plugx | fcccc611730474775ff1cfd4c60481deef586f01191348b07d7a143d174a07b0

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
22/06/2024, 04:33 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe
Size

2.0MB
MD5

01468a69ca8676b51a357676e0856c88
SHA1

4413a7f864255767a6d84c3e8362b9873a7e224b
SHA256

fcccc611730474775ff1cfd4c60481deef586f01191348b07d7a143d174a07b0
SHA512

d0d516c96c14e4ec5dded82e80f82a3ff6b2f8c2aae63b8f0e8667aea6e07e52e8dcf2ee7939304ef2303b07a4b8ca6e6c64f985a508d57aad79440d479d68b8
SSDEEP

49152:Na175O/mZxrkaH1EN5/yxnxEil7F8vSZBWwj186KQGwi38KQrF+FO7p1FzohbJqE:uO/mZxbHW7yxnxECF8vSZBW+Pbi38KQU

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 17 IoCs

resource	yara_rule
behavioral1/memory/2828-20-0x00000000003A0000-0x00000000003CE000-memory.dmp	family_plugx
behavioral1/memory/2556-31-0x0000000000200000-0x000000000022E000-memory.dmp	family_plugx
behavioral1/memory/2556-32-0x0000000000200000-0x000000000022E000-memory.dmp	family_plugx
behavioral1/memory/2556-47-0x0000000000200000-0x000000000022E000-memory.dmp	family_plugx
behavioral1/memory/2556-46-0x0000000000200000-0x000000000022E000-memory.dmp	family_plugx
behavioral1/memory/2556-44-0x0000000000200000-0x000000000022E000-memory.dmp	family_plugx
behavioral1/memory/2828-34-0x00000000003A0000-0x00000000003CE000-memory.dmp	family_plugx
behavioral1/memory/2556-45-0x0000000000200000-0x000000000022E000-memory.dmp	family_plugx
behavioral1/memory/2556-48-0x0000000000200000-0x000000000022E000-memory.dmp	family_plugx
behavioral1/memory/2556-58-0x0000000000200000-0x000000000022E000-memory.dmp	family_plugx
behavioral1/memory/2496-64-0x0000000000780000-0x00000000007AE000-memory.dmp	family_plugx
behavioral1/memory/2496-66-0x0000000000780000-0x00000000007AE000-memory.dmp	family_plugx
behavioral1/memory/2496-67-0x0000000000780000-0x00000000007AE000-memory.dmp	family_plugx
behavioral1/memory/2556-69-0x0000000000200000-0x000000000022E000-memory.dmp	family_plugx
behavioral1/memory/2556-76-0x0000000000200000-0x000000000022E000-memory.dmp	family_plugx
behavioral1/memory/2556-85-0x0000000000200000-0x000000000022E000-memory.dmp	family_plugx
behavioral1/memory/2556-86-0x0000000000200000-0x000000000022E000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\meekness.lnk	rudiment.exe

