Overview

overview

10

Static

static

3

b313bbe17b...18.exe

windows7-x64

10

b313bbe17b...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    16-06-2024 10:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b313bbe17bd5ee9c00acff3bfccdb48a_JaffaCakes118.exe

  • Size

    257KB

  • MD5

    b313bbe17bd5ee9c00acff3bfccdb48a

  • SHA1

    2efd3fc16f44525e4a1bb5f7c2e01e2a87b2cf04

  • SHA256

    71f7a9da99b5e3c9520bc2cc73e520598d469be6539b3c243fb435fe02e44338

  • SHA512

    2244a9b0a24d763c6bfff4c38957ba9d9bbeca43c7659f7e3589c9f11080fe0905883a77fe666892813167251e94ee2604b77c6cc48632f71ed4a9eb45094e10

  • SSDEEP

    6144:yz+92mhAMJ/cPl3iej1LV3j+uHe9PoV9o2xjKHUkcVW:yK2mhAMJ/cPlfTX+Ao8/kco

Score
10/10
plugxtrojan

Malware Config

Signatures

  • Detects PlugX payload 20 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 37 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b313bbe17bd5ee9c00acff3bfccdb48a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b313bbe17bd5ee9c00acff3bfccdb48a_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2580
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2216
  • C:\ProgramData\SxS\Nv.exe
    "C:\ProgramData\SxS\Nv.exe" 100 2216
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    PID:3024
  • C:\ProgramData\SxS\Nv.exe
    "C:\ProgramData\SxS\Nv.exe" 200 0
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2716
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2528
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 2528
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:2104

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll
    Filesize

    7KB

    MD5

    0aa39c6eafc45d18d4a15f1ed6dff6a8

    SHA1

    daa921673a22a6b3c03e311e51d7e74ac1710fc2

    SHA256

    5e2ca5276edc4f5df39b40733acfd1298192432a66fa477ac32056a473a4636a

    SHA512

    0c107b57fd7678c169f62a085a90f5ad6eed56b431c5a67fd2c195b1960a2a38f19e9d1e2bff8b3a0cc39c7ae32608459b82f91e99a6852d059ad6567c22ec6e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll.URL
    Filesize

    131KB

    MD5

    bbb5f685f91b0d0d8e272d1c23911e19

    SHA1

    aa2154c4549e37397588f3a38b1d0f906bc87e9a

    SHA256

    29641dccedf3a220524ce2fff5d1fa48576aa92de9dfc4ec3da39ca5bf5d8bdd

    SHA512

    86f8dd3b9a904ae5a687be5370ced5bcb677608747c4f5576435a3d421a9e49d3101056bf09fb76711800cc6f1f0dbe78da7cdcb0c0329b7866c432a2317d69c

    Download Submit
  • \Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe
    Filesize

    46KB

    MD5

    09b8b54f78a10c435cd319070aa13c28

    SHA1

    6474d0369f97e72e01e4971128d1062f5c2b3656

    SHA256

    523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

    SHA512

    c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

    Download Submit
  • memory/2104-86-0x00000000008D0000-0x0000000000909000-memory.dmp
    Filesize

    228KB

    Download
  • memory/2104-83-0x00000000008D0000-0x0000000000909000-memory.dmp
    Filesize

    228KB

    Download
  • memory/2104-85-0x00000000008D0000-0x0000000000909000-memory.dmp
    Filesize

    228KB

    Download
  • memory/2104-84-0x0000000000130000-0x0000000000131000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2216-26-0x0000000000400000-0x000000000040D000-memory.dmp
    Filesize

    52KB

    Download
  • memory/2216-25-0x0000000000401000-0x0000000000402000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2216-27-0x0000000000320000-0x0000000000359000-memory.dmp
    Filesize

    228KB

    Download
  • memory/2216-57-0x0000000000320000-0x0000000000359000-memory.dmp
    Filesize

    228KB

    Download
  • memory/2528-71-0x0000000000250000-0x0000000000289000-memory.dmp
    Filesize

    228KB

    Download
  • memory/2528-70-0x0000000000250000-0x0000000000289000-memory.dmp
    Filesize

    228KB

    Download
  • memory/2528-58-0x0000000000250000-0x0000000000289000-memory.dmp
    Filesize

    228KB

    Download
  • memory/2528-50-0x0000000000080000-0x0000000000081000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2528-74-0x0000000000250000-0x0000000000289000-memory.dmp
    Filesize

    228KB

    Download
  • memory/2528-73-0x0000000000250000-0x0000000000289000-memory.dmp
    Filesize

    228KB

    Download
  • memory/2528-72-0x0000000000250000-0x0000000000289000-memory.dmp
    Filesize

    228KB

    Download
  • memory/2528-69-0x0000000000250000-0x0000000000289000-memory.dmp
    Filesize

    228KB

    Download
  • memory/2528-68-0x0000000000020000-0x0000000000021000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2528-55-0x0000000000250000-0x0000000000289000-memory.dmp
    Filesize

    228KB

    Download
  • memory/2528-53-0x00000000000A0000-0x00000000000C0000-memory.dmp
    Filesize

    128KB

    Download
  • memory/2528-89-0x0000000000250000-0x0000000000289000-memory.dmp
    Filesize

    228KB

    Download
  • memory/2528-88-0x0000000000250000-0x0000000000289000-memory.dmp
    Filesize

    228KB

    Download
  • memory/2528-54-0x00000000000C0000-0x00000000000C2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2528-87-0x0000000000250000-0x0000000000289000-memory.dmp
    Filesize

    228KB

    Download
  • memory/2716-49-0x0000000000450000-0x0000000000489000-memory.dmp
    Filesize

    228KB

    Download
  • memory/2716-56-0x0000000000450000-0x0000000000489000-memory.dmp
    Filesize

    228KB

    Download
  • memory/3024-46-0x0000000000450000-0x0000000000489000-memory.dmp
    Filesize

    228KB

    Download
  • memory/3024-45-0x0000000000400000-0x000000000040D000-memory.dmp
    Filesize

    52KB

    Download
  • memory/3024-77-0x0000000000450000-0x0000000000489000-memory.dmp
    Filesize

    228KB

    Download