Analysis
-
max time kernel
144s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
24-11-2024 10:22
Static task
static1
Behavioral task
behavioral1
Sample
JJSploit_8.10.7_x64-setup.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
JJSploit_8.10.7_x64-setup.exe
Resource
win10v2004-20241007-en
General
-
Target
JJSploit_8.10.7_x64-setup.exe
-
Size
19.0MB
-
MD5
ab53c5d1bdcf304124561fbc7f3a7915
-
SHA1
92ae497974a20f77127e536686952235ad4b9ffc
-
SHA256
cc329ae0aa9e11a9028302a83fe21c41648f28f05c55bb97f22b5f4b2af32ec2
-
SHA512
6fd6049dd91775bdec19a6b867d1d32d421b710ece922af22adea054bd454e6263e23e8884c3f1f1024d74f49e1e351882d605292932a4f382c85a664304b35a
-
SSDEEP
196608:3rwl+2o/3hfvtz0rjEzDZPb7sF87ERxgcyAtANSP7+bjMUURHvunEywSRCT8H:K+BvqrjE/R3g8YRxNtANI7+bm0E7SZH
Malware Config
Extracted
xworm
5.0
review-tub.gl.at.ply.gg:35036
hl5BkPGyS9Yy5EMg
-
Install_directory
%AppData%
-
install_file
msedgewebview2.exe
-
telegram
https://api.telegram.org/bot7247711860:AAEZVVyI8BKIccD8HUVaVUhc-jqat0-9cAY/sendMessage?chat_id=7163197258
Signatures
-
Detect Xworm Payload 3 IoCs
resource yara_rule behavioral1/files/0x0009000000016ccd-24.dat family_xworm behavioral1/memory/2744-37-0x0000000000880000-0x0000000000894000-memory.dmp family_xworm behavioral1/memory/1592-92-0x0000000001230000-0x0000000001244000-memory.dmp family_xworm -
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 752 powershell.exe 1652 powershell.exe 2636 powershell.exe 1792 powershell.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedgewebview2.lnk Microsoft Edge WebView2.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedgewebview2.lnk Microsoft Edge WebView2.exe -
Executes dropped EXE 7 IoCs
pid Process 2320 Loader.exe 2744 Microsoft Edge WebView2.exe 2812 Loader.exe 1212 Process not Found 1592 msedgewebview2.exe 2016 msedgewebview2.exe 2280 msedgewebview2.exe -
Loads dropped DLL 4 IoCs
pid Process 2356 JJSploit_8.10.7_x64-setup.exe 2356 JJSploit_8.10.7_x64-setup.exe 2320 Loader.exe 2812 Loader.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\msedgewebview2 = "C:\\Users\\Admin\\AppData\\Roaming\\msedgewebview2.exe" Microsoft Edge WebView2.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ip-api.com -
resource yara_rule behavioral1/files/0x00050000000195ce-38.dat upx behavioral1/memory/2812-40-0x000007FEF3270000-0x000007FEF3859000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JJSploit_8.10.7_x64-setup.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2548 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 2636 powershell.exe 1792 powershell.exe 752 powershell.exe 1652 powershell.exe 2744 Microsoft Edge WebView2.exe -
Suspicious use of AdjustPrivilegeToken 9 IoCs
description pid Process Token: SeDebugPrivilege 2744 Microsoft Edge WebView2.exe Token: SeDebugPrivilege 2636 powershell.exe Token: SeDebugPrivilege 1792 powershell.exe Token: SeDebugPrivilege 752 powershell.exe Token: SeDebugPrivilege 1652 powershell.exe Token: SeDebugPrivilege 2744 Microsoft Edge WebView2.exe Token: SeDebugPrivilege 1592 msedgewebview2.exe Token: SeDebugPrivilege 2016 msedgewebview2.exe Token: SeDebugPrivilege 2280 msedgewebview2.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2744 Microsoft Edge WebView2.exe -
Suspicious use of WriteProcessMemory 35 IoCs
description pid Process procid_target PID 2356 wrote to memory of 2320 2356 JJSploit_8.10.7_x64-setup.exe 30 PID 2356 wrote to memory of 2320 2356 JJSploit_8.10.7_x64-setup.exe 30 PID 2356 wrote to memory of 2320 2356 JJSploit_8.10.7_x64-setup.exe 30 PID 2356 wrote to memory of 2320 2356 JJSploit_8.10.7_x64-setup.exe 30 PID 2356 wrote to memory of 2744 2356 JJSploit_8.10.7_x64-setup.exe 31 PID 2356 wrote to memory of 2744 2356 JJSploit_8.10.7_x64-setup.exe 31 PID 2356 wrote to memory of 2744 2356 JJSploit_8.10.7_x64-setup.exe 31 PID 2356 wrote to memory of 2744 2356 JJSploit_8.10.7_x64-setup.exe 31 PID 2320 wrote to memory of 2812 2320 Loader.exe 32 PID 2320 wrote to memory of 2812 2320 Loader.exe 32 PID 2320 wrote to memory of 2812 2320 Loader.exe 32 PID 2744 wrote to memory of 2636 2744 Microsoft Edge WebView2.exe 35 PID 2744 wrote to memory of 2636 2744 Microsoft Edge WebView2.exe 35 PID 2744 wrote to memory of 2636 2744 Microsoft Edge