Analysis
max time kernel: 304s
max time network: 308s
platform: windows11-21h2_x64
resource: win11-20250217-en
resource tags: arch:x64, arch:x86, image:win11-20250217-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 23-02-2025 02:21
General
Target: JJSploit.exe
Size: 6.6MB
MD5: f29fd0bb7218e3cf63ab6040be0a1698
SHA1: c078e4888d6e1cf6c75a4141d51a1d375c2f71c8
SHA256: ccbcc6269218d292a06db3d9896dc621598a76794881ffbeb6f093d8b54e1c43
SHA512: b68185e83baca3f8779e085fed57a0324fee7528139c4afa245900f206707b645f631cb08d8a2cc3ea6b75a65d0e5ac76c250897e28df2c6e7c4724f7790f40d
SSDEEP: 196608:1dNnRdvjsTOvHK19gO8xbecifaCI1L5N1JTLX46:z1RSavI9sbf8vKf5
Malware Config
Extracted
Family: xworm
C2: study-conclusions.gl.at.ply.gg:20142
Install_directory: %Temp%
install_file: System32.exe
Signatures
Detect Umbral payload (3 IoCs)
resource / yara_rule:
behavioral1/files/0x001d00000002ae5a-4.dat  family_umbral
behavioral1/memory/4984-14-0x00000210AE330000-0x00000210AE370000-memory.dmp  family_umbral
behavioral1/memory/2452-30-0x0000000000400000-0x0000000000AAC000-memory.dmp  family_umbral
Detect Xworm Payload (2 IoCs)
resource / yara_rule:
behavioral1/files/0x001a00000002aec6-16.dat  family_xworm
behavioral1/memory/612-26-0x0000000000C80000-0x0000000000C98000-memory.dmp  family_xworm
Umbral family
Xworm family
Executes dropped EXE (2 IoCs)
pid / Process:
4984  JJSploitInjector.exe
612   JJSplo.exe
Loads dropped DLL (1 IoC)
pid / Process:
3716  MsiExec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description / ioc / Process:
File opened (read-only) by msiexec.exe, each drive recorded twice (46 events in total): \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow / ioc:
1  ip-api.com
Drops file in Windows directory (1 IoC)
description / ioc / Process:
File created  C:\Windows\Installer\e584e0b.msi  msiexec.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JJSploit.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description / ioc / Process:
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters  vssvc.exe
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters  vssvc.exe
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr  vssvc.exe
Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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  vssvc.exe
Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  vssvc.exe
Modifies registry class (1 IoC)
description / ioc / Process:
Key created  \REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000_Classes\Local Settings  JJSploit.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid / Process:
832  msiexec.exe
832  msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description / pid / Process (tokens grouped by process, in the order recorded):
612 JJSplo.exe: SeDebugPrivilege
4984 JJSploitInjector.exe: SeDebugPrivilege
832 msiexec.exe: SeSecurityPrivilege
4144 msiexec.exe: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
2300 wmic.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege
Suspicious use of FindShellTrayWindow (2 IoCs)
pid / Process:
4144  msiexec.exe
4144  msiexec.exe
Suspicious use of WriteProcessMemory (14 IoCs)
description / pid / Process / procid_target:
PID 2452 wrote to memory of 4984  JJSploit.exe  81
PID 2452 wrote to memory of 4984  JJSploit.exe  81
PID 2452 wrote to memory of 612  JJSploit.exe  82
PID 2452 wrote to memory of 612  JJSploit.exe  82
PID 2452 wrote to memory of 4144  JJSploit.exe  83
PID 2452 wrote to memory of 4144  JJSploit.exe  83
PID 2452 wrote to memory of 4144  JJSploit.exe  83
PID 4984 wrote to memory of 2300  JJSploitInjector.exe  85
PID 4984 wrote to memory of 2300  JJSploitInjector.exe  85
PID 832 wrote to memory of 3716  msiexec.exe  93
PID 832 wrote to memory of 3716  msiexec.exe  93
PID 832 wrote to memory of 3716  msiexec.exe  93
PID 832 wrote to memory of 3500  msiexec.exe  97
PID 832 wrote to memory of 3500  msiexec.exe  97
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (indentation shows parent/child depth)
JJSploit.exe (PID 2452)
  image: C:\Users\Admin\AppData\Local\Temp\JJSploit.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\JJSploit.exe"
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  JJSploitInjector.exe (PID 4984)
    image: C:\Users\Admin\AppData\Local\Temp\JJSploitInjector.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\JJSploitInjector.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    wmic.exe (PID 2300)
      image: C:\Windows\System32\Wbem\wmic.exe
      command line: "wmic.exe" csproduct get uuid
      - Suspicious use of AdjustPrivilegeToken
  JJSplo.exe (PID 612)
    image: C:\Users\Admin\AppData\Local\Temp\JJSplo.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\JJSplo.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  msiexec.exe (PID 4144)
    image: C:\Windows\SysWOW64\msiexec.exe
    command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\jjsploit_8.12.2_x64_en-US (1).msi"
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
msiexec.exe (PID 832)
  image: C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  MsiExec.exe (PID 3716)
    image: C:\Windows\syswow64\MsiExec.exe
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding 9099CEF0E8C488458E1A34F58ED03FF5 C
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
  srtasks.exe (PID 3500)
    image: C:\Windows\system32\srtasks.exe
    command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
vssvc.exe (PID 4596)
  image: C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 68KB
MD5: c5ba230193b7f217c0e512a5cb8606e8
SHA1: f04b380d5622285d72531e0ed936e5bfe90fb4af
SHA256: 8fd9fdf831724e2c0227f399e2a8be95304daa91b7fd07db4b245dba1380f9c3
SHA512: 0c5bd99bdefde5c0a7a809199f0bed1a0590f05ffe12bb554424cf4982b606677c33fafe5e46fc0feb9d5f6163cfbae2fa771a91f9973a6cceae2176b5a3e0a5

