Analysis

  • max time kernel
    16s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    25-08-2024 05:20

General

  • Target

    c0080d0f0cb610c86eb8c5b08702c32f_JaffaCakes118.exe

  • Size

    248KB

  • MD5

    c0080d0f0cb610c86eb8c5b08702c32f

  • SHA1

    307864f4256f0cba0af4968d25fd6f3f4421ee54

  • SHA256

    e6940c142f3bed04eb532e78516da195b35f9fdd77b465a979b96a74c738da0b

  • SHA512

    350330bd3c0406afcdc69f47568771908079573b6a9749877bdf0044a0315f48b02c9257f6ac2ffd4924409bd80b23845cf92b452d4812b68c0542e2ce6985db

  • SSDEEP

    3072:lbd9rtYZ3XlRe4yw5n9L2Ukt6ae8nnifkkPEJJclT6mbkqFzLQwwbJEpnNJ8zzia:lbg3uc5nx+LnnSc/+xLMJWropP

Score
10/10

Malware Config

Signatures

  • Detects PlugX payload 4 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c0080d0f0cb610c86eb8c5b08702c32f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c0080d0f0cb610c86eb8c5b08702c32f_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:712
  • C:\ProgramData\Gf\NvSmart.exe
    "C:\ProgramData\Gf\NvSmart.exe" 100 712
    1⤵
    • Deletes itself
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:3024

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Gf\NvSmart.exe

    Filesize

    46KB

    MD5

    09b8b54f78a10c435cd319070aa13c28

    SHA1

    6474d0369f97e72e01e4971128d1062f5c2b3656

    SHA256

    523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

    SHA512

    c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

  • C:\ProgramData\Gf\NvSmartMax.dll

    Filesize

    5KB

    MD5

    b97483b385bf30305d5377f6c19af3f2

    SHA1

    c3a10feecf9ddad0d31d3d7b1b688fbfedc43057

    SHA256

    5942f9befba6d295b9c63bdf9b3584fe52b01143557a8283c578329ab9a90818

    SHA512

    2d10d0aa3b723baa0b08bd98d393fbe1346f9599a55fc4c8402ed08091d95a617f128b52a2fa68dcdc800ee0887f386e86afa19f0ded99e75f6a59fc341efe4f

  • C:\ProgramData\Gf\boot.ldr

    Filesize

    155KB

    MD5

    2722e434cf8fac74056649e5bb273ac2

    SHA1

    780d8a6d22691b48647835db1dcde7221e486696

    SHA256

    4c7b54753f609de05a715ba0a9a364f83277c72d2822c46fd25645055cb2c388

    SHA512

    69779da63dc72ca996293c8a9738aa2c6ab3f3db4fc9fd8defcc38e5b2463eb8447e658c1ee828cace30ee8515480c0811384686e78aba173996fb216676b1f5

  • memory/712-0-0x0000000000280000-0x00000000002A7000-memory.dmp

    Filesize

    156KB

  • memory/712-1-0x0000000001E90000-0x0000000001EC8000-memory.dmp

    Filesize

    224KB

  • memory/712-18-0x0000000001E90000-0x0000000001EC8000-memory.dmp

    Filesize

    224KB

  • memory/3024-16-0x0000000000410000-0x0000000000510000-memory.dmp

    Filesize

    1024KB

  • memory/3024-17-0x0000000001C80000-0x0000000001CB8000-memory.dmp

    Filesize

    224KB

  • memory/3024-19-0x0000000001C80000-0x0000000001CB8000-memory.dmp

    Filesize

    224KB