File name: JJSploit_8.13.9.exe
Full analysis: https://app.any.run/tasks/3512aa0a-4b58-451c-9ba2-aa938136f1ef
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: December 16, 2024, 10:09:12
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: github, loader, evasion, meduza, stealer, exfiltration
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: FE9D7B49DAB665C66F2462AC58913202
SHA1: 3FA3A12F014E2CA04972C6EA2CFB439662EEF06F
SHA256: B5860AA704760ECAA8CB40C378C35DBD0C1D8B29D4D6B5EB9B97FAD1DFFF27B5
SSDEEP: 3072:250SBs5wCl1zWgDYIXe9thCrqSBs5wCl1zWgtn6mz:25Cw00aJXsth/w00O

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions look like stealing of personal data

      • cfg.exe (PID: 4076)
    • Steals credentials from Web Browsers

      • cfg.exe (PID: 4076)
    • MEDUZASTEALER has been detected (SURICATA)

      • cfg.exe (PID: 4076)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • JJSploit_8.13.9.exe (PID: 6800)
      • jjsploit.exe (PID: 5920)
    • Reads security settings of Internet Explorer

      • JJSploit_8.13.9.exe (PID: 6800)
      • cfg.exe (PID: 4076)
    • Application launched itself

      • cfg.exe (PID: 7112)
      • cfg.exe (PID: 6488)
    • Checks Windows Trust Settings

      • cfg.exe (PID: 4076)
    • Checks for external IP

      • cfg.exe (PID: 4076)
    • Potential Corporate Privacy Violation

      • cfg.exe (PID: 4076)
      • jjsploit.exe (PID: 5920)
    • Searches for installed software

      • cfg.exe (PID: 4076)
      • jjsploit.exe (PID: 5920)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • jjsploit.exe (PID: 5920)
    • The process creates files with name similar to system file names

      • jjsploit.exe (PID: 5920)
    • Connects to unusual port

      • cfg.exe (PID: 4076)
    • Process requests binary or script from the Internet

      • jjsploit.exe (PID: 5920)
    • Process drops legitimate windows executable

      • jjsploit.exe (PID: 5920)
    • The process connected to a server suspected of theft

      • cfg.exe (PID: 4076)
  • INFO

    • Reads the computer name

      • JJSploit_8.13.9.exe (PID: 6800)
      • cfg.exe (PID: 7128)
      • cfg.exe (PID: 4076)
      • jjsploit.exe (PID: 5920)
    • Checks supported languages

      • JJSploit_8.13.9.exe (PID: 6800)
      • cfg.exe (PID: 7112)
      • cfg.exe (PID: 7128)
      • cfg.exe (PID: 4076)
      • cfg.exe (PID: 6488)
      • jjsploit.exe (PID: 5920)
    • Creates files in a temporary directory

      • JJSploit_8.13.9.exe (PID: 6800)
      • jjsploit.exe (PID: 5920)
    • Reads the machine GUID from the registry

      • JJSploit_8.13.9.exe (PID: 6800)
      • cfg.exe (PID: 7128)
      • cfg.exe (PID: 4076)
    • The process uses the downloaded file

      • dllhost.exe (PID: 5236)
      • JJSploit_8.13.9.exe (PID: 6800)
    • Process checks computer location settings

      • JJSploit_8.13.9.exe (PID: 6800)
      • cfg.exe (PID: 4076)
    • Checks transactions between Windows and Oracle databases

      • cfg.exe (PID: 7128)
    • Reads security settings of Internet Explorer

      • dllhost.exe (PID: 5236)
    • Reads Environment values

      • cfg.exe (PID: 4076)
    • Checks proxy server information

      • cfg.exe (PID: 4076)
      • jjsploit.exe (PID: 5920)
    • Reads product name

      • cfg.exe (PID: 4076)
    • Reads the software policy settings

      • cfg.exe (PID: 4076)
    • The sample was compiled with English language support

