Malware analysis JJSploit_8.10.15_x64_en-US.exe Malicious activity

Add for printing

File name:	JJSploit_8.10.15_x64_en-US.exe
Full analysis:	https://app.any.run/tasks/0237c2ae-8801-4d64-8833-655e430b2893
Verdict:	Malicious activity
Threats:	Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	January 19, 2025, 01:59:49
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	stealer python screenshot sheetrat rat evasion discord blankgrabber
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	8DE4967DFA5AC8CFDB8BB282096FAA33
SHA1:	8B74C208562AA36D8135411B73E884D0D80AF0C3
SHA256:	1637408D126C94A8D4C1F85984ADD31B87A782D704748068264D2B7BE742ECDE
SSDEEP:	98304:WVY+YAL1N+Y4NPBWGrJQQKBoYbkDBpw1SpaeXgPuIUyouTMzKjc8q+TT1ELXdBLg:V98pBxlchxLftRKh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Bypass execution policy to execute commands
  - powershell.exe (PID: 6840)
  - powershell.exe (PID: 3816)
  - powershell.exe (PID: 7520)
- Adds path to the Windows Defender exclusion list
  - JJSploit_8.10.15_x64_en-US.exe (PID: 6444)
  - cmd.exe (PID: 6548)
  - AggregatorHost.exe (PID: 6240)
- Changes powershell execution policy (Bypass)
  - JJSploit_8.10.15_x64_en-US.exe (PID: 6444)
  - cmd.exe (PID: 6820)
- BlankGrabber has been detected
  - AggregatorHost.exe (PID: 5404)
- Executing a file with an untrusted certificate
  - AggregatorHost.exe (PID: 6240)
  - AggregatorHost.exe (PID: 5404)
- Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)
  - powershell.exe (PID: 6736)
- Changes settings for checking scripts for malicious actions
  - powershell.exe (PID: 6736)
- Changes Controlled Folder Access settings
  - powershell.exe (PID: 6736)
- Changes settings for protection against network attacks (IPS)
  - powershell.exe (PID: 6736)
- Changes settings for sending potential threat samples to Microsoft servers
  - powershell.exe (PID: 6736)
- Changes settings for reporting to Microsoft Active Protection Service (MAPS)
  - powershell.exe (PID: 6736)
- Changes settings for real-time protection
  - powershell.exe (PID: 6736)
- Antivirus name has been found in the command line (generic signature)
  - cmd.exe (PID: 4164)
- Actions looks like stealing of personal data
  - AggregatorHost.exe (PID: 6240)
  - 123.exe (PID: 720)
- Steals credentials from Web Browsers
  - AggregatorHost.exe (PID: 6240)
- Resets Windows Defender malware definitions to the base version
  - MpCmdRun.exe (PID: 7148)
- SHEETRAT mutex has been found
  - 123.exe (PID: 720)
- Uses Task Scheduler to autorun other applications
  - cmd.exe (PID: 8144)
- Changes the login/logoff helper path in the registry
  - 123.exe (PID: 720)
- Changes the AppInit_DLLs value (autorun option)
  - 123.exe (PID: 720)
- Uses Task Scheduler to run other applications
  - cmd.exe (PID: 7492)
- Changes the autorun value in the registry
  - 123.exe (PID: 720)
- BLANKGRABBER has been detected (SURICATA)
  - AggregatorHost.exe (PID: 6240)
- Starts CMD.EXE for self-deleting
  - AggregatorHost.exe (PID: 6240)
- Run PowerShell with an invisible window
  - powershell.exe (PID: 4500)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - JJSploit_8.10.15_x64_en-US.exe (PID: 5684)
  - JJSploit_8.10.15_x64_en-US.exe (PID: 6444)
  - MicrosoftEdgeUpdate.exe (PID: 6016)
