Analysis

max time kernel: 16s
max time network: 17s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 25-08-2024 05:20

Static task: static1
Behavioral task: behavioral1
Sample: c0080d0f0cb610c86eb8c5b08702c32f_JaffaCakes118.exe
Resource: win7-20240705-en
General

Target: c0080d0f0cb610c86eb8c5b08702c32f_JaffaCakes118.exe
Size: 248KB
MD5: c0080d0f0cb610c86eb8c5b08702c32f
SHA1: 307864f4256f0cba0af4968d25fd6f3f4421ee54
SHA256: e6940c142f3bed04eb532e78516da195b35f9fdd77b465a979b96a74c738da0b
SHA512: 350330bd3c0406afcdc69f47568771908079573b6a9749877bdf0044a0315f48b02c9257f6ac2ffd4924409bd80b23845cf92b452d4812b68c0542e2ce6985db
SSDEEP: 3072:lbd9rtYZ3XlRe4yw5n9L2Ukt6ae8nnifkkPEJJclT6mbkqFzLQwwbJEpnNJ8zzia:lbg3uc5nx+LnnSc/+xLMJWropP
Malware Config
Signatures

Detects PlugX payload (4 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/712-1-0x0000000001E90000-0x0000000001EC8000-memory.dmp      family_plugx
  behavioral1/memory/3024-17-0x0000000001C80000-0x0000000001CB8000-memory.dmp    family_plugx
  behavioral1/memory/712-18-0x0000000001E90000-0x0000000001EC8000-memory.dmp     family_plugx
  behavioral1/memory/3024-19-0x0000000001C80000-0x0000000001CB8000-memory.dmp    family_plugx
  Note: the flagged region is the same size (0x38000 bytes) in both the original process (PID 712) and the dropped NvSmart.exe (PID 3024), i.e. the same unpacked PlugX payload is resident in each.

Deletes itself (1 IoC)
  pid    Process
  3024   NvSmart.exe

Executes dropped EXE (1 IoC)
  pid    Process
  3024   NvSmart.exe

Loads dropped DLL (1 IoC)
  pid    Process
  3024   NvSmart.exe

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                            Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    NvSmart.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    c0080d0f0cb610c86eb8c5b08702c32f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description               pid    Process
  Token: SeDebugPrivilege   712    c0080d0f0cb610c86eb8c5b08702c32f_JaffaCakes118.exe
  Token: SeTcbPrivilege     712    c0080d0f0cb610c86eb8c5b08702c32f_JaffaCakes118.exe
  Token: SeDebugPrivilege   3024   NvSmart.exe
  Token: SeTcbPrivilege     3024   NvSmart.exe
Processes

C:\Users\Admin\AppData\Local\Temp\c0080d0f0cb610c86eb8c5b08702c32f_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c0080d0f0cb610c86eb8c5b08702c32f_JaffaCakes118.exe"
  PID: 712
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken

C:\ProgramData\Gf\NvSmart.exe
  Command line: "C:\ProgramData\Gf\NvSmart.exe" 100 712
  PID: 3024
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  Note: the second argument, 712, is the PID of the original sample process; the dropped copy under C:\ProgramData\Gf\ is started with a reference to the process that dropped it, and the "Deletes itself" signature fires on the dropped copