| File name: | jjsploit_8.14.4_x64_en-US.msi |
| Full analysis: | https://app.any.run/tasks/b133762f-8d7c-4746-accf-6a6ff8ceb365 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | June 02, 2025, 20:03:50 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-msi |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: jjsploit, Author: wearedevs, Keywords: Installer, Comments: This installer database contains the logic and data required to install jjsploit., Template: x64;0, Revision Number: {78647BD7-A6F9-441C-8198-F83F1E9F555E}, Create Time/Date: Sun May 11 16:25:20 2025, Last Saved Time/Date: Sun May 11 16:25:20 2025, Number of Pages: 450, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2 |
| MD5: | 07BFE4CEF3BE354020BBF50205ECAD9B |
| SHA1: | 286AAB63F0174A1D5B01E794AEF1E2A13786C6F0 |
| SHA256: | 05A0CC8F1FBB4A7479734159822511A534BC65766B9A01B0D01450391A7D7711 |
| SSDEEP: | 98304:HVigAXvy/XuMQNHEpW4pabtGpp9SeNbQfK4rpRkxQp6qUykuxiBZ4/6MDVYDJhND:8QC27E4MKZ1h/n |
MALICIOUS
Run PowerShell with an invisible window
- powershell.exe (PID: 456)
SUSPICIOUS
Executes as Windows Service
- VSSVC.exe (PID: 4068)
Manipulates environment variables
- powershell.exe (PID: 456)
Downloads file from URI via Powershell
- powershell.exe (PID: 456)
The process bypasses the loading of PowerShell profile settings
- msiexec.exe (PID: 6700)
Starts POWERSHELL.EXE for commands execution
- msiexec.exe (PID: 6700)
Starts process via Powershell
- powershell.exe (PID: 456)
Executable content was dropped or overwritten
- powershell.exe (PID: 456)
- MicrosoftEdgeWebview2Setup.exe (PID: 7748)
- MicrosoftEdgeUpdate.exe (PID: 7452)
- MicrosoftEdge_X64_137.0.3296.58.exe (PID: 5428)
- setup.exe (PID: 4208)
Starts a Microsoft application from unusual location
- MicrosoftEdgeWebview2Setup.exe (PID: 7748)
- MicrosoftEdgeUpdate.exe (PID: 7452)
Process drops legitimate windows executable
- powershell.exe (PID: 456)
- MicrosoftEdgeWebview2Setup.exe (PID: 7748)
- MicrosoftEdgeUpdate.exe (PID: 7452)
- MicrosoftEdge_X64_137.0.3296.58.exe (PID: 5428)
- setup.exe (PID: 4208)
Starts itself from another location
- MicrosoftEdgeUpdate.exe (PID: 7452)
Application launched itself
- setup.exe (PID: 4208)
- setup.exe (PID: 6644)
INFO
An automatically generated document
- msiexec.exe (PID: 6476)
Reads the computer name
- msiexec.exe (PID: 6700)
- msiexec.exe (PID: 3192)
Checks supported languages
- msiexec.exe (PID: 6700)
- msiexec.exe (PID: 3192)
Executable content was dropped or overwritten
- msiexec.exe (PID: 6700)
- msiexec.exe (PID: 6476)
Manages system restore points
- SrTasks.exe (PID: 8068)
The executable file from the user directory is run by the Powershell process
- MicrosoftEdgeWebview2Setup.exe (PID: 7748)
The sample compiled with english language support
- powershell.exe (PID: 456)
- MicrosoftEdge_X64_137.0.3296.58.exe (PID: 5428)
- MicrosoftEdgeUpdate.exe (PID: 7452)
- MicrosoftEdgeWebview2Setup.exe (PID: 7748)
- setup.exe (PID: 4208)
Manual execution by a user
- jjsploit.exe (PID: 4200)
- jjsploit.exe (PID: 3132)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .msi | | | Microsoft Windows Installer (98.5) |
|---|---|---|
| .msi | | | Microsoft Installer (100) |
EXIF
FlashPix
| CodePage: | Windows Latin 1 (Western European) |
|---|---|
| Title: | Installation Database |
| Subject: | jjsploit |
| Author: | wearedevs |
| Keywords: | Installer |
| Comments: | This installer database contains the logic and data required to install jjsploit. |
| Template: | x64;0 |
| RevisionNumber: | {78647BD7-A6F9-441C-8198-F83F1E9F555E} |
| CreateDate: | 2025:05:11 16:25:20 |
| ModifyDate: | 2025:05:11 16:25:20 |
| Pages: | 450 |
| Words: | 2 |
| Software: | Windows Installer XML Toolset (3.14.1.8722) |
| Security: | Read-only recommended |
Total processes
153
Monitored processes
25