Executes dropped EXE 1 IoCs

pid	Process
2828	rudiment.exe

Loads dropped DLL 3 IoCs

pid	Process
2208	01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe
2828	rudiment.exe
2828	rudiment.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\MJ\CLSID = 38004600390037003900380034004600390039003000440039003100360035000000	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1732	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2208	01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2496	msiexec.exe
2496	msiexec.exe
2496	msiexec.exe
2496	msiexec.exe
2496	msiexec.exe
2496	msiexec.exe
2496	msiexec.exe
2496	msiexec.exe
2496	msiexec.exe
2496	msiexec.exe
2556	svchost.exe
2556	svchost.exe
2496	msiexec.exe
2496	msiexec.exe
2496	msiexec.exe
2496	msiexec.exe
2496	msiexec.exe
2496	msiexec.exe
2496	msiexec.exe
2496	msiexec.exe
2556	svchost.exe
2556	svchost.exe
2496	msiexec.exe
2496	msiexec.exe
2556	svchost.exe
2556	svchost.exe
2496	msiexec.exe
2496	msiexec.exe
2496	msiexec.exe
2496	msiexec.exe
2496	msiexec.exe
2496	msiexec.exe
2496	msiexec.exe
2496	msiexec.exe
2496	msiexec.exe
2496	msiexec.exe
2556	svchost.exe
2556	svchost.exe
2496	msiexec.exe
2496	msiexec.exe
2496	msiexec.exe
2496	msiexec.exe
2496	msiexec.exe
2496	msiexec.exe
2496	msiexec.exe
2496	msiexec.exe
2496	msiexec.exe
2496	msiexec.exe
2556	svchost.exe
2556	svchost.exe
2496	msiexec.exe
2496	msiexec.exe
2556	svchost.exe
2556	svchost.exe
2496	msiexec.exe
2496	msiexec.exe
2496	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2556	svchost.exe
2496	msiexec.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2828	rudiment.exe
Token: SeTcbPrivilege	2828	rudiment.exe
Token: SeDebugPrivilege	2556	svchost.exe
Token: SeTcbPrivilege	2556	svchost.exe
Token: SeDebugPrivilege	2496	msiexec.exe
Token: SeTcbPrivilege	2496	msiexec.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2208	01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe
2208	01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe
1732	WINWORD.EXE
1732	WINWORD.EXE

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2828	2208	01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe	29
PID 2208 wrote to memory of 2828	2208	01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe	29
PID 2208 wrote to memory of 2828	2208	01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe	29
PID 2208 wrote to memory of 2828	2208	01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe	29
PID 2828 wrote to memory of 2556	2828	rudiment.exe	30
PID 2828 wrote to memory of 2556	2828	rudiment.exe	30
PID 2828 wrote to memory of 2556	2828	rudiment.exe	30
PID 2828 wrote to memory of 2556	2828	rudiment.exe	30
PID 2828 wrote to memory of 2556	2828	rudiment.exe	30
PID 2828 wrote to memory of 2556	2828	rudiment.exe	30
PID 2828 wrote to memory of 2556	2828	rudiment.exe	30
PID 2828 wrote to memory of 2556	2828	rudiment.exe	30
PID 2828 wrote to memory of 2556	2828	rudiment.exe	30
PID 2556 wrote to memory of 2496	2556	svchost.exe	34
PID 2556 wrote to memory of 2496	2556	svchost.exe	34
PID 2556 wrote to memory of 2496	2556	svchost.exe	34
PID 2556 wrote to memory of 2496	2556	svchost.exe	34
PID 2556 wrote to memory of 2496	2556	svchost.exe	34
PID 2556 wrote to memory of 2496	2556	svchost.exe	34
PID 2556 wrote to memory of 2496	2556	svchost.exe	34
PID 2556 wrote to memory of 2496	2556	svchost.exe	34
PID 2556 wrote to memory of 2496	2556	svchost.exe	34
PID 2556 wrote to memory of 2496	2556	svchost.exe	34
PID 2556 wrote to memory of 2496	2556	svchost.exe	34
PID 2556 wrote to memory of 2496	2556	svchost.exe	34
PID 1732 wrote to memory of 2736	1732	WINWORD.EXE	35
PID 1732 wrote to memory of 2736	1732	WINWORD.EXE	35
PID 1732 wrote to memory of 2736	1732	WINWORD.EXE	35
PID 1732 wrote to memory of 2736	1732	WINWORD.EXE	35

C:\Users\Admin\AppData\Local\Temp\01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\rudiment.exe
  C:\Users\Admin\AppData\Local\Temp\rudiment.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\SysWOW64\msiexec.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:2496

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2736

Network

DNS

nttdata.otzo.com

svchost.exe

Remote address:

8.8.8.8:53

Request

nttdata.otzo.com

IN A

Response

nttdata.otzo.com

IN A

127.0.0.1
DNS

nttdata.otzo.com

svchost.exe

Remote address:

8.8.8.8:53

Request

nttdata.otzo.com

IN A

Response

nttdata.otzo.com

IN A

127.0.0.1
DNS

nttdata.otzo.com

svchost.exe

Remote address:

