0e559e5
SHA1 a0f727030db080255d9d3cb0ff2a2ace99301b1b
SHA256 1f34dae99df252f98d87d744ac79b881c20950029a966f4ef40d7daced535183
SHA512 dbf57d8c2e069dde688bcbe3518d784530f0bc319f66832df4bb49183d126627a972cf9a3aab2f567378c82155a6b84d832fc102e39170c9218e719514c57cf6

memory/1664-13-0x000001C7D1CE0000-0x000001C7D1CE1000-memory.dmp

memory/1664-14-0x000001C7D34B0000-0x000001C7D3720000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-06 12:31

Reported

2024-06-06 12:33

Platform

win7-20240508-en

Max time kernel

120s

Max time network

122s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\plugins\mymap-v1.0.1.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\plugins\mymap-v1.0.1.jar

Network

N/A

Files

memory/2076-2-0x0000000002710000-0x0000000002980000-memory.dmp

memory/2076-10-0x0000000000140000-0x0000000000141000-memory.dmp

memory/2076-11-0x0000000002710000-0x0000000002980000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-06 12:31

Reported

2024-06-06 12:33

Platform

win7-20240508-en

Max time kernel

119s

Max time network

124s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\yz\active-agt-phpstorm.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\yz\active-agt-phpstorm.jar

Network

N/A

Files

memory/1728-2-0x0000000002530000-0x00000000027A0000-memory.dmp

memory/1728-11-0x0000000000140000-0x0000000000141000-memory.dmp

memory/1728-12-0x0000000002530000-0x00000000027A0000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-06 12:31

Reported

2024-06-06 12:33

Platform

win7-20231129-en

Max time kernel

121s

Max time network

122s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\plugins\power.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\plugins\power.jar

Network

N/A

Files

memory/2408-2-0x0000000002400000-0x0000000002670000-memory.dmp

memory/2408-10-0x0000000000140000-0x0000000000141000-memory.dmp

memory/2408-11-0x0000000002400000-0x0000000002670000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 12:31

Reported

2024-06-06 12:33

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

0s

Max time network

130s

Command Line

[/tmp/macjihuo-2022/mac.sh]

Signatures

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/filesystems /bin/cp N/A
File opened for reading /proc/filesystems /bin/cp N/A
File opened for reading /proc/filesystems /bin/sed N/A
File opened for reading /proc/filesystems /bin/sed N/A
File opened for reading /proc/filesystems /bin/cp N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrains/AppCode2022.2/sed5oBQwT /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/PyCharm2017.3/config/sedDrZmWd /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/Rider2019.3/config/sedOLD8IQ /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrains/Goland2020.2/sedrMDXbU /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrains/PhpStorm2021.3/sedzbGGup /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/CLion2018.1/config/sedMecfjR /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/~/yz/active-agt-goland.jar /bin/cp N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrains/AppCode2020.3/sedvBZXc4 /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrains/Datagrip2021.1/sedpwEjLV /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/IntelliJIdea2018.3/config/sedkYb7bC /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/PyCharm2019.3/config/sed72gAJF /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/PyCharm2017.2/config/sedGFX6jE /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrains/DataSpell2020.2/sedH1Di1G /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/AppCode2017.1/config/sed4zkuc0 /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/CLion2019.1/config/sedP5JQDz /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/IntelliJIdea2017.3/config/sedXd4ZxT /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrains/Goland2022.3/sedVFwqLS /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrains/PyCharm2020.2/sedhib1Qf /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/~/micool/plugins/mymap.jar /bin/cp N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrains/IntelliJIdea2020.1/sed3DdZZr /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrains/Rider2021.1/sedVGUz4v /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/CLion2018.3/config/sedatHac0 /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/DataSpell2017.3/config/sedXjXDgA /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/AppCode2019.2/config/sedblKB8Z /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/RubyMine2019.2/config/sed8f61ks /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/~/yz/plugins/power.jar /bin/cp N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrains/AppCode2021.2/sedh3cUgc /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrains/Datagrip2021.3/sedfdh783 /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/DataGrip2018.3/config/sedRu0Wl9 /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/WebStorm2019.3/config/seduCt9Id /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrains/RubyMine2022.2/sedfhmThV /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/~/yz/active-agt-rider.jar /bin/cp N/A
File opened for modification /tmp/macjihuo-2022/~/micool.jar /bin/cp N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrains/DataSpell2022.3/sednynM5E /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrains/Goland2022.2/sedpWP1wj /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrains/IntelliJIdea2021.3/sed7J7Gci /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrains/PhpStorm2022.3/sed7NiPi7 /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/~/micool/config/url.conf /bin/cp N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/AppCode2017.2/config/sedba82Bz /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/AppCode2018.3/config/sedJoPNhR /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/PyCharm2017.1/config/sedtypXH4 /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/RubyMine2018.3/config/sed8O1XTi /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrains/Clion2022.1/sedNAfotq /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrains/Rider2020.1/sedJ2h89N /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrains/WebStorm2021.3/sedncuNJU /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrains/Goland2020.1/sedBYZFYk /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/CLion2017.3/config/sedN0I0Rh /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/~/yz/fuzzes/active-agt-rider.jar /bin/cp N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/GoLand2018.2/config/sedeOUNPS /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/~/micool/config/dns.conf /bin/cp N/A
File opened for modification /tmp/macjihuo-2022/~/micool/plugins/dns.jar /bin/cp N/A
File opened for modification /tmp/macjihuo-2022/~/yz/active-agt-pycharm.jar /bin/cp N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrains/AppCode2022.3/sedpNOiDs /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrains/Goland2021.3/sedvlyH4a /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/CLion2018.2/config/sed9esDKq /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/DataGrip2017.3/config/sedIdDKVq /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrains/AppCode2020.2/sed7K6gbv /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/RubyMine2017.2/config/sedsFqu6Z /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrains/Goland2022.1/sed9ZtMiK /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/Rider2019.2/config/sedfcLH2g /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrains/AppCode2022.1/sedJlazqk /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrains/Datagrip2022.1/sedlnpLlD /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrains/DataSpell2022.1/sedVxT0Lw /bin/sed N/A
File opened for modification /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/Rider2018.3/config/sedDbikG7 /bin/sed N/A