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 456 | powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -Wait | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | msiexec.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 840 | C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{881924D9-2E9A-43C5-9151-D33E4244F91C}\EDGEMITMP_A8F8F.tmp\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=137.0.7151.56 --annotation=exe=C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{881924D9-2E9A-43C5-9151-D33E4244F91C}\EDGEMITMP_A8F8F.tmp\setup.exe --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=137.0.3296.58 --initial-client-data=0x22c,0x234,0x238,0x160,0x23c,0x7ff7db1353f8,0x7ff7db135404,0x7ff7db135410 | C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{881924D9-2E9A-43C5-9151-D33E4244F91C}\EDGEMITMP_A8F8F.tmp\setup.exe | — | setup.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Installer Exit code: 0 Version: 137.0.3296.58 Modules
| |||||||||||||||
| 1176 | "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=false" /installsource otherinstallcmd /sessionid "{454A234B-3102-49C3-805E-5B5CB395E547}" /silent | C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | — | MicrosoftEdgeUpdate.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Update Version: 1.3.195.61 Modules
| |||||||||||||||
| 2320 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2600 | "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" -Embedding | C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Update Version: 1.3.195.61 Modules
| |||||||||||||||
| 3132 | "C:\Program Files\jjsploit\jjsploit.exe" | C:\Program Files\jjsploit\jjsploit.exe | — | explorer.exe | |||||||||||
User: admin Company: wearedevs Integrity Level: MEDIUM Description: jjsploit Version: 8.14.4 Modules
| |||||||||||||||
| 3192 | C:\Windows\syswow64\MsiExec.exe -Embedding BC40BEF32C6EF5FE3B734BA12191E2F2 C | C:\Windows\SysWOW64\msiexec.exe | — | msiexec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Version: 5.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4068 | C:\WINDOWS\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4200 | "C:\Program Files\jjsploit\jjsploit.exe" | C:\Program Files\jjsploit\jjsploit.exe | — | explorer.exe | |||||||||||
User: admin Company: wearedevs Integrity Level: MEDIUM Description: jjsploit Version: 8.14.4 Modules
| |||||||||||||||
| 4208 | "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{881924D9-2E9A-43C5-9151-D33E4244F91C}\EDGEMITMP_A8F8F.tmp\setup.exe" --install-archive="C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{881924D9-2E9A-43C5-9151-D33E4244F91C}\MicrosoftEdge_X64_137.0.3296.58.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --user-level | C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{881924D9-2E9A-43C5-9151-D33E4244F91C}\EDGEMITMP_A8F8F.tmp\setup.exe | MicrosoftEdge_X64_137.0.3296.58.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Installer Exit code: 0 Version: 137.0.3296.58 Modules
| |||||||||||||||
Total events
18 040
Read events
15 000
Write events
2 983
Delete events
57
Modification events
| (PID) Process: | (6700) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore |
| Operation: | write | Name: | SrCreateRp (Enter) |
Value: 480000000000000053009687F9D3DB012C1A000060170000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (6700) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGetSnapshots (Enter) |
Value: 480000000000000053009687F9D3DB012C1A000060170000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (6700) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGetSnapshots (Leave) |
Value: 48000000000000007A1DDB87F9D3DB012C1A000060170000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (6700) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppEnumGroups (Enter) |
Value: 48000000000000007A1DDB87F9D3DB012C1A000060170000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (6700) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppEnumGroups (Leave) |
Value: 48000000000000008B82DD87F9D3DB012C1A000060170000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (6700) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 4800000000000000E7895988F9D3DB012C1A0000E01A0000E80300000100000000000000000000001D04DC8D0F6CAD4994592B966AB865C200000000000000000000000000000000 | |||
| (PID) Process: | (4068) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer |
| Operation: | write | Name: | IDENTIFY (Leave) |
Value: 4800000000000000C3926C88F9D3DB01E40F0000440C0000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (6700) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppCreate (Enter) |