  - msiexec.exe (PID: 7164)
- Reads the date of Windows installation
  - JJSploit_8.10.15_x64_en-US.exe (PID: 5684)
  - JJSploit_8.10.15_x64_en-US.exe (PID: 6444)
  - SearchApp.exe (PID: 6772)
- Application launched itself
  - JJSploit_8.10.15_x64_en-US.exe (PID: 5684)
  - AggregatorHost.exe (PID: 5404)
- Starts POWERSHELL.EXE for commands execution
  - JJSploit_8.10.15_x64_en-US.exe (PID: 6444)
  - cmd.exe (PID: 6548)
  - cmd.exe (PID: 4164)
  - cmd.exe (PID: 3988)
  - cmd.exe (PID: 6820)
  - cmd.exe (PID: 7788)
  - cmd.exe (PID: 4764)
  - cmd.exe (PID: 3620)
  - cmd.exe (PID: 3836)
  - msiexec.exe (PID: 6964)
- Executable content was dropped or overwritten
  - JJSploit_8.10.15_x64_en-US.exe (PID: 6444)
  - AggregatorHost.exe (PID: 5404)
  - 123.exe (PID: 720)
  - csc.exe (PID: 3620)
  - powershell.exe (PID: 4500)
  - MicrosoftEdgeWebview2Setup.exe (PID: 5632)
- Executes as Windows Service
  - VSSVC.exe (PID: 5872)
- The process creates files with name similar to system file names
  - JJSploit_8.10.15_x64_en-US.exe (PID: 6444)
  - 123.exe (PID: 720)
- Script adds exclusion path to Windows Defender
  - JJSploit_8.10.15_x64_en-US.exe (PID: 6444)
  - cmd.exe (PID: 6548)
- Process drops legitimate windows executable
  - AggregatorHost.exe (PID: 5404)
  - JJSploit_8.10.15_x64_en-US.exe (PID: 6444)
  - powershell.exe (PID: 4500)
  - MicrosoftEdgeUpdate.exe (PID: 6016)
  - MicrosoftEdgeWebview2Setup.exe (PID: 5632)
- Starts a Microsoft application from unusual location
  - AggregatorHost.exe (PID: 5404)
  - AggregatorHost.exe (PID: 6240)
  - MicrosoftEdgeWebview2Setup.exe (PID: 5632)
  - MicrosoftEdgeUpdate.exe (PID: 6016)
- Process drops python dynamic module
  - AggregatorHost.exe (PID: 5404)
- The process drops C-runtime libraries
  - AggregatorHost.exe (PID: 5404)
- Loads Python modules
  - AggregatorHost.exe (PID: 6240)
- Found strings related to reading or modifying Windows Defender settings
  - AggregatorHost.exe (PID: 6240)
- Script disables Windows Defender's real-time protection
  - cmd.exe (PID: 4164)
- Starts CMD.EXE for commands execution
  - AggregatorHost.exe (PID: 6240)
  - 123.exe (PID: 720)
- Script disables Windows Defender's IPS
  - cmd.exe (PID: 4164)
- Get information on the list of running processes
  - cmd.exe (PID: 7068)
  - cmd.exe (PID: 6992)
  - cmd.exe (PID: 4804)
  - AggregatorHost.exe (PID: 6240)
- Starts application with an unusual extension
  - cmd.exe (PID: 4132)
  - cmd.exe (PID: 7356)
  - cmd.exe (PID: 7760)
  - cmd.exe (PID: 7936)
  - cmd.exe (PID: 8100)
  - cmd.exe (PID: 7828)
- Uses WMIC.EXE to obtain Windows Installer data
  - cmd.exe (PID: 4764)
  - cmd.exe (PID: 8036)
- Uses SYSTEMINFO.EXE to read the environment
  - cmd.exe (PID: 2072)
- Uses NETSH.EXE to obtain data on the network
  - cmd.exe (PID: 4076)
- Uses ATTRIB.EXE to modify file attributes
  - cmd.exe (PID: 5092)
- Base64-obfuscated command line is found
  - cmd.exe (PID: 6820)
- BASE64 encoded PowerShell command has been detected
  - cmd.exe (PID: 6820)
- The process bypasses the loading of PowerShell profile settings
  - cmd.exe (PID: 6820)
  - msiexec.exe (PID: 6964)
- Accesses antivirus product name via WMI (SCRIPT)
  - WMIC.exe (PID: 7432)
- CSC.EXE is used to compile C# code