Processes

/tmp/macjihuo-2022/mac.sh

[/tmp/macjihuo-2022/mac.sh]

/bin/sed

[sed -i s/bianliang1//g micool_macconfig/JetBrains/AppCode2020.1/appcode.vmoptions micool_macconfig/JetBrains/AppCode2020.2/appcode.vmoptions micool_macconfig/JetBrains/AppCode2020.3/appcode.vmoptions micool_macconfig/JetBrains/AppCode2021.1/appcode.vmoptions micool_macconfig/JetBrains/AppCode2021.2/appcode.vmoptions micool_macconfig/JetBrains/AppCode2021.3/appcode.vmoptions micool_macconfig/JetBrains/AppCode2022.1/appcode.vmoptions micool_macconfig/JetBrains/AppCode2022.2/appcode.vmoptions micool_macconfig/JetBrains/AppCode2022.3/appcode.vmoptions micool_macconfig/JetBrains/Clion2020.1/clion.vmoptions micool_macconfig/JetBrains/Clion2020.2/clion.vmoptions micool_macconfig/JetBrains/Clion2020.3/clion.vmoptions micool_macconfig/JetBrains/Clion2021.1/clion.vmoptions micool_macconfig/JetBrains/Clion2021.2/clion.vmoptions micool_macconfig/JetBrains/Clion2021.3/clion.vmoptions micool_macconfig/JetBrains/Clion2022.1/clion.vmoptions micool_macconfig/JetBrains/Clion2022.2/clion.vmoptions micool_macconfig/JetBrains/Clion2022.3/clion.vmoptions micool_macconfig/JetBrains/DataSpell2020.1/dataspell.vmoptions micool_macconfig/JetBrains/DataSpell2020.2/dataspell.vmoptions micool_macconfig/JetBrains/DataSpell2020.3/dataspell.vmoptions micool_macconfig/JetBrains/DataSpell2021.1/dataspell.vmoptions micool_macconfig/JetBrains/DataSpell2021.2/dataspell.vmoptions micool_macconfig/JetBrains/DataSpell2021.3/dataspell.vmoptions micool_macconfig/JetBrains/DataSpell2022.1/dataspell.vmoptions micool_macconfig/JetBrains/DataSpell2022.2/dataspell.vmoptions micool_macconfig/JetBrains/DataSpell2022.3/dataspell.vmoptions micool_macconfig/JetBrains/Datagrip2020.1/datagrip.vmoptions micool_macconfig/JetBrains/Datagrip2020.2/datagrip.vmoptions micool_macconfig/JetBrains/Datagrip2020.3/datagrip.vmoptions micool_macconfig/JetBrains/Datagrip2021.1/datagrip.vmoptions micool_macconfig/JetBrains/Datagrip2021.2/datagrip.vmoptions micool_macconfig/JetBrains/Datagrip2021.3/datagrip.vmoptions 
micool_macconfig/JetBrains/Datagrip2022.1/datagrip.vmoptions micool_macconfig/JetBrains/Datagrip2022.2/datagrip.vmoptions micool_macconfig/JetBrains/Datagrip2022.3/datagrip.vmoptions micool_macconfig/JetBrains/Goland2020.1/goland.vmoptions micool_macconfig/JetBrains/Goland2020.2/goland.vmoptions micool_macconfig/JetBrains/Goland2020.3/goland.vmoptions micool_macconfig/JetBrains/Goland2021.1/goland.vmoptions micool_macconfig/JetBrains/Goland2021.2/goland.vmoptions micool_macconfig/JetBrains/Goland2021.3/goland.vmoptions micool_macconfig/JetBrains/Goland2022.1/goland.vmoptions micool_macconfig/JetBrains/Goland2022.2/goland.vmoptions micool_macconfig/JetBrains/Goland2022.3/goland.vmoptions micool_macconfig/JetBrains/IntelliJIdea2020.1/idea.vmoptions micool_macconfig/JetBrains/IntelliJIdea2020.2/idea.vmoptions micool_macconfig/JetBrains/IntelliJIdea2020.3/idea.vmoptions micool_macconfig/JetBrains/IntelliJIdea2021.1/idea.vmoptions micool_macconfig/JetBrains/IntelliJIdea2021.2/idea.vmoptions micool_macconfig/JetBrains/IntelliJIdea2021.3/idea.vmoptions micool_macconfig/JetBrains/IntelliJIdea2022.1/idea.vmoptions micool_macconfig/JetBrains/IntelliJIdea2022.2/idea.vmoptions micool_macconfig/JetBrains/IntelliJIdea2022.3/idea.vmoptions micool_macconfig/JetBrains/PhpStorm2020.1/phpstorm.vmoptions micool_macconfig/JetBrains/PhpStorm2020.2/phpstorm.vmoptions micool_macconfig/JetBrains/PhpStorm2020.3/phpstorm.vmoptions micool_macconfig/JetBrains/PhpStorm2021.1/phpstorm.vmoptions micool_macconfig/JetBrains/PhpStorm2021.2/phpstorm.vmoptions micool_macconfig/JetBrains/PhpStorm2021.3/phpstorm.vmoptions micool_macconfig/JetBrains/PhpStorm2022.1/phpstorm.vmoptions micool_macconfig/JetBrains/PhpStorm2022.2/phpstorm.vmoptions micool_macconfig/JetBrains/PhpStorm2022.3/phpstorm.vmoptions micool_macconfig/JetBrains/PyCharm2020.1/pycharm.vmoptions micool_macconfig/JetBrains/PyCharm2020.2/pycharm.vmoptions micool_macconfig/JetBrains/PyCharm2020.3/pycharm.vmoptions 
micool_macconfig/JetBrains/PyCharm2021.1/pycharm.vmoptions micool_macconfig/JetBrains/PyCharm2021.2/pycharm.vmoptions micool_macconfig/JetBrains/PyCharm2021.3/pycharm.vmoptions micool_macconfig/JetBrains/PyCharm2022.1/pycharm.vmoptions micool_macconfig/JetBrains/PyCharm2022.2/pycharm.vmoptions micool_macconfig/JetBrains/PyCharm2022.3/pycharm.vmoptions micool_macconfig/JetBrains/Rider2020.1/rider.vmoptions micool_macconfig/JetBrains/Rider2020.2/rider.vmoptions micool_macconfig/JetBrains/Rider2020.3/rider.vmoptions micool_macconfig/JetBrains/Rider2021.1/rider.vmoptions micool_macconfig/JetBrains/Rider2021.2/rider.vmoptions micool_macconfig/JetBrains/Rider2021.3/rider.vmoptions micool_macconfig/JetBrains/Rider2022.1/rider.vmoptions micool_macconfig/JetBrains/Rider2022.2/rider.vmoptions micool_macconfig/JetBrains/Rider2022.3/rider.vmoptions micool_macconfig/JetBrains/RubyMine2020.1/rubymine.vmoptions micool_macconfig/JetBrains/RubyMine2020.2/rubymine.vmoptions micool_macconfig/JetBrains/RubyMine2020.3/rubymine.vmoptions micool_macconfig/JetBrains/RubyMine2021.1/rubymine.vmoptions micool_macconfig/JetBrains/RubyMine2021.2/rubymine.vmoptions micool_macconfig/JetBrains/RubyMine2021.3/rubymine.vmoptions micool_macconfig/JetBrains/RubyMine2022.1/rubymine.vmoptions micool_macconfig/JetBrains/RubyMine2022.2/rubymine.vmoptions micool_macconfig/JetBrains/RubyMine2022.3/rubymine.vmoptions micool_macconfig/JetBrains/WebStorm2020.1/webstorm.vmoptions micool_macconfig/JetBrains/WebStorm2020.2/webstorm.vmoptions micool_macconfig/JetBrains/WebStorm2020.3/webstorm.vmoptions micool_macconfig/JetBrains/WebStorm2021.1/webstorm.vmoptions micool_macconfig/JetBrains/WebStorm2021.2/webstorm.vmoptions micool_macconfig/JetBrains/WebStorm2021.3/webstorm.vmoptions micool_macconfig/JetBrains/WebStorm2022.1/webstorm.vmoptions micool_macconfig/JetBrains/WebStorm2022.2/webstorm.vmoptions micool_macconfig/JetBrains/WebStorm2022.3/webstorm.vmoptions]

/bin/sed

[sed -i s/bianliang1//g micool_macconfig/JetBrainsold/AppCode2017.1/config/appcode.vmoptions micool_macconfig/JetBrainsold/AppCode2017.2/config/appcode.vmoptions micool_macconfig/JetBrainsold/AppCode2017.3/config/appcode.vmoptions micool_macconfig/JetBrainsold/AppCode2018.1/config/appcode.vmoptions micool_macconfig/JetBrainsold/AppCode2018.2/config/appcode.vmoptions micool_macconfig/JetBrainsold/AppCode2018.3/config/appcode.vmoptions micool_macconfig/JetBrainsold/AppCode2019.1/config/appcode.vmoptions micool_macconfig/JetBrainsold/AppCode2019.2/config/appcode.vmoptions micool_macconfig/JetBrainsold/AppCode2019.3/config/appcode.vmoptions micool_macconfig/JetBrainsold/CLion2017.1/config/clion.vmoptions micool_macconfig/JetBrainsold/CLion2017.2/config/clion.vmoptions micool_macconfig/JetBrainsold/CLion2017.3/config/clion.vmoptions micool_macconfig/JetBrainsold/CLion2018.1/config/clion.vmoptions micool_macconfig/JetBrainsold/CLion2018.2/config/clion.vmoptions micool_macconfig/JetBrainsold/CLion2018.3/config/clion.vmoptions micool_macconfig/JetBrainsold/CLion2019.1/config/clion.vmoptions micool_macconfig/JetBrainsold/CLion2019.2/config/clion.vmoptions micool_macconfig/JetBrainsold/CLion2019.3/config/clion.vmoptions micool_macconfig/JetBrainsold/DataGrip2017.1/config/datagrip.vmoptions micool_macconfig/JetBrainsold/DataGrip2017.2/config/datagrip.vmoptions micool_macconfig/JetBrainsold/DataGrip2017.3/config/datagrip.vmoptions micool_macconfig/JetBrainsold/DataGrip2018.1/config/datagrip.vmoptions micool_macconfig/JetBrainsold/DataGrip2018.2/config/datagrip.vmoptions micool_macconfig/JetBrainsold/DataGrip2018.3/config/datagrip.vmoptions micool_macconfig/JetBrainsold/DataGrip2019.1/config/datagrip.vmoptions micool_macconfig/JetBrainsold/DataGrip2019.2/config/datagrip.vmoptions micool_macconfig/JetBrainsold/DataGrip2019.3/config/datagrip.vmoptions micool_macconfig/JetBrainsold/DataSpell2017.1/config/dataspell.vmoptions 
micool_macconfig/JetBrainsold/DataSpell2017.2/config/dataspell.vmoptions micool_macconfig/JetBrainsold/DataSpell2017.3/config/dataspell.vmoptions micool_macconfig/JetBrainsold/DataSpell2018.1/config/dataspell.vmoptions micool_macconfig/JetBrainsold/DataSpell2018.2/config/dataspell.vmoptions micool_macconfig/JetBrainsold/DataSpell2018.3/config/dataspell.vmoptions micool_macconfig/JetBrainsold/DataSpell2019.1/config/dataspell.vmoptions micool_macconfig/JetBrainsold/DataSpell2019.2/config/dataspell.vmoptions micool_macconfig/JetBrainsold/DataSpell2019.3/config/dataspell.vmoptions micool_macconfig/JetBrainsold/GoLand2017.1/config/goland.vmoptions micool_macconfig/JetBrainsold/GoLand2017.2/config/goland.vmoptions micool_macconfig/JetBrainsold/GoLand2017.3/config/goland.vmoptions micool_macconfig/JetBrainsold/GoLand2018.1/config/goland.vmoptions micool_macconfig/JetBrainsold/GoLand2018.2/config/goland.vmoptions micool_macconfig/JetBrainsold/GoLand2018.3/config/goland.vmoptions micool_macconfig/JetBrainsold/GoLand2019.1/config/goland.vmoptions micool_macconfig/JetBrainsold/GoLand2019.2/config/goland.vmoptions micool_macconfig/JetBrainsold/GoLand2019.3/config/goland.vmoptions micool_macconfig/JetBrainsold/IntelliJIdea2017.1/config/idea.vmoptions micool_macconfig/JetBrainsold/IntelliJIdea2017.2/config/idea.vmoptions micool_macconfig/JetBrainsold/IntelliJIdea2017.3/config/idea.vmoptions micool_macconfig/JetBrainsold/IntelliJIdea2018.1/config/idea.vmoptions micool_macconfig/JetBrainsold/IntelliJIdea2018.2/config/idea.vmoptions micool_macconfig/JetBrainsold/IntelliJIdea2018.3/config/idea.vmoptions micool_macconfig/JetBrainsold/IntelliJIdea2019.1/config/idea.vmoptions micool_macconfig/JetBrainsold/IntelliJIdea2019.2/config/idea.vmoptions micool_macconfig/JetBrainsold/IntelliJIdea2019.3/config/idea.vmoptions micool_macconfig/JetBrainsold/PhpStorm2017.1/config/phpstorm.vmoptions micool_macconfig/JetBrainsold/PhpStorm2017.2/config/phpstorm.vmoptions 
micool_macconfig/JetBrainsold/PhpStorm2017.3/config/phpstorm.vmoptions micool_macconfig/JetBrainsold/PhpStorm2018.1/config/phpstorm.vmoptions micool_macconfig/JetBrainsold/PhpStorm2018.2/config/phpstorm.vmoptions micool_macconfig/JetBrainsold/PhpStorm2018.3/config/phpstorm.vmoptions micool_macconfig/JetBrainsold/PhpStorm2019.1/config/phpstorm.vmoptions micool_macconfig/JetBrainsold/PhpStorm2019.2/config/phpstorm.vmoptions micool_macconfig/JetBrainsold/PhpStorm2019.3/config/phpstorm.vmoptions micool_macconfig/JetBrainsold/PyCharm2017.1/config/pycharm.vmoptions micool_macconfig/JetBrainsold/PyCharm2017.2/config/pycharm.vmoptions micool_macconfig/JetBrainsold/PyCharm2017.3/config/pycharm.vmoptions micool_macconfig/JetBrainsold/PyCharm2018.1/config/pycharm.vmoptions micool_macconfig/JetBrainsold/PyCharm2018.2/config/pycharm.vmoptions micool_macconfig/JetBrainsold/PyCharm2018.3/config/pycharm.vmoptions micool_macconfig/JetBrainsold/PyCharm2019.1/config/pycharm.vmoptions micool_macconfig/JetBrainsold/PyCharm2019.2/config/pycharm.vmoptions micool_macconfig/JetBrainsold/PyCharm2019.3/config/pycharm.vmoptions micool_macconfig/JetBrainsold/Rider2017.1/config/rider.vmoptions micool_macconfig/JetBrainsold/Rider2017.2/config/rider.vmoptions micool_macconfig/JetBrainsold/Rider2017.3/config/rider.vmoptions micool_macconfig/JetBrainsold/Rider2018.1/config/rider.vmoptions micool_macconfig/JetBrainsold/Rider2018.2/config/rider.vmoptions micool_macconfig/JetBrainsold/Rider2018.3/config/rider.vmoptions micool_macconfig/JetBrainsold/Rider2019.1/config/rider.vmoptions micool_macconfig/JetBrainsold/Rider2019.2/config/rider.vmoptions micool_macconfig/JetBrainsold/Rider2019.3/config/rider.vmoptions micool_macconfig/JetBrainsold/RubyMine2017.1/config/rubymine.vmoptions micool_macconfig/JetBrainsold/RubyMine2017.2/config/rubymine.vmoptions micool_macconfig/JetBrainsold/RubyMine2017.3/config/rubymine.vmoptions micool_macconfig/JetBrainsold/RubyMine2018.1/config/rubymine.vmoptions 
micool_macconfig/JetBrainsold/RubyMine2018.2/config/rubymine.vmoptions micool_macconfig/JetBrainsold/RubyMine2018.3/config/rubymine.vmoptions micool_macconfig/JetBrainsold/RubyMine2019.1/config/rubymine.vmoptions micool_macconfig/JetBrainsold/RubyMine2019.2/config/rubymine.vmoptions micool_macconfig/JetBrainsold/RubyMine2019.3/config/rubymine.vmoptions micool_macconfig/JetBrainsold/WebStorm2017.1/config/webstorm.vmoptions micool_macconfig/JetBrainsold/WebStorm2017.2/config/webstorm.vmoptions micool_macconfig/JetBrainsold/WebStorm2017.3/config/webstorm.vmoptions micool_macconfig/JetBrainsold/WebStorm2018.1/config/webstorm.vmoptions micool_macconfig/JetBrainsold/WebStorm2018.2/config/webstorm.vmoptions micool_macconfig/JetBrainsold/WebStorm2018.3/config/webstorm.vmoptions micool_macconfig/JetBrainsold/WebStorm2019.1/config/webstorm.vmoptions micool_macconfig/JetBrainsold/WebStorm2019.2/config/webstorm.vmoptions micool_macconfig/JetBrainsold/WebStorm2019.3/config/webstorm.vmoptions]

