Overview

overview

10

Static

static

3

0f6b00b0c5...18.exe

windows7-x64

10

0f6b00b0c5...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-06-2024 20:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0f6b00b0c5a26a5aa8942ae356329945_JaffaCakes118.exe

  • Size

    2.0MB

  • MD5

    0f6b00b0c5a26a5aa8942ae356329945

  • SHA1

    1f412a62f50ff71f0b2b2f54aaa980962ebfd8a4

  • SHA256

    6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3

  • SHA512

    e8c6ff3952b6b1066d113ce8b1e76ed20ec8eb5511045f374706fa2a44cf7b6d096e56a01e2318b872de4a5530872132053f13836d8ff4ffa75396a1ee4b34d9

  • SSDEEP

    49152:Na175O/mZxrkaH1EN5/yxnxEil7F8vSZBWwj186KQGwi38KQrF+FO7p1FzohbJq:uO/mZxbHW7yxnxECF8vSZBW+Pbi38KQs

Score
10/10
plugxtrojan

Malware Config

Signatures

  • Detects PlugX payload 14 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0f6b00b0c5a26a5aa8942ae356329945_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0f6b00b0c5a26a5aa8942ae356329945_JaffaCakes118.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4532
    • C:\Users\Admin\AppData\Local\Temp\rudiment.exe
      C:\Users\Admin\AppData\Local\Temp\rudiment.exe
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2568
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4692
        • C:\Windows\SysWOW64\msiexec.exe
          C:\Windows\SysWOW64\msiexec.exe
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:1928
  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4640

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\psychiatry.dat
    Filesize

    116KB

    MD5

    553d8c46167760c355a5b78be01fc9cb

    SHA1

    0310fde0e9ca8689ce50e8f289bc4705b8b2f2a0

    SHA256

    e3f41c94178ea5accdf0df7085e521a0e37f00c3e8a3592703ea437c845ff107

    SHA512

    530f255afb05d41dbe35117fa723662f1378ed94c3c1f2bebb60631abe8be92046452ebcdf0371812daefa27c9036d521cc513804e2c299c7f7936eabeb1cb6c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\rudiment.exe
    Filesize

    47KB

    MD5

    b5bdaba69689e8be57ce78bb6845e4f0

    SHA1

    573c35ab1f243d6806dedbdd7e3265bc5cbd5b9a

    SHA256

    1e712adae2a543bf2fbf41691416b350c3a90561ab5f6590e520f833a9a587ad

    SHA512

    e79aaa4ac9b79ce7008155fddafc1bee58aae67d4ab6a0308702a9d47c29e83583c6786f2fa0c3812e50ef6eea1de981f5108ca752837b5edb8041236ff3c6c5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vsodscpl.DLL
    Filesize

    112KB

    MD5

    f4088f557d6fd4b5f745cbc2295c68e7

    SHA1

    de858db1019668e7f55a0f0bee48bea1d93c1701

    SHA256

    8c9f78462bf05c2ac3b5af2ad01ae764d921cf1ab7baa82763f9f7d636903a26

    SHA512

    f79e1d1bab24c4fa3622c8f11ced0f599af2783dddcfb7304d30ec72ddd82123c2bdee6d64251d50a5aa9dcc7619e7ce1097f5e26cac5869eb9c4df0a7e647f8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851227[[fn=sist02]].xsl
    Filesize

    245KB

    MD5

    f883b260a8d67082ea895c14bf56dd56

    SHA1

    7954565c1f243d46ad3b1e2f1baf3281451fc14b

    SHA256

    ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

    SHA512

    d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    Download Submit

  • memory/1928-70-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1928-69-0x0000000001430000-0x000000000145E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1928-71-0x0000000001430000-0x000000000145E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1928-72-0x0000000001430000-0x000000000145E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2568-59-0x0000000003550000-0x000000000357E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2568-42-0x0000000003550000-0x000000000357E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4532-0-0x0000000000ED0000-0x00000000010D3000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4532-1-0x0000000000ED0000-0x00000000010D3000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4640-26-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4640-10-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4640-18-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4640-20-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4640-19-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4640-21-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4640-22-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4640-23-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4640-24-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4640-16-0x00007FFBD3FE0000-0x00007FFBD3FF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4640-25-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4640-15-0x00007FFBD3FE0000-0x00007FFBD3FF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4640-13-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4640-14-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4640-12-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4640-555-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4640-11-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4640-7-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4640-9-0x00007FFC162CD000-0x00007FFC162CE000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4640-17-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4640-6-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4640-8-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4640-5-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4692-47-0x00000000012F0000-0x000000000131E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4692-57-0x0000000000C60000-0x0000000000C61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4692-58-0x00000000012F0000-0x000000000131E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4692-61-0x00000000012F0000-0x000000000131E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4692-208-0x00000000012F0000-0x000000000131E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4692-60-0x00000000012F0000-0x000000000131E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4692-554-0x00000000012F0000-0x000000000131E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4692-46-0x00000000012F0000-0x000000000131E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4692-565-0x00000000012F0000-0x000000000131E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4692-566-0x00000000012F0000-0x000000000131E000-memory.dmp

    Filesize

    184KB

    Download