  - csc.exe (PID: 3620)
- Captures screenshot (POWERSHELL)
  - powershell.exe (PID: 7520)
- The executable file from the user directory is run by the CMD process
  - rar.exe (PID: 7468)
- Uses WMIC.EXE to obtain computer system information
  - cmd.exe (PID: 7852)
- Uses WMIC.EXE to obtain operating system information
  - cmd.exe (PID: 4648)
- Accesses operating system name via WMI (SCRIPT)
  - WMIC.exe (PID: 4328)
- Accesses video controller name via WMI (SCRIPT)
  - WMIC.exe (PID: 6520)
- Accesses product unique identifier via WMI (SCRIPT)
  - WMIC.exe (PID: 7888)
- Uses WMIC.EXE to obtain a list of video controllers
  - cmd.exe (PID: 8112)
- Connects to unusual port
  - 123.exe (PID: 720)
- Reads the Windows owner or organization settings
  - msiexec.exe (PID: 6964)
- Checks for external IP
  - svchost.exe (PID: 2192)
  - AggregatorHost.exe (PID: 6240)
- Starts process via Powershell
  - powershell.exe (PID: 4500)
- Manipulates environment variables
  - powershell.exe (PID: 4500)
- Downloads file from URI via Powershell
  - powershell.exe (PID: 4500)
- Hides command output
  - cmd.exe (PID: 3988)
- Runs PING.EXE to delay simulation
  - cmd.exe (PID: 3988)
- Gets or sets the security protocol (POWERSHELL)
  - powershell.exe (PID: 4500)
- Disables SEHOP
  - MicrosoftEdgeUpdate.exe (PID: 6016)
INFO
- Checks supported languages
  - JJSploit_8.10.15_x64_en-US.exe (PID: 6444)
  - JJSploit_8.10.15_x64_en-US.exe (PID: 5684)
  - msiexec.exe (PID: 7164)
  - 123.exe (PID: 720)
  - msiexec.exe (PID: 6964)
  - AggregatorHost.exe (PID: 5404)
  - AggregatorHost.exe (PID: 6240)
  - tree.com (PID: 6796)
  - tree.com (PID: 7672)
  - tree.com (PID: 8008)
  - tree.com (PID: 7336)
  - csc.exe (PID: 3620)
  - cvtres.exe (PID: 7792)
  - tree.com (PID: 7860)
  - tree.com (PID: 7408)
  - MpCmdRun.exe (PID: 7148)
  - rar.exe (PID: 7468)
  - SearchApp.exe (PID: 6772)
  - MicrosoftEdgeUpdate.exe (PID: 6016)
  - MicrosoftEdgeWebview2Setup.exe (PID: 5632)
  - JJSploit.exe (PID: 6168)
  - JJSploit.exe (PID: 6172)
- Reads the computer name
  - JJSploit_8.10.15_x64_en-US.exe (PID: 5684)
  - JJSploit_8.10.15_x64_en-US.exe (PID: 6444)
  - msiexec.exe (PID: 6964)
  - 123.exe (PID: 720)
  - msiexec.exe (PID: 7164)
  - AggregatorHost.exe (PID: 5404)
  - AggregatorHost.exe (PID: 6240)
  - MpCmdRun.exe (PID: 7148)
  - SearchApp.exe (PID: 6772)
  - MicrosoftEdgeUpdate.exe (PID: 6016)
  - JJSploit.exe (PID: 6172)
  - JJSploit.exe (PID: 6168)
- Process checks computer location settings
  - JJSploit_8.10.15_x64_en-US.exe (PID: 6444)
  - JJSploit_8.10.15_x64_en-US.exe (PID: 5684)
  - SearchApp.exe (PID: 6772)
  - MicrosoftEdgeUpdate.exe (PID: 6016)
  - msiexec.exe (PID: 7164)
- Reads the machine GUID from the registry
  - JJSploit_8.10.15_x64_en-US.exe (PID: 6444)
  - 123.exe (PID: 720)
  - csc.exe (PID: 3620)
  - rar.exe (PID: 7468)
  - SearchApp.exe (PID: 6772)
- The process uses the downloaded file
  - JJSploit_8.10.15_x64_en-US.exe (PID: 5684)
  - JJSploit_8.10.15_x64_en-US.exe (PID: 6444)
  - powershell.exe (PID: 4500)
- Reads Microsoft Office registry keys
  - JJSploit_8.10.15_x64_en-US.exe (PID: 6444)
- Checks if a key exists in the options dictionary (POWERSHELL)
  - powershell.exe (PID: 6840)