/bin/cp

[cp -fR micool_macconfig/configfile ~/]

/bin/cp

[cp -fR micool_macconfig/JetBrains ~/Library/Application Support/]

/bin/cp

[cp -fR micool_macconfig/JetBrainsold ~/Library/Preferences/]

Network

Country Destination Domain Proto
GB 185.125.188.61:443 tcp
GB 185.125.188.61:443 tcp
US 151.101.193.91:443 tcp
US 151.101.193.91:443 tcp
N/A 224.0.0.251:5353 udp
GB 89.187.167.7:443 tcp

Files

/tmp/macjihuo-2022/micool_macconfig/JetBrains/AppCode2020.1/sedfRNL9V

/tmp/macjihuo-2022/micool_macconfig/JetBrains/AppCode2021.3/sedTjpylL

/tmp/macjihuo-2022/micool_macconfig/JetBrains/Clion2022.1/sedNAfotq

/tmp/macjihuo-2022/micool_macconfig/JetBrains/Clion2022.2/sed5nuDBZ

/tmp/macjihuo-2022/micool_macconfig/JetBrains/DataSpell2022.1/sedVxT0Lw

/tmp/macjihuo-2022/micool_macconfig/JetBrains/Datagrip2022.1/sedlnpLlD

/tmp/macjihuo-2022/micool_macconfig/JetBrains/Goland2022.1/sed9ZtMiK

/tmp/macjihuo-2022/micool_macconfig/JetBrains/IntelliJIdea2022.1/sedBj4WrR

/tmp/macjihuo-2022/micool_macconfig/JetBrains/PhpStorm2022.1/sedJKAeLY

/tmp/macjihuo-2022/micool_macconfig/JetBrains/PyCharm2022.1/sedtsZeh6

/tmp/macjihuo-2022/micool_macconfig/JetBrains/Rider2022.1/sedFTms0d

/tmp/macjihuo-2022/micool_macconfig/JetBrains/WebStorm2022.1/sedvnb75t

/tmp/macjihuo-2022/micool_macconfig/JetBrainsold/AppCode2017.1/config/sed4zkuc0

/tmp/macjihuo-2022/micool_macconfig/JetBrainsold/AppCode2018.1/config/sedHrmCrI

/tmp/macjihuo-2022/micool_macconfig/JetBrainsold/AppCode2019.1/config/sedUJh8Hq

/tmp/macjihuo-2022/~/micool/config/dns.conf

/tmp/macjihuo-2022/~/micool/config/mymap.conf

/tmp/macjihuo-2022/~/micool/config/power.conf

/tmp/macjihuo-2022/~/micool/config/url.conf

/tmp/macjihuo-2022/~/micool/micool.jar

/tmp/macjihuo-2022/~/micool/plugins/dns.jar

/tmp/macjihuo-2022/~/micool/plugins/hideme.jar

/tmp/macjihuo-2022/~/micool/plugins/mymap-v1.0.1.jar

/tmp/macjihuo-2022/~/micool/plugins/power.jar

/tmp/macjihuo-2022/~/micool/plugins/url.jar

/tmp/macjihuo-2022/~/micool2017.jar

/tmp/macjihuo-2022/~/micool2018.jar

/tmp/macjihuo-2022/~/micool2019.jar

/tmp/macjihuo-2022/~/yz/config/power.conf

/tmp/macjihuo-2022/~/yz/fuzzes/config/dns.conf

/tmp/macjihuo-2022/~/yz/fuzzes/config/power.conf

/tmp/macjihuo-2022/~/yz/fuzzes/plugins/power.jar

/tmp/macjihuo-2022/~/yz/plugins/power.jar

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-06 12:31

Reported

2024-06-06 12:33

Platform

win10v2004-20240226-en

Max time kernel

137s

Max time network

160s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool.jar

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2428 wrote to memory of 2760 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 2428 wrote to memory of 2760 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3100 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
GB 142.250.187.202:443 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 137.71.105.51.in-addr.arpa udp

Files

memory/2428-2-0x0000028CEEDE0000-0x0000028CEF050000-memory.dmp

memory/2428-11-0x0000028CEEDC0000-0x0000028CEEDC1000-memory.dmp

memory/2428-13-0x0000028CEEDE0000-0x0000028CEF050000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-06 12:31

Reported

2024-06-06 12:33

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

151s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\micool.jar

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3448 wrote to memory of 3488 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 3448 wrote to memory of 3488 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\micool.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 52.111.229.48:443 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

memory/3448-2-0x00000264D7260000-0x00000264D74D0000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

memory/3448-13-0x00000264D7240000-0x00000264D7241000-memory.dmp

memory/3448-14-0x00000264D7260000-0x00000264D74D0000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-06 12:31

