Overview

overview

10

Static

static

3

01468a69ca...18.exe

windows7-x64

10

01468a69ca...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-06-2024 04:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe

  • Size

    2.0MB

  • MD5

    01468a69ca8676b51a357676e0856c88

  • SHA1

    4413a7f864255767a6d84c3e8362b9873a7e224b

  • SHA256

    fcccc611730474775ff1cfd4c60481deef586f01191348b07d7a143d174a07b0

  • SHA512

    d0d516c96c14e4ec5dded82e80f82a3ff6b2f8c2aae63b8f0e8667aea6e07e52e8dcf2ee7939304ef2303b07a4b8ca6e6c64f985a508d57aad79440d479d68b8

  • SSDEEP

    49152:Na175O/mZxrkaH1EN5/yxnxEil7F8vSZBWwj186KQGwi38KQrF+FO7p1FzohbJqE:uO/mZxbHW7yxnxECF8vSZBW+Pbi38KQU

Score
10/10
plugxtrojan

Malware Config

Signatures

  • Detects PlugX payload 15 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5100
    • C:\Users\Admin\AppData\Local\Temp\rudiment.exe
      C:\Users\Admin\AppData\Local\Temp\rudiment.exe
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3540
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3188
        • C:\Windows\SysWOW64\msiexec.exe
          C:\Windows\SysWOW64\msiexec.exe
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:2304
  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3372

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\TCD9522.tmp\iso690.xsl
    Filesize

    263KB

    MD5

    ff0e07eff1333cdf9fc2523d323dd654

    SHA1

    77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

    SHA256

    3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

    SHA512

    b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\psychiatry.dat
    Filesize

    116KB

    MD5

    654c5fe3e9e5134f69a683ba17d21512

    SHA1

    8a5fe839f2ff04369928a64745d0d975c72937a2

    SHA256

    5080d2c9a0a5bd2de0a00386dae99fa63a3ebc18299cc01114b4966c16eaae7e

    SHA512

    e881bd59267b8947235fafafad3229967db02b92aa92c12eb3acf34cf82932abac24ff709a46e8b8d2ae823a25cf32b3811b955ea5259d4b4c69a7781f9b4e66

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\rudiment.exe
    Filesize

    47KB

    MD5

    b5bdaba69689e8be57ce78bb6845e4f0

    SHA1

    573c35ab1f243d6806dedbdd7e3265bc5cbd5b9a

    SHA256

    1e712adae2a543bf2fbf41691416b350c3a90561ab5f6590e520f833a9a587ad

    SHA512

    e79aaa4ac9b79ce7008155fddafc1bee58aae67d4ab6a0308702a9d47c29e83583c6786f2fa0c3812e50ef6eea1de981f5108ca752837b5edb8041236ff3c6c5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vsodscpl.DLL
    Filesize

    112KB

    MD5

    c6110df133b583488587974c5485bfbe

    SHA1

    25882d89fe1c65893e3a328e3676da614e261509

    SHA256

    6dba4f30583ce37d537ed06623de941ba5de22197504664ff1fad89f8a372520

    SHA512

    9b2ebb8172ef93d667848136e0a67cee6a3c6cfb2e66533b98acc2ae4cad38388e422c8d5c616a5a4f9f05325e228c9623d4f16db59f8e4a287c068f91bdb38a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    Download Submit

  • memory/2304-67-0x0000000001010000-0x0000000001011000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2304-66-0x0000000001220000-0x000000000124E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2304-69-0x0000000001220000-0x000000000124E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2304-68-0x0000000001220000-0x000000000124E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3188-552-0x00000000017A0000-0x00000000017CE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3188-299-0x00000000017A0000-0x00000000017CE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3188-41-0x00000000017A0000-0x00000000017CE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3188-54-0x00000000017A0000-0x00000000017CE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3188-55-0x00000000017A0000-0x00000000017CE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3188-574-0x00000000017A0000-0x00000000017CE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3188-575-0x00000000017A0000-0x00000000017CE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3188-40-0x00000000017A0000-0x00000000017CE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3188-53-0x00000000017A0000-0x00000000017CE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3188-51-0x0000000001790000-0x0000000001791000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3188-52-0x00000000017A0000-0x00000000017CE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3372-17-0x00007FF9C02D0000-0x00007FF9C04C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3372-20-0x00007FF9C02D0000-0x00007FF9C04C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3372-7-0x00007FF980350000-0x00007FF980360000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3372-8-0x00007FF980350000-0x00007FF980360000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3372-10-0x00007FF9C036D000-0x00007FF9C036E000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3372-15-0x00007FF9C02D0000-0x00007FF9C04C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3372-12-0x00007FF9C02D0000-0x00007FF9C04C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3372-9-0x00007FF980350000-0x00007FF980360000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3372-19-0x00007FF9C02D0000-0x00007FF9C04C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3372-23-0x00007FF9C02D0000-0x00007FF9C04C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3372-22-0x00007FF9C02D0000-0x00007FF9C04C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3372-11-0x00007FF9C02D0000-0x00007FF9C04C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3372-21-0x00007FF9C02D0000-0x00007FF9C04C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3372-5-0x00007FF980350000-0x00007FF980360000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3372-6-0x00007FF980350000-0x00007FF980360000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3372-18-0x00007FF97DFF0000-0x00007FF97E000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3372-16-0x00007FF97DFF0000-0x00007FF97E000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3372-14-0x00007FF9C02D0000-0x00007FF9C04C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3372-70-0x000002744E5B0000-0x000002744E5DC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/3372-13-0x00007FF9C02D0000-0x00007FF9C04C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3372-554-0x00007FF9C02D0000-0x00007FF9C04C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3540-56-0x00000000026D0000-0x00000000026FE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3540-39-0x00000000026D0000-0x00000000026FE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/5100-1-0x00000000004A0000-0x00000000006A3000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5100-0-0x00000000004A0000-0x00000000006A3000-memory.dmp

    Filesize

    2.0MB

    Download