File name:	JJSploit.exe
Full analysis:	https://app.any.run/tasks/86059a9c-17c0-4390-a843-910a959fa777
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. XWorm ist ein Remote Access Trojaner (RAT), der als Malware-as-a-Service verkauft wird. Er verfügt über ein umfangreiches Hacking-Toolset und ist in der Lage, private Informationen und Dateien auf dem infizierten Computer zu sammeln, MetaMask- und Telegram-Konten zu kapern und Benutzeraktivitäten zu verfolgen. XWorm wird in der Regel durch mehrstufige Angriffe auf die Computer der Opfer übertragen, die mit Phishing-E-Mails beginnen. Malware Trends Tracker >>>
Analysis date:	February 23, 2025, 02:25:00
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion xworm remote stealer umbralstealer discord exfiltration loader
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:	F29FD0BB7218E3CF63AB6040BE0A1698
SHA1:	C078E4888D6E1CF6C75A4141D51A1D375C2F71C8
SHA256:	CCBCC6269218D292A06DB3D9896DC621598A76794881FFBEB6F093D8B54E1C43
SSDEEP:	98304:04t6ZmQuYt+0ga9SiYgURFCZLQ7XYQycuKShbh854EG+kwJ9CFvlx2JgAgpF2lLu:t8GYgN5OweKf5B4xGY

.exe	\|	InstallShield setup (53.2)
.exe	\|	Win32 Executable Delphi generic (17.5)
.scr	\|	Windows screen saver (16.1)
.exe	\|	Win32 Executable (generic) (5.5)
.exe	\|	Win16/32 Executable Delphi generic (2.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	1992:06:19 22:22:17+00:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	5120
InitializedDataSize:	6959104
UninitializedDataSize:	-
EntryPoint:	0x20cc
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
FileDescription:
FileVersion:	1.0.0.0
InternalName:	JJspoit.exe
LegalCopyright:
OriginalFileName:	JJspoit.exe
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0


(PID) Process:	(6032) JJSploitInjector.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\JJSploitInjector_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6032) JJSploitInjector.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\JJSploitInjector_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(6032) JJSploitInjector.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\JJSploitInjector_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(6032) JJSploitInjector.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\JJSploitInjector_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(6032) JJSploitInjector.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\JJSploitInjector_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(6032) JJSploitInjector.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\JJSploitInjector_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(6032) JJSploitInjector.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\JJSploitInjector_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(6032) JJSploitInjector.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\JJSploitInjector_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6032) JJSploitInjector.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\JJSploitInjector_RASMANCS
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(6032) JJSploitInjector.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\JJSploitInjector_RASMANCS
Operation:	write	Name:	EnableConsoleTracing
Value: 0

PID	Process	Filename		Type
904	JJSploit.exe	C:\Users\admin\AppData\Local\Temp\jjsploit_8.12.2_x64_en-US (1).msi		—
		MD5:—	SHA256:—
904	JJSploit.exe	C:\Users\admin\AppData\Local\Temp\JJSploitInjector.exe		executable
		MD5:760861BFE626A80DCF4D2B13F8D8C76A	SHA256:4ECF8BC1C1E327565B66512A335D72C376D4189F11FC8F751B0D2CD337EA8339
6508	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_mwhv3adg.q0b.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6656	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5vvn0ni3.wou.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3260	JJSploitInjector.exe	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\1x6Uk.scr		executable
		MD5:760861BFE626A80DCF4D2B13F8D8C76A	SHA256:4ECF8BC1C1E327565B66512A335D72C376D4189F11FC8F751B0D2CD337EA8339
5392	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:8EDB30580C10A1C3E8AC4865E3776527	SHA256:511B3B4271A16158692561D445E65F0F49C4A1BE1FF8A5B4017306B191E91B0A
3092	JJSplo.exe	C:\Users\admin\AppData\Local\Temp\System32.exe		executable
		MD5:C5BA230193B7F217C0E512A5CB8606E8	SHA256:D363B1ECFAD886B1368AA54A7E0F1438A615B80010A06EE5B5E2E8CD44D1FBC9
6656	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_sjsulhqr.my2.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6812	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hzs2aztx.iu1.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3208	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	142.250.186.35:443	https://gstatic.com/generate_204	US	—	—	unknown
640	svchost.exe	GET	200	23.53.40.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	DE	binary	1.01 Kb	whitelisted
3576	RUXIMICS.exe	GET	200	23.53.40.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	DE	binary	1.01 Kb	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.53.40.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	DE	binary	1.01 Kb	whitelisted
3576	RUXIMICS.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	DE	binary	973 b	whitelisted
6032	JJSploitInjector.exe	GET	200	208.95.112.1:80	http://ip-api.com/line/?fields=hosting	US	text	6 b	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	DE	binary	973 b	whitelisted
3092	JJSplo.exe	GET	200	208.95.112.1:80	http://ip-api.com/line/?fields=hosting	US	text	6 b	whitelisted
—	—	GET	204	142.250.186.35:443	https://gstatic.com/generate_204	US	—	—	unknown
3260	JJSploitInjector.exe	GET	200	208.95.112.1:80	http://ip-api.com/line/?fields=hosting	US	text	6 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
640	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3576	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4712	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6032	JJSploitInjector.exe	142.250.184.227:443	gstatic.com	GOOGLE	US	whitelisted
3576	RUXIMICS.exe	23.53.40.176:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
640	svchost.exe	23.53.40.176:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	23.53.40.176:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
3576	RUXIMICS.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 4.231.128.59	whitelisted
google.com	142.250.186.110	whitelisted
gstatic.com	142.250.184.227	whitelisted
crl.microsoft.com	23.53.40.176 23.53.40.178	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
ip-api.com	208.95.112.1	whitelisted
www.bing.com	184.86.251.22 184.86.251.27	whitelisted
study-conclusions.gl.at.ply.gg	147.185.221.26	unknown
discord.com	162.159.138.232 162.159.136.232 162.159.128.233 162.159.135.232 162.159.137.232	whitelisted
go.microsoft.com	184.30.249.239	whitelisted

