Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 23-02-2025 02:24
Behavioral task: behavioral1
Sample: JJSploit.exe
Resource: win7-20240903-en
General
Target: JJSploit.exe
Size: 6.6MB
MD5: f29fd0bb7218e3cf63ab6040be0a1698
SHA1: c078e4888d6e1cf6c75a4141d51a1d375c2f71c8
SHA256: ccbcc6269218d292a06db3d9896dc621598a76794881ffbeb6f093d8b54e1c43
SHA512: b68185e83baca3f8779e085fed57a0324fee7528139c4afa245900f206707b645f631cb08d8a2cc3ea6b75a65d0e5ac76c250897e28df2c6e7c4724f7790f40d
SSDEEP: 196608:1dNnRdvjsTOvHK19gO8xbecifaCI1L5N1JTLX46:z1RSavI9sbf8vKf5
Malware Config
Extracted: umbral
- https://discord.com/api/webhooks/1324340303330545737/uIs8g3XVai83nQDHiKK-YVa0ltDQNJzxQbjP4uxON9omg5HXiArLuwvr7JPc6YmtXDeK
Extracted: xworm
- study-conclusions.gl.at.ply.gg:20142
- Install_directory: %Temp%
- install_file: System32.exe
Signatures

Detect Umbral payload (3 IoCs)
resource / yara_rule:
- behavioral1/files/0x000b000000012282-2.dat  family_umbral
- behavioral1/memory/2764-16-0x0000000000940000-0x0000000000980000-memory.dmp  family_umbral
- behavioral1/memory/2660-14-0x0000000000400000-0x0000000000AAC000-memory.dmp  family_umbral

Detect Xworm Payload (2 IoCs)
resource / yara_rule:
- behavioral1/files/0x00080000000173f4-8.dat  family_xworm
- behavioral1/memory/2752-15-0x0000000000340000-0x0000000000358000-memory.dmp  family_xworm

Umbral family

Xworm family
Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
Run Powershell and hide display window.
pid / Process:
- 2472 powershell.exe
- 2472 powershell.exe

Executes dropped EXE (2 IoCs)
pid / Process:
- 2764 JJSploitInjector.exe
- 2752 JJSplo.exe

Loads dropped DLL (9 IoCs)
pid / Process:
- 2660 JJSploit.exe
- 2660 JJSploit.exe
- 2324 MsiExec.exe
- 1236 msiexec.exe
- 1236 msiexec.exe
- 1200 Process not Found
- 1200 Process not Found
- 1200 Process not Found
- 1200 Process not Found
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only); Process: msiexec.exe; ioc (one per event, in reported order):
- \??\T:
- \??\B:
- \??\E:
- \??\I:
- \??\M:
- \??\T:
- \??\M:
- \??\S:
- \??\A:
- \??\P:
- \??\R:
- \??\U:
- \??\A:
- \??\J:
- \??\P:
- \??\R:
- \??\W:
- \??\Y:
- \??\Q:
- \??\S:
- \??\O:
- \??\Z:
- \??\J:
- \??\L:
- \??\V:
- \??\W:
- \??\B:
- \??\E:
- \??\N:
- \??\Q:
- \??\K:
- \??\G:
- \??\U:
- \??\O:
- \??\X:
- \??\Y:
- \??\Z:
- \??\V:
- \??\X:
- \??\H:
- \??\N:
- \??\H:
- \??\I:
- \??\L:
- \??\G:
- \??\K:
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow / ioc:
- 6 ip-api.com
Drops file in Program Files directory (23 IoCs)
description / ioc / Process:
- File created  C:\Program Files\jjsploit\resources\luascripts\animations\energizegui.lua  msiexec.exe
- File created  C:\Program Files\jjsploit\resources\luascripts\general\magnetizeto.lua  msiexec.exe
- File created  C:\Program Files\jjsploit\resources\luascripts\animations\dab.lua  msiexec.exe
- File created  C:\Program Files\jjsploit\resources\luascripts\jailbreak\criminalesp.lua  msiexec.exe
- File created  C:\Program Files\jjsploit\resources\luascripts\general\tptool.lua  msiexec.exe
- File created  C:\Program Files\jjsploit\resources\luascripts\jailbreak\policeesp.lua  msiexec.exe
- File created  C:\Program Files\jjsploit\Uninstall jjsploit.lnk  msiexec.exe
- File opened for modification  C:\Program Files\jjsploit\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
- File created  C:\Program Files\jjsploit\resources\luascripts\general\teleportto.lua  msiexec.exe
- File created  C:\Program Files\jjsploit\resources\luascripts\general\infinitejump.lua  msiexec.exe
- File created  C:\Program Files\jjsploit\resources\luascripts\animations\levitate.lua  msiexec.exe
- File created  C:\Program Files\jjsploit\resources\luascripts\general\fly.lua  msiexec.exe
- File created  C:\Program Files\jjsploit\resources\luascripts\jailbreak\walkspeed.lua  msiexec.exe
- File created  C:\Program Files\jjsploit\resources\luascripts\animations\jumpland.lua  msiexec.exe
- File created  C:\Program Files\jjsploit\resources\luascripts\general\aimbot.lua  msiexec.exe
- File created  C:\Program Files\jjsploit\resources\luascripts\beesim\autodig.lua  msiexec.exe
- File created  C:\Program Files\jjsploit\jjsploit.exe  msiexec.exe
- File created  C:\Program Files\jjsploit\resources\luascripts\animations\walkthrough.lua  msiexec.exe
- File created  C:\Program Files\jjsploit\resources\luascripts\jailbreak\removewalls.lua  msiexec.exe
- File created  C:\Program Files\jjsploit\resources\luascripts\general\noclip.lua  msiexec.exe
- File created  C:\Program Files\jjsploit\resources\luascripts\general\god.lua  msiexec.exe
- File created  C:\Program Files\jjsploit\resources\luascripts\general\multidimensionalcharacter.lua  msiexec.exe
- File created  C:\Program Files\jjsploit\resources\luascripts\general\chattroll.lua  msiexec.exe
Drops file in Windows directory (12 IoCs)
description / ioc / Process:
- File opened for modification  C:\Windows\Installer\{6A8ACD21-60F4-4550-8D6D-DBB3FFA8C7C4}\ProductIcon  msiexec.exe
- File opened for modification  C:\Windows\INF\setupapi.ev3  DrvInst.exe
- File opened for modification  C:\Windows\INF\setupapi.ev1  DrvInst.exe
- File opened for modification  C:\Windows\Installer\f77975f.msi  msiexec.exe
- File opened for modification  C:\Windows\Installer\  msiexec.exe
- File opened for modification  C:\Windows\Installer\MSI9859.tmp  msiexec.exe
- File created  C:\Windows\Installer\f779762.msi  msiexec.exe
- File opened for modification  C:\Windows\Installer\f779760.ipi  msiexec.exe
- File opened for modification  C:\Windows\INF\setupapi.dev.log  DrvInst.exe
- File created  C:\Windows\Installer\f77975f.msi  msiexec.exe
- File created  C:\Windows\Installer\f779760.ipi  msiexec.exe
- File created  C:\Windows\Installer\{6A8ACD21-60F4-4550-8D6D-DBB3FFA8C7C4}\ProductIcon  msiexec.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
- Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JJSploit.exe
- Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe
- Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
Modifies data under HKEY_USERS (46 IoCs)
description / ioc / Process:
- Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust  DrvInst.exe
- Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs  DrvInst.exe
- Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D  msiexec.exe
- Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E  msiexec.exe
- Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs  DrvInst.exe
- Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E  msiexec.exe
- Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs  DrvInst.exe
- Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs  DrvInst.exe
Modifies registry class (35 IoCs)
description / ioc / Process:
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\12DCA8A64F060554D8D6BD3BFF8A7C4C\ShortcutsFeature = "MainProgram"  msiexec.exe
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\12DCA8A64F060554D8D6BD3BFF8A7C4C\MainProgram  msiexec.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\DeploymentFlags = "3"  msiexec.exe
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"  msiexec.exe
- Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\SourceList\Net  msiexec.exe
- Key created  \REGISTRY\MACHINE\Software\Classes\Installer\Features\12DCA8A64F060554D8D6BD3BFF8A7C4C  msiexec.exe
- Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\SourceList  msiexec.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\AdvertiseFlags = "388"  msiexec.exe
- Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\SourceList\Media  msiexec.exe
- Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\2294C8C9A96F9A557BCA814D87DFAFEC  msiexec.exe
- Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\12DCA8A64F060554D8D6BD3BFF8A7C4C  msiexec.exe
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\ProductName = "jjsploit"  msiexec.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\Language = "0"  msiexec.exe
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\ProductIcon = "C:\\Windows\\Installer\\{6A8ACD21-60F4-4550-8D6D-DBB3FFA8C7C4}\\ProductIcon"  msiexec.exe
- Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\2294C8C9A96F9A557BCA814D87DFAFEC  msiexec.exe
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\SourceList\Media\1 = ";"  msiexec.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\Assignment = "1"  msiexec.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\InstanceType = "0"  msiexec.exe
- Key created  \REGISTRY\MACHINE\Software\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\SourceList  msiexec.exe
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\12DCA8A64F060554D8D6BD3BFF8A7C4C\External  msiexec.exe
- Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C  msiexec.exe
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\PackageCode = "0C7F8E08B1B421D4A886CBB7E79DC45D"  msiexec.exe
- Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\SourceList\Net  msiexec.exe
- Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C  msiexec.exe
- Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\12DCA8A64F060554D8D6BD3BFF8A7C4C  msiexec.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\Version = "135004162"  msiexec.exe
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\SourceList\PackageName = "jjsploit_8.12.2_x64_en-US (1).msi"  msiexec.exe
- Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\SourceList\Media  msiexec.exe
- Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\Clients = 3a0000000000  msiexec.exe
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"  msiexec.exe
- Key created  \REGISTRY\MACHINE\Software\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C  msiexec.exe
- Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\SourceList  msiexec.exe
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\12DCA8A64F060554D8D6BD3BFF8A7C4C\Environment = "MainProgram"  msiexec.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\AuthorizedLUAApp = "0"  msiexec.exe
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\2294C8C9A96F9A557BCA814D87DFAFEC\12DCA8A64F060554D8D6BD3BFF8A7C4C  msiexec.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid / Process:
- 1236 msiexec.exe
- 1236 msiexec.exe
- 2472 powershell.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description / pid / Process:
- Token: SeShutdownPrivilege  2012 msiexec.exe
- Token: SeIncreaseQuotaPrivilege  2012 msiexec.exe
- Token: SeRestorePrivilege  1236 msiexec.exe
- Token: SeTakeOwnershipPrivilege  1236 msiexec.exe
- Token: SeSecurityPrivilege  1236 msiexec.exe
- Token: SeDebugPrivilege  2752 JJSplo.exe
- Token: SeCreateTokenPrivilege  2012 msiexec.exe
- Token: SeAssignPrimaryTokenPrivilege  2012 msiexec.exe
- Token: SeLockMemoryPrivilege  2012 msiexec.exe
- Token: SeIncreaseQuotaPrivilege  2012 msiexec.exe
- Token: SeMachineAccountPrivilege  2012 msiexec.exe
- Token: SeTcbPrivilege  2012 msiexec.exe
- Token: SeSecurityPrivilege  2012 msiexec.exe
- Token: SeTakeOwnershipPrivilege  2012 msiexec.exe
- Token: SeLoadDriverPrivilege  2012 msiexec.exe
- Token: SeSystemProfilePrivilege  2012 msiexec.exe
- Token: SeSystemtimePrivilege  2012 msiexec.exe
- Token: SeProfSingleProcessPrivilege  2012 msiexec.exe
- Token: SeIncBasePriorityPrivilege  2012 msiexec.exe
- Token: SeCreatePagefilePrivilege  2012 msiexec.exe
- Token: SeCreatePermanentPrivilege  2012 msiexec.exe
- Token: SeBackupPrivilege  2012 msiexec.exe
- Token: SeRestorePrivilege  2012 msiexec.exe
- Token: SeShutdownPrivilege  2012 msiexec.exe
- Token: SeDebugPrivilege  2012 msiexec.exe
- Token: SeAuditPrivilege  2012 msiexec.exe
- Token: SeSystemEnvironmentPrivilege  2012 msiexec.exe
- Token: SeChangeNotifyPrivilege  2012 msiexec.exe
- Token: SeRemoteShutdownPrivilege  2012 msiexec.exe
- Token: SeUndockPrivilege  2012 msiexec.exe
- Token: SeSyncAgentPrivilege  2012 msiexec.exe
- Token: SeEnableDelegationPrivilege  2012 msiexec.exe
- Token: SeManageVolumePrivilege  2012 msiexec.exe
- Token: SeImpersonatePrivilege  2012 msiexec.exe
- Token: SeCreateGlobalPrivilege  2012 msiexec.exe
- Token: SeDebugPrivilege  2764 JJSploitInjector.exe
- Token: SeIncreaseQuotaPrivilege  2056 wmic.exe
- Token: SeSecurityPrivilege  2056 wmic.exe
- Token: SeTakeOwnershipPrivilege  2056 wmic.exe
- Token: SeLoadDriverPrivilege  2056 wmic.exe
- Token: SeSystemProfilePrivilege  2056 wmic.exe
- Token: SeSystemtimePrivilege  2056 wmic.exe
- Token: SeProfSingleProcessPrivilege  2056 wmic.exe
- Token: SeIncBasePriorityPrivilege  2056 wmic.exe
- Token: SeCreatePagefilePrivilege  2056 wmic.exe
- Token: SeBackupPrivilege  2056 wmic.exe
- Token: SeRestorePrivilege  2056 wmic.exe
- Token: SeShutdownPrivilege  2056 wmic.exe
- Token: SeDebugPrivilege  2056 wmic.exe
- Token: SeSystemEnvironmentPrivilege  2056 wmic.exe
- Token: SeRemoteShutdownPrivilege  2056 wmic.exe
- Token: SeUndockPrivilege  2056 wmic.exe
- Token: SeManageVolumePrivilege  2056 wmic.exe
- Token: 33  2056 wmic.exe
- Token: 34  2056 wmic.exe
- Token: 35  2056 wmic.exe
- Token: SeIncreaseQuotaPrivilege  2056 wmic.exe
- Token: SeSecurityPrivilege  2056 wmic.exe
- Token: SeTakeOwnershipPrivilege  2056 wmic.exe
- Token: SeLoadDriverPrivilege  2056 wmic.exe
- Token: SeSystemProfilePrivilege  2056 wmic.exe
- Token: SeSystemtimePrivilege  2056 wmic.exe
- Token: SeProfSingleProcessPrivilege  2056 wmic.exe
- Token: SeIncBasePriorityPrivilege  2056 wmic.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
pid / Process:
- 2012 msiexec.exe
- 2012 msiexec.exe
Suspicious use of WriteProcessMemory (28 IoCs)
description / pid / Process / procid_target:
- PID 2660 wrote to memory of 2764  2660 JJSploit.exe  30
- PID 2660 wrote to memory of 2764  2660 JJSploit.exe  30
- PID 2660 wrote to memory of 2764  2660 JJSploit.exe  30
- PID 2660 wrote to memory of 2764  2660 JJSploit.exe  30
- PID 2660 wrote to memory of 2752  2660 JJSploit.exe  31
- PID 2660 wrote to memory of 2752  2660 JJSploit.exe  31
- PID 2660 wrote to memory of 2752  2660 JJSploit.exe  31
- PID 2660 wrote to memory of 2752  2660 JJSploit.exe  31
- PID 2660 wrote to memory of 2012  2660 JJSploit.exe  32
- PID 2660 wrote to memory of 2012  2660 JJSploit.exe  32
- PID 2660 wrote to memory of 2012  2660 JJSploit.exe  32
- PID 2660 wrote to memory of 2012  2660 JJSploit.exe  32
- PID 2660 wrote to memory of 2012  2660 JJSploit.exe  32
- PID 2660 wrote to memory of 2012  2660 JJSploit.exe  32
- PID 2660 wrote to memory of 2012  2660 JJSploit.exe  32
- PID 2764 wrote to memory of 2056  2764 JJSploitInjector.exe  34
- PID 2764 wrote to memory of 2056  2764 JJSploitInjector.exe  34
- PID 2764 wrote to memory of 2056  2764 JJSploitInjector.exe  34
- PID 1236 wrote to memory of 2324  1236 msiexec.exe  37
- PID 1236 wrote to memory of 2324  1236 msiexec.exe  37
- PID 1236 wrote to memory of 2324  1236 msiexec.exe  37
- PID 1236 wrote to memory of 2324  1236 msiexec.exe  37
- PID 1236 wrote to memory of 2324  1236 msiexec.exe  37
- PID 1236 wrote to memory of 2324  1236 msiexec.exe  37
- PID 1236 wrote to memory of 2324  1236 msiexec.exe  37
- PID 1236 wrote to memory of 2472  1236 msiexec.exe  41
- PID 1236 wrote to memory of 2472  1236 msiexec.exe  41
- PID 1236 wrote to memory of 2472  1236 msiexec.exe  41
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\JJSploit.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JJSploit.exe"
  PID: 2660
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\JJSploitInjector.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\JJSploitInjector.exe"
      PID: 2764
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\System32\Wbem\wmic.exe
          Command line: "wmic.exe" csproduct get uuid
          PID: 2056
          - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\JJSplo.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\JJSplo.exe"
      PID: 2752
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\msiexec.exe
      Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\jjsploit_8.12.2_x64_en-US (1).msi"
      PID: 2012
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 1236
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding A5A42727AA385EDF6E8646B2D09F5112 C
      PID: 2324
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -Wait
      PID: 2472
      - Command and Scripting Interpreter: PowerShell
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 572

C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000598" "00000000000005A8"
  PID: 2964
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1KB
  MD5: 048d1b78c3efecb3e57474414bcf1310
  SHA1: f9876bb6068c0248a599c444abb6b8350f5cf0a1
  SHA256: 719f149bc7fc9e9abf7fa18fa24a62ae36e50e4813e05025bfb09dc155b7d26a
  SHA512: e2852e6dac163fb85106d43019efb47a1000ae05bd2d64212a47c02fca2270a97c91f1978c3e1e7b32468d47db2a625ef56d8e5ec062c4cc1ffccfe406956062

- Filesize: 132KB
  MD5: cfbb8568bd3711a97e6124c56fcfa8d9
  SHA1: d7a098ae58bdd5e93a3c1b04b3d69a14234d5e57
  SHA256: 7f47d98ab25cfea9b3a2e898c3376cc9ba1cd893b4948b0c27caa530fd0e34cc
  SHA512: 860cbf3286ac4915580cefaf56a9c3d48938eb08e3f31b7f024c4339c037d7c8bdf16e766d08106505ba535be4922a87dc46bd029aae99a64ea2fc02cf3aec04

- Filesize: 6.3MB
  MD5: d8be6f14b4dd7a85a5b5479e88b940da
  SHA1: 4c1ed04a00fb4fc31cc4c10172d0e6f310faacef
  SHA256: c3daa5b6503c601bf868de990dc5fe055c266a7cba6e269115290c37fb8a4d05
  SHA512: 77964855eddaf57ebf7810185eacf2bd40bfdd883473ac063223ea496744d81db678c171707d44cfe19077df1fcfb8888a54021fc6af7cb4547dcc464ce717ea

- Filesize: 17.1MB
  MD5: b393f1b89a320d6a0b42190c6dcb6860
  SHA1: 209e800233976ec908a87db948b5aa175d99b1e8
  SHA256: ca45895af0e91692514e6f4b8b494e68392821fa18503526243091d7d49e3064
  SHA512: 21be0b7a232e7182455206b13beada6e9614335a0b3ada9875a68620efc14f43723778910dfb6070a47ee8f177d02add1d5a2e60d616fec914a88b9ecb01f0eb

- Filesize: 68KB
  MD5: c5ba230193b7f217c0e512a5cb8606e8
  SHA1: f04b380d5622285d72531e0ed936e5bfe90fb4af
  SHA256: 8fd9fdf831724e2c0227f399e2a8be95304daa91b7fd07db4b245dba1380f9c3
  SHA512: 0c5bd99bdefde5c0a7a809199f0bed1a0590f05ffe12bb554424cf4982b606677c33fafe5e46fc0feb9d5f6163cfbae2fa771a91f9973a6cceae2176b5a3e0a5

- Filesize: 229KB
  MD5: 760861bfe626a80dcf4d2b13f8d8c76a
  SHA1: 8ce9854d053ce7df079942f6f76550479ccd6325
  SHA256: ab957ab7e09f994d24ace2b7d1b807e757249465d12e21d5f1916afb1518e27a
  SHA512: 513d447fd8a84b799dbdcd8ea3382375aa8190fb340b51f5b78114bddc721b96fdfbd036ed04520a81664f18ff4a414c908c79bddcf665860486663fbb8d3be2