Malware analysis JJSploit_8.10.8_x64_en-US.msi Malicious activity

Add for printing

File name:	JJSploit_8.10.8_x64_en-US.msi
Full analysis:	https://app.any.run/tasks/e8131e15-a9ef-4988-aa02-b7d0f51170fd
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	October 22, 2024, 09:46:24
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	generated-doc loader github
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: JJSploit, Author: wearedevs, Keywords: Installer, Comments: This installer database contains the logic and data required to install JJSploit., Template: x64;0, Revision Number: {19640AB6-B11B-4E7D-85AF-45572B21A242}, Create Time/Date: Sat Oct 19 13:04:48 2024, Last Saved Time/Date: Sat Oct 19 13:04:48 2024, Number of Pages: 450, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
MD5:	B837D10B9A71425DBF3D62B2CC59F447
SHA1:	85C9BA3331F7EB432C28365B0D1F36A201373A72
SHA256:	76C83D1BEBD6B01BAB76D9A94F223E1A3CF20F2040B8D58A12625074E2936F7C
SSDEEP:	98304:i2gwM94bZ3Rf46771hTuOXPtn+UqayHNg1CT5988K/DJUQqZJ4srQirZZMIcWTyp:BGDN3n2tqbYeY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: on
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Run PowerShell with an invisible window
  - powershell.exe (PID: 696)
SUSPICIOUS
- Executes as Windows Service
  - VSSVC.exe (PID: 4164)
- Manipulates environment variables
  - powershell.exe (PID: 696)
- Request a resource from the Internet using PowerShell's cmdlet
  - msiexec.exe (PID: 6680)
- Starts process via Powershell
  - powershell.exe (PID: 696)
- The process bypasses the loading of PowerShell profile settings
  - msiexec.exe (PID: 6680)
- Downloads file from URI via Powershell
  - powershell.exe (PID: 696)
- Starts POWERSHELL.EXE for commands execution
  - msiexec.exe (PID: 6680)
- Executable content was dropped or overwritten
  - powershell.exe (PID: 696)
  - MicrosoftEdge_X64_130.0.2849.46.exe (PID: 8112)
  - MicrosoftEdgeWebview2Setup.exe (PID: 5604)
  - MicrosoftEdgeUpdate.exe (PID: 6760)
  - setup.exe (PID: 3000)
  - msedgewebview2.exe (PID: 6860)
  - JJSploit.exe (PID: 7948)
- Process drops legitimate windows executable
  - MicrosoftEdgeUpdate.exe (PID: 6760)
  - MicrosoftEdge_X64_130.0.2849.46.exe (PID: 8112)
  - powershell.exe (PID: 696)
  - MicrosoftEdgeWebview2Setup.exe (PID: 5604)
  - msedgewebview2.exe (PID: 6860)
  - setup.exe (PID: 3000)
- Application launched itself
  - setup.exe (PID: 3000)
  - MicrosoftEdgeUpdate.exe (PID: 6112)
  - msedgewebview2.exe (PID: 7288)
- Starts a Microsoft application from unusual location
  - MicrosoftEdgeWebview2Setup.exe (PID: 5604)
  - MicrosoftEdgeUpdate.exe (PID: 6760)
- Starts itself from another location
  - MicrosoftEdgeUpdate.exe (PID: 6760)
- Starts CMD.EXE for commands execution
  - JJSploit.exe (PID: 5004)
INFO
- An automatically generated document
  - msiexec.exe (PID: 6268)
- Manages system restore points
  - SrTasks.exe (PID: 6668)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 6680)
  - msiexec.exe (PID: 6268)
  - msedge.exe (PID: 3932)
- Application launched itself
  - msedge.exe (PID: 4088)
  - msedge.exe (PID: 2736)
- Manual execution by a user
  - JJSploit.exe (PID: 5004)
  - JJSploit.exe (PID: 6988)
  - JJSploit.exe (PID: 3728)
  - JJSploit.exe (PID: 1580)
  - JJSploit.exe (PID: 7368)
- The executable file from the user directory is run by the Powershell process
  - MicrosoftEdgeWebview2Setup.exe (PID: 5604)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.msi	\|	Microsoft Windows Installer (98.5)
.msi	\|	Microsoft Installer (100)

EXIF

FlashPix

CodePage:	Windows Latin 1 (Western European)
Title:	Installation Database
Subject:	JJSploit
Author:	wearedevs
Keywords:	Installer
Comments:	This installer database contains the logic and data required to install JJSploit.
Template:	x64;0
RevisionNumber:	{19640AB6-B11B-4E7D-85AF-45572B21A242}
CreateDate:	2024:10:19 13:04:48
ModifyDate:	2024:10:19 13:04:48
Pages:	450
Words:	2
Software:	Windows Installer XML Toolset (3.14.1.8722)
Security:	Read-only recommended

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

226

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
696	powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -Wait	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe		msiexec.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800)
700	"C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\130.0.2849.46\msedgewebview2.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.8 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1792,i,10841042767142492396,9801389477798631097,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=1828 /prefetch:2	C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\130.0.2849.46\msedgewebview2.exe	—	msedgewebview2.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge WebView2 Version: 130.0.2849.46
1084	"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.25\MicrosoftEdgeUpdateComRegisterShell64.exe" /user	C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.25\MicrosoftEdgeUpdateComRegisterShell64.exe	—	MicrosoftEdgeUpdate.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Update COM Registration Helper Exit code: 0 Version: 1.3.195.25
1336	C:\Windows\syswow64\MsiExec.exe -Embedding 090261125FC2732E59B2884557DB452F C	C:\Windows\SysWOW64\msiexec.exe	—	msiexec.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.19041.3636 (WinBuild.160101.0800)
1376	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=1512 --field-trial-handle=2380,i,5373249640529504574,16395020055844391960,262144 --variations-seed-version /prefetch:8	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	—	msedge.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59
1440	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5080 --field-trial-handle=2380,i,5373249640529504574,16395020055844391960,262144 --variations-seed-version /prefetch:8	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	—	msedge.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59
1580	"C:\Program Files\JJSploit\JJSploit.exe"	C:\Program Files\JJSploit\JJSploit.exe	—	explorer.exe
User: admin Integrity Level: MEDIUM Description: JJSploit Exit code: 101 Version: 8.10.8
1804	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=1140 --field-trial-handle=2380,i,5373249640529504574,16395020055844391960,262144 --variations-seed-version /prefetch:8	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	—	msedge.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59
2312	"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.25\MicrosoftEdgeUpdateComRegisterShell64.exe" /user	C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.25\MicrosoftEdgeUpdateComRegisterShell64.exe	—	MicrosoftEdgeUpdate.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Update COM Registration Helper Exit code: 0 Version: 1.3.195.25
2464	"cmd" /C start https://www.youtube.com/@Omnidev_	C:\Windows\System32\cmd.exe	—	JJSploit.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800)

Add for printing

Total events

392

Read events

392

Write events

Delete events

Modification events

No data

Add for printing

Executable files

216

Suspicious files

816

Text files

207

Unknown types

Dropped files

PID	Process	Filename		Type
6680	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
6680	msiexec.exe	C:\Windows\Installer\91ab0.msi		—
		MD5:—	SHA256:—
6680	msiexec.exe	C:\Program Files\JJSploit\resources\luascripts\jailbreak\policeesp.lua		text
		MD5:4F50FFCD1D3B9AE16550950CB634BA92	SHA256:2BEB5CDC4FA2F8B7FBFE8F29DB19E0FBCA7A00D91835AB5257D84F2B042BABEF
6680	msiexec.exe	C:\Windows\Installer\inprogressinstallinfo.ipi		binary
		MD5:B5965FCDCE02C07189BA17B0E1072258	SHA256:E38D0190367D51D5F7E0109B9C24BC5D2E7D94C71FCF2941EED2FD1F5709D901
6680	msiexec.exe	C:\System Volume Information\SPP\snapshot-2		binary
		MD5:3861B6B7F95BD4064F325E5E25CF8D90	SHA256:CD0312916A7C088285E820E8121906DA4CA8B01BDC07D91801D318AF55E546CB
6680	msiexec.exe	C:\Windows\Installer\MSI1EA7.tmp		binary
		MD5:869033B5ADA670CCDE917172A23348DE	SHA256:FC4948863C997CD2CA8815D2C2F5A1F406937C8C2537D02C535ED291774D73C3
6680	msiexec.exe	C:\Program Files\JJSploit\resources\luascripts\animations\jumpland.lua		text
		MD5:2899EC217AEF73B127C9328785012EEF	SHA256:7D4CA7B02C90B0B21D64C2BAA6E5940DCCE895DB5BC125D0E993A5A883186721
6268	msiexec.exe	C:\Users\admin\AppData\Local\Temp\MSID4DD.tmp		executable
		MD5:CFBB8568BD3711A97E6124C56FCFA8D9	SHA256:7F47D98AB25CFEA9B3A2E898C3376CC9BA1CD893B4948B0C27CAA530FD0E34CC
6680	msiexec.exe	C:\Program Files\JJSploit\resources\luascripts\general\tptool.lua		binary
		MD5:78990037F24311727092F08334ACE6E0	SHA256:17BDAD5A7E4910982519F219B1E40525F4F5B2E4C55224E491A13CE4D98CA60C
6680	msiexec.exe	C:\Windows\Temp\~DF7FB7CC6F81169C22.TMP		binary
		MD5:BF619EAC0CDF3F68D496EA9344137E8B	SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

131

DNS requests

155

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
—	—	GET	200	2.18.244.216:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	2.18.244.216:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	23.200.189.225:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	23.200.189.225:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	HEAD	200	151.101.38.172:80	http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/5d5241d9-7389-4e74-9a81-2fda43039830?P1=1730195234&P2=404&P3=2&P4=HmpA2U4CMwQMqrpEBX86zGCPR50CnuAIPZpit29U49hUZXfp3Unr6aBrZ%2ffpObbIpl7B2ljc6s%2b5uOkUwTNCxA%3d%3d	unknown	—	—	whitelisted
—	—	GET	200	151.101.38.172:80	http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/5d5241d9-7389-4e74-9a81-2fda43039830?P1=1730195234&P2=404&P3=2&P4=HmpA2U4CMwQMqrpEBX86zGCPR50CnuAIPZpit29U49hUZXfp3Unr6aBrZ%2ffpObbIpl7B2ljc6s%2b5uOkUwTNCxA%3d%3d	unknown	—	—	whitelisted
—	—	HEAD	200	151.101.38.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/1490e18b-fab2-4eb0-b0f5-6785c3507d46?P1=1729775286&P2=404&P3=2&P4=J8AvxRtfUrgPUD8SkrTktOQtgEBiDzX5IM9X8C7PKHdnlHQe%2fx80AucUmgfuG%2fZRW1SmADnbheHM6HK8p91CDA%3d%3d	unknown	—	—	whitelisted
—	—	GET	206	151.101.38.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/1490e18b-fab2-4eb0-b0f5-6785c3507d46?P1=1729775286&P2=404&P3=2&P4=J8AvxRtfUrgPUD8SkrTktOQtgEBiDzX5IM9X8C7PKHdnlHQe%2fx80AucUmgfuG%2fZRW1SmADnbheHM6HK8p91CDA%3d%3d	unknown	—	—	whitelisted
—	—	GET	206	151.101.38.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/1490e18b-fab2-4eb0-b0f5-6785c3507d46?P1=1729775286&P2=404&P3=2&P4=J8AvxRtfUrgPUD8SkrTktOQtgEBiDzX5IM9X8C7PKHdnlHQe%2fx80AucUmgfuG%2fZRW1SmADnbheHM6HK8p91CDA%3d%3d	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
—	—	2.23.209.182:443	www.bing.com	Akamai International B.V.	GB	whitelisted
—	—	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
—	—	2.18.244.216:80	crl.microsoft.com	Akamai International B.V.	FR	whitelisted
—	—	23.200.189.225:80	www.microsoft.com	Moratelindo Internet Exchange Point	ID	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	239.255.255.250:1900	—	—	—	whitelisted
—	—	23.220.113.159:443	go.microsoft.com	AKAMAI-AS	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 51.124.78.146	whitelisted
www.bing.com	2.23.209.182 2.23.209.178 2.23.209.185 2.23.209.180 2.23.209.179 2.23.209.187 2.23.209.177 2.23.209.186 2.23.209.176 2.16.106.215	whitelisted
google.com	142.251.39.110	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
crl.microsoft.com	2.18.244.216	whitelisted
www.microsoft.com	23.200.189.225	whitelisted
go.microsoft.com	23.220.113.159	whitelisted
msedge.sf.dl.delivery.mp.microsoft.com	152.199.21.175	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
msedge.api.cdp.microsoft.com	4.155.164.36	whitelisted

Threats

PID	Process	Class	Message
—	—	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access raw user content on GitHub

Add for printing

No debug info

General Info

JJSploit_8.10.8_x64_en-US.msi

B837D10B9A71425DBF3D62B2CC59F447

85C9BA3331F7EB432C28365B0D1F36A201373A72

76C83D1BEBD6B01BAB76D9A94F223E1A3CF20F2040B8D58A12625074E2936F7C

98304:i2gwM94bZ3Rf46771hTuOXPtn+UqayHNg1CT5988K/DJUQqZJ4srQirZZMIcWTyp:BGDN3n2tqbYeY

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Run PowerShell with an invisible window

SUSPICIOUS

Executes as Windows Service

Manipulates environment variables

Request a resource from the Internet using PowerShell's cmdlet

Starts process via Powershell

The process bypasses the loading of PowerShell profile settings

Downloads file from URI via Powershell

Starts POWERSHELL.EXE for commands execution

Executable content was dropped or overwritten

Process drops legitimate windows executable

Application launched itself

Starts a Microsoft application from unusual location

Starts itself from another location

Starts CMD.EXE for commands execution

INFO

An automatically generated document

Manages system restore points

Executable content was dropped or overwritten

Application launched itself

Manual execution by a user

The executable file from the user directory is run by the Powershell process

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings