Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
110s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system -
submitted
19/04/2023, 02:04
Static task
static1
Behavioral task
behavioral1
Sample
JJSploit_7.1.3_x86_en-US.msi
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
JJSploit_7.1.3_x86_en-US.msi
Resource
win10v2004-20230220-en
General
-
Target
JJSploit_7.1.3_x86_en-US.msi
-
Size
5.8MB
-
MD5
89b39aafa577686ce2890ff00a22f7d6
-
SHA1
1259bb1962d23f242ebe340f359b3825a31989d4
-
SHA256
dfdb140d98307146cbdbc726cc1f4897acc14288c95fd8bfc5ab29f91c895fa3
-
SHA512
59d7ee87354f01c9bcaf438086a730f56c671f75815be696b07107d54f886b48a7217a7c4138e690a6c0670b7c39dd564650b63e6e12743d46b3bd65824ad70d
-
SSDEEP
98304:oni7F600rU+xmX0VumSuS2eaYbC8wSKyWatyiGoMNjbLmf19+I3NlNi3bywir:Gi7F6MiVVBS2e3bC8wS+QGZNYpi2
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
pid | Process
564 | MsiExec.exe
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\F: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\F: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
-
Drops file in Program Files directory 23 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\JJSploit\resources\luascripts\jailbreak\removewalls.lua | msiexec.exe
File created | C:\Program Files (x86)\JJSploit\resources\luascripts\animations\jumpland.lua | msiexec.exe
File created | C:\Program Files (x86)\JJSploit\resources\luascripts\animations\levitate.lua | msiexec.exe
File created | C:\Program Files (x86)\JJSploit\resources\luascripts\jailbreak\walkspeed.lua | msiexec.exe
File created | C:\Program Files (x86)\JJSploit\JJSploit.exe | msiexec.exe
File created | C:\Program Files (x86)\JJSploit\resources\luascripts\animations\energizegui.lua | msiexec.exe
File created | C:\Program Files (x86)\JJSploit\resources\luascripts\animations\dab.lua | msiexec.exe
File created | C:\Program Files (x86)\JJSploit\resources\luascripts\general\multidimensionalcharacter.lua | msiexec.exe
File created | C:\Program Files (x86)\JJSploit\resources\luascripts\general\chattroll.lua | msiexec.exe
File created | C:\Program Files (x86)\JJSploit\resources\luascripts\general\noclip.lua | msiexec.exe
File created | C:\Program Files (x86)\JJSploit\resources\luascripts\general\magnetizeto.lua | msiexec.exe
File created | C:\Program Files (x86)\JJSploit\resources\luascripts\beesim\autodig.lua | msiexec.exe
File created | C:\Program Files (x86)\JJSploit\Uninstall JJSploit.lnk | msiexec.exe
File created | C:\Program Files (x86)\JJSploit\resources\luascripts\jailbreak\policeesp.lua | msiexec.exe
File opened for modification | C:\Program Files (x86)\JJSploit\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File created | C:\Program Files (x86)\JJSploit\resources\luascripts\animations\walkthrough.lua | msiexec.exe
File created | C:\Program Files (x86)\JJSploit\resources\luascripts\jailbreak\criminalesp.lua | msiexec.exe
File created | C:\Program Files (x86)\JJSploit\resources\luascripts\general\infinitejump.lua | msiexec.exe
File created | C:\Program Files (x86)\JJSploit\resources\luascripts\general\fly.lua | msiexec.exe
File created | C:\Program Files (x86)\JJSploit\resources\luascripts\general\tptool.lua | msiexec.exe
File created | C:\Program Files (x86)\JJSploit\resources\luascripts\general\god.lua | msiexec.exe
File created | C:\Program Files (x86)\JJSploit\resources\luascripts\general\teleportto.lua | msiexec.exe
File created | C:\Program Files (x86)\JJSploit\resources\luascripts\general\aimbot.lua | msiexec.exe
-
Drops file in Windows directory 12 IoCs
description | ioc | Process
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File created | C:\Windows\Installer\6c93a9.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI95EA.tmp | msiexec.exe
File created | C:\Windows\Installer\{7FF8E9C7-261E-4AB2-A1D2-72D10618FD82}\ProductIcon | msiexec.exe
File opened for modification | C:\Windows\Installer\{7FF8E9C7-261E-4AB2-A1D2-72D10618FD82}\ProductIcon | msiexec.exe
File created | C:\Windows\Installer\6c93ac.msi | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File opened for modification | C:\Windows\Installer\6c93a9.msi | msiexec.exe
File created | C:\Windows\Installer\6c93aa.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\6c93aa.ipi | msiexec.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
-
Modifies data under HKEY_USERS 46 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | DrvInst.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
-
Modifies registry class 35 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7C9E8FF7E1622BA41A2D271D6081DF28\InstanceType = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Products\7C9E8FF7E1622BA41A2D271D6081DF28\SourceList | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7C9E8FF7E1622BA41A2D271D6081DF28\SourceList | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7C9E8FF7E1622BA41A2D271D6081DF28 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7C9E8FF7E1622BA41A2D271D6081DF28\Environment = "MainProgram" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7C9E8FF7E1622BA41A2D271D6081DF28\PackageCode = "168083A7465697B46A7B5C6B7E1FE20A" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7C9E8FF7E1622BA41A2D271D6081DF28\ProductIcon = "C:\\Windows\\Installer\\{7FF8E9C7-261E-4AB2-A1D2-72D10618FD82}\\ProductIcon" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7C9E8FF7E1622BA41A2D271D6081DF28\SourceList\Media | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1B5BE67603097495AB20AEE6179D01CA | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7C9E8FF7E1622BA41A2D271D6081DF28\ShortcutsFeature = "MainProgram" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7C9E8FF7E1622BA41A2D271D6081DF28\MainProgram | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7C9E8FF7E1622BA41A2D271D6081DF28\DeploymentFlags = "3" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1B5BE67603097495AB20AEE6179D01CA\7C9E8FF7E1622BA41A2D271D6081DF28 | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Features\7C9E8FF7E1622BA41A2D271D6081DF28 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7C9E8FF7E1622BA41A2D271D6081DF28\ProductName = "JJSploit" | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7C9E8FF7E1622BA41A2D271D6081DF28 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7C9E8FF7E1622BA41A2D271D6081DF28\AdvertiseFlags = "388" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7C9E8FF7E1622BA41A2D271D6081DF28\Clients = 3a0000000000 | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Products\7C9E8FF7E1622BA41A2D271D6081DF28 | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7C9E8FF7E1622BA41A2D271D6081DF28 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7C9E8FF7E1622BA41A2D271D6081DF28\Language = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7C9E8FF7E1622BA41A2D271D6081DF28\AuthorizedLUAApp = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1B5BE67603097495AB20AEE6179D01CA | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7C9E8FF7E1622BA41A2D271D6081DF28\SourceList\Net | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7C9E8FF7E1622BA41A2D271D6081DF28 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7C9E8FF7E1622BA41A2D271D6081DF28\Version = "117506051" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7C9E8FF7E1622BA41A2D271D6081DF28\Assignment = "1" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7C9E8FF7E1622BA41A2D271D6081DF28\SourceList | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7C9E8FF7E1622BA41A2D271D6081DF28\SourceList\PackageName = "JJSploit_7.1.3_x86_en-US.msi" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7C9E8FF7E1622BA41A2D271D6081DF28\SourceList\Media\1 = ";" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7C9E8FF7E1622BA41A2D271D6081DF28\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7C9E8FF7E1622BA41A2D271D6081DF28\External | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7C9E8FF7E1622BA41A2D271D6081DF28\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7C9E8FF7E1622BA41A2D271D6081DF28\SourceList\Media | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7C9E8FF7E1622BA41A2D271D6081DF28\SourceList\Net | msiexec.exe
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid | Process
2024 | msiexec.exe
2024 | msiexec.exe
952 | powershell.exe
1952 | chrome.exe
1952 | chrome.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 1376 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 1376 | msiexec.exe
Token: SeRestorePrivilege | 2024 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2024 | msiexec.exe
Token: SeSecurityPrivilege | 2024 | msiexec.exe
Token: SeCreateTokenPrivilege | 1376 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 1376 | msiexec.exe
Token: SeLockMemoryPrivilege | 1376 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 1376 | msiexec.exe
Token: SeMachineAccountPrivilege | 1376 | msiexec.exe
Token: SeTcbPrivilege | 1376 | msiexec.exe
Token: SeSecurityPrivilege | 1376 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1376 | msiexec.exe
Token: SeLoadDriverPrivilege | 1376 | msiexec.exe
Token: SeSystemProfilePrivilege | 1376 | msiexec.exe