Filesize: 229KB
MD5: 760861bfe626a80dcf4d2b13f8d8c76a
SHA1: 8ce9854d053ce7df079942f6f76550479ccd6325
SHA256: ab957ab7e09f994d24ace2b7d1b807e757249465d12e21d5f1916afb1518e27a
SHA512: 513d447fd8a84b799dbdcd8ea3382375aa8190fb340b51f5b78114bddc721b96fdfbd036ed04520a81664f18ff4a414c908c79bddcf665860486663fbb8d3be2

Filesize: 132KB
MD5: cfbb8568bd3711a97e6124c56fcfa8d9
SHA1: d7a098ae58bdd5e93a3c1b04b3d69a14234d5e57
SHA256: 7f47d98ab25cfea9b3a2e898c3376cc9ba1cd893b4948b0c27caa530fd0e34cc
SHA512: 860cbf3286ac4915580cefaf56a9c3d48938eb08e3f31b7f024c4339c037d7c8bdf16e766d08106505ba535be4922a87dc46bd029aae99a64ea2fc02cf3aec04

Filesize: 6.3MB
MD5: d8be6f14b4dd7a85a5b5479e88b940da
SHA1: 4c1ed04a00fb4fc31cc4c10172d0e6f310faacef
SHA256: c3daa5b6503c601bf868de990dc5fe055c266a7cba6e269115290c37fb8a4d05
SHA512: 77964855eddaf57ebf7810185eacf2bd40bfdd883473ac063223ea496744d81db678c171707d44cfe19077df1fcfb8888a54021fc6af7cb4547dcc464ce717ea

Filesize: 24.6MB
MD5: 6de02b99cfbdf735f59ca7b04fbd025c
SHA1: 1e4706e75e884ea0e69b82ca73b8bad47cfb6883
SHA256: e84778033ff8d6958642ac7b86b3dddb8ac7b7081d46ba3ff39faa8c89170f01
SHA512: ed0a90fbd98ad6a18adbfcfb13921157d97b88093345193a2a1148a3cda8d172c47f4939b136e7f7a94ea7c02604266f8340a6f478f0db6e6d3ab61de68547e2

Path: \??\Volume{5cda2886-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a763a9e7-8746-4975-b93a-baa97f4ce2aa}_OnDiskSnapshotProp
Filesize: 6KB
MD5: be362822d1921e0e60820c8183ece03f
SHA1: b22b5b3a4dfbc05e6449db31c375700eeec63afb
SHA256: 7c218d57de8885b5b84bc14e567cf32640cbff81ab381662952a9ddf28e3fe92
SHA512: e0d2d0ad80d983021b523cda7862692a4dff9b2eb3d3924b9a4a1cf07b0cc8f40759e2d61f490f71c0db470b5867637a8cba814a28d06582c5640d2c30b62095