plugx | e6940c142f3bed04eb532e78516da195b35f9fdd77b465a979b96a74c738da0b

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
25-08-2024 05:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0080d0f0cb610c86eb8c5b08702c32f_JaffaCakes118.exe
Size

248KB
MD5

c0080d0f0cb610c86eb8c5b08702c32f
SHA1

307864f4256f0cba0af4968d25fd6f3f4421ee54
SHA256

e6940c142f3bed04eb532e78516da195b35f9fdd77b465a979b96a74c738da0b
SHA512

350330bd3c0406afcdc69f47568771908079573b6a9749877bdf0044a0315f48b02c9257f6ac2ffd4924409bd80b23845cf92b452d4812b68c0542e2ce6985db
SSDEEP

3072:lbd9rtYZ3XlRe4yw5n9L2Ukt6ae8nnifkkPEJJclT6mbkqFzLQwwbJEpnNJ8zzia:lbg3uc5nx+LnnSc/+xLMJWropP

Score

10^/10

plugx discovery trojan

Malware Config

Signatures

Detects PlugX payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/712-1-0x0000000001E90000-0x0000000001EC8000-memory.dmp	family_plugx
behavioral1/memory/3024-17-0x0000000001C80000-0x0000000001CB8000-memory.dmp	family_plugx
behavioral1/memory/712-18-0x0000000001E90000-0x0000000001EC8000-memory.dmp	family_plugx
behavioral1/memory/3024-19-0x0000000001C80000-0x0000000001CB8000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Deletes itself 1 IoCs

Processes:

NvSmart.exe

pid process

3024 NvSmart.exe
Executes dropped EXE 1 IoCs

Processes:

NvSmart.exe

pid process

3024 NvSmart.exe
Loads dropped DLL 1 IoCs

Processes:

NvSmart.exe

pid process

3024 NvSmart.exe

pid	process
3024	NvSmart.exe

pid	process
3024	NvSmart.exe

pid	process
3024	NvSmart.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

NvSmart.exec0080d0f0cb610c86eb8c5b08702c32f_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NvSmart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0080d0f0cb610c86eb8c5b08702c32f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

c0080d0f0cb610c86eb8c5b08702c32f_JaffaCakes118.exeNvSmart.exe

description	pid	process
Token: SeDebugPrivilege	712	c0080d0f0cb610c86eb8c5b08702c32f_JaffaCakes118.exe
Token: SeTcbPrivilege	712	c0080d0f0cb610c86eb8c5b08702c32f_JaffaCakes118.exe
Token: SeDebugPrivilege	3024	NvSmart.exe
Token: SeTcbPrivilege	3024	NvSmart.exe

C:\Users\Admin\AppData\Local\Temp\c0080d0f0cb610c86eb8c5b08702c32f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c0080d0f0cb610c86eb8c5b08702c32f_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:712

C:\ProgramData\Gf\NvSmart.exe
"C:\ProgramData\Gf\NvSmart.exe" 100 712
1⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3024

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Gf\NvSmart.exe
Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\ProgramData\Gf\NvSmartMax.dll
Filesize
5KB

MD5
b97483b385bf30305d5377f6c19af3f2

SHA1
c3a10feecf9ddad0d31d3d7b1b688fbfedc43057

SHA256
5942f9befba6d295b9c63bdf9b3584fe52b01143557a8283c578329ab9a90818

SHA512
2d10d0aa3b723baa0b08bd98d393fbe1346f9599a55fc4c8402ed08091d95a617f128b52a2fa68dcdc800ee0887f386e86afa19f0ded99e75f6a59fc341efe4f

Download Submit
C:\ProgramData\Gf\boot.ldr
Filesize
155KB

MD5
2722e434cf8fac74056649e5bb273ac2

SHA1
780d8a6d22691b48647835db1dcde7221e486696

SHA256
4c7b54753f609de05a715ba0a9a364f83277c72d2822c46fd25645055cb2c388

SHA512
69779da63dc72ca996293c8a9738aa2c6ab3f3db4fc9fd8defcc38e5b2463eb8447e658c1ee828cace30ee8515480c0811384686e78aba173996fb216676b1f5

Download Submit
memory/712-0-0x0000000000280000-0x00000000002A7000-memory.dmp

Filesize
156KB

Download
memory/712-1-0x0000000001E90000-0x0000000001EC8000-memory.dmp

Filesize
224KB

Download
memory/712-18-0x0000000001E90000-0x0000000001EC8000-memory.dmp

Filesize
224KB

Download
memory/3024-16-0x0000000000410000-0x0000000000510000-memory.dmp

Filesize
1024KB

Download
memory/3024-17-0x0000000001C80000-0x0000000001CB8000-memory.dmp

Filesize
224KB

Download
memory/3024-19-0x0000000001C80000-0x0000000001CB8000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads