Overview

overview

10

Static

static

3

bce37dd072...18.exe

windows7-x64

10

bce37dd072...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-06-2024 16:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118.exe

  • Size

    253KB

  • MD5

    bce37dd072dc0eeeba64a67f92e9e7c3

  • SHA1

    a04ad84a2dabb2271c94faced586a90f4a460584

  • SHA256

    6be45f6054be1bcd7e91aab715f3e4342c3ad988d4f53ebb41cb79caea1da70b

  • SHA512

    fcaa1eb9f77a8bf3018454a9d0117c70c58d0f6e332cfb674bafd752a2a823d63081b2a0116c45caeda5bb44ffd3ef1372fd8f23014db6c3f39061ee85c69947

  • SSDEEP

    6144:iz+92mhAMJ/cPl3i+eLbbIv2fbj+ufiTiONUXHH/wlTekOehkQ:iK2mhAMJ/cPlQbF/XfbJX/wl/OvQ

Score
10/10
latentbotplugxtrojan

Malware Config

Extracted

Family

latentbot

C2

jinyuan2012.zapto.org

Signatures

  • Detects PlugX payload 20 IoCs
  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

    trojanlatentbot
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 17 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1696
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1368
  • C:\ProgramData\SxS\Nv.exe
    "C:\ProgramData\SxS\Nv.exe" 100 1368
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    PID:2960
  • C:\ProgramData\SxS\Nv.exe
    "C:\ProgramData\SxS\Nv.exe" 200 0
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2308
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2844
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 2844
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:4024

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe
    Filesize

    46KB

    MD5

    09b8b54f78a10c435cd319070aa13c28

    SHA1

    6474d0369f97e72e01e4971128d1062f5c2b3656

    SHA256

    523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

    SHA512

    c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll
    Filesize

    48KB

    MD5

    d659d95d46f71f172cd4f2aca9532949

    SHA1

    13a4a93c5a76ad1ea95cc6e9c7e2282f1981c85d

    SHA256

    9e4800663e62415d01f844195d8bae0be71a1bd14b9d4103c6dedb9266957837

    SHA512

    ad423ef32635358f8c47854a95c9e18dde7fe1e31c450aee7fd16f5a4043a8fd135ad5eac7491909acdf5afd6d013f8fd9b1f07809d8ff88458dbad31dddaba5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll.URL
    Filesize

    110KB

    MD5

    c889dc4f6294e882c8ce08f1f9a0aa12

    SHA1

    2522d785f2f78d0bb2841723695e1ab55afa1313

    SHA256

    d6ad656de945a3e4a8179bae85173bcdf986c85d8328d5e788a8a695faf1576b

    SHA512

    44d16808678fcbd5936e1a22f715865c948026fdf283b121f3ae17e8f40809f4d75e055b84daf60808a5a9f59f585402b4ce73d9dac0d86524baf207226c6662

    Download Submit

  • memory/1368-19-0x0000000002100000-0x0000000002200000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1368-21-0x0000000002090000-0x00000000020BC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1368-69-0x0000000002090000-0x00000000020BC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2308-46-0x00000000006C0000-0x00000000006EC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2308-45-0x00000000006C0000-0x00000000006EC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2844-75-0x0000000000A00000-0x0000000000A2C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2844-47-0x0000000000A00000-0x0000000000A2C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2844-60-0x0000000000A00000-0x0000000000A2C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2844-62-0x0000000000A00000-0x0000000000A2C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2844-59-0x00000000001D0000-0x00000000001D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2844-48-0x0000000000A00000-0x0000000000A2C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2844-61-0x0000000000A00000-0x0000000000A2C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2844-63-0x0000000000A00000-0x0000000000A2C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2844-64-0x0000000000A00000-0x0000000000A2C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2844-77-0x0000000000A00000-0x0000000000A2C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2844-76-0x0000000000A00000-0x0000000000A2C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2960-44-0x0000000002160000-0x000000000218C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2960-70-0x0000000002160000-0x000000000218C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2960-40-0x0000000002160000-0x000000000218C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4024-73-0x0000000002B90000-0x0000000002BBC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4024-72-0x00000000011A0000-0x00000000011A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4024-71-0x0000000002B90000-0x0000000002BBC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4024-74-0x0000000002B90000-0x0000000002BBC000-memory.dmp

    Filesize

    176KB

    Download