  - powershell.exe (PID: 3816)
  - powershell.exe (PID: 6884)
  - powershell.exe (PID: 6736)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 6840)
  - powershell.exe (PID: 3816)
  - powershell.exe (PID: 6884)
  - powershell.exe (PID: 6736)
  - powershell.exe (PID: 7492)
  - powershell.exe (PID: 7508)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 6832)
  - msiexec.exe (PID: 6964)
- Create files in a temporary directory
  - AggregatorHost.exe (PID: 5404)
  - JJSploit_8.10.15_x64_en-US.exe (PID: 6444)
  - AggregatorHost.exe (PID: 6240)
  - cvtres.exe (PID: 7792)
  - csc.exe (PID: 3620)
  - MpCmdRun.exe (PID: 7148)
- The sample compiled with english language support
  - AggregatorHost.exe (PID: 5404)
  - JJSploit_8.10.15_x64_en-US.exe (PID: 6444)
  - powershell.exe (PID: 4500)
  - MicrosoftEdgeWebview2Setup.exe (PID: 5632)
  - MicrosoftEdgeUpdate.exe (PID: 6016)
- Checks the directory tree
  - tree.com (PID: 6796)
  - tree.com (PID: 7672)
  - tree.com (PID: 7860)
  - tree.com (PID: 8008)
  - tree.com (PID: 7408)
  - tree.com (PID: 7336)
- The Powershell gets current clipboard
  - powershell.exe (PID: 7512)
- Reads security settings of Internet Explorer
  - WMIC.exe (PID: 7432)
  - WMIC.exe (PID: 6636)
  - WMIC.exe (PID: 7888)
  - WMIC.exe (PID: 6520)
  - WMIC.exe (PID: 4328)
- Displays MAC addresses of computer network adapters
  - getmac.exe (PID: 6724)
- Creates files or folders in the user directory
  - 123.exe (PID: 720)
- Drops encrypted VBS script (Microsoft Script Encoder)
  - 123.exe (PID: 720)
- Checks proxy server information
  - 123.exe (PID: 720)
  - SearchApp.exe (PID: 6772)
  - powershell.exe (PID: 4500)
  - wermgr.exe (PID: 7356)
  - MicrosoftEdgeUpdate.exe (PID: 6016)
- Reads Environment values
  - 123.exe (PID: 720)
  - SearchApp.exe (PID: 6772)
  - MicrosoftEdgeUpdate.exe (PID: 6016)
- Disables trace logs
  - 123.exe (PID: 720)
  - powershell.exe (PID: 4500)
- Reads the software policy settings
  - 123.exe (PID: 720)
  - SearchApp.exe (PID: 6772)
  - MicrosoftEdgeUpdate.exe (PID: 6016)
  - wermgr.exe (PID: 7356)
- Manages system restore points
  - SrTasks.exe (PID: 7240)
- Creates a software uninstall entry
  - msiexec.exe (PID: 6964)
- The executable file from the user directory is run by the Powershell process
  - MicrosoftEdgeWebview2Setup.exe (PID: 5632)
- Creates files in the program directory
  - MicrosoftEdgeWebview2Setup.exe (PID: 5632)
- Manual execution by a user
  - JJSploit.exe (PID: 6168)
- Sends debugging messages
  - JJSploit.exe (PID: 6168)
  - JJSploit.exe (PID: 6172)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe	\|	Win64 Executable (generic) (23.8)
.dll	\|	Win32 Dynamic Link Library (generic) (5.6)
.exe	\|	Win32 Executable (generic) (3.8)
.exe	\|	Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:01:12 20:52:21+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	11
CodeSize:	13238272
InitializedDataSize:	2048
UninitializedDataSize:	-
EntryPoint:	0xca1fee
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
FileDescription:
FileVersion:	1.0.0.0
InternalName:	JJSploit_8.10.15_x64_en-US.exe
LegalCopyright:
OriginalFileName:	JJSploit_8.10.15_x64_en-US.exe
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

