Overview

overview

10

Static

static

3

2c7bad4f4a...18.exe

windows7-x64

10

2c7bad4f4a...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    08-07-2024 13:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2c7bad4f4a4df3025aa1345db27c7408_JaffaCakes118.exe

  • Size

    227KB

  • MD5

    2c7bad4f4a4df3025aa1345db27c7408

  • SHA1

    93d7fe1ec1f49e1e18c052050e7ff5df4bff4b2c

  • SHA256

    b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb

  • SHA512

    c23e5d44ca6649d6bb1e227648a6256e9ab81ac4405e748c58bc01105244aa55c3baa592dffe300d4aaafec6663a8cd839e322fd2b3fc98aff117797b0b29d62

  • SSDEEP

    6144:zLkD+fqCNAl8aVuMULdQrdas2gQntcgMly5CjrjZZ6AnR6e:zYD+iCNAl/HULdQrRfQnegMlcCjeAnRv

Score
10/10
plugxtrojan

Malware Config

Signatures

  • Detects PlugX payload 18 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Modifies data under HKEY_USERS 14 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2c7bad4f4a4df3025aa1345db27c7408_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2c7bad4f4a4df3025aa1345db27c7408_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2552
    • C:\Users\Admin\AppData\Local\Temp\HID\SOUNDMAN.exe
      "C:\Users\Admin\AppData\Local\Temp\HID\SOUNDMAN.exe" 100 2552
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:2328
  • C:\ProgramData\SOUNDMAN\SOUNDMAN.exe
    C:\ProgramData\SOUNDMAN\SOUNDMAN.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2808
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      2⤵
      • Deletes itself
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\SysWOW64\msiexec.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:628

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\SxS\bug.log
    Filesize

    456B

    MD5

    db5f498364917a06b28e8e2fe24bb713

    SHA1

    51b82ba31317f63b760cb7c5d29c0b98f385d498

    SHA256

    2e27e0ff491d45b6784fc25ba7fbd2703128f953de4cf168e89c82406cd38f25

    SHA512

    4efc938c029c14c3105f75ffd5e9728218b9ae570b519504f5b5d496224200ef7784c6a0b7befbc3e1032817363241980148f3fcba057c49418e064551139d01

    Download Submit
  • C:\ProgramData\SxS\bug.log
    Filesize

    618B

    MD5

    9911a34b2b48e694d63a90bbe187d077

    SHA1

    90bcb440a72abf57aa01f7f8780f0435ea0514c3

    SHA256

    bb77e0da3ab35906223952d01837e9fdc3ecbcc3a944ee88ffc16a1002ab43c8

    SHA512

    0499fbb6c22013d51ff5911d678d4fa410b98c9632aed120e5de28abba338c4ce7d6b602ed3f1e54cb99e37482bb8f6b564d068fd33f83adeb5b0b81a9a38d38

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\HID\HID.DLL
    Filesize

    41KB

    MD5

    89fb8ee88cfd469e14bc7493d78b70c4

    SHA1

    0f431b38ef83728e71aa044b06da6e8f989cfbbd

    SHA256

    a8099c7b3748c3b1bff3cd477f3c29bba86ebb6797a08f89f3a661df820adf51

    SHA512

    2e0f4838d8edc15e11410f23557dd96cf56ec1e9ad649d50314a3715a66d2adbd7de2ecf19c722df2f9833eee5db15db5b3cfa894e9a3a7df8c0abad2725f1ca

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\HID\HID.DLLx
    Filesize

    116KB

    MD5

    bfebe419cf071d70389dd40f511c26b6

    SHA1

    6802ff3f728a0c84c55aea1993101261b84ca839

    SHA256

    58302863ae0df9afd3bd8e2746550bf87531d8729c45bb433ee216c66b953094

    SHA512

    1df5d20eff499150add83444474191527158cc6ab00c67b04ccdb113116689446a2a9bb45e26f99a7e6741093e2026e15dd6c390e962591287c450d2f09883ea

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\HID\SOUNDMAN.exe
    Filesize

    82KB

    MD5

    798c0c1ff4e0fce646ca82ae0379ccb0

    SHA1

    3f65f997f350a59ac67e432092cf7f5cfe94a701

    SHA256

    54d08331f511823755cbbac3aad698bbcdfcde71f47b827dcfc6ada89e753d80

    SHA512

    be7924f6179d774d0e4f91a6f044abbb12e9cbf1e19a49e115da5a2eeedbe4c0b29879cf41008d27d13fdb80963d846527d53721d94668719d1331bf1867de3e

    Download Submit
  • memory/628-79-0x0000000000070000-0x0000000000071000-memory.dmp
    Filesize

    4KB

    Download
  • memory/628-80-0x0000000000260000-0x000000000028E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/628-81-0x0000000000260000-0x000000000028E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/628-78-0x0000000000260000-0x000000000028E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/2328-49-0x0000000000340000-0x000000000036E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/2328-18-0x0000000000340000-0x000000000036E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/2328-16-0x0000000000405000-0x0000000000406000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2328-17-0x0000000000400000-0x0000000000415000-memory.dmp
    Filesize

    84KB

    Download
  • memory/2744-38-0x0000000000080000-0x0000000000081000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2744-64-0x0000000000170000-0x000000000019E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/2744-40-0x00000000000A0000-0x00000000000BB000-memory.dmp
    Filesize

    108KB

    Download
  • memory/2744-98-0x0000000000170000-0x000000000019E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/2744-52-0x0000000000170000-0x000000000019E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/2744-63-0x0000000000170000-0x000000000019E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/2744-62-0x0000000000020000-0x0000000000021000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2744-68-0x0000000000170000-0x000000000019E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/2744-65-0x0000000000170000-0x000000000019E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/2744-41-0x00000000000C0000-0x00000000000C2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2744-69-0x0000000000170000-0x000000000019E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/2744-88-0x0000000000170000-0x000000000019E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/2744-84-0x0000000000170000-0x000000000019E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/2744-43-0x0000000000170000-0x000000000019E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/2744-42-0x0000000000080000-0x0000000000081000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2744-83-0x0000000000170000-0x000000000019E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/2808-45-0x00000000002A0000-0x00000000002CE000-memory.dmp
    Filesize

    184KB

    Download
  • memory/2808-37-0x0000000000400000-0x0000000000415000-memory.dmp
    Filesize

    84KB

    Download
  • memory/2808-36-0x00000000002A0000-0x00000000002CE000-memory.dmp
    Filesize

    184KB

    Download