plugx | 792eba5ba91a52bfb3b369107f38fb9a7e7b7987cd870f465338eae59e81f3f6 | Triage

Sharing

General

Target

fba356748c02da7a65ddef9470aa1cf2_JaffaCakes118
Size

125KB
Sample

240420-b1a5yadh8t
MD5

fba356748c02da7a65ddef9470aa1cf2
SHA1

e0e3b538d015b1eb06a8a663bc746a36c3cc5848
SHA256

792eba5ba91a52bfb3b369107f38fb9a7e7b7987cd870f465338eae59e81f3f6
SHA512

f626824b33ea03f690500058c73ba662a1363535f80e7b05149dc8b580bd6bf514b334f3509283933993d0947b254c30cb6ddbf7be99d53de471997a2ef2f71d
SSDEEP

3072:DQIURTXJ+MSx7NqlTE6jSOJH9deWpA9+MlScvohy8oAYS0tzgv:Ds9Sx7NqRz9In+Ml1vob6dtK

Score

10^/10

plugx persistence trojan

Malware Config

Targets

- Target
  
  fba356748c02da7a65ddef9470aa1cf2_JaffaCakes118
- Size
  
  125KB
- MD5
  
  fba356748c02da7a65ddef9470aa1cf2
- SHA1
  
  e0e3b538d015b1eb06a8a663bc746a36c3cc5848
- SHA256
  
  792eba5ba91a52bfb3b369107f38fb9a7e7b7987cd870f465338eae59e81f3f6
- SHA512
  
  f626824b33ea03f690500058c73ba662a1363535f80e7b05149dc8b580bd6bf514b334f3509283933993d0947b254c30cb6ddbf7be99d53de471997a2ef2f71d
- SSDEEP
  
  3072:DQIURTXJ+MSx7NqlTE6jSOJH9deWpA9+MlScvohy8oAYS0tzgv:Ds9Sx7NqRz9In+Ml1vob6dtK
Score

10^/10

plugx persistence trojan
- PlugX
  PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
  trojan plugx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2
- Target
  
  $TEMP/arpa.exe
- Size
  
  95KB
- MD5
  
  28c6f235946fd694d2634c7a2f24c1ba
- SHA1
  
  e9a9ce1ff07834d6ba9a51ba0d9e7c7a0b68d3e5
- SHA256
  
  c3159d4f85ceb84c4a0f7ea9208928e729a30ddda4fead7ec6257c7dd1984763
- SHA512
  
  16865c473e010950a2aa25263af70074ad7539a86dc20e0a253df39e54e3635e99e821d4df83cd7a0eaeff10c75782966439d16d056427e824be8df953e138be
- SSDEEP
  
  1536:d4mHlQgfJA3DrnN6TU3W9bEuLJDuUVfwX9Gy5JE840gbDcCRDb9:dBFwrs9bb1VYXH5JE840Ax/9
Score

10^/10

plugx persistence trojan
- PlugX
  PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
  trojan plugx
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral3 behavioral4
- Target
  
  $TEMP/http_dll.dll
- Size
  
  20KB
- MD5
  
  5b92266d9a26260b4c9920ede267ba37
- SHA1
  
  372d5455fdb689787e7e49f7799510c6c2cdf6b7
- SHA256
  
  d3c41834ea1a05eb19b6012a9c0c4a2dd9df243af0df56885edabedfe3fea261
- SHA512
  
  db9b277d74d1c50b8580b8dbeef1f5c3f54a6cf436a95c658bf7b8201d48ed651400fdde84d7297abf7f71b1f8f2bf335716833e564fa25cf10483b5f8766ec5
- SSDEEP
  
  48:qN+CUF+FoqxHGvf12FTGp8FbhOzSNuIlJb4sDfUpEoOtqFt2MEx6xglBmc:89JbcV2Fyp85zJDfMEoVWlo
Score

1^/10
behavioral5 behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

plugxpersistencetrojan

behavioral2

plugxpersistencetrojan

behavioral3

plugxpersistencetrojan

behavioral4

plugxpersistencetrojan

behavioral5

behavioral6