Analysis
max time kernel: 338s
max time network: 331s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 03/11/2024, 04:33
Static task: static1
Behavioral task: behavioral1
  Sample: JJSploit_8.10.10_x64_en-US (1).msi
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JJSploit_8.10.10_x64_en-US (1).msi
  Resource: win10v2004-20241007-en
General
Target: JJSploit_8.10.10_x64_en-US (1).msi
Size: 5.0MB
MD5: 8cb1e85b5723e3d186cc1742b6c71122
SHA1: f4638a9849b2bea46c8120930c7727cfae70b4d2
SHA256: f1db224af0f14b971ba8be3e33482322b2f821695a4bbe2782b956217da383ad
SHA512: b447f7b4e6590120ed50eaad798b271e7ebbe52ad61dbe5e621e0c99a6314fbcfd10ce8e6f837a7ca76e1084651c65dcb0eafcdac6cce6eebe2d1729249add5b
SSDEEP: 98304:6jmBVvK7NEfE6nal/6r5mzaB325gGiU9fh8ztt8xuvuUnm18uHwCEtFW+VAv8m:srNEfulImzfh8IquKq8uA
Malware Config
Signatures

- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe

- Drops file in Windows directory (1 IoC)
  description   ioc                                Process
  File created  C:\Windows\Installer\e5861c2.msi   msiexec.exe

- Loads dropped DLL (1 IoC)
  pid   Process
  1612  MsiExec.exe

- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe

- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description       ioc  Process
  Key opened        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters  vssvc.exe
  Key queried       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters  vssvc.exe
  Key created       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr  vssvc.exe
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value elided)  vssvc.exe
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  vssvc.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  3708  msiexec.exe
  3708  msiexec.exe

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                            pid   Process
  Token: SeShutdownPrivilege             3832  msiexec.exe
  Token: SeIncreaseQuotaPrivilege        3832  msiexec.exe
  Token: SeSecurityPrivilege             3708  msiexec.exe
  Token: SeCreateTokenPrivilege          3832  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege   3832  msiexec.exe
  Token: SeLockMemoryPrivilege           3832  msiexec.exe
  Token: SeIncreaseQuotaPrivilege        3832  msiexec.exe
  Token: SeMachineAccountPrivilege       3832  msiexec.exe
  Token: SeTcbPrivilege                  3832  msiexec.exe
  Token: SeSecurityPrivilege             3832  msiexec.exe
  Token: SeTakeOwnershipPrivilege        3832  msiexec.exe
  Token: SeLoadDriverPrivilege           3832  msiexec.exe
  Token: SeSystemProfilePrivilege        3832  msiexec.exe
  Token: SeSystemtimePrivilege           3832  msiexec.exe
  Token: SeProfSingleProcessPrivilege    3832  msiexec.exe
  Token: SeIncBasePriorityPrivilege      3832  msiexec.exe
  Token: SeCreatePagefilePrivilege       3832  msiexec.exe
  Token: SeCreatePermanentPrivilege      3832  msiexec.exe
  Token: SeBackupPrivilege               3832  msiexec.exe
  Token: SeRestorePrivilege              3832  msiexec.exe
  Token: SeShutdownPrivilege             3832  msiexec.exe
  Token: SeDebugPrivilege                3832  msiexec.exe
  Token: SeAuditPrivilege                3832  msiexec.exe
  Token: SeSystemEnvironmentPrivilege    3832  msiexec.exe
  Token: SeChangeNotifyPrivilege         3832  msiexec.exe
  Token: SeRemoteShutdownPrivilege       3832  msiexec.exe
  Token: SeUndockPrivilege               3832  msiexec.exe
  Token: SeSyncAgentPrivilege            3832  msiexec.exe
  Token: SeEnableDelegationPrivilege     3832  msiexec.exe
  Token: SeManageVolumePrivilege         3832  msiexec.exe
  Token: SeImpersonatePrivilege          3832  msiexec.exe
  Token: SeCreateGlobalPrivilege         3832  msiexec.exe
  Token: SeCreateTokenPrivilege          3832  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege   3832  msiexec.exe
  Token: SeLockMemoryPrivilege           3832  msiexec.exe
  Token: SeIncreaseQuotaPrivilege        3832  msiexec.exe
  Token: SeMachineAccountPrivilege       3832  msiexec.exe
  Token: SeTcbPrivilege                  3832  msiexec.exe
  Token: SeSecurityPrivilege             3832  msiexec.exe
  Token: SeTakeOwnershipPrivilege        3832  msiexec.exe
  Token: SeLoadDriverPrivilege           3832  msiexec.exe
  Token: SeSystemProfilePrivilege        3832  msiexec.exe
  Token: SeSystemtimePrivilege           3832  msiexec.exe
  Token: SeProfSingleProcessPrivilege    3832  msiexec.exe
  Token: SeIncBasePriorityPrivilege      3832  msiexec.exe
  Token: SeCreatePagefilePrivilege       3832  msiexec.exe
  Token: SeCreatePermanentPrivilege      3832  msiexec.exe
  Token: SeBackupPrivilege               3832  msiexec.exe
  Token: SeRestorePrivilege              3832  msiexec.exe
  Token: SeShutdownPrivilege             3832  msiexec.exe
  Token: SeDebugPrivilege                3832  msiexec.exe
  Token: SeAuditPrivilege                3832  msiexec.exe
  Token: SeSystemEnvironmentPrivilege    3832  msiexec.exe
  Token: SeChangeNotifyPrivilege         3832  msiexec.exe
  Token: SeRemoteShutdownPrivilege       3832  msiexec.exe
  Token: SeUndockPrivilege               3832  msiexec.exe
  Token: SeSyncAgentPrivilege            3832  msiexec.exe
  Token: SeEnableDelegationPrivilege     3832  msiexec.exe
  Token: SeManageVolumePrivilege         3832  msiexec.exe
  Token: SeImpersonatePrivilege          3832  msiexec.exe
  Token: SeCreateGlobalPrivilege         3832  msiexec.exe
  Token: SeCreateTokenPrivilege          3832  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege   3832  msiexec.exe
  Token: SeLockMemoryPrivilege           3832  msiexec.exe

- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  3832  msiexec.exe
  3832  msiexec.exe

- Suspicious use of WriteProcessMemory (5 IoCs)
  description                       pid   Process      procid_target
  PID 3708 wrote to memory of 1612  3708  msiexec.exe  97
  PID 3708 wrote to memory of 1612  3708  msiexec.exe  97
  PID 3708 wrote to memory of 1612  3708  msiexec.exe  97
  PID 3708 wrote to memory of 4832  3708  msiexec.exe  105
  PID 3708 wrote to memory of 4832  3708  msiexec.exe  105

- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\JJSploit_8.10.10_x64_en-US (1).msi"
  PID: 3832
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 3708
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    - C:\Windows\syswow64\MsiExec.exe (child of PID 3708)
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 7EF9B23280BC313699D3402D595B863F C
      PID: 1612
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

    - C:\Windows\system32\srtasks.exe (child of PID 3708)
      Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      PID: 4832

- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 4776
  - Checks SCSI registry key(s)
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 132KB
  MD5: cfbb8568bd3711a97e6124c56fcfa8d9
  SHA1: d7a098ae58bdd5e93a3c1b04b3d69a14234d5e57
  SHA256: 7f47d98ab25cfea9b3a2e898c3376cc9ba1cd893b4948b0c27caa530fd0e34cc
  SHA512: 860cbf3286ac4915580cefaf56a9c3d48938eb08e3f31b7f024c4339c037d7c8bdf16e766d08106505ba535be4922a87dc46bd029aae99a64ea2fc02cf3aec04

- Filesize: 24.1MB
  MD5: f392de307b1286c8dcc6d533ee978ab7
  SHA1: 220ae30a1a9705f4fd1ad93f7e841659c7dd08cc
  SHA256: ce562ae9f97fee0bf53c52b8774e3562a18f554a7d9f14f9e56cb6803e652cee
  SHA512: d920dd977b0ac69333bd1e07f6c1cdcd44afd44e421c591721145193cf6a94449708074a65c248f4ee573a4aed44ca97a8bdcc55d5f1f3050df56871a89afea5

- \??\Volume{f0eec59f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{4fe3e71f-4bd7-44bd-97fd-3ec6d7f906c0}_OnDiskSnapshotProp
  Filesize: 6KB
  MD5: e7700ca31344d9e8f838188741b3a44d
  SHA1: 5fe8df70f4ece54a1d9eb1f9ac5dc7ceecefe672
  SHA256: 990beda2eb2f8c8aed16467270949b5d16b2110359629d9516060da7ed7a107d
  SHA512: 6946bbe30c8da42f5c1120b54db72506540a39b787cfd9a68f7b9f848aab189667d0ceb387caed7645d48f1a36c24776e16315ad23c320a95319f803af352652