Analysis

max time kernel: 149s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-06-2024 16:28

Static task: static1
Behavioral task: behavioral1
Sample: bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118.exe
Resource: win7-20240508-en
General

Target: bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118.exe
Size: 253KB
MD5: bce37dd072dc0eeeba64a67f92e9e7c3
SHA1: a04ad84a2dabb2271c94faced586a90f4a460584
SHA256: 6be45f6054be1bcd7e91aab715f3e4342c3ad988d4f53ebb41cb79caea1da70b
SHA512: fcaa1eb9f77a8bf3018454a9d0117c70c58d0f6e332cfb674bafd752a2a823d63081b2a0116c45caeda5bb44ffd3ef1372fd8f23014db6c3f39061ee85c69947
SSDEEP: 6144:iz+92mhAMJ/cPl3i+eLbbIv2fbj+ufiTiONUXHH/wlTekOehkQ:iK2mhAMJ/cPlQbF/XfbJX/wl/OvQ
Malware Config

Extracted
Family: latentbot
C2: jinyuan2012.zapto.org
Signatures

Detects PlugX payload (20 IoCs)
resource | yara_rule
behavioral2/memory/1368-21-0x0000000002090000-0x00000000020BC000-memory.dmp | family_plugx
behavioral2/memory/2960-40-0x0000000002160000-0x000000000218C000-memory.dmp | family_plugx
behavioral2/memory/2960-44-0x0000000002160000-0x000000000218C000-memory.dmp | family_plugx
behavioral2/memory/2308-45-0x00000000006C0000-0x00000000006EC000-memory.dmp | family_plugx
behavioral2/memory/2308-46-0x00000000006C0000-0x00000000006EC000-memory.dmp | family_plugx
behavioral2/memory/2844-47-0x0000000000A00000-0x0000000000A2C000-memory.dmp | family_plugx
behavioral2/memory/2844-60-0x0000000000A00000-0x0000000000A2C000-memory.dmp | family_plugx
behavioral2/memory/2844-62-0x0000000000A00000-0x0000000000A2C000-memory.dmp | family_plugx
behavioral2/memory/2844-48-0x0000000000A00000-0x0000000000A2C000-memory.dmp | family_plugx
behavioral2/memory/2844-61-0x0000000000A00000-0x0000000000A2C000-memory.dmp | family_plugx
behavioral2/memory/2844-63-0x0000000000A00000-0x0000000000A2C000-memory.dmp | family_plugx
behavioral2/memory/2844-64-0x0000000000A00000-0x0000000000A2C000-memory.dmp | family_plugx
behavioral2/memory/1368-69-0x0000000002090000-0x00000000020BC000-memory.dmp | family_plugx
behavioral2/memory/2960-70-0x0000000002160000-0x000000000218C000-memory.dmp | family_plugx
behavioral2/memory/4024-74-0x0000000002B90000-0x0000000002BBC000-memory.dmp | family_plugx
behavioral2/memory/4024-73-0x0000000002B90000-0x0000000002BBC000-memory.dmp | family_plugx
behavioral2/memory/4024-71-0x0000000002B90000-0x0000000002BBC000-memory.dmp | family_plugx
behavioral2/memory/2844-75-0x0000000000A00000-0x0000000000A2C000-memory.dmp | family_plugx
behavioral2/memory/2844-76-0x0000000000A00000-0x0000000000A2C000-memory.dmp | family_plugx
behavioral2/memory/2844-77-0x0000000000A00000-0x0000000000A2C000-memory.dmp | family_plugx
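The twenty matches above come from only five processes. The following added example (my code, not part of the Triage report or its tooling) parses the dump resource names, whose format <task>/memory/<pid>-<index>-<start>-<end>-memory.dmp is inferred from the names on this page, and groups the matched regions by PID. Run against the list above it shows that every family_plugx hit is the same 0x2C000-byte region, one per process, which is the pattern you expect when the same payload is written into each host process.

```python
"""Parse Triage memory-dump resource names and group YARA hits by PID.

Added example, not part of the Triage report. The name format
<task>/memory/<pid>-<index>-<start>-<end>-memory.dmp is inferred from the
names on this page.
"""
import re
from collections import defaultdict

# The 20 family_plugx resources from the signature above, copied verbatim.
PLUGX_DUMPS = """
behavioral2/memory/1368-21-0x0000000002090000-0x00000000020BC000-memory.dmp
behavioral2/memory/2960-40-0x0000000002160000-0x000000000218C000-memory.dmp
behavioral2/memory/2960-44-0x0000000002160000-0x000000000218C000-memory.dmp
behavioral2/memory/2308-45-0x00000000006C0000-0x00000000006EC000-memory.dmp
behavioral2/memory/2308-46-0x00000000006C0000-0x00000000006EC000-memory.dmp
behavioral2/memory/2844-47-0x0000000000A00000-0x0000000000A2C000-memory.dmp
behavioral2/memory/2844-60-0x0000000000A00000-0x0000000000A2C000-memory.dmp
behavioral2/memory/2844-62-0x0000000000A00000-0x0000000000A2C000-memory.dmp
behavioral2/memory/2844-48-0x0000000000A00000-0x0000000000A2C000-memory.dmp
behavioral2/memory/2844-61-0x0000000000A00000-0x0000000000A2C000-memory.dmp
behavioral2/memory/2844-63-0x0000000000A00000-0x0000000000A2C000-memory.dmp
behavioral2/memory/2844-64-0x0000000000A00000-0x0000000000A2C000-memory.dmp
behavioral2/memory/1368-69-0x0000000002090000-0x00000000020BC000-memory.dmp
behavioral2/memory/2960-70-0x0000000002160000-0x000000000218C000-memory.dmp
behavioral2/memory/4024-74-0x0000000002B90000-0x0000000002BBC000-memory.dmp
behavioral2/memory/4024-73-0x0000000002B90000-0x0000000002BBC000-memory.dmp
behavioral2/memory/4024-71-0x0000000002B90000-0x0000000002BBC000-memory.dmp
behavioral2/memory/2844-75-0x0000000000A00000-0x0000000000A2C000-memory.dmp
behavioral2/memory/2844-76-0x0000000000A00000-0x0000000000A2C000-memory.dmp
behavioral2/memory/2844-77-0x0000000000A00000-0x0000000000A2C000-memory.dmp
""".split()

DUMP_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Split one resource name into its fields; size is end - start."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"task": m["task"], "pid": int(m["pid"]), "index": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def regions_by_pid(names):
    """Map pid -> set of (start, size). Repeated dumps of the same region
    (different index, same address range) collapse to a single entry."""
    regions = defaultdict(set)
    for n in names:
        d = parse_dump_name(n)
        regions[d["pid"]].add((d["start"], d["size"]))
    return dict(regions)


def summarize(names):
    regions = regions_by_pid(names)
    sizes = {size for regs in regions.values() for _, size in regs}
    return {"pids": sorted(regions),
            "distinct_sizes": sorted(sizes),
            "regions": regions}


if __name__ == "__main__":
    s = summarize(PLUGX_DUMPS)
    print("processes with family_plugx hits:", s["pids"])
    print("distinct region sizes:", [hex(x) for x in s["distinct_sizes"]])
    for pid, regs in sorted(s["regions"].items()):
        for start, size in sorted(regs):
            print(f"  pid {pid}: 0x{start:08X} (+0x{size:X} bytes)")
```

A single region size across five unrelated host processes is a useful pivot when triaging your own dumps: carve that region from one process and the rest will usually match the same rule and the same configuration.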
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118.exe

Deletes itself (1 IoC)
pid | Process
1368 | Nv.exe

Executes dropped EXE (3 IoCs)
pid | Process
1368 | Nv.exe
2960 | Nv.exe
2308 | Nv.exe

Loads dropped DLL (3 IoCs)
pid | Process
1368 | Nv.exe
2960 | Nv.exe
2308 | Nv.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS (17 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0 | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | svchost.exe

Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | svchost.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 44003400340042004500330034003500320030003900390034004300310042000000 | svchost.exe
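Triage prints REG_SZ data as raw hex; the CLSID value above is UTF-16LE and decodes to the string D44BE34520994C1B. The following is an added example (my code, not the report's or Triage's tooling) that parses registry IoC rows of the shape used in the two signatures above into hive, key, value name and decoded data, and maps the native \REGISTRY\MACHINE and \REGISTRY\USER prefixes to their HKLM / HKU names. The input rows are constructed from the tables above; the row grammar is inferred from them.

```python
"""Parse Triage registry IoC rows and decode hex-printed REG_SZ data.

Added example, not the report's tooling. Input rows are constructed from
the "Modifies registry class" and "Modifies data under HKEY_USERS" tables
above; the "<op> <native key>[ = <raw>]" row grammar is inferred from them.
"""
import re

REGISTRY_IOCS = [
    r"Key created \REGISTRY\MACHINE\Software\CLASSES\FAST",
    r"Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = "
    "44003400340042004500330034003500320030003900390034004300310042000000",
    r'Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"',
    r'Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"',
    r"Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings",
]

# op is "Key created" or "Set value (<type>)"; the value part is optional.
IOC_RE = re.compile(
    r"^(?P<op>Key created|Set value \((?P<type>\w+)\))\s+"
    r"(?P<key>\\REGISTRY\\.*?)(?:\s+=\s+(?P<raw>.+))?$"
)

# Native object-manager hive paths and the names most tools display.
HIVE_PREFIXES = [
    ("\\REGISTRY\\MACHINE\\", "HKLM\\"),
    ("\\REGISTRY\\USER\\", "HKU\\"),
]


def friendly_key(native):
    for prefix, name in HIVE_PREFIXES:
        if native.upper().startswith(prefix):
            return name + native[len(prefix):]
    return native


def decode_data(hexstr):
    """Triage prints (data) values as hex. Registry strings are stored as
    UTF-16LE with a terminating NUL, so try that first; anything that does
    not decode to printable text is returned as raw bytes."""
    raw = bytes.fromhex(hexstr)
    if len(raw) % 2 == 0:
        try:
            text = raw.decode("utf-16-le").rstrip("\x00")
        except UnicodeDecodeError:
            return raw
        if text and text.isprintable():
            return text
    return raw


def parse_ioc(line):
    m = IOC_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised IoC row: {line}")
    key = m["key"].rstrip("\\")
    vtype, raw = m["type"], m["raw"]
    if raw is None:
        value = None
    elif vtype == "int":
        value = int(raw.strip('"'))
    elif vtype == "data":
        value = decode_data(raw)
    else:
        value = raw
    # For "Set value" rows the last path component is the value name.
    name = None
    if m["op"].startswith("Set value"):
        key, _, name = key.rpartition("\\")
    return {"op": m["op"], "type": vtype, "key": friendly_key(key),
            "name": name, "value": value}


if __name__ == "__main__":
    for row in REGISTRY_IOCS:
        r = parse_ioc(row)
        print(f'{r["op"]:16} {r["key"]}  {r["name"] or ""}  {r["value"]!r}')
```

Decoding before you search is the practical point: a hunt for the literal hex string will not match an EDR that records the value as text, and a hunt for D44BE34520994C1B will not match this page.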
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | events
1368 | Nv.exe | 2
2844 | svchost.exe | 12
4024 | msiexec.exe | 50

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
2844 | svchost.exe
4024 | msiexec.exe

Suspicious use of AdjustPrivilegeToken (10 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1368 | Nv.exe
Token: SeTcbPrivilege | 1368 | Nv.exe
Token: SeDebugPrivilege | 2960 | Nv.exe
Token: SeTcbPrivilege | 2960 | Nv.exe
Token: SeDebugPrivilege | 2308 | Nv.exe
Token: SeTcbPrivilege | 2308 | Nv.exe
Token: SeDebugPrivilege | 2844 | svchost.exe
Token: SeTcbPrivilege | 2844 | svchost.exe
Token: SeDebugPrivilege | 4024 | msiexec.exe
Token: SeTcbPrivilege | 4024 | msiexec.exe

Suspicious use of WriteProcessMemory (19 IoCs)
description | pid | Process | procid_target | events
PID 1696 wrote to memory of 1368 | 1696 | bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118.exe | 81 | 3
PID 2308 wrote to memory of 2844 | 2308 | Nv.exe | 86 | 8
PID 2844 wrote to memory of 4024 | 2844 | svchost.exe | 87 | 8
Processes

C:\Users\Admin\AppData\Local\Temp\bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118.exe (PID 1696)
  command line: "C:\Users\Admin\AppData\Local\Temp\bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe (PID 1368, child of 1696)
    command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe"
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\ProgramData\SxS\Nv.exe (PID 2960)
  command line: "C:\ProgramData\SxS\Nv.exe" 100 1368
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken

C:\ProgramData\SxS\Nv.exe (PID 2308)
  command line: "C:\ProgramData\SxS\Nv.exe" 200 0
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\svchost.exe (PID 2844, child of 2308)
    command line: C:\Windows\system32\svchost.exe 201 0
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\msiexec.exe (PID 4024, child of 2844)
      command line: C:\Windows\system32\msiexec.exe 209 2844
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
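Read bottom-up, the tree is a hollowing chain: Nv.exe (2308) starts a 32-bit svchost.exe and writes into it eight times, and that svchost.exe does the same to msiexec.exe. The image path says SysWOW64 while the command line says system32 because a 32-bit parent's CreateProcess call is subject to WOW64 file-system redirection; that mismatch on its own is normal and should not be the detection. Below is an added detector (my code, not from the report or from Triage) that replays the process tree and the WriteProcessMemory table as constructed records and applies three checks: a genuine svchost.exe is launched by services.exe with a -k <group> command line; a Windows system binary should not be started by an executable from a user-writable path; and a cross-process write into a system binary is injection until shown otherwise. The record shape and the parent links (taken from the tree depth above; the three depth-1 entries have no recorded parent) are my assumptions.

```python
"""Replay the process tree and WriteProcessMemory table as records and
flag hollowed or injected system-binary hosts.

Added example, not from the report or from Triage. The record shape,
the parent links (taken from the tree depth on the page) and the three
rules are the author's assumptions, not something the report states.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str            # on-disk image path as reported
    cmdline: str          # command line as reported
    ppid: Optional[int]   # None where the page shows no parent


# Constructed from the Processes section above.
PROCS = [
    Proc(1696, r"C:\Users\Admin\AppData\Local\Temp\bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118.exe"', None),
    Proc(1368, r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe"', 1696),
    Proc(2960, r"C:\ProgramData\SxS\Nv.exe", r'"C:\ProgramData\SxS\Nv.exe" 100 1368', None),
    Proc(2308, r"C:\ProgramData\SxS\Nv.exe", r'"C:\ProgramData\SxS\Nv.exe" 200 0', None),
    Proc(2844, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\system32\svchost.exe 201 0", 2308),
    Proc(4024, r"C:\Windows\SysWOW64\msiexec.exe", r"C:\Windows\system32\msiexec.exe 209 2844", 2844),
]

# (writer pid, target pid, call count) from "Suspicious use of WriteProcessMemory".
WPM = [(1696, 1368, 3), (2308, 2844, 8), (2844, 4024, 8)]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_system_binary(image):
    return image.lower().startswith(SYSTEM_DIRS)


def analyze(procs, wpm):
    """Return a list of (pid, reason) findings."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        # Rule 1: a genuine svchost.exe is started by services.exe with "-k <group>".
        if basename(p.image) == "svchost.exe":
            parent_ok = parent is not None and basename(parent.image) == "services.exe"
            if not parent_ok or " -k " not in f" {p.cmdline} ":
                findings.append((p.pid, "svchost.exe not started by services.exe with -k"))
        # Rule 2: a system binary whose parent runs from a non-system path.
        if is_system_binary(p.image) and parent and not is_system_binary(parent.image):
            findings.append((p.pid, f"system binary started by {parent.image}"))
    # Rule 3: any cross-process write into a system binary is treated as injection.
    for writer, target, count in wpm:
        t = by_pid.get(target)
        if t is not None and is_system_binary(t.image):
            w = by_pid.get(writer)
            source = w.image if w else f"pid {writer}"
            findings.append((target, f"{count} WriteProcessMemory calls from {source}"))
    return findings


def flagged_pids(procs, wpm):
    return sorted({pid for pid, _ in analyze(procs, wpm)})


def wow64_redirected(procs):
    """PIDs whose image is in SysWOW64 while the command line names system32:
    the parent was 32-bit and file-system redirection substituted the 32-bit
    copy. Informational only; this is normal WOW64 behaviour."""
    return sorted(p.pid for p in procs
                  if "\\syswow64\\" in p.image.lower()
                  and "\\system32\\" in p.cmdline.lower())


if __name__ == "__main__":
    for pid, reason in analyze(PROCS, WPM):
        print(f"pid {pid}: {reason}")
    print("WOW64-redirected images:", wow64_redirected(PROCS))
```

Against these records the detector flags 2844 three times (wrong parent, no -k, written into by Nv.exe) and 4024 once (written into by the already-hollowed svchost.exe), and leaves the parent-to-child write from 1696 into 1368 alone because the target is not a system binary; on real telemetry that last rule needs the same refinement, since a legitimate parent writes into a freshly created child during normal process start-up.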
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 46KB
MD5: 09b8b54f78a10c435cd319070aa13c28
SHA1: 6474d0369f97e72e01e4971128d1062f5c2b3656
SHA256: 523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256
SHA512: c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Filesize: 48KB
MD5: d659d95d46f71f172cd4f2aca9532949
SHA1: 13a4a93c5a76ad1ea95cc6e9c7e2282f1981c85d
SHA256: 9e4800663e62415d01f844195d8bae0be71a1bd14b9d4103c6dedb9266957837
SHA512: ad423ef32635358f8c47854a95c9e18dde7fe1e31c450aee7fd16f5a4043a8fd135ad5eac7491909acdf5afd6d013f8fd9b1f07809d8ff88458dbad31dddaba5

Filesize: 110KB
MD5: c889dc4f6294e882c8ce08f1f9a0aa12
SHA1: 2522d785f2f78d0bb2841723695e1ab55afa1313
SHA256: d6ad656de945a3e4a8179bae85173bcdf986c85d8328d5e788a8a695faf1576b
SHA512: 44d16808678fcbd5936e1a22f715865c948026fdf283b121f3ae17e8f40809f4d75e055b84daf60808a5a9f59f585402b4ce73d9dac0d86524baf207226c6662