PID	Process	Class	Message
2192	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
2192	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
6032	JJSploitInjector.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup ip-api.com
6032	JJSploitInjector.exe	Device Retrieving External IP Address Detected	POLICY [ANY.RUN] External Hosting Lookup by ip-api
3092	JJSplo.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup ip-api.com
3092	JJSplo.exe	Device Retrieving External IP Address Detected	POLICY [ANY.RUN] External Hosting Lookup by ip-api
3260	JJSploitInjector.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup ip-api.com
3260	JJSploitInjector.exe	Device Retrieving External IP Address Detected	POLICY [ANY.RUN] External Hosting Lookup by ip-api
2192	svchost.exe	Potentially Bad Traffic	ET INFO playit .gg Tunneling Domain in DNS Lookup
2192	svchost.exe	A Network Trojan was detected	MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (.ply .gg)

General Info

JJSploit.exe

F29FD0BB7218E3CF63AB6040BE0A1698

C078E4888D6E1CF6C75A4141D51A1D375C2F71C8

CCBCC6269218D292A06DB3D9896DC621598A76794881FFBEB6F093D8B54E1C43

98304:04t6ZmQuYt+0ga9SiYgURFCZLQ7XYQycuKShbh854EG+kwJ9CFvlx2JgAgpF2lLu:t8GYgN5OweKf5B4xGY

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Uses Task Scheduler to run other applications

Create files in the Startup directory

Changes the autorun value in the registry

Adds path to the Windows Defender exclusion list

Changes settings for real-time protection

XWORM has been detected (YARA)

Changes settings for checking scripts for malicious actions

Changes settings for sending potential threat samples to Microsoft servers

Changes settings for reporting to Microsoft Active Protection Service (MAPS)

Changes settings for protection against network attacks (IPS)

Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

Changes Controlled Folder Access settings

XWORM has been detected (SURICATA)

Steals credentials from Web Browsers

Actions looks like stealing of personal data

UMBRALSTEALER has been detected (SURICATA)

Run PowerShell with an invisible window

Starts CMD.EXE for self-deleting

SUSPICIOUS

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Uses WMIC.EXE to obtain Windows Installer data

Checks for external IP

Accesses product unique identifier via WMI (SCRIPT)

Reads the date of Windows installation

Application launched itself

Uses ATTRIB.EXE to modify file attributes

Starts POWERSHELL.EXE for commands execution

Executes as Windows Service

Connects to unusual port

Script disables Windows Defender's real-time protection

Script disables Windows Defender's IPS

Contacting a server suspected of hosting an CnC

Script adds exclusion path to Windows Defender

Accesses operating system name via WMI (SCRIPT)

Uses WMIC.EXE to obtain operating system information

Uses WMIC.EXE to obtain computer system information

Uses WMIC.EXE to obtain a list of video controllers

Reads the Windows owner or organization settings

Starts process via Powershell

Downloads file from URI via Powershell

Accesses video controller name via WMI (SCRIPT)

The process connected to a server suspected of theft

The process bypasses the loading of PowerShell profile settings

Starts a Microsoft application from unusual location

Process drops legitimate windows executable

Manipulates environment variables

Gets or sets the security protocol (POWERSHELL)

Starts CMD.EXE for commands execution

Starts itself from another location

Creates/Modifies COM task schedule object

The process executes via Task Scheduler

Checks Windows Trust Settings

INFO

Reads the computer name

Checks supported languages

Process checks computer location settings

Create files in a temporary directory

Disables trace logs

Checks proxy server information

Reads Environment values

Reads the machine GUID from the registry

Reads the software policy settings

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Creates files or folders in the user directory

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)