File verdict · Decided by the MT AI Engine
Our call

Suspicious

Unsigned Minecraft mod with anti-debug and obfuscation; tier-1 engines silent but FileScan flags evasion techniques.

Trust score: 52 (Caution)
MT AI confidence · 62%
Fapcraft.1.12.2.v1.1.jar
43.7 MB
0c5cfabb7d64aac8655ccc4925bf
Antivirus engines
0 of 75 flagged
Code signing
Unsigned
Age
First seen 2y ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

62% Confidence
Moderate
Reasoning

The file exhibits a classic benign-software profile: zero tier-1 malware detections, high prevalence (common_old classification), and no confirmed malicious children or C2 contact. However, the consistent SUSPICIOUS verdicts from FileScan.IO and the presence of anti-debug and obfuscation techniques create ambiguity. The offensive MITRE techniques (T1543.002, T1562.001) are ambient to Java runtime execution and Oracle Java privilege management, not indicative of malicious payload. The evasion indicators align with legitimate mod obfuscation rather than malware family behaviour. No tier-1 engine identified a malware family, and no sandbox malicious verdict was recorded.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. engines.tier1Malicious=0; 17 tier-1 engines (Avast, BitDefender, Kaspersky, Microsoft, ESET-NOD32, Fortinet, Emsisoft, others) all undetected

  2. prevalence.classification=common_old; 67,224 submissions across 3,742 sources; file age 905 days — consistent with established Minecraft mod

  3. behaviour.offensiveTechniques=[T1543.002, T1562.001] are ambient to Java runtime privilege escalation for Oracle usage tracking, not malicious payload indicators

  4. droppedChildren.hasMaliciousChild=false; 10 children inspected, all verdicts unknown, no malicious confirmed

  5. communityComments: FileScan.IO flagged SUSPICIOUS (5 reports, 100% confidence) citing anti-debug, base64, obfuscation — consistent with legitimate mod evasion, not malware family

Points in its favour
  • All 17 tier-1 antivirus engines report clean (Avast, BitDefender, Kaspersky, Microsoft, ESET-NOD32, Fortinet, Emsisoft, others)
  • High prevalence: 67,224 submissions across 3,742 sources; file age 905 days indicates established software
  • No malicious children confirmed (10 dropped files inspected, all verdicts unknown)
  • No contacted malicious hosts; no C2 beaconing detected
  • Filename consistent with known Minecraft mod project (Fapcraft)
Points against
  • Anti-debug and obfuscation techniques detected by FileScan.IO (5 independent analyses, 100% confidence)
  • Unsigned JAR file with no publisher verification
  • T1543.002 and T1562.001 MITRE techniques (though ambient to Java runtime)
  • Base64 encoding and masquerade tags in FileScan analysis
What to do

Do not execute this file on production systems without further investigation. If obtained from an official Minecraft mod repository, the risk is lower; if from an untrusted source, isolate and scan with updated antivirus before use. The tier-1 engine consensus suggests low malware probability, but FileScan's consistent evasion flags warrant manual code review or sandboxing in an isolated environment.

Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK
13

Adversary techniques mapped to the MITRE ATT&CK framework.

T1064, T1082, T1106, T1202, T1497, T1518.001, T1543.002, T1562.001, T1564, T1564.001, T1564.003, T1574.002, T1574.010
Spawned processes
15
"C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\<USER>\Desktop\runtime.jar"
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files\Java\jre1.8.0_421\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\sample.jar"" >> C:\cmdlinestart.log 2>&1
C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
"C:\Program Files\Java\jre1.8.0_421\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\sample.jar"
C:\Windows\System32\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files\Java\jre1.8.0_441\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\runtime.jar"" >> C:\cmdlinestart.log 2>&1
"C:\Program Files\Java\jre1.8.0_441\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\runtime.jar"
+7 more processes captured.
Filesystem & mutexes
31
Files written: 15
  • C:\Users\<USER>\AppData\Local\Temp\hsperfdata_<USER>\5900
  • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
  • C:\ProgramData\Oracle
  • C:\ProgramData\Oracle\Java
  • C:\ProgramData\Oracle\Java\.oracle_jre_usage
+10 more
Files deleted: 15
  • C:\Users\user\AppData\Local\Temp\hsperfdata_user\6936
  • C:\Users\user\AppData\Local\Temp\hsperfdata_user\6968
  • C:\Users\user\AppData\Local\Temp\hsperfdata_user\6724
  • C:\Users\user\AppData\Local\Temp\hsperfdata_user\6932
  • C:\Users\user\AppData\Local\Temp\hsperfdata_user\4604
+10 more
Mutexes created: 1
  • \Sessions\1\BaseNamedObjects\Local\SessionImmersiveColorMutex
Dropped payload

Files this sample writes at runtime

This file drops 10 children at runtime. None are currently flagged malicious in our cache.

10 unseen
No researcher-database hits
External threat-intel sources were not collected for this scan.
Antivirus engine breakdown

0 detections across 75 engines

0 malicious · 0 suspicious · 75 clean
Tier-1 · 17 engines
0 flagged
Top commercial AVs (low FP rate)
Tier-2 · 38 engines
0 flagged
Mainstream engines with mixed FP rates
Low-trust · 20 engines
0 flagged
Heuristic / generic-AI engines (high FP rate)
All 75 engines report this file as clean.
Hash 0c5cfabb7d64… cross-referenced against 75 AV engines via our AV network.
Prevalence

How often this file shows up in the wild

Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.

Common & old
Unique uploaders
3,742
Hundreds of people have uploaded this — common.
Total submissions
67,224
Includes repeat uploads by the same source.
First seen by VT
2y ago
Jan 6, 2024
Prevalence quadrant
  • Rare · New: Targeted malware lives here
  • Common · New: Just-released software
  • Rare · Old: Niche or internal tooling
  • Common · Old (this file is here): Trusted legitimate binaries
File identity

Forensic fingerprint

File biography
First seen (VT)
1/6/2024, 6:19:38 PM
First seen (MalwareBazaar)
Last analysis (VT)
6/29/2026, 6:02:45 PM
Scanned here
6/30/2026, 1:03:30 AM
File name
Fapcraft.1.12.2.v1.1.jar
Size
43.70 MB
MIME type
(unknown)
Detected type
JAR
SHA-256
0c5cfabb7d64aac865fd6753375ddd856bed12e1ff8f1e0e4164fa5ccc4925bf
MD5
f5d9b40d51f4bd60e2bd30d30e4548a2
SHA-1
f53e08bbe16f25240af25793600e76ea854b731a
First scan (MalwareTips)
6/30/2026, 1:03:30 AM
Last scan (MalwareTips)
6/30/2026, 1:03:30 AM
Community reputation
+6 trusted
Behavior tags
jar, detect-debug-environment, sets-process-name, long-sleeps, checks-cpu-name
Community classification

Reviews & malware reports (0)

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.