254

Monitored processes

121

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

720

"C:\Users\admin\AppData\Local\Temp\123.exe"

C:\Users\admin\AppData\Local\Temp\123.exe

JJSploit_8.10.15_x64_en-US.exe

User:

admin

Company:

Bloxstrap

Integrity Level:

HIGH

Description:

Bloxstrap

Version:

2.8.1.0

Modules

Images
c:\users\admin\appdata\local\temp\123.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

2072

C:\WINDOWS\system32\cmd.exe /c "systeminfo"

C:\Windows\System32\cmd.exe

—

AggregatorHost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

2192

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

2324

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2736

attrib +h +s "C:\Users\admin\AppData\Local\Temp\AggregatorHost.exe"

C:\Windows\System32\attrib.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Attribute Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\attrib.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll

2956

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3260

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3620

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\4dr35pbu\4dr35pbu.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Visual C# Command Line Compiler

Exit code:

Version:

4.8.9037.0 built by: NET481REL1

Modules

Images
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll

3620

C:\WINDOWS\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\System32\cmd.exe

—

AggregatorHost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

3816

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Local\Temp\AggregatorHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

JJSploit_8.10.15_x64_en-US.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

Add for printing

Total events

86 917

Read events

86 440

Write events

454

Delete events

Modification events


(PID) Process:	(6444) JJSploit_8.10.15_x64_en-US.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.msi\OpenWithProgids
Operation:	write	Name:	Msi.Package
Value:
(PID) Process:	(6964) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:	write	Name:	SrCreateRp (Enter)
Value: 48000000000000005BB0B3DF156ADB01341B00009C160000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6964) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Enter)
Value: 48000000000000005BB0B3DF156ADB01341B00009C160000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6964) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Leave)
Value: 4800000000000000A0E2ECDF156ADB01341B00009C160000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6964) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Enter)
Value: 4800000000000000A0E2ECDF156ADB01341B00009C160000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6964) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppCreate (Enter)
Value: 480000000000000019A9F1DF156ADB01341B00009C160000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6964) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Leave)
Value: 4800000000000000D845EFDF156ADB01341B00009C160000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(720) 123.exe	Key:	HKEY_CURRENT_USER\SOFTWARE
Operation:	write	Name:	hwid
Value: MUFFQ0EyRTVDODhDMzgzNkJFQkZBM0M=
(PID) Process:	(6964) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:	write	Name:	LastIndex
Value: 11
(PID) Process:	(6964) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGatherWriterMetadata (Enter)
Value: 4800000000000000909D5AE0156ADB01341B00009C160000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Add for printing