Reported

2024-06-06 12:33

Platform

win7-20240221-en

Max time kernel

118s

Max time network

121s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\plugins\url.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\plugins\url.jar

Network

N/A

Files

memory/2884-2-0x00000000026F0000-0x0000000002960000-memory.dmp

memory/2884-10-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2884-11-0x00000000026F0000-0x0000000002960000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-06 12:31

Reported

2024-06-06 12:33

Platform

win10v2004-20240508-en

Max time kernel

91s

Max time network

105s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool2019.jar

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1400 wrote to memory of 720 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 1400 wrote to memory of 720 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool2019.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network


Files

memory/1400-2-0x000001F2B2920000-0x000001F2B2B90000-memory.dmp

memory/1400-11-0x000001F2B1010000-0x000001F2B1011000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 3ecfd3a15ec5e7ed2515b1a5eadccb97
SHA1 f4a57fe6caea99b2a9ae6a893be90d2c46f3dab2
SHA256 cf7f77b1a0c1d0b9a435ed64ceeb222eac204ba6934a78e89aed5ceb374dd674
SHA512 155ac125458b8a608b95a21c9ad446973a981ada01f5a0b20b6a11b2085ba8bd98420cfba1e18a56a188ff04cf62f63c54dec26b3a4657169da639375c939220

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-06 12:31

Reported

2024-06-06 12:33

Platform

win10v2004-20240508-en

Max time kernel

135s

Max time network

132s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool2018.jar

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 624 wrote to memory of 3916 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 624 wrote to memory of 3916 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool2018.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3744,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=1280 /prefetch:8

Network


Files

memory/624-2-0x0000027369800000-0x0000027369A70000-memory.dmp

memory/624-11-0x00000273697E0000-0x00000273697E1000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 779c14896efbc28ea0d72302f89bbb76
SHA1 0d2cb7e198c216d0f431620b03a90b6cff09e5db
SHA256 6431b08f19052f59a65f792ef80e8df6de98bb8b9c1ca2b224d9681e24baee34
SHA512 5faf6d259ab7cb929ba48594b30ef1f0a8924f0e5dd29f8cea090758533cf9cb8ac525cf92f0af683052a8b7a06279d835725aa7519a066089a12ecb9a177e73

memory/624-15-0x0000027369A70000-0x0000027369A80000-memory.dmp

memory/624-17-0x00000273697E0000-0x00000273697E1000-memory.dmp

memory/624-18-0x0000027369800000-0x0000027369A70000-memory.dmp

memory/624-19-0x0000027369A70000-0x0000027369A80000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-06 12:31

Reported

2024-06-06 12:33

Platform

win7-20240215-en

Max time kernel

120s

Max time network

122s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\yz\active-agt-goland.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\yz\active-agt-goland.jar

Network

N/A

Files

memory/2408-2-0x00000000025F0000-0x0000000002860000-memory.dmp

memory/2408-11-0x0000000001D70000-0x0000000001D71000-memory.dmp

memory/2408-12-0x00000000025F0000-0x0000000002860000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-06 12:31

Reported

2024-06-06 12:33

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\yz\active-agt-idea.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\yz\active-agt-idea.jar

Network

N/A

Files

memory/2760-2-0x0000000002670000-0x00000000028E0000-memory.dmp

memory/2760-11-0x0000000000140000-0x0000000000141000-memory.dmp

memory/2760-12-0x0000000002670000-0x00000000028E0000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-06 12:31

Reported

2024-06-06 12:33

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

155s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\yz\active-agt-phpstorm.jar

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1968 wrote to memory of 3652 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 1968 wrote to memory of 3652 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\yz\active-agt-phpstorm.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network


Files

memory/1968-2-0x000001B5E70A0000-0x000001B5E7310000-memory.dmp

memory/1968-12-0x000001B5E7080000-0x000001B5E7081000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 fa77a4420d301b7eb0e2807189e055bb
SHA1 91efd2e86661293b20094dc2262792781ef93f3b
SHA256 465a06252684314de7d87475309a58c4b0510215d0f804dfa1ab9e44f2ef57e8
SHA512 5e573db7615f777b01da0b925a7328f1746359d3f34fe32adfe31f4fedda895a43e1fae1fc7a565eaa66c0a99ac1f209c2ef026fad7fe392f3a5b83600fb8b6e

memory/1968-14-0x000001B5E70A0000-0x000001B5E7310000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-06 12:31

Reported

2024-06-06 12:33

Platform

win7-20240221-en

Max time kernel

122s

Max time network

123s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\plugins\dns.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\plugins\dns.jar

Network

N/A

Files

memory/2984-2-0x0000000002400000-0x0000000002670000-memory.dmp

memory/2984-10-0x0000000000140000-0x0000000000141000-memory.dmp

memory/2984-11-0x0000000002400000-0x0000000002670000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-06 12:31

Reported

2024-06-06 12:33

Platform

win7-20240221-en

Max time kernel

117s

Max time network

119s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\plugins\hideme.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\plugins\hideme.jar

Network

N/A

Files

memory/2024-2-0x00000000025D0000-0x0000000002840000-memory.dmp

memory/2024-10-0x0000000000450000-0x0000000000451000-memory.dmp

memory/2024-11-0x00000000025D0000-0x0000000002840000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-06 12:31

Reported

2024-06-06 12:33

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

155s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\plugins\mymap-v1.0.1.jar

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4844 wrote to memory of 1924 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 4844 wrote to memory of 1924 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\plugins\mymap-v1.0.1.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network


Files

memory/4844-2-0x0000020964C90000-0x0000020964F00000-memory.dmp

memory/4844-11-0x00000209633D0000-0x00000209633D1000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 9ab40c8421744e6858b60b0eaf7233d0
SHA1 a0d114107dee7594d659d4c241258ca4a96a4534
SHA256 d052e6b1fb93c3f6b70adf88316b4ec46190822b820749366b8be6af3fc62b60
SHA512 7fa50020cf99c73723707f08bbd0ae9ff0eab3bec39b983b14b6185471fa46d36a1b3fdd34bfd3efd7a10b6dcce7c239ed0599bcfbb09664acd8c00d74d23f63

memory/4844-13-0x0000020964C90000-0x0000020964F00000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-06 12:31

Reported

2024-06-06 12:33

Platform

win7-20240220-en

Max time kernel

117s

Max time network

118s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool2018.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool2018.jar

Network

N/A

Files

memory/2836-2-0x00000000024E0000-0x0000000002750000-memory.dmp

memory/2836-10-0x0000000000440000-0x0000000000441000-memory.dmp

memory/2836-13-0x00000000024E0000-0x0000000002750000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-06 12:31

Reported

2024-06-06 12:33

Platform

win7-20240221-en

Max time kernel

119s

Max time network

127s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool2019.jar

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\java.exe N/A
N/A N/A C:\Windows\system32\java.exe N/A
N/A N/A C:\Windows\system32\java.exe N/A
N/A N/A C:\Windows\system32\java.exe N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool2019.jar

Network

N/A

Files

memory/2172-2-0x0000000002170000-0x00000000023E0000-memory.dmp

memory/2172-10-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2172-13-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2172-38-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2172-53-0x0000000000490000-0x000000000049A000-memory.dmp

memory/2172-52-0x0000000000490000-0x000000000049A000-memory.dmp

memory/2172-70-0x0000000002170000-0x00000000023E0000-memory.dmp

memory/2172-71-0x0000000000490000-0x000000000049A000-memory.dmp

memory/2172-72-0x0000000000490000-0x000000000049A000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-06 12:31

Reported

2024-06-06 12:33

Platform

win10v2004-20240508-en

Max time kernel

133s

Max time network

132s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\yz\active-agt-goland.jar

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2280 wrote to memory of 1488 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 2280 wrote to memory of 1488 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\yz\active-agt-goland.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4360,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=4584 /prefetch:8

Network


Files

memory/2280-2-0x000001ADA9380000-0x000001ADA95F0000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 2268ec75f82d72ffd738cee8f24b7b43
SHA1 9dd842ace0e6b515e7fff8f9a9fa9008b1ec7b15
SHA256 c824118f582e1ff0ead001530db226b6ca26094274a938095b7ea35196cd519a
SHA512 c438a873fc6df5914cd9eb220a9855269ec3b4a2b3e2238b8b32f7579dcdac3cce00c27d33d893644fbb9d32ad9771c71c3c892686d147902127512eef0dcebc

memory/2280-13-0x000001ADA9360000-0x000001ADA9361000-memory.dmp

memory/2280-14-0x000001ADA9380000-0x000001ADA95F0000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-06 12:31

Reported

2024-06-06 12:33

Platform

win7-20240221-en

Max time kernel

119s

Max time network

121s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\micool.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\micool.jar

Network

N/A

Files

memory/2880-2-0x0000000002670000-0x00000000028E0000-memory.dmp

memory/2880-11-0x0000000000140000-0x0000000000141000-memory.dmp

memory/2880-12-0x0000000002670000-0x00000000028E0000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-06 12:31

Reported

2024-06-06 12:33

Platform

win7-20240221-en

Max time kernel

119s

Max time network

121s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool2017.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool2017.jar

Network

N/A

Files

memory/808-2-0x0000000002490000-0x0000000002700000-memory.dmp

memory/808-11-0x0000000000160000-0x0000000000161000-memory.dmp

memory/808-12-0x0000000002490000-0x0000000002700000-memory.dmp