General

  • Target

    fba356748c02da7a65ddef9470aa1cf2_JaffaCakes118

  • Size

    125KB

  • Sample

    240420-b1a5yadh8t

  • MD5

    fba356748c02da7a65ddef9470aa1cf2

  • SHA1

    e0e3b538d015b1eb06a8a663bc746a36c3cc5848

  • SHA256

    792eba5ba91a52bfb3b369107f38fb9a7e7b7987cd870f465338eae59e81f3f6

  • SHA512

    f626824b33ea03f690500058c73ba662a1363535f80e7b05149dc8b580bd6bf514b334f3509283933993d0947b254c30cb6ddbf7be99d53de471997a2ef2f71d

  • SSDEEP

    3072:DQIURTXJ+MSx7NqlTE6jSOJH9deWpA9+MlScvohy8oAYS0tzgv:Ds9Sx7NqRz9In+Ml1vob6dtK

Malware Config

Targets

    • Target

      fba356748c02da7a65ddef9470aa1cf2_JaffaCakes118

    • Size

      125KB

    • MD5

      fba356748c02da7a65ddef9470aa1cf2

    • SHA1

      e0e3b538d015b1eb06a8a663bc746a36c3cc5848

    • SHA256

      792eba5ba91a52bfb3b369107f38fb9a7e7b7987cd870f465338eae59e81f3f6

    • SHA512

      f626824b33ea03f690500058c73ba662a1363535f80e7b05149dc8b580bd6bf514b334f3509283933993d0947b254c30cb6ddbf7be99d53de471997a2ef2f71d

    • SSDEEP

      3072:DQIURTXJ+MSx7NqlTE6jSOJH9deWpA9+MlScvohy8oAYS0tzgv:Ds9Sx7NqRz9In+Ml1vob6dtK

    • PlugX

      PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check before running.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      $TEMP/arpa.exe

    • Size

      95KB

    • MD5

      28c6f235946fd694d2634c7a2f24c1ba

    • SHA1

      e9a9ce1ff07834d6ba9a51ba0d9e7c7a0b68d3e5

    • SHA256

      c3159d4f85ceb84c4a0f7ea9208928e729a30ddda4fead7ec6257c7dd1984763

    • SHA512

      16865c473e010950a2aa25263af70074ad7539a86dc20e0a253df39e54e3635e99e821d4df83cd7a0eaeff10c75782966439d16d056427e824be8df953e138be

    • SSDEEP

      1536:d4mHlQgfJA3DrnN6TU3W9bEuLJDuUVfwX9Gy5JE840gbDcCRDb9:dBFwrs9bb1VYXH5JE840Ax/9

    • PlugX

      PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      $TEMP/http_dll.dll

    • Size

      20KB

    • MD5

      5b92266d9a26260b4c9920ede267ba37

    • SHA1

      372d5455fdb689787e7e49f7799510c6c2cdf6b7

    • SHA256

      d3c41834ea1a05eb19b6012a9c0c4a2dd9df243af0df56885edabedfe3fea261

    • SHA512

      db9b277d74d1c50b8580b8dbeef1f5c3f54a6cf436a95c658bf7b8201d48ed651400fdde84d7297abf7f71b1f8f2bf335716833e564fa25cf10483b5f8766ec5

    • SSDEEP

      48:qN+CUF+FoqxHGvf12FTGp8FbhOzSNuIlJb4sDfUpEoOtqFt2MEx6xglBmc:89JbcV2Fyp85zJDfMEoVWlo

    Score
    1/10
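The three targets above give exact hashes for the dropper, $TEMP/arpa.exe and $TEMP/http_dll.dll, and the behaviour signatures record a Run-key autostart pointing at the dropped files. The script below is an added example, not part of the sandbox report: it turns those indicators into a host sweep. It matches file digests against the report's MD5/SHA1/SHA256 values, and, because hash matching only catches this exact build, it also parses `reg query` output for the Run key and flags any value that launches a dropped file name or any executable under %TEMP%. The registry text and the environment mapping are constructed for the example; the `reg query` column layout (name, type, data separated by runs of spaces) is an assumption about that tool's output.

```python
"""Sweep a host for the PlugX indicators in the report above (added example)."""
import hashlib
import ntpath
import re

# Hash values copied from the report's three targets.
REPORT_HASHES = {
    "md5": {
        "fba356748c02da7a65ddef9470aa1cf2": "fba356748c02da7a65ddef9470aa1cf2_JaffaCakes118",
        "28c6f235946fd694d2634c7a2f24c1ba": "$TEMP/arpa.exe",
        "5b92266d9a26260b4c9920ede267ba37": "$TEMP/http_dll.dll",
    },
    "sha1": {
        "e0e3b538d015b1eb06a8a663bc746a36c3cc5848": "fba356748c02da7a65ddef9470aa1cf2_JaffaCakes118",
        "e9a9ce1ff07834d6ba9a51ba0d9e7c7a0b68d3e5": "$TEMP/arpa.exe",
        "372d5455fdb689787e7e49f7799510c6c2cdf6b7": "$TEMP/http_dll.dll",
    },
    "sha256": {
        "792eba5ba91a52bfb3b369107f38fb9a7e7b7987cd870f465338eae59e81f3f6": "fba356748c02da7a65ddef9470aa1cf2_JaffaCakes118",
        "c3159d4f85ceb84c4a0f7ea9208928e729a30ddda4fead7ec6257c7dd1984763": "$TEMP/arpa.exe",
        "d3c41834ea1a05eb19b6012a9c0c4a2dd9df243af0df56885edabedfe3fea261": "$TEMP/http_dll.dll",
    },
}
# File names the report shows being dropped into %TEMP%.
DROPPED_NAMES = {"arpa.exe", "http_dll.dll"}

# Constructed sample of `reg query HKCU\...\Run` output (not from the report).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    arpa    REG_SZ    "%TEMP%\arpa.exe"
    Updater    REG_SZ    C:\Users\alice\AppData\Local\Temp\svc.exe -k
"""
# Constructed environment for expanding %TEMP% (assumption: key is "TEMP").
SAMPLE_ENV = {"TEMP": r"C:\Users\alice\AppData\Local\Temp"}


def hash_bytes(data: bytes) -> dict:
    """Return md5/sha1/sha256 hex digests, the algorithms the report lists."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def match_hashes(digests: dict):
    """Return the report target whose hash matches any supplied digest, else None."""
    for alg, table in REPORT_HASHES.items():
        value = digests.get(alg, "").lower()
        if value in table:
            return table[value]
    return None


def sweep_file(path: str):
    """Hash a file on disk and match it against the report's indicators."""
    with open(path, "rb") as fh:
        return match_hashes(hash_bytes(fh.read()))


# One value line of `reg query`: indented name, type, data, separated by 2+ spaces.
_REG_LINE = re.compile(r"^\s+(?P<name>\S.*?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*\S)\s*$")


def parse_reg_query(text: str) -> list:
    """Parse `reg query` output into (name, type, data) tuples; other lines are skipped."""
    return [(m["name"], m["type"], m["data"]) for m in map(_REG_LINE.match, text.splitlines()) if m]


def expand_env(path: str, env: dict) -> str:
    """Expand %VAR% references case-insensitively from the supplied environment."""
    upper = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%(\w+)%", lambda m: upper.get(m.group(1).upper(), m.group(0)), path)


def image_path(command: str) -> str:
    """Return the executable path from a Run value: the quoted path, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0]


def flag_run_entries(reg_text: str, env: dict) -> list:
    """Flag Run-key values that launch a dropped file name or anything under %TEMP%."""
    temp_dir = ntpath.normcase(env["TEMP"]).rstrip("\\")
    findings = []
    for name, _type, data in parse_reg_query(reg_text):
        path = ntpath.normcase(expand_env(image_path(data), env))  # lowercase, backslashes
        reasons = []
        if ntpath.basename(path) in DROPPED_NAMES:
            reasons.append("dropped file name from report")
        if path.startswith(temp_dir + "\\"):
            reasons.append("executable under %TEMP%")
        if reasons:
            findings.append({"value": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_run_entries(SAMPLE_REG_QUERY, SAMPLE_ENV):
        print(finding)
```

The path heuristic is deliberately broader than the report: a small EXE next to an http_dll.dll in %TEMP% is the loader layout PlugX is known for, but the report only records that the DLL is loaded, so treat a %TEMP% hit as a lead to hash and inspect, not as a confirmed match.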

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic                Technique                            Count  ID
Persistence           Boot or Logon Autostart Execution    2      T1547
Persistence           Registry Run Keys / Startup Folder   2      T1547.001
Privilege Escalation  Boot or Logon Autostart Execution    2      T1547
Privilege Escalation  Registry Run Keys / Startup Folder   2      T1547.001
Defense Evasion       Modify Registry                      2      T1112
Discovery             Query Registry                       1      T1012
Discovery             System Information Discovery         2      T1082

Tasks