WebView2.exe 35 PID 2744 wrote to memory of 1792 2744 Microsoft Edge WebView2.exe 37 PID 2744 wrote to memory of 1792 2744 Microsoft Edge WebView2.exe 37 PID 2744 wrote to memory of 1792 2744 Microsoft Edge WebView2.exe 37 PID 2744 wrote to memory of 752 2744 Microsoft Edge WebView2.exe 39 PID 2744 wrote to memory of 752 2744 Microsoft Edge WebView2.exe 39 PID 2744 wrote to memory of 752 2744 Microsoft Edge WebView2.exe 39 PID 2744 wrote to memory of 1652 2744 Microsoft Edge WebView2.exe 41 PID 2744 wrote to memory of 1652 2744 Microsoft Edge WebView2.exe 41 PID 2744 wrote to memory of 1652 2744 Microsoft Edge WebView2.exe 41 PID 2744 wrote to memory of 2548 2744 Microsoft Edge WebView2.exe 43 PID 2744 wrote to memory of 2548 2744 Microsoft Edge WebView2.exe 43 PID 2744 wrote to memory of 2548 2744 Microsoft Edge WebView2.exe 43 PID 1796 wrote to memory of 1592 1796 taskeng.exe 46 PID 1796 wrote to memory of 1592 1796 taskeng.exe 46 PID 1796 wrote to memory of 1592 1796 taskeng.exe 46 PID 1796 wrote to memory of 2016 1796 taskeng.exe 47 PID 1796 wrote to memory of 2016 1796 taskeng.exe 47 PID 1796 wrote to memory of 2016 1796 taskeng.exe 47 PID 1796 wrote to memory of 2280 1796 taskeng.exe 48 PID 1796 wrote to memory of 2280 1796 taskeng.exe 48 PID 1796 wrote to memory of 2280 1796 taskeng.exe 48 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JJSploit_8.10.7_x64-setup.exe"C:\Users\Admin\AppData\Local\Temp\JJSploit_8.10.7_x64-setup.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2812
-
-
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Edge WebView2.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge WebView2.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft Edge WebView2.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2636
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Edge WebView2.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1792
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\msedgewebview2.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:752
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedgewebview2.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1652
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedgewebview2" /tr "C:\Users\Admin\AppData\Roaming\msedgewebview2.exe"3⤵
- Scheduled Task/Job: Scheduled Task
PID:2548
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {1203132C-7DEC-4D80-B617-8D9FF1C6977C} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Users\Admin\AppData\Roaming\msedgewebview2.exeC:\Users\Admin\AppData\Roaming\msedgewebview2.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1592
-
-
C:\Users\Admin\AppData\Roaming\msedgewebview2.exeC:\Users\Admin\AppData\Roaming\msedgewebview2.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2016
-
-
C:\Users\Admin\AppData\Roaming\msedgewebview2.exeC:\Users\Admin\AppData\Roaming\msedgewebview2.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2280
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
65KB
MD54f361c837acb296ee6dda2c9528ece7a
SHA1044a151c432f28bb42ea2f375f8a7648c50ba96f
SHA256b8977b03d3158a58a8299e3c1c6148bf21b767a26259936832bbc7d3fe0f265e
SHA5129bac2cd1d5033dfbf094410c36691c94b0bef7ecc3e740cfa2e44ea3023a33f162b90f5fb858018a485ee541108625edd0ba8f4e7859b20549c4191627363978
-
Filesize
1.6MB
MD59e985651962ccbccdf5220f6617b444f
SHA19238853fe1cff8a49c2c801644d6aa57ed1fe4d2
SHA2563373ee171db8898c83711ec5067895426421c44f1be29af96efe00c48555472e
SHA5128b8e68bbe71dcd928dbe380fe1a839538e7b8747733ba2fd3d421ba8d280a11ba111b7e8322c14214d5986af9c52ab0c75288bbb2a8b55612fb45836c56ddc36
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5622b31967d9f35102bff193d7681a7e5
SHA1491bb860b5e34a2859e9de82cecee4db056c371f
SHA256e5607b1b6dc035b9a982b16531c17e32719a63e749ebec2efd7b72ea7b0cea86
SHA5121dc0fef836b4a43d8e11627d9c13ec20087b57b84dfaa01909cb34de6f1a64a0789b9a59452eacc6648742a09ef0b023323faf2b12a220be925cec0dd5c81ed3
-
Filesize
6.9MB
MD52522b80294787ada26e108125a3c90ca
SHA175b1b1aec84a802cddbea81224e853ab9b394f6b
SHA25649ea5eb89592cc0f4a4291c3bad5281b3cc1f8a944086c2e9df6197ca48dc9e2
SHA512f1e15e312292357b5f73e4d180a6c143d41aadc56607bb582a21ebc03ad78814ae6a850feb6a327a65ee1312e1efd45de740b2da30cdc6e1d9bf6b48270733e1