Executable files

271

Suspicious files

104

Text files

188

Unknown types

Dropped files

PID	Process	Filename		Type
6444	JJSploit_8.10.15_x64_en-US.exe	C:\Users\admin\AppData\Local\Temp\JJSploit_8.10.15_x64_en-US.msi		—
		MD5:—	SHA256:—
6840	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_debu1xja.gqd.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6840	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:EEC8B84748E2DE15F326DCC1579504D0	SHA256:4CC32F8240259A2C94B7648FBA54EAD6CED06DC960B02A69D9048BABFAF693ED
5404	AggregatorHost.exe	C:\Users\admin\AppData\Local\Temp\_MEI54042\_sqlite3.pyd		executable
		MD5:D678600C8AF1EEEAA5D8C1D668190608	SHA256:D6960F4426C09A12488EB457E62506C49A58D62A1CB16FBC3AE66B260453C2ED
5404	AggregatorHost.exe	C:\Users\admin\AppData\Local\Temp\_MEI54042\_decimal.pyd		executable
		MD5:7BA541DEFE3739A888BE466C999C9787	SHA256:F90EFA10D90D940CDE48AAFE02C13A0FC0A1F0BE7F3714856B7A1435F5DECF29
5404	AggregatorHost.exe	C:\Users\admin\AppData\Local\Temp\_MEI54042\_bz2.pyd		executable
		MD5:0C13627F114F346604B0E8CBC03BAF29	SHA256:DF1E666B55AAE6EDE59EF672D173BD0D64EF3E824A64918E081082B8626A5861
5404	AggregatorHost.exe	C:\Users\admin\AppData\Local\Temp\_MEI54042\_lzma.pyd		executable
		MD5:8D9E1BB65A192C8446155A723C23D4C5	SHA256:1549FE64B710818950AA9BF45D43FE278CE59F3B87B3497D2106FF793EFA6CF7
5404	AggregatorHost.exe	C:\Users\admin\AppData\Local\Temp\_MEI54042\_socket.pyd		executable
		MD5:4351D7086E5221398B5B78906F4E84AC	SHA256:A0FA25EEF91825797F01754B7D7CF5106E355CF21322E926632F90AF01280ABE
3816	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wwp5cnln.l4s.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6444	JJSploit_8.10.15_x64_en-US.exe	C:\Users\admin\AppData\Local\Temp\123.exe		executable
		MD5:2381DBB16A86A7AB1504B63513DD3B58	SHA256:CDD3A4A0BB5BD37585CBBC19DD63B680871EEEA88C6B58791E5CD596B5CF59BA

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
188	svchost.exe	GET	200	2.19.11.105:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
188	svchost.exe	GET	200	23.209.214.100:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5064	SearchApp.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
7720	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
7720	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7356	wermgr.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
968	backgroundTaskHost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
6240	AggregatorHost.exe	GET	200	208.95.112.1:80	http://ip-api.com/json/?fields=225545	unknown	—	—	shared
7356	wermgr.exe	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
188	svchost.exe	2.19.11.105:80	crl.microsoft.com	Elisa Oyj	NL	whitelisted
188	svchost.exe	23.209.214.100:80	www.microsoft.com	PT. Telekomunikasi Selular	ID	whitelisted
4712	MoUsoCoreWorker.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5064	SearchApp.exe	2.19.122.26:443	www.bing.com	Akamai International B.V.	DE	whitelisted
1076	svchost.exe	2.18.97.227:443	go.microsoft.com	Akamai International B.V.	FR	whitelisted
5064	SearchApp.exe	2.17.190.73:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
1176	svchost.exe	40.126.32.133:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

DNS requests

Domain	IP	Reputation
crl.microsoft.com	2.19.11.105 2.19.11.120 2.16.164.49 2.16.164.72	whitelisted
www.microsoft.com	23.209.214.100 2.23.246.101	whitelisted
google.com	142.250.186.174	whitelisted
www.bing.com	2.19.122.26 2.19.122.30 2.21.65.132 2.21.65.154	whitelisted
go.microsoft.com	2.18.97.227 184.28.89.167	whitelisted
ocsp.digicert.com	2.17.190.73 2.23.77.188	whitelisted
login.live.com	40.126.32.133 20.190.160.14 40.126.32.74 20.190.160.17 40.126.32.134 20.190.160.20 40.126.32.76 20.190.160.22	whitelisted
gstatic.com	216.58.206.67	whitelisted
settings-win.data.microsoft.com	4.231.128.59 40.127.240.158	whitelisted
arc.msn.com	20.199.58.43	whitelisted

Threats

PID	Process	Class	Message
2192	svchost.exe	Potentially Bad Traffic	ET INFO playit .gg Tunneling Domain in DNS Lookup
2192	svchost.exe	Misc activity	ET INFO Tunneling Service in DNS Lookup (* .ply .gg)
2192	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
2192	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
6240	AggregatorHost.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
6240	AggregatorHost.exe	A Network Trojan was detected	STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check
6240	AggregatorHost.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ip-api.com
2192	svchost.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)

Add for printing

Process	Message
JJSploit.exe	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
JJSploit.exe	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.

General Info

JJSploit_8.10.15_x64_en-US.exe

8DE4967DFA5AC8CFDB8BB282096FAA33

8B74C208562AA36D8135411B73E884D0D80AF0C3

1637408D126C94A8D4C1F85984ADD31B87A782D704748068264D2B7BE742ECDE

98304:WVY+YAL1N+Y4NPBWGrJQQKBoYbkDBpw1SpaeXgPuIUyouTMzKjc8q+TT1ELXdBLg:V98pBxlchxLftRKh

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Bypass execution policy to execute commands

Adds path to the Windows Defender exclusion list

Changes powershell execution policy (Bypass)

BlankGrabber has been detected

Executing a file with an untrusted certificate

Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

Changes settings for checking scripts for malicious actions

Changes Controlled Folder Access settings

Changes settings for protection against network attacks (IPS)

Changes settings for sending potential threat samples to Microsoft servers

Changes settings for reporting to Microsoft Active Protection Service (MAPS)

Changes settings for real-time protection

Antivirus name has been found in the command line (generic signature)

Actions looks like stealing of personal data

Steals credentials from Web Browsers

Resets Windows Defender malware definitions to the base version

SHEETRAT mutex has been found

Uses Task Scheduler to autorun other applications

Changes the login/logoff helper path in the registry

Changes the AppInit_DLLs value (autorun option)

Uses Task Scheduler to run other applications

Changes the autorun value in the registry

BLANKGRABBER has been detected (SURICATA)

Starts CMD.EXE for self-deleting

Run PowerShell with an invisible window

SUSPICIOUS

Reads security settings of Internet Explorer

Reads the date of Windows installation

Application launched itself

Starts POWERSHELL.EXE for commands execution

Executable content was dropped or overwritten

Executes as Windows Service

The process creates files with name similar to system file names

Script adds exclusion path to Windows Defender

Process drops legitimate windows executable

Starts a Microsoft application from unusual location

Process drops python dynamic module

The process drops C-runtime libraries

Loads Python modules

Found strings related to reading or modifying Windows Defender settings

Script disables Windows Defender's real-time protection

Starts CMD.EXE for commands execution

Script disables Windows Defender's IPS

Get information on the list of running processes

Starts application with an unusual extension

Uses WMIC.EXE to obtain Windows Installer data

Uses SYSTEMINFO.EXE to read the environment

Uses NETSH.EXE to obtain data on the network

Uses ATTRIB.EXE to modify file attributes

Base64-obfuscated command line is found

BASE64 encoded PowerShell command has been detected

The process bypasses the loading of PowerShell profile settings

Accesses antivirus product name via WMI (SCRIPT)

CSC.EXE is used to compile C# code

Captures screenshot (POWERSHELL)

The executable file from the user directory is run by the CMD process

Uses WMIC.EXE to obtain computer system information

Uses WMIC.EXE to obtain operating system information

Accesses operating system name via WMI (SCRIPT)

Accesses video controller name via WMI (SCRIPT)

Accesses product unique identifier via WMI (SCRIPT)

Uses WMIC.EXE to obtain a list of video controllers

Connects to unusual port

Reads the Windows owner or organization settings

Checks for external IP

Starts process via Powershell

Manipulates environment variables

Downloads file from URI via Powershell