Overview

overview

10

Static

static

3

b313bbe17b...18.exe

windows7-x64

10

b313bbe17b...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-06-2024 10:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b313bbe17bd5ee9c00acff3bfccdb48a_JaffaCakes118.exe

  • Size

    257KB

  • MD5

    b313bbe17bd5ee9c00acff3bfccdb48a

  • SHA1

    2efd3fc16f44525e4a1bb5f7c2e01e2a87b2cf04

  • SHA256

    71f7a9da99b5e3c9520bc2cc73e520598d469be6539b3c243fb435fe02e44338

  • SHA512

    2244a9b0a24d763c6bfff4c38957ba9d9bbeca43c7659f7e3589c9f11080fe0905883a77fe666892813167251e94ee2604b77c6cc48632f71ed4a9eb45094e10

  • SSDEEP

    6144:yz+92mhAMJ/cPl3iej1LV3j+uHe9PoV9o2xjKHUkcVW:yK2mhAMJ/cPlfTX+Ao8/kco

Score
10/10
plugxtrojan

Malware Config

Signatures

  • Detects PlugX payload 20 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 17 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b313bbe17bd5ee9c00acff3bfccdb48a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b313bbe17bd5ee9c00acff3bfccdb48a_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4888
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4756
  • C:\ProgramData\SxS\Nv.exe
    "C:\ProgramData\SxS\Nv.exe" 100 4756
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    PID:396
  • C:\ProgramData\SxS\Nv.exe
    "C:\ProgramData\SxS\Nv.exe" 200 0
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4156
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2372
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 2372
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:1352

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe
    Filesize

    46KB

    MD5

    09b8b54f78a10c435cd319070aa13c28

    SHA1

    6474d0369f97e72e01e4971128d1062f5c2b3656

    SHA256

    523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

    SHA512

    c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll
    Filesize

    7KB

    MD5

    0aa39c6eafc45d18d4a15f1ed6dff6a8

    SHA1

    daa921673a22a6b3c03e311e51d7e74ac1710fc2

    SHA256

    5e2ca5276edc4f5df39b40733acfd1298192432a66fa477ac32056a473a4636a

    SHA512

    0c107b57fd7678c169f62a085a90f5ad6eed56b431c5a67fd2c195b1960a2a38f19e9d1e2bff8b3a0cc39c7ae32608459b82f91e99a6852d059ad6567c22ec6e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll.URL
    Filesize

    131KB

    MD5

    bbb5f685f91b0d0d8e272d1c23911e19

    SHA1

    aa2154c4549e37397588f3a38b1d0f906bc87e9a

    SHA256

    29641dccedf3a220524ce2fff5d1fa48576aa92de9dfc4ec3da39ca5bf5d8bdd

    SHA512

    86f8dd3b9a904ae5a687be5370ced5bcb677608747c4f5576435a3d421a9e49d3101056bf09fb76711800cc6f1f0dbe78da7cdcb0c0329b7866c432a2317d69c

    Download Submit
  • memory/396-40-0x0000000000400000-0x000000000040D000-memory.dmp
    Filesize

    52KB

    Download
  • memory/396-39-0x00000000006D0000-0x0000000000709000-memory.dmp
    Filesize

    228KB

    Download
  • memory/396-68-0x00000000006D0000-0x0000000000709000-memory.dmp
    Filesize

    228KB

    Download
  • memory/1352-71-0x0000000002540000-0x0000000002579000-memory.dmp
    Filesize

    228KB

    Download
  • memory/1352-72-0x0000000002540000-0x0000000002579000-memory.dmp
    Filesize

    228KB

    Download
  • memory/1352-70-0x0000000000B90000-0x0000000000B91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1352-69-0x0000000002540000-0x0000000002579000-memory.dmp
    Filesize

    228KB

    Download
  • memory/2372-58-0x0000000000970000-0x0000000000971000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2372-46-0x0000000001190000-0x00000000011C9000-memory.dmp
    Filesize

    228KB

    Download
  • memory/2372-75-0x0000000001190000-0x00000000011C9000-memory.dmp
    Filesize

    228KB

    Download
  • memory/2372-48-0x0000000001190000-0x00000000011C9000-memory.dmp
    Filesize

    228KB

    Download
  • memory/2372-45-0x0000000000970000-0x0000000000971000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2372-74-0x0000000001190000-0x00000000011C9000-memory.dmp
    Filesize

    228KB

    Download
  • memory/2372-64-0x0000000001190000-0x00000000011C9000-memory.dmp
    Filesize

    228KB

    Download
  • memory/2372-65-0x0000000001190000-0x00000000011C9000-memory.dmp
    Filesize

    228KB

    Download
  • memory/2372-63-0x0000000001190000-0x00000000011C9000-memory.dmp
    Filesize

    228KB

    Download
  • memory/2372-62-0x0000000001190000-0x00000000011C9000-memory.dmp
    Filesize

    228KB

    Download
  • memory/2372-60-0x0000000001190000-0x00000000011C9000-memory.dmp
    Filesize

    228KB

    Download
  • memory/2372-59-0x0000000001190000-0x00000000011C9000-memory.dmp
    Filesize

    228KB

    Download
  • memory/2372-73-0x0000000001190000-0x00000000011C9000-memory.dmp
    Filesize

    228KB

    Download
  • memory/4156-43-0x0000000000E30000-0x0000000000E69000-memory.dmp
    Filesize

    228KB

    Download
  • memory/4156-44-0x0000000000400000-0x000000000040D000-memory.dmp
    Filesize

    52KB

    Download
  • memory/4156-47-0x0000000000E30000-0x0000000000E69000-memory.dmp
    Filesize

    228KB

    Download
  • memory/4756-21-0x0000000000400000-0x000000000040D000-memory.dmp
    Filesize

    52KB

    Download
  • memory/4756-20-0x0000000002190000-0x00000000021C9000-memory.dmp
    Filesize

    228KB

    Download
  • memory/4756-19-0x0000000000401000-0x0000000000402000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4756-61-0x0000000002190000-0x00000000021C9000-memory.dmp
    Filesize

    228KB

    Download