Token: SeSystemtimePrivilege | 1376 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 1376 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 1376 | msiexec.exe
Token: SeCreatePagefilePrivilege | 1376 | msiexec.exe
Token: SeCreatePermanentPrivilege | 1376 | msiexec.exe
Token: SeBackupPrivilege | 1376 | msiexec.exe
Token: SeRestorePrivilege | 1376 | msiexec.exe
Token: SeShutdownPrivilege | 1376 | msiexec.exe
Token: SeDebugPrivilege | 1376 | msiexec.exe
Token: SeAuditPrivilege | 1376 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 1376 | msiexec.exe
Token: SeChangeNotifyPrivilege | 1376 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 1376 | msiexec.exe
Token: SeUndockPrivilege | 1376 | msiexec.exe
Token: SeSyncAgentPrivilege | 1376 | msiexec.exe
Token: SeEnableDelegationPrivilege | 1376 | msiexec.exe
Token: SeManageVolumePrivilege | 1376 | msiexec.exe
Token: SeImpersonatePrivilege | 1376 | msiexec.exe
Token: SeCreateGlobalPrivilege | 1376 | msiexec.exe
Token: SeCreateTokenPrivilege | 1376 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 1376 | msiexec.exe
Token: SeLockMemoryPrivilege | 1376 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 1376 | msiexec.exe
Token: SeMachineAccountPrivilege | 1376 | msiexec.exe
Token: SeTcbPrivilege | 1376 | msiexec.exe
Token: SeSecurityPrivilege | 1376 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1376 | msiexec.exe
Token: SeLoadDriverPrivilege | 1376 | msiexec.exe
Token: SeSystemProfilePrivilege | 1376 | msiexec.exe
Token: SeSystemtimePrivilege | 1376 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 1376 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 1376 | msiexec.exe
Token: SeCreatePagefilePrivilege | 1376 | msiexec.exe
Token: SeCreatePermanentPrivilege | 1376 | msiexec.exe
Token: SeBackupPrivilege | 1376 | msiexec.exe
Token: SeRestorePrivilege | 1376 | msiexec.exe
Token: SeShutdownPrivilege | 1376 | msiexec.exe
Token: SeDebugPrivilege | 1376 | msiexec.exe
Token: SeAuditPrivilege | 1376 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 1376 | msiexec.exe
Token: SeChangeNotifyPrivilege | 1376 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 1376 | msiexec.exe
Token: SeUndockPrivilege | 1376 | msiexec.exe
Token: SeSyncAgentPrivilege | 1376 | msiexec.exe
Token: SeEnableDelegationPrivilege | 1376 | msiexec.exe
Token: SeManageVolumePrivilege | 1376 | msiexec.exe
Token: SeImpersonatePrivilege | 1376 | msiexec.exe
Token: SeCreateGlobalPrivilege | 1376 | msiexec.exe
Token: SeCreateTokenPrivilege | 1376 | msiexec.exe
-
Suspicious use of FindShellTrayWindow 37 IoCs
pid Process 1376 msiexec.exe 1376 msiexec.exe 1376 msiexec.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe -
Suspicious use of SendNotifyMessage 32 IoCs
pid Process 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe 1952 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2024 wrote to memory of 564 | 2024 | msiexec.exe | 29
PID 2024 wrote to memory of 564 | 2024 | msiexec.exe | 29
PID 2024 wrote to memory of 564 | 2024 | msiexec.exe | 29
PID 2024 wrote to memory of 564 | 2024 | msiexec.exe | 29
PID 2024 wrote to memory of 564 | 2024 | msiexec.exe | 29
PID 2024 wrote to memory of 564 | 2024 | msiexec.exe | 29
PID 2024 wrote to memory of 564 | 2024 | msiexec.exe | 29
PID 2024 wrote to memory of 952 | 2024 | msiexec.exe | 33
PID 2024 wrote to memory of 952 | 2024 | msiexec.exe | 33
PID 2024 wrote to memory of 952 | 2024 | msiexec.exe | 33
PID 1952 wrote to memory of 1900 | 1952 | chrome.exe | 38
PID 1952 wrote to memory of 1900 | 1952 | chrome.exe | 38
PID 1952 wrote to memory of 1900 | 1952 | chrome.exe | 38
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1216 | 1952 | chrome.exe | 40
PID 1952 wrote to memory of 1140 | 1952 | chrome.exe | 41
PID 1952 wrote to memory of 1140 | 1952 | chrome.exe | 41
PID 1952 wrote to memory of 1140 | 1952 | chrome.exe | 41
PID 1952 wrote to memory of 1684 | 1952 | chrome.exe | 42
PID 1952 wrote to memory of 1684 | 1952 | chrome.exe | 42
PID 1952 wrote to memory of 1684 | 1952 | chrome.exe | 42
PID 1952 wrote to memory of 1684 | 1952 | chrome.exe | 42
PID 1952 wrote to memory of 1684 | 1952 | chrome.exe | 42
PID 1952 wrote to memory of 1684 | 1952 | chrome.exe | 42
PID 1952 wrote to memory of 1684 | 1952 | chrome.exe | 42
PID 1952 wrote to memory of 1684 | 1952 | chrome.exe | 42
PID 1952 wrote to memory of 1684 | 1952 | chrome.exe | 42
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Image: C:\Windows\system32\msiexec.exe
Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\JJSploit_7.1.3_x86_en-US.msi
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1376
-
Image: C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024 -
  Image: C:\Windows\syswow64\MsiExec.exe
  Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 1BFC27BAB2179643C920D7A78105C0B2 C
  - Loads dropped DLL
  PID:564
-
-
  Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -Wait
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:952
-
-
Image: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
PID:1488
-
Image: C:\Windows\system32\DrvInst.exe
Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000049C" "00000000000002DC"
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1960
-
Image: C:\Windows\system32\pcwrun.exe
Command line: C:\Windows\system32\pcwrun.exe ""
PID:1960
-
Image: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1952 -
  Image: C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6a39758,0x7fef6a39768,0x7fef6a39778
  PID:1900
-
-
  Image: C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=284 --field-trial-handle=1192,i,16451137506413001823,9976817089803792854,131072 /prefetch:2
  PID:1216
-
-
  Image: C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1192,i,16451137506413001823,9976817089803792854,131072 /prefetch:8
  PID:1140
-
-
  Image: C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1192,i,16451137506413001823,9976817089803792854,131072 /prefetch:8
  PID:1684
-
-
  Image: C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2228 --field-trial-handle=1192,i,16451137506413001823,9976817089803792854,131072 /prefetch:1
  PID:2176
-
-
  Image: C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2120 --field-trial-handle=1192,i,16451137506413001823,9976817089803792854,131072 /prefetch:1
  PID:2168
-
-
  Image: C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1360 --field-trial-handle=1192,i,16451137506413001823,9976817089803792854,131072 /prefetch:2
  PID:2552
-
-
  Image: C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1464 --field-trial-handle=1192,i,16451137506413001823,9976817089803792854,131072 /prefetch:1
  PID:2648
-
-
  Image: C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3864 --field-trial-handle=1192,i,16451137506413001823,9976817089803792854,131072 /prefetch:8
  PID:2668
-
-
  Image: C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3936 --field-trial-handle=1192,i,16451137506413001823,9976817089803792854,131072 /prefetch:8
  PID:2684
-
-
Image: C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
PID:2224
-
Image: C:\Windows\helppane.exe
Command line: C:\Windows\helppane.exe -Embedding
PID:2912
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
9.9MB
MD5
7b0cd24f6573f45f707381896445dc20
SHA1
bd49edd9bf4536324f71effa53c0ecac53e074e0
SHA256
5caab958fde69fbae9bd0f3dbee8398ef616c0dc1245cd2c0f17ac9e15c8c777
SHA512
9f76f91edece4c67a956971b803d53a437ea4c4ee8cdb46d21ca6d45ea8e1fec71d77446c864cbdb2310fda1b7ea73d0720d238a3647288a737debc588d7b513
-
Filesize
2KB
MD5
f068536b5f52a414259ef8494396cd3a
SHA1
bb7e57cf2618cf04fd620dd7c36e2d0c55d646b4
SHA256
7ad6289e51fdbd18fa9d9e4ce69016edda15d128ae5391d59f4cbd65b2ff53f0
SHA512
305e4b899d8b40ef4608e720f7c0bb6070b17adea0af82a761bce9546978ac01c104d95bbe0f80a40bf3a8af049a37a5d86b23081b603cafad134cb9e850016e
-
Filesize
264KB
MD5
f50f89a0a91564d0b8a211f8921aa7de
SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
4KB
MD5
4fd26cddaa669a090e26d5fcd85c48fd
SHA1
625c1599d8140740c30dc1a79bbdecaec62ecd6a
SHA256
a162c31af53a16c7923d93960192c907b5fe89534022ee7a2f01c6474021759c
SHA512
8be92723280321af379bd6eb9f875b605bb054928e5835a08d6bd87bd73194fc95abdcb28c0f90cd457cfb9cbf2962e93d7c95a47af0ac7fbca757044674a098
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000004.dbtmp
Filesize
16B
MD5
6752a1d65b201c13b62ea44016eb221f
SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
113KB
MD5
4fdd16752561cf585fed1506914d73e0
SHA1
f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424
SHA256
aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7
SHA512
3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600
-
Filesize
5.8MB
MD5
89b39aafa577686ce2890ff00a22f7d6
SHA1
1259bb1962d23f242ebe340f359b3825a31989d4
SHA256
dfdb140d98307146cbdbc726cc1f4897acc14288c95fd8bfc5ab29f91c895fa3
SHA512
59d7ee87354f01c9bcaf438086a730f56c671f75815be696b07107d54f886b48a7217a7c4138e690a6c0670b7c39dd564650b63e6e12743d46b3bd65824ad70d
-
Filesize
113KB
MD5
4fdd16752561cf585fed1506914d73e0
SHA1
f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424
SHA256
aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7
SHA512
3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600