Malware Analysis Report

2024-07-11 07:39

Sample ID 240507-2az99abb4y
Target 21fac61365987a8abfcd0b429a2497bf_JaffaCakes118
SHA256 8d97e718b37cc67721fa25fa05b78f12a750b1c6726805a23c43d3b5497d6e6b
Tags
plugx trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

8d97e718b37cc67721fa25fa05b78f12a750b1c6726805a23c43d3b5497d6e6b

Threat Level: Known bad

The file 21fac61365987a8abfcd0b429a2497bf_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

plugx trojan

Detects PlugX payload

PlugX

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-07 22:23

Signatures

Unsigned PE

1 hit; no description, indicator, process or target exported.

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-07 22:23

Reported

2024-05-07 22:25

Platform

win7-20240221-en

Max time kernel

149s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\21fac61365987a8abfcd0b429a2497bf_JaffaCakes118.exe"

Signatures

Detects PlugX payload

18 hits; no description, indicator, process or target exported.

PlugX

trojan plugx

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\RsTray.exe N/A
N/A N/A C:\ProgramData\360\RsTray.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-b1-a0-df-04-6e\WpadDecision = "0" C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-b1-a0-df-04-6e\WpadDecisionTime = f0654579cda0da01 C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2496C5CB-E9D9-463B-8009-CA6E9281A60F}\WpadDecision = "0" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2496C5CB-E9D9-463B-8009-CA6E9281A60F}\WpadNetworkName = "Network 3" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-b1-a0-df-04-6e C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-b1-a0-df-04-6e\WpadDecisionTime = 9010605fcda0da01 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-b1-a0-df-04-6e\WpadDecisionTime = f071625fcda0da01 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2496C5CB-E9D9-463B-8009-CA6E9281A60F} C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2496C5CB-E9D9-463B-8009-CA6E9281A60F}\WpadDecisionReason = "1" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2496C5CB-E9D9-463B-8009-CA6E9281A60F}\12-b1-a0-df-04-6e C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2496C5CB-E9D9-463B-8009-CA6E9281A60F}\WpadDecisionTime = 9010605fcda0da01 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2496C5CB-E9D9-463B-8009-CA6E9281A60F}\WpadDecisionTime = f071625fcda0da01 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2496C5CB-E9D9-463B-8009-CA6E9281A60F}\WpadDecisionTime = f0654579cda0da01 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-b1-a0-df-04-6e\WpadDecisionReason = "1" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-b1-a0-df-04-6e\WpadDetectedUrl C:\Windows\SysWOW64\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 39003200330046004500370034003500340044003300460036004100350032000000 (NUL-terminated UTF-16LE string "923FE7454D3F6A52") C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Process Hits
C:\Windows\SysWOW64\svchost.exe 14
C:\Windows\SysWOW64\msiexec.exe 50

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\RsTray.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\RsTray.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\360\RsTray.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\360\RsTray.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1632 wrote to memory of 1700 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\21fac61365987a8abfcd0b429a2497bf_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\RsTray.exe
PID 2624 wrote to memory of 2432 (9 events) N/A C:\ProgramData\360\RsTray.exe C:\Windows\SysWOW64\svchost.exe
PID 2432 wrote to memory of 2512 (12 events) N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\21fac61365987a8abfcd0b429a2497bf_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\21fac61365987a8abfcd0b429a2497bf_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\RsTray.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\RsTray.exe"

C:\ProgramData\360\RsTray.exe

C:\ProgramData\360\RsTray.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe 201 0

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\system32\msiexec.exe 209 2432

Network

Country Destination Domain Proto
N/A 10.127.255.255:53 udp
US 8.8.8.8:53 okidokid.oicp.net udp
CN 47.111.82.157:8000 okidokid.oicp.net tcp
US 8.8.8.8:53 okidokid.oicp.net udp
CN 47.111.82.157:8000 okidokid.oicp.net tcp
US 8.8.8.8:53 okidokid.oicp.net udp
CN 47.111.82.157:8000 okidokid.oicp.net udp
US 8.8.8.8:53 cn99test.3322.org udp
US 8.8.8.8:53 cn99test.3322.org udp
US 8.8.8.8:53 cn99test.3322.org udp
US 8.8.8.8:53 okidokid.oicp.net udp
CN 47.111.82.157:8000 okidokid.oicp.net tcp
CN 47.111.82.157:8000 okidokid.oicp.net tcp
US 8.8.8.8:53 okidokid.oicp.net udp
CN 47.111.82.157:8000 okidokid.oicp.net udp
US 8.8.8.8:53 cn99test.3322.org udp
US 8.8.8.8:53 cn99test.3322.org udp

Files

\Users\Admin\AppData\Local\Temp\RarSFX0\RsTray.exe

MD5 d65adc7ad95e88fab486707b8c228f17
SHA1 dfa0589b58a469e34695a22313d184e5352a3282
SHA256 a3674fef407c354e911a8a6c7d4b991802c47cf6409d6dc32dc84be6312159e2
SHA512 3c9114610dfc107adec6a6220356607c737499866eba965985bb1f6b9aedbfae529a5432abb8307ce0653580fab9c2580c66d96ef4cdb4319a0fde5ad3c3ac01

C:\Users\Admin\AppData\Local\Temp\RarSFX0\comserv.dll.url

MD5 7a2b112e3291887512f318865b5205e3
SHA1 9719a3e9cd3a4f91954a689d4bfef26cc63cc8c0
SHA256 d863346dcbf9a3926e50af34b2b7c148ef15ca5d6942c1a0b5ccd7f06bbc902a
SHA512 70c5beccd1efd0c70201c7632bd795a7410c225ddf0318affcc8f5e22b4a02af4ae32221c42a69184c9a05961c5d50e331ac7cba88e6663ceeb30372685996a9

memory/1700-37-0x00000000006B0000-0x00000000006E1000-memory.dmp

memory/2624-42-0x00000000002A0000-0x00000000002D1000-memory.dmp

memory/2432-49-0x00000000001D0000-0x0000000000201000-memory.dmp

memory/2432-48-0x00000000000C0000-0x00000000000C2000-memory.dmp

memory/2624-47-0x00000000002A0000-0x00000000002D1000-memory.dmp

memory/2432-46-0x00000000000A0000-0x00000000000BD000-memory.dmp

memory/2432-44-0x0000000000080000-0x0000000000081000-memory.dmp

\ProgramData\360\comserv.dll

MD5 b1253aa4e944916ab10235348cd6a3dd
SHA1 0046b288ba631f7363350e797ceb703ec8ae830e
SHA256 cb974a188d63849431ffe8868ee4faf020c3ff8679c0f0dd08d10fa91fa9c1eb
SHA512 d5134a43457ebb64e4d523cdb74ed1fda4b1d9d6f16919a5f7021858740d85832b8a7954631801f46bd460a5f2df7e6c5b70d37ef61a4e85deffb6cb9460d023

memory/1700-36-0x0000000000430000-0x0000000000530000-memory.dmp

memory/1700-22-0x00000000006B0000-0x00000000006E1000-memory.dmp

memory/2432-64-0x00000000001D0000-0x0000000000201000-memory.dmp

memory/2432-82-0x00000000001D0000-0x0000000000201000-memory.dmp

memory/2432-77-0x00000000001D0000-0x0000000000201000-memory.dmp

memory/2432-81-0x00000000001D0000-0x0000000000201000-memory.dmp

memory/2432-80-0x00000000001D0000-0x0000000000201000-memory.dmp

memory/2432-76-0x00000000001D0000-0x0000000000201000-memory.dmp

memory/2432-75-0x00000000001D0000-0x0000000000201000-memory.dmp

memory/2432-74-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2512-95-0x0000000000420000-0x0000000000451000-memory.dmp

memory/2512-96-0x0000000000420000-0x0000000000451000-memory.dmp

memory/2512-94-0x0000000000090000-0x0000000000091000-memory.dmp

C:\ProgramData\SxS\bug.log

MD5 295decc75adb2474ae45d4291a9a111e
SHA1 92102f1e5868f3139b7027120524d785a674f6b9
SHA256 8d76c61be8682c425cb15e89e0179c1c8e35cb86e7b6b54c60ef8239317d3d7a
SHA512 56c3090f32c2523c55d8dbe171efd64c423ded0d3cc67993a9d81c71379ee61a250317953cfbcdcb2f46969cdf85e586690f5adbeaed1175cca7268e220c97d8

memory/2512-90-0x0000000000420000-0x0000000000451000-memory.dmp

memory/2432-97-0x00000000001D0000-0x0000000000201000-memory.dmp

C:\ProgramData\SxS\bug.log

MD5 8ec93a87c25fd93235d3668540a1126c
SHA1 b8839a0853d8f3c43c02082ff5530263cc07eba6
SHA256 5bee4bb85703a6e309820f910be3766d7b88cebd96374030803d7aec3562f4cf
SHA512 0f54f16d469f241bb58712e6b6ae4946ac1887e7dd894858bb2a0549a0c6489a216ffa09c5e14dd5e6977501bc876b175751801043c14ffff77f976ab2794dc9

memory/2432-100-0x00000000001D0000-0x0000000000201000-memory.dmp

C:\ProgramData\SxS\bug.log

MD5 8d770a9af761ffd730138dff7e7ee955
SHA1 f494f853a341d2ad634436598379194f8b1d103d
SHA256 78165bca194e098f05838a74fe8d1c6e656730601704275a440faed38e3e7948
SHA512 3653cf222bb936881b1bfef3fbe204eb58390f1b49c26192c7aae400d4378d2aefb01c8f9b6b42ecf078603f1c6ffea95cdd13e37c566fe8b5f418dadd01e1d7

memory/2432-108-0x00000000001D0000-0x0000000000201000-memory.dmp
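Read together, the WriteProcessMemory, Processes and Files sections of this run describe one injection chain: the SFX-extracted RsTray.exe (PID 1700) is written to by the dropper, its copy under C:\ProgramData\360\ (PID 2624) is started afresh next to the dropped comserv.dll, that copy writes into svchost.exe (PID 2432), and svchost writes into msiexec.exe (PID 2512), whose command line "209 2432" carries the writer's PID. Each of those four processes has a dumped region of exactly 0x31000 bytes, while every other dumped size is specific to one or two processes. The Python below is an added example, not part of the sandbox report: it parses the dump file names (the "memory/<pid>-<seq>-<start>-<end>-memory.dmp" pattern used above) and the de-duplicated WriteProcessMemory edges transcribed from this section, rebuilds the chain and finds the region sizes common to all of its processes. Reading that shared region as the injected PlugX payload is the analyst's assumption, not something the report states.

```python
import re
from collections import defaultdict

# De-duplicated (writer PID, target PID) edges from the behavioral1
# "Suspicious use of WriteProcessMemory" table of this report.
WPM_EDGES = [
    (1632, 1700),   # 21fac6...JaffaCakes118.exe -> Temp\RarSFX0\RsTray.exe
    (2624, 2432),   # C:\ProgramData\360\RsTray.exe -> SysWOW64\svchost.exe
    (2432, 2512),   # SysWOW64\svchost.exe -> SysWOW64\msiexec.exe
]

# A subset of the dump names listed under "Files" for behavioral1.
DUMP_NAMES = [
    "memory/1700-37-0x00000000006B0000-0x00000000006E1000-memory.dmp",
    "memory/1700-36-0x0000000000430000-0x0000000000530000-memory.dmp",
    "memory/2624-42-0x00000000002A0000-0x00000000002D1000-memory.dmp",
    "memory/2432-49-0x00000000001D0000-0x0000000000201000-memory.dmp",
    "memory/2432-48-0x00000000000C0000-0x00000000000C2000-memory.dmp",
    "memory/2432-46-0x00000000000A0000-0x00000000000BD000-memory.dmp",
    "memory/2432-74-0x0000000000020000-0x0000000000021000-memory.dmp",
    "memory/2512-95-0x0000000000420000-0x0000000000451000-memory.dmp",
    "memory/2512-94-0x0000000000090000-0x0000000000091000-memory.dmp",
]

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)


def parse_dump_name(name):
    """Split '<pid>-<seq>-<start>-<end>' out of a sandbox memory dump file name."""
    m = DUMP_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def injection_chain(edges, root_pid):
    """Follow writer -> target edges from root_pid (breadth first, cycle safe)."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    chain, frontier = [root_pid], [root_pid]
    while frontier:
        nxt = []
        for pid in frontier:
            for child in children[pid]:
                if child not in chain:
                    chain.append(child)
                    nxt.append(child)
        frontier = nxt
    return chain


def regions_by_size(names):
    """size -> sorted PIDs that had a dumped region of exactly that size."""
    pids = defaultdict(set)
    for name in names:
        d = parse_dump_name(name)
        pids[d["size"]].add(d["pid"])
    return {size: sorted(p) for size, p in pids.items()}


def shared_region_sizes(names, pids):
    """Region sizes dumped from every PID in `pids`: the payload candidates."""
    wanted = set(pids)
    return sorted(size for size, have in regions_by_size(names).items()
                  if wanted <= set(have))


if __name__ == "__main__":
    chain = injection_chain(WPM_EDGES, 2624)      # [2624, 2432, 2512]
    print("chain from ProgramData RsTray.exe:", chain)
    # PID 1700 is the first RsTray.exe instance; 2624 was started, not injected.
    sizes = shared_region_sizes(DUMP_NAMES, [1700] + chain)
    print("region sizes shared by the whole chain:", [hex(s) for s in sizes])
```

The chain from the dropper (PID 1632) stops at PID 1700 because the ProgramData copy is launched as a new process rather than written to, which is why the example starts the second traversal at 2624; the dump of PID 2512 at offset 0x420000 is the one to carve first when looking for the decrypted payload.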

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-07 22:23

Reported

2024-05-07 22:26

Platform

win10v2004-20240419-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\21fac61365987a8abfcd0b429a2497bf_JaffaCakes118.exe"

Signatures

Detects PlugX payload

19 hits; no description, indicator, process or target exported.

PlugX

trojan plugx

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\21fac61365987a8abfcd0b429a2497bf_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\RsTray.exe N/A
N/A N/A C:\ProgramData\360\RsTray.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\RsTray.exe N/A
N/A N/A C:\ProgramData\360\RsTray.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 34004400440043003800300043003400460044003000330034004500390045000000 (NUL-terminated UTF-16LE string "4DDC80C4FD034E9E") C:\Windows\SysWOW64\svchost.exe N/A
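The CLSID value written under \REGISTRY\MACHINE\SOFTWARE\Classes\FAST in both runs is a REG_BINARY blob that the sandbox prints as hex; it is a NUL-terminated UTF-16LE string, 923FE7454D3F6A52 in the win7 run and 4DDC80C4FD034E9E in the win10 run, a fresh 16-hex-digit identifier per infected host. The Python below is an added example, not part of this report or of any sandbox tooling: it decodes such a value and picks PlugX-style CLSID writes out of a list of (key, value) rows so they can be turned into host-based indicators. Treating the string as PlugX's per-host ID is the analyst's assumption and is labelled as such in the code.

```python
import re

# Values copied from the "Modifies registry class" tables of this report; the
# sandbox renders REG_BINARY data as a hex string. Key in both runs:
#   \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID
REPORT_VALUES = {
    "behavioral1": "39003200330046004500370034003500340044003300460036004100350032000000",
    "behavioral2": "34004400440043003800300043003400460044003000330034004500390045000000",
}

# Assumption (analyst's reading, not stated by the sandbox): a 16-character
# upper-case hex string written by an injected process under
# HKLM\SOFTWARE\Classes\<name>\CLSID is the per-host identifier PlugX keeps.
MACHINE_ID_RE = re.compile(r"[0-9A-F]{16}")
CLASSES_PREFIX = "\\REGISTRY\\MACHINE\\SOFTWARE\\CLASSES\\"


def decode_reg_binary_utf16(hex_blob: str) -> str:
    """Decode a hex-rendered REG_BINARY value as a NUL-terminated UTF-16LE string."""
    raw = bytes.fromhex(hex_blob)          # raises ValueError on non-hex input
    if len(raw) % 2:
        raise ValueError("odd-length blob cannot be UTF-16LE")
    text = raw.decode("utf-16-le")
    return text.split("\x00", 1)[0]        # stop at the first NUL terminator


def is_plugx_style_clsid(decoded: str) -> bool:
    """True when the decoded value has the shape of the PlugX host ID (assumption above)."""
    return MACHINE_ID_RE.fullmatch(decoded) is not None


def triage_registry_rows(rows):
    """rows: (key path, hex value) pairs as a sandbox report lists them.

    Returns the rows under HKLM\\SOFTWARE\\Classes\\<name>\\CLSID whose value
    decodes to a PlugX-style ID, paired with the decoded text.
    """
    hits = []
    for key, hex_value in rows:
        upper = key.upper()
        if not (upper.startswith(CLASSES_PREFIX) and upper.endswith("\\CLSID")):
            continue
        try:
            decoded = decode_reg_binary_utf16(hex_value)
        except ValueError:
            continue                       # not hex, or not UTF-16LE shaped
        if is_plugx_style_clsid(decoded):
            hits.append((key, decoded))
    return hits


if __name__ == "__main__":
    for run, blob in REPORT_VALUES.items():
        print(run, decode_reg_binary_utf16(blob))
```

The subkey name (FAST here) comes from the sample's configuration and will differ between builds, which is why the filter keys on the Classes prefix and the CLSID value name rather than on the name in between.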

Suspicious behavior: EnumeratesProcesses

Process Hits
C:\Windows\SysWOW64\svchost.exe 14
C:\Windows\SysWOW64\msiexec.exe 50

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\RsTray.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\RsTray.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\360\RsTray.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\360\RsTray.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2504 wrote to memory of 1512 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\21fac61365987a8abfcd0b429a2497bf_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\RsTray.exe
PID 392 wrote to memory of 3404 (8 events) N/A C:\ProgramData\360\RsTray.exe C:\Windows\SysWOW64\svchost.exe
PID 3404 wrote to memory of 4756 (8 events) N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\21fac61365987a8abfcd0b429a2497bf_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\21fac61365987a8abfcd0b429a2497bf_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\RsTray.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\RsTray.exe"

C:\ProgramData\360\RsTray.exe

C:\ProgramData\360\RsTray.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe 201 0

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\system32\msiexec.exe 209 3404

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
N/A 10.127.255.255:53 udp
US 8.8.8.8:53 okidokid.oicp.net udp
CN 47.111.82.157:8000 okidokid.oicp.net tcp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 okidokid.oicp.net udp
CN 47.111.82.157:8000 okidokid.oicp.net tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 okidokid.oicp.net udp
CN 47.111.82.157:8000 okidokid.oicp.net udp
US 8.8.8.8:53 157.82.111.47.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 51.15.97.104.in-addr.arpa udp
US 8.8.8.8:53 cn99test.3322.org udp
US 8.8.8.8:53 cn99test.3322.org udp
US 8.8.8.8:53 okidokid.oicp.net udp
CN 47.111.82.157:8000 okidokid.oicp.net tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
CN 47.111.82.157:8000 okidokid.oicp.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 okidokid.oicp.net udp
CN 47.111.82.157:8000 okidokid.oicp.net udp
US 8.8.8.8:53 cn99test.3322.org udp
US 8.8.8.8:53 cn99test.3322.org udp
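Both runs show the same network pattern: repeated lookups of okidokid.oicp.net followed by connections to 47.111.82.157:8000 over TCP and over UDP, and lookups of cn99test.3322.org that are never followed by a connection, mixed in the win10 run with the platform's own Bing traffic and reverse (PTR) lookups. The Python below is an added example, not part of the sandbox report: it parses rows in the sandbox's "Country Destination Domain Proto" layout (a subset of the behavioral2 table, transcribed here), separates resolver traffic from connections, and summarizes the candidate C2 endpoints plus the domains that were queried but never contacted. The noise suffix list and the dynamic-DNS suffix list are the analyst's assumptions.

```python
import re
from collections import Counter

# A subset of the behavioral2 "Network" rows, transcribed from this report in
# the sandbox's own "Country Destination Domain Proto" layout.
NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
N/A 10.127.255.255:53 udp
US 8.8.8.8:53 okidokid.oicp.net udp
CN 47.111.82.157:8000 okidokid.oicp.net tcp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 okidokid.oicp.net udp
CN 47.111.82.157:8000 okidokid.oicp.net tcp
US 8.8.8.8:53 okidokid.oicp.net udp
CN 47.111.82.157:8000 okidokid.oicp.net udp
US 8.8.8.8:53 157.82.111.47.in-addr.arpa udp
US 8.8.8.8:53 cn99test.3322.org udp
US 8.8.8.8:53 cn99test.3322.org udp
"""

# country, ip:port, optional domain, proto
ROW_RE = re.compile(
    r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s+(?:(\S+)\s+)?(tcp|udp)$"
)

# Assumption: sandbox-platform background traffic and PTR lookups are not sample activity.
NOISE_SUFFIXES = (".bing.com", ".bing.net", ".in-addr.arpa")
# Assumption: free dynamic-DNS providers; a C2 host under one is worth flagging on its own.
DDNS_SUFFIXES = (".3322.org", ".oicp.net")


def parse_rows(text):
    """Turn the flattened table into dicts; lines that do not fit the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        country, ip, port, domain, proto = m.groups()
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain or "", "proto": proto})
    return rows


def is_resolver(row):
    return row["port"] == 53 and row["proto"] == "udp"


def is_noise(domain):
    return domain.endswith(NOISE_SUFFIXES)


def c2_endpoints(rows):
    """(domain, ip, port, proto) -> number of connections, DNS and noise excluded."""
    counts = Counter()
    for r in rows:
        if is_resolver(r) or not r["domain"] or is_noise(r["domain"]):
            continue
        counts[(r["domain"], r["ip"], r["port"], r["proto"])] += 1
    return dict(counts)


def unresolved_domains(rows):
    """Domains looked up but never connected to: dead, unregistered or sinkholed C2."""
    queried = {r["domain"] for r in rows if is_resolver(r) and r["domain"]}
    connected = {r["domain"] for r in rows if not is_resolver(r) and r["domain"]}
    return sorted(d for d in queried - connected if not is_noise(d))


def ddns_domains(rows):
    return sorted({r["domain"] for r in rows if r["domain"].endswith(DDNS_SUFFIXES)})


if __name__ == "__main__":
    rows = parse_rows(NETWORK_ROWS)
    for endpoint, n in sorted(c2_endpoints(rows).items()):
        print("C2", endpoint, "x", n)
    print("queried only:", unresolved_domains(rows))
    print("dynamic DNS:", ddns_domains(rows))
```

The UDP connection to port 8000 matters for detection: a rule that only watches TCP to the C2 port misses one of the two transports this sample used, and a dynamic-DNS hostname means the IP can change without the domain indicator changing.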

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\RsTray.exe

MD5 d65adc7ad95e88fab486707b8c228f17
SHA1 dfa0589b58a469e34695a22313d184e5352a3282
SHA256 a3674fef407c354e911a8a6c7d4b991802c47cf6409d6dc32dc84be6312159e2
SHA512 3c9114610dfc107adec6a6220356607c737499866eba965985bb1f6b9aedbfae529a5432abb8307ce0653580fab9c2580c66d96ef4cdb4319a0fde5ad3c3ac01

C:\Users\Admin\AppData\Local\Temp\RarSFX0\comserv.dll

MD5 b1253aa4e944916ab10235348cd6a3dd
SHA1 0046b288ba631f7363350e797ceb703ec8ae830e
SHA256 cb974a188d63849431ffe8868ee4faf020c3ff8679c0f0dd08d10fa91fa9c1eb
SHA512 d5134a43457ebb64e4d523cdb74ed1fda4b1d9d6f16919a5f7021858740d85832b8a7954631801f46bd460a5f2df7e6c5b70d37ef61a4e85deffb6cb9460d023

memory/1512-19-0x0000000002310000-0x0000000002410000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\comserv.dll.url

MD5 7a2b112e3291887512f318865b5205e3
SHA1 9719a3e9cd3a4f91954a689d4bfef26cc63cc8c0
SHA256 d863346dcbf9a3926e50af34b2b7c148ef15ca5d6942c1a0b5ccd7f06bbc902a
SHA512 70c5beccd1efd0c70201c7632bd795a7410c225ddf0318affcc8f5e22b4a02af4ae32221c42a69184c9a05961c5d50e331ac7cba88e6663ceeb30372685996a9

memory/1512-20-0x0000000002150000-0x0000000002181000-memory.dmp

memory/1512-33-0x0000000002150000-0x0000000002181000-memory.dmp

memory/392-39-0x0000000000DD0000-0x0000000000E01000-memory.dmp

memory/392-40-0x0000000000DD0000-0x0000000000E01000-memory.dmp

memory/3404-41-0x00000000018D0000-0x0000000001901000-memory.dmp

memory/3404-46-0x00000000018D0000-0x0000000001901000-memory.dmp

memory/3404-45-0x00000000012C0000-0x00000000012C1000-memory.dmp

C:\ProgramData\SxS\bug.log

MD5 ceea3ba5689893d522554d7bf2bde7b0
SHA1 33edd1c1527421492f31b092fa0a410261f0b1cb
SHA256 26efc950db2c42ff7ca13111b2df2ca2f052da7d64175a4898e03697a329a328
SHA512 e114940527305e54108ef0d482199c77cdae65f98a32cffb18cb45d883795028cb1c19021cf6d48aa34e846266a3f849b2d60e7fe81c75f8ad26bf04780aa487

memory/3404-91-0x00000000018D0000-0x0000000001901000-memory.dmp

memory/3404-90-0x00000000018D0000-0x0000000001901000-memory.dmp

memory/3404-89-0x00000000018D0000-0x0000000001901000-memory.dmp

memory/3404-88-0x00000000012C0000-0x00000000012C1000-memory.dmp

memory/3404-78-0x00000000018D0000-0x0000000001901000-memory.dmp

memory/3404-94-0x00000000018D0000-0x0000000001901000-memory.dmp

memory/3404-95-0x00000000018D0000-0x0000000001901000-memory.dmp

memory/4756-99-0x0000000002D40000-0x0000000002D71000-memory.dmp

C:\ProgramData\SxS\bug.log

MD5 02559014187d8799d5db13bae331b060
SHA1 625c8a5c7d19262c16cf0a73f0e060b5d0604ddf
SHA256 0e65a5991c4dd8174b841196792dc908b573c2b497e7770a25197a0e8bfed377
SHA512 8d55edfb5e9cca6ebac05761b76ac8360a54cb8afd35f20fe22412b27ed4af04ac719683d686e2543edff61c870fb61d2a3259cf49543b06971ba6a574278830

memory/4756-104-0x0000000002D40000-0x0000000002D71000-memory.dmp

memory/4756-103-0x0000000000F90000-0x0000000000F91000-memory.dmp

memory/4756-105-0x0000000002D40000-0x0000000002D71000-memory.dmp

memory/3404-106-0x00000000018D0000-0x0000000001901000-memory.dmp

memory/3404-107-0x00000000018D0000-0x0000000001901000-memory.dmp

memory/3404-110-0x00000000018D0000-0x0000000001901000-memory.dmp

C:\ProgramData\SxS\bug.log

MD5 d5561c4d5ddb2277be4084b7b30b9709
SHA1 e3e4f3a3923f269c84187729697b3cd412b45f87
SHA256 c38362d1b07575506b9086951fe7b031bdcd573b9efb6fc827e8d025067b3272
SHA512 960fad12f399389d5d088d9a4ac2289be935a16c6ae80391bbe7ecd273d6e332be4eedc11f542a7d06265697ef830581cf2200148159ddfe865779305ada58a7

memory/3404-118-0x00000000018D0000-0x0000000001901000-memory.dmp