8.8.8.8:53

Request

nttdata.otzo.com

IN A

Response

nttdata.otzo.com

IN A

127.0.0.1
DNS

nttdata.otzo.com

svchost.exe

Remote address:

8.8.8.8:53

Request

nttdata.otzo.com

IN A

Response

nttdata.otzo.com

IN A

127.0.0.1
DNS

nttdata.otzo.com

svchost.exe

Remote address:

8.8.8.8:53

Request

nttdata.otzo.com

IN A

Response

nttdata.otzo.com

IN A

127.0.0.1
DNS

nttdata.otzo.com

svchost.exe

Remote address:

8.8.8.8:53

Request

nttdata.otzo.com

IN A

Response

nttdata.otzo.com

IN A

127.0.0.1
DNS

nttdata.otzo.com

svchost.exe

Remote address:

8.8.8.8:53

Request

nttdata.otzo.com

IN A

Response

nttdata.otzo.com

IN A

127.0.0.1

127.0.0.1:443

svchost.exe
127.0.0.1:443

svchost.exe
127.0.0.1:53

svchost.exe
127.0.0.1:53

svchost.exe
127.0.0.1:80

svchost.exe
127.0.0.1:80

svchost.exe
127.0.0.1:443

svchost.exe
127.0.0.1:443

svchost.exe
127.0.0.1:443

svchost.exe
127.0.0.1:443

svchost.exe
127.0.0.1:53

svchost.exe
127.0.0.1:53

svchost.exe
127.0.0.1:80

svchost.exe
127.0.0.1:80

svchost.exe
127.0.0.1:443

svchost.exe
127.0.0.1:443

svchost.exe
127.0.0.1:443

svchost.exe
127.0.0.1:443

svchost.exe
127.0.0.1:53

svchost.exe
127.0.0.1:53

svchost.exe
127.0.0.1:80

svchost.exe
127.0.0.1:80

svchost.exe
127.0.0.1:443

svchost.exe
127.0.0.1:443

svchost.exe
127.0.0.1:443

svchost.exe
127.0.0.1:443

svchost.exe

8.8.8.8:53

nttdata.otzo.com

dns

svchost.exe

62 B
78 B
1
1

DNS Request

nttdata.otzo.com

DNS Response

127.0.0.1
8.8.8.8:53

nttdata.otzo.com

dns

svchost.exe

62 B
78 B
1
1

DNS Request

nttdata.otzo.com

DNS Response

127.0.0.1
8.8.8.8:53

nttdata.otzo.com

dns

svchost.exe

62 B
78 B
1
1

DNS Request

nttdata.otzo.com

DNS Response

127.0.0.1
8.8.8.8:53

nttdata.otzo.com

dns

svchost.exe

62 B
78 B
1
1

DNS Request

nttdata.otzo.com

DNS Response

127.0.0.1
8.8.8.8:53

nttdata.otzo.com

dns

svchost.exe

62 B
78 B
1
1

DNS Request

nttdata.otzo.com

DNS Response

127.0.0.1
8.8.8.8:53

nttdata.otzo.com

dns

svchost.exe

62 B
78 B
1
1

DNS Request

nttdata.otzo.com

DNS Response

127.0.0.1
8.8.8.8:53

nttdata.otzo.com

dns

svchost.exe

62 B
78 B
1
1

DNS Request

nttdata.otzo.com

DNS Response

127.0.0.1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\psychiatry.dat

Filesize
116KB

MD5
09a4e70560c2b595932a4582fd84bbf8

SHA1
8719221b5159fd47ce655fc01ec2d688ac750fb9

SHA256
ba5c35f51b5ebcb41dec480451c58cfa35fb86d465dc942cb55b0b16174c0772

SHA512
89ca096cdd1146fb317326bd9c4a9dee50b2d8bd187799073ca10e539d62b384bfaa7fb5f918c05c9347c4d9d3a8d86a4229c0c4261ca3ac0c9affb257d91b9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rudiment.exe

Filesize
47KB

MD5
b5bdaba69689e8be57ce78bb6845e4f0

SHA1
573c35ab1f243d6806dedbdd7e3265bc5cbd5b9a

SHA256
1e712adae2a543bf2fbf41691416b350c3a90561ab5f6590e520f833a9a587ad

SHA512
e79aaa4ac9b79ce7008155fddafc1bee58aae67d4ab6a0308702a9d47c29e83583c6786f2fa0c3812e50ef6eea1de981f5108ca752837b5edb8041236ff3c6c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\vsodscpl.dll

Filesize
112KB

MD5
8e1e29319401aa9e83be7a298b35743e

SHA1
c82d8a9dd5f00559f8a6a12bd5444c105fc81744

SHA256
42c10c024b48b59ab485cfd570875b4e88af72847acc85f5aaaa83bc8437d431

SHA512
1804d936cdb5ba8d3d62815ce0d2396e4bf8f53d004771adabacd63a6728a8ff8058215d420c28c702f406b352522ee35c7e8cc832b994dd1cb710a1a1090751

Download Submit
memory/1732-6-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1732-7-0x00000000717FD000-0x0000000071808000-memory.dmp

Filesize
44KB

Download
memory/1732-5-0x000000002FA81000-0x000000002FA82000-memory.dmp

Filesize
4KB

Download
memory/1732-71-0x00000000717FD000-0x0000000071808000-memory.dmp

Filesize
44KB

Download
memory/2208-0-0x0000000000C90000-0x0000000000E93000-memory.dmp

Filesize
2.0MB

Download
memory/2208-1-0x0000000000C90000-0x0000000000E93000-memory.dmp

Filesize
2.0MB

Download
memory/2496-65-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2496-67-0x0000000000780000-0x00000000007AE000-memory.dmp

Filesize
184KB

Download
memory/2496-66-0x0000000000780000-0x00000000007AE000-memory.dmp

Filesize
184KB

Download
memory/2496-64-0x0000000000780000-0x00000000007AE000-memory.dmp

Filesize
184KB

Download
memory/2556-46-0x0000000000200000-0x000000000022E000-memory.dmp

Filesize
184KB

Download
memory/2556-48-0x0000000000200000-0x000000000022E000-memory.dmp

Filesize
184KB

Download
memory/2556-32-0x0000000000200000-0x000000000022E000-memory.dmp

Filesize
184KB

Download
memory/2556-44-0x0000000000200000-0x000000000022E000-memory.dmp

Filesize
184KB

Download
memory/2556-43-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2556-47-0x0000000000200000-0x000000000022E000-memory.dmp

Filesize
184KB

Download
memory/2556-45-0x0000000000200000-0x000000000022E000-memory.dmp

Filesize
184KB

Download
memory/2556-76-0x0000000000200000-0x000000000022E000-memory.dmp

Filesize
184KB

Download
memory/2556-31-0x0000000000200000-0x000000000022E000-memory.dmp

Filesize
184KB

Download
memory/2556-58-0x0000000000200000-0x000000000022E000-memory.dmp

Filesize
184KB

Download
memory/2556-22-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2556-25-0x00000000000A0000-0x00000000000BB000-memory.dmp

Filesize
108KB

Download
memory/2556-26-0x00000000000C0000-0x00000000000C2000-memory.dmp

Filesize
8KB

Download
memory/2556-86-0x0000000000200000-0x000000000022E000-memory.dmp

Filesize
184KB

Download
memory/2556-69-0x0000000000200000-0x000000000022E000-memory.dmp

Filesize
184KB

Download
memory/2556-85-0x0000000000200000-0x000000000022E000-memory.dmp

Filesize
184KB

Download
memory/2828-34-0x00000000003A0000-0x00000000003CE000-memory.dmp

Filesize
184KB

Download
memory/2828-20-0x00000000003A0000-0x00000000003CE000-memory.dmp

Filesize
184KB

Download
memory/2828-21-0x0000000001DE0000-0x0000000001EE0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.