      • JJSploit_8.13.9.exe (PID: 6800)
      • jjsploit.exe (PID: 5920)
    • Reads the time zone

      • cfg.exe (PID: 4076)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

Extension | File type | Confidence (%)
.exe | Generic CIL Executable (.NET, Mono, etc.) | 82.9
.dll | Win32 Dynamic Link Library (generic) | 7.4
.exe | Win32 Executable (generic) | 5.1
.exe | Generic Win/DOS Executable | 2.2
.exe | DOS Executable Generic | 2.2

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2090:06:21 13:11:34+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 48
CodeSize: 63488
InitializedDataSize: 36352
UninitializedDataSize: -
EntryPoint: 0x117d6
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: Installer
FileVersion: 1.0.0.0
InternalName: Installer.exe
LegalCopyright: Copyright © 2023
LegalTrademarks: -
OriginalFileName: Installer.exe
ProductName: Installer
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
All screenshots are available in the full report
Total processes: 123
Monitored processes: 8
Malicious processes: 5
Suspicious processes: 0

Behavior graph (interactive version in the full report)

Nodes: start → jjsploit_8.13.9.exe → cfg.exe (no specs), cfg.exe (no specs), CMSTPLUA (no specs), Color Management (no specs), cfg.exe (no specs), cfg.exe (#MEDUZASTEALER), jjsploit.exe

Process information

PID | CMD | Path | Indicators | Parent process

1904 | C:\WINDOWS\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | C:\Windows\System32\dllhost.exe | - | svchost.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Description: COM Surrogate | Exit code: 0 | Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\dllhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\kernel.appcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\bcryptprimitives.dll

4076 | "C:\Users\admin\AppData\Local\Temp\cfg.exe" | C:\Users\admin\AppData\Local\Temp\cfg.exe | MEDUZASTEALER | cfg.exe
User: admin | Integrity Level: HIGH
Modules (images): c:\users\admin\appdata\local\temp\cfg.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\ws2_32.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\crypt32.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\bcrypt.dll

5236 | C:\WINDOWS\system32\DllHost.exe /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937} | C:\Windows\System32\dllhost.exe | - | svchost.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Description: COM Surrogate | Exit code: 0 | Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\dllhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\kernel.appcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\bcryptprimitives.dll

5920 | "C:\Users\admin\AppData\Local\Temp\jjsploit.exe" | C:\Users\admin\AppData\Local\Temp\jjsploit.exe | - | JJSploit_8.13.9.exe
User: admin | Integrity Level: MEDIUM | Version: 8.10.7
Modules (images): c:\users\admin\appdata\local\temp\jjsploit.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\advapi32.dll

6488 | "C:\Users\admin\AppData\Local\Temp\cfg.exe" | C:\Users\admin\AppData\Local\Temp\cfg.exe | - | dllhost.exe
User: admin | Integrity Level: HIGH | Exit code: 0
Modules (images): c:\users\admin\appdata\local\temp\cfg.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\kernel.appcore.dll, c:\windows\system32\msvcrt.dll

6800 | "C:\Users\admin\Desktop\JJSploit_8.13.9.exe" | C:\Users\admin\Desktop\JJSploit_8.13.9.exe | - | explorer.exe
User: admin | Integrity Level: MEDIUM | Description: Installer | Exit code: 0 | Version: 1.0.0.0
Modules (images): c:\users\admin\desktop\jjsploit_8.13.9.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\mscoree.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll

7112 | "C:\Users\admin\AppData\Local\Temp\cfg.exe" | C:\Users\admin\AppData\Local\Temp\cfg.exe | - | JJSploit_8.13.9.exe
User: admin | Integrity Level: MEDIUM | Exit code: 0
Modules (images): c:\users\admin\appdata\local\temp\cfg.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\kernel.appcore.dll, c:\windows\system32\msvcrt.dll