Value: 4800000000000000CE4AE287F9D3DB012C1A000060170000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (6700) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP |
| Operation: | write | Name: | LastIndex |
Value: 11 | |||
| (PID) Process: | (6700) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGatherWriterMetadata (Enter) |
Value: 48000000000000002F265788F9D3DB012C1A000060170000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
Executable files
206
Suspicious files
20
Text files
22
Unknown types
7
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6700 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
| 6700 | msiexec.exe | C:\Windows\Installer\128d25.msi | — | |
MD5:— | SHA256:— | |||
| 6700 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary | |
MD5:271304A226739BD4287CD8D2AF678BE5 | SHA256:FA9D91465AB747ADA8F7152FD84FBAEA7697B5D9D7D82A3E12F6E3A9587D3DA7 | |||
| 6476 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI3F91.tmp | executable | |
MD5:CFBB8568BD3711A97E6124C56FCFA8D9 | SHA256:7F47D98AB25CFEA9B3A2E898C3376CC9BA1CD893B4948B0C27CAA530FD0E34CC | |||
| 6700 | msiexec.exe | C:\Windows\Installer\inprogressinstallinfo.ipi | binary | |
MD5:4C9FDB6F8914CCDBAA68D4A81E00B2DB | SHA256:3B29135F7B3E7A7BE04D22007166A90D661F42A3E6B023CA0C7ACA8C437179F6 | |||
| 6700 | msiexec.exe | C:\Program Files\jjsploit\resources\luascripts\general\god.lua | text | |
MD5:121A9CE65D07175515C986D40502F1A5 | SHA256:DBFBB0B80576AA03C66CA23D4510C5B5EB33FCA8AB2031BE75556073230DE323 | |||
| 6700 | msiexec.exe | C:\Program Files\jjsploit\resources\luascripts\animations\walkthrough.lua | text | |
MD5:348E2FCFE114EF12E8DB7AE75F24DE15 | SHA256:10409B6D213DB5683EC415FA1A8CDE85B38FD057C9AA7B88C3FE4FBB19CD54B0 | |||
| 6700 | msiexec.exe | C:\Program Files\jjsploit\resources\luascripts\general\teleportto.lua | text | |
MD5:6F9AFF06C0F98D0410365578D2AD1DFB | SHA256:02BDF1C9CFACE7C7F710B4B538673B14B39BC824B1DB4EA4EC6376DD000535B4 | |||
| 6700 | msiexec.exe | C:\Program Files\jjsploit\resources\luascripts\jailbreak\walkspeed.lua | binary | |
MD5:76D6BC545A92D108FF8A18614A5DB4AD | SHA256:A7931EE89662C563637E1752228923D182F42F3A70286D4FD0A1FFF993C9766D | |||
| 6700 | msiexec.exe | C:\Program Files\jjsploit\resources\luascripts\animations\levitate.lua | text | |
MD5:D09DA2B730602A59C3289B72E63137BB | SHA256:2AF3980171CC17A4D7687B7489FE8B0BB193E5080C0CA76E5501983A0B3EFADB | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
34
DNS requests
19
Threats
1
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 2.20.245.139:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
6544 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
7708 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
7708 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
772 | svchost.exe | HEAD | 200 | 208.89.74.17:80 | http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/55242085-f612-4ab8-9d05-6426b10c7b09?P1=1749499488&P2=404&P3=2&P4=G0m%2fOjbqYi9Gma3vz2vs5JcqTeK%2bDNUSceUNVmLkOoc3isRr0pFXiEbezZjdg4EB90oNhlg1j3dIx0N%2bJnu4FA%3d%3d | unknown | — | — | whitelisted |
772 | svchost.exe | GET | 200 | 208.89.74.17:80 | http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/55242085-f612-4ab8-9d05-6426b10c7b09?P1=1749499488&P2=404&P3=2&P4=G0m%2fOjbqYi9Gma3vz2vs5JcqTeK%2bDNUSceUNVmLkOoc3isRr0pFXiEbezZjdg4EB90oNhlg1j3dIx0N%2bJnu4FA%3d%3d | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 51.124.78.146:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 2.20.245.139:80 | crl.microsoft.com | Akamai International B.V. | SE | whitelisted |
5496 | MoUsoCoreWorker.exe | 23.219.150.101:80 | www.microsoft.com | AKAMAI-AS | CL | whitelisted |
7864 | RUXIMICS.exe | 51.124.78.146:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
6544 | svchost.exe | 40.126.32.74:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6544 | svchost.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted |
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
7708 | SIHClient.exe | 4.245.163.56:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
msedge.sf.dl.delivery.mp.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
772 | svchost.exe | Misc activity | ET INFO Packed Executable Download |