General

  • Target

    8637fcef69115517c88cd620adff819b_JaffaCakes118

  • Size

    620KB

  • Sample

    240531-hbhl2sah54

  • MD5

    8637fcef69115517c88cd620adff819b

  • SHA1

    4c8a8a4ec8f5402bd29f09556d9d9ca29880c818

  • SHA256

    dc20e0bcdd7fc623dc93dbafa35c8a8cf1821018155def3aa2612ab2d9bd4788

  • SHA512

    cd0163c2d1db6ade757544319cc58ec1b6e3850e6b2a4179094f31d3f0f20d11c05da57735e14fc0fb0fe1a4a4fc6d9a13cbd1654fc12d25210a6ff29eaeee56

  • SSDEEP

    12288:0zONZbleC306xAGKyb6ENnT6FbxyYGyzUeh3p6p+ou8:0Uzk+RrNaboYoeZUcou8

Malware Config

Extracted

Family

plugx

C2

www.quochoice.com:53

www.quochoice.com:8080

www.quochoice.com:965

Attributes

  • folder

    AvastProxyQUY

Targets

    • Target

      AvastProxyQUY/AvastProxy.exe

    • Size

      56KB

    • MD5

      9381e36ebba4ace88aa190f1b8a30a43

    • SHA1

      21980f1be5e60fd28e340fec103949d28453a3d4

    • SHA256

      95480f8950e9f185c42e34dc045ee802d729e757dd03253ad22e287f566de913

    • SHA512

      06d615c9c55976702b48aa200b1a40bfaecab2427c5dc61f7380f339e7825cd29cdd9acf8f29ba2d830b58c4eeb889b053dfdb53764f1c88afa24643da9eb0c2

    • SSDEEP

      768:Qb1I/PzmESYUawSgUhqr5KgUpDGIwUf2hL+Gx8:Qb1cPz+cwSgU4d68Ufm+M8

    • PlugX

      PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    • Unexpected DNS network traffic destination

      Network traffic on the DNS port to servers other than the configured DNS servers was detected.

    • Adds Run key to start application

    • Target

      AvastProxyQUY/wsc.dll

    • Size

      76KB

    • MD5

      53d595328512b3e30d14c69a0c16ebbe

    • SHA1

      1f0a08cd1c4b6558557ad31337f78153e4b55e0e

    • SHA256

      daedb4c0bb841423f66a67d169d6831075c4df98d7823857be76f280752127c7

    • SHA512

      819c61b6867538d33610102f20b1921f19fc940e6f4df7489aae697086869c01405be852a03da78ad18114c98dcf8f1d259e6474c1c9deca24e9216bfe64d4de

    • SSDEEP

      768:YkLNJ1Eim6gd/yi04rjnojhKKjLrG3I93XghCbtee9pe:TJ6LdZfKsIOktee9g

    • Score

      1/10

    • Target

      How Catholics Adapt to Changes in China A Missiological Perspective.docx

    • Size

      39KB

    • MD5

      b9c4cfefa7917160f4f0aa9d33c36eb1

    • SHA1

      01f5b14973d3e29bd091a34df813d4959d2a2893

    • SHA256

      a4bfbccb9b567e077d1998cd081df974ebde88ce8f2c8319353fb404a3293a73

    • SHA512

      0cdca0417af28bac87499e5d104ddc6fc41b998fa5aea34eaa48101c422cbfa4f1507dbee95963e71846b3036f4940160f013f8d29ba8366e02da45f9275dbed

    • SSDEEP

      768:0L76x0FjWv46eMVf6+o77KzJdKLEoUwoB9hImRVkcZXIkLlJS1Ah14vuV:036GWQ679o77Kl0Evn9JKFkpQ1Ah1V

    • Score

      4/10

    • Target

      How Catholics Adapt to Changes in China A Missiological Perspective.exe

    • Size

      339KB

    • MD5

      ceaa5817a65e914aa178b28f12359a46

    • SHA1

      534a7ea9c67bab3e8f2d41977bf43d41dfe951cf

    • SHA256

      6c959cfb001fbb900958441dfd8b262fb33e052342948bab338775d3e83ef7f7

    • SHA512

      fef4c0b451d18a9eb73045b3ddcd44450294f06c616cc7175850e6315a6265bd077c8fd09782c486eea624145c7d4c18f8e00a94c0deb394900f9b3e70e60320

    • SSDEEP

      6144:tlsHe0BivO39zYpmH+kAzkA7ZUgbc6AYJ8rEdrEbAgMMV6NX5ZNeVgjYf:InIO39YAeNLFjAYarEdrEb5P6VxY

    • Score

      7/10

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Target

      wwlib.dll

    • Size

      72KB

    • MD5

      08dbf918208f44f0d74d096a901358cc

    • SHA1

      0def86a1ad13283fe79f2e3d4f139eadd298d138

    • SHA256

      a64997b94ebfea461c95d445a4d13aa4c4bd49604451208746d95d106b677053

    • SHA512

      84ce422251a18bc0c3989ffd90a37f3aafe21c984fd8727384606f67f9b4f7f490dce1a960ec26b3a080204efd7bcde13b8cef19acec4ff28c534021c5f452b9

    • SSDEEP

      1536:OqZc36GWQ679o77Kl0Evn9JKFkpQ1Ah1:OqZQmz0+l0Ev9FwAh1

    • Score

      8/10

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

MITRE ATT&CK Enterprise v15