Overview

overview

10

Static

static

3

21fac61365...18.exe

windows7-x64

10

21fac61365...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-05-2024 22:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    21fac61365987a8abfcd0b429a2497bf_JaffaCakes118.exe

  • Size

    302KB

  • MD5

    21fac61365987a8abfcd0b429a2497bf

  • SHA1

    114fc4d7533b3fd0dd4d034ae55847d4885d1c70

  • SHA256

    8d97e718b37cc67721fa25fa05b78f12a750b1c6726805a23c43d3b5497d6e6b

  • SHA512

    d86ab5c4e3f1a33a929a99fa57df943e7ae4086543f947f8178a1216d19c1c16c68f350b36a53b062b55d63f0491f6065a7c3e0813edac7f806158c7035da66b

  • SSDEEP

    6144:+z+92mhAMJ/cPl3ix0LcjsyBhpH3AY4n3ZfJUh+HsgpqR0r8sqPTAv:+K2mhAMJ/cPlijsyBhpH3AY+3ZGe

Score
10/10
plugxtrojan

Malware Config

Signatures

  • Detects PlugX payload 19 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\21fac61365987a8abfcd0b429a2497bf_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\21fac61365987a8abfcd0b429a2497bf_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2504
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\RsTray.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\RsTray.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:1512
  • C:\ProgramData\360\RsTray.exe
    C:\ProgramData\360\RsTray.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:392
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3404
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 3404
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:4756

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\SxS\bug.log
    Filesize

    7KB

    MD5

    02559014187d8799d5db13bae331b060

    SHA1

    625c8a5c7d19262c16cf0a73f0e060b5d0604ddf

    SHA256

    0e65a5991c4dd8174b841196792dc908b573c2b497e7770a25197a0e8bfed377

    SHA512

    8d55edfb5e9cca6ebac05761b76ac8360a54cb8afd35f20fe22412b27ed4af04ac719683d686e2543edff61c870fb61d2a3259cf49543b06971ba6a574278830

    Download Submit

  • C:\ProgramData\SxS\bug.log
    Filesize

    7KB

    MD5

    d5561c4d5ddb2277be4084b7b30b9709

    SHA1

    e3e4f3a3923f269c84187729697b3cd412b45f87

    SHA256

    c38362d1b07575506b9086951fe7b031bdcd573b9efb6fc827e8d025067b3272

    SHA512

    960fad12f399389d5d088d9a4ac2289be935a16c6ae80391bbe7ecd273d6e332be4eedc11f542a7d06265697ef830581cf2200148159ddfe865779305ada58a7

    Download Submit

  • C:\ProgramData\SxS\bug.log
    Filesize

    5KB

    MD5

    ceea3ba5689893d522554d7bf2bde7b0

    SHA1

    33edd1c1527421492f31b092fa0a410261f0b1cb

    SHA256

    26efc950db2c42ff7ca13111b2df2ca2f052da7d64175a4898e03697a329a328

    SHA512

    e114940527305e54108ef0d482199c77cdae65f98a32cffb18cb45d883795028cb1c19021cf6d48aa34e846266a3f849b2d60e7fe81c75f8ad26bf04780aa487

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\RsTray.exe
    Filesize

    174KB

    MD5

    d65adc7ad95e88fab486707b8c228f17

    SHA1

    dfa0589b58a469e34695a22313d184e5352a3282

    SHA256

    a3674fef407c354e911a8a6c7d4b991802c47cf6409d6dc32dc84be6312159e2

    SHA512

    3c9114610dfc107adec6a6220356607c737499866eba965985bb1f6b9aedbfae529a5432abb8307ce0653580fab9c2580c66d96ef4cdb4319a0fde5ad3c3ac01

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\comserv.dll
    Filesize

    41KB

    MD5

    b1253aa4e944916ab10235348cd6a3dd

    SHA1

    0046b288ba631f7363350e797ceb703ec8ae830e

    SHA256

    cb974a188d63849431ffe8868ee4faf020c3ff8679c0f0dd08d10fa91fa9c1eb

    SHA512

    d5134a43457ebb64e4d523cdb74ed1fda4b1d9d6f16919a5f7021858740d85832b8a7954631801f46bd460a5f2df7e6c5b70d37ef61a4e85deffb6cb9460d023

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\comserv.dll.url
    Filesize

    122KB

    MD5

    7a2b112e3291887512f318865b5205e3

    SHA1

    9719a3e9cd3a4f91954a689d4bfef26cc63cc8c0

    SHA256

    d863346dcbf9a3926e50af34b2b7c148ef15ca5d6942c1a0b5ccd7f06bbc902a

    SHA512

    70c5beccd1efd0c70201c7632bd795a7410c225ddf0318affcc8f5e22b4a02af4ae32221c42a69184c9a05961c5d50e331ac7cba88e6663ceeb30372685996a9

    Download Submit

  • memory/392-39-0x0000000000DD0000-0x0000000000E01000-memory.dmp

    Filesize

    196KB

    Download

  • memory/392-40-0x0000000000DD0000-0x0000000000E01000-memory.dmp

    Filesize

    196KB

    Download

  • memory/1512-19-0x0000000002310000-0x0000000002410000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1512-20-0x0000000002150000-0x0000000002181000-memory.dmp

    Filesize

    196KB

    Download

  • memory/1512-33-0x0000000002150000-0x0000000002181000-memory.dmp

    Filesize

    196KB

    Download

  • memory/3404-89-0x00000000018D0000-0x0000000001901000-memory.dmp

    Filesize

    196KB

    Download

  • memory/3404-46-0x00000000018D0000-0x0000000001901000-memory.dmp

    Filesize

    196KB

    Download

  • memory/3404-90-0x00000000018D0000-0x0000000001901000-memory.dmp

    Filesize

    196KB

    Download

  • memory/3404-45-0x00000000012C0000-0x00000000012C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3404-88-0x00000000012C0000-0x00000000012C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3404-78-0x00000000018D0000-0x0000000001901000-memory.dmp

    Filesize

    196KB

    Download

  • memory/3404-94-0x00000000018D0000-0x0000000001901000-memory.dmp

    Filesize

    196KB

    Download

  • memory/3404-95-0x00000000018D0000-0x0000000001901000-memory.dmp

    Filesize

    196KB

    Download

  • memory/3404-118-0x00000000018D0000-0x0000000001901000-memory.dmp

    Filesize

    196KB

    Download

  • memory/3404-91-0x00000000018D0000-0x0000000001901000-memory.dmp

    Filesize

    196KB

    Download

  • memory/3404-41-0x00000000018D0000-0x0000000001901000-memory.dmp

    Filesize

    196KB

    Download

  • memory/3404-110-0x00000000018D0000-0x0000000001901000-memory.dmp

    Filesize

    196KB

    Download

  • memory/3404-107-0x00000000018D0000-0x0000000001901000-memory.dmp

    Filesize

    196KB

    Download

  • memory/3404-106-0x00000000018D0000-0x0000000001901000-memory.dmp

    Filesize

    196KB

    Download

  • memory/4756-105-0x0000000002D40000-0x0000000002D71000-memory.dmp

    Filesize

    196KB

    Download

  • memory/4756-103-0x0000000000F90000-0x0000000000F91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4756-104-0x0000000002D40000-0x0000000002D71000-memory.dmp

    Filesize

    196KB

    Download

  • memory/4756-99-0x0000000002D40000-0x0000000002D71000-memory.dmp

    Filesize

    196KB

    Download