7128 | "C:\Users\admin\AppData\Local\Temp\cfg.exe" | C:\Users\admin\AppData\Local\Temp\cfg.exe | - | cfg.exe
User: admin | Integrity Level: MEDIUM | Exit code: 1630
Modules (images): c:\users\admin\appdata\local\temp\cfg.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\ws2_32.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\crypt32.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\bcrypt.dll
Total events: 9 289
Read events: 9 273
Write events: 15
Delete events: 1

Modification events

PID | Process | Key | Operation | Name | Value
6800 | JJSploit_8.13.9.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\JJSploit_8_RASAPI32 | write | EnableFileTracing | 0
6800 | JJSploit_8.13.9.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\JJSploit_8_RASAPI32 | write | EnableAutoFileTracing | 0
6800 | JJSploit_8.13.9.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\JJSploit_8_RASAPI32 | write | EnableConsoleTracing | 0
6800 | JJSploit_8.13.9.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\JJSploit_8_RASAPI32 | write | FileTracingMask | -
6800 | JJSploit_8.13.9.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\JJSploit_8_RASAPI32 | write | ConsoleTracingMask | -
6800 | JJSploit_8.13.9.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\JJSploit_8_RASAPI32 | write | MaxFileSize | 1048576
6800 | JJSploit_8.13.9.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\JJSploit_8_RASAPI32 | write | FileDirectory | %windir%\tracing
6800 | JJSploit_8.13.9.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\JJSploit_8_RASMANCS | write | EnableFileTracing | 0
6800 | JJSploit_8.13.9.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\JJSploit_8_RASMANCS | write | EnableAutoFileTracing | 0
6800 | JJSploit_8.13.9.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\JJSploit_8_RASMANCS | write | EnableConsoleTracing | 0
Executable files: 7
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
6800 | JJSploit_8.13.9.exe | C:\Users\admin\AppData\Local\Temp\cfg.exe | executable | 8EDFF3F58DF24723F285AA113BA3DA4B | 82C1101855ADFF990A1A5E6DCF6BDC32103088007B1F5F1EA52D8E765FBB3AD3
5920 | jjsploit.exe | C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe | executable | EC5B2A3126F46E01E1FCBB215D4F9EC8 | 09C2A441A22186CBCC90E0A79556C4C696446740955C9031F8B52E84C7CD4EC1
5920 | jjsploit.exe | C:\Users\admin\AppData\Local\Temp\nsr32C8.tmp\StartMenu.dll | executable | D070F3275DF715BF3708BEFF2C6C307D | 42DD4DDA3249A94E32E20F76EAFFAE784A5475ED00C60EF0197C8A2C1CCD2FB7
6800 | JJSploit_8.13.9.exe | C:\Users\admin\AppData\Local\Temp\jjsploit.exe | executable | 87BECE829AEC9CD170070742F5CC2DB7 | 88A19D3E027158E8C66D5068303532A0D56A700F718DB80AA97E5E44F39BF4A4
5920 | jjsploit.exe | C:\Users\admin\AppData\Local\Temp\nsr32C8.tmp\System.dll | executable | CFF85C549D536F651D4FB8387F1976F2 | 8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
5920 | jjsploit.exe | C:\Users\admin\AppData\Local\Temp\nsr32C8.tmp\nsDialogs.dll | executable | 6C3F8C94D0727894D706940A8A980543 | 56B96ADD1978B1ABBA286F7F8982B0EFBE007D4A48B3DED6A4D408E01D753FE2
5920 | jjsploit.exe | C:\Users\admin\AppData\Local\Temp\nsr32C8.tmp\NSISdl.dll | executable | EE68463FED225C5C98D800BDBD205598 | 419485A096BC7D95F872ED1B9B7B5C537231183D710363BEEE4D235BB79DBE04
5920 | jjsploit.exe | C:\Users\admin\AppData\Local\Temp\nsr32C8.tmp\modern-wizard.bmp | image | CBE40FD2B1EC96DAEDC65DA172D90022 | 3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 18
TCP/UDP connections: 27
DNS requests: 13
Threats: 17

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 302 | 140.82.121.4:443 | https://github.com/Marcin2123/actualka/raw/refs/heads/main/tumbler_G | unknown | - | - | -
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 302 | 140.82.121.4:443 | https://github.com/Marcin2123/actualka/raw/refs/heads/main/321123123.exe | unknown | - | - | -
- | - | GET | 302 | 140.82.121.4:443 | https://github.com/Marcin2123/jjsploit/raw/refs/heads/main/file_jjsploit | unknown | - | - | -
- | - | GET | 302 | 140.82.121.4:443 | https://github.com/Marcin2123/jjsploit/raw/refs/heads/main/JJSploit_8.10.7_x64-setup.exe | unknown | - | - | -
5920 | jjsploit.exe | GET | 301 | 184.28.89.167:80 | http://go.microsoft.com/fwlink/p/?LinkId=2124703 | unknown | - | - | whitelisted
5920 | jjsploit.exe | GET | 200 | 2.22.242.129:80 | http://msedge.sf.dl.delivery.mp.microsoft.com/filestreamingservice/files/3aa91245-82ae-4367-bbc2-c8d7a8fc1730/MicrosoftEdgeWebview2Setup.exe | unknown | - | - | whitelisted
- | - | POST | 204 | 104.126.37.130:443 | https://www.bing.com/threshold/xls.aspx | unknown | - | - | whitelisted
- | - | GET | 200 | 140.82.121.4:443 | https://raw.githubusercontent.com/Marcin2123/actualka/refs/heads/main/file | unknown | text | 73 b | -
- | - | GET | 200 | 140.82.121.4:443 | https://raw.githubusercontent.com/Marcin2123/actualka/refs/heads/main/321123123.exe | unknown | executable | 3.12 Mb | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 224.0.0.252:5355 | - | - | - | whitelisted
- | - | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 224.0.0.251:5353 | - | - | - | unknown
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5064 | SearchApp.exe | 104.126.37.128:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
6800 | JJSploit_8.13.9.exe | 140.82.121.4:443 | github.com | GITHUB | US | shared
4712 | MoUsoCoreWorker.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 20.73.194.208, 51.104.136.2 | whitelisted
google.com | 142.250.184.238 | whitelisted
www.bing.com | 104.126.37.128, 104.126.37.177, 104.126.37.186, 104.126.37.123, 104.126.37.178, 104.126.37.185, 104.126.37.131, 104.126.37.176, 104.126.37.130 | whitelisted
github.com | 140.82.121.4 | shared
crl.microsoft.com | 23.48.23.156, 23.48.23.143 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
raw.githubusercontent.com | 185.199.108.133, 185.199.111.133, 185.199.109.133, 185.199.110.133 | shared
api.ipify.org | 104.26.13.205, 104.26.12.205, 172.67.74.152 | shared
go.microsoft.com | 184.28.89.167 | whitelisted
msedge.sf.dl.delivery.mp.microsoft.com | 2.22.242.129, 2.22.242.107 | whitelisted

Threats

PID | Process | Class | Message
2192 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
4076 | cfg.exe | Potential Corporate Privacy Violation | ET POLICY Possible IP Check api.ipify.org
2192 | svchost.exe | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
4076 | cfg.exe | Misc activity | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
4076 | cfg.exe | A Network Trojan was detected | ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M1
4076 | cfg.exe | A Network Trojan was detected | ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M1
4076 | cfg.exe | A Network Trojan was detected | ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)
4076 | cfg.exe | Successful Credential Theft Detected | STEALER [ANY.RUN] Meduza Stealer
4076 | cfg.exe | Successful Credential Theft Detected | STEALER [ANY.RUN] Meduza Stealer
4076 | cfg.exe | A Network Trojan was detected | ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)
4 ETPRO signatures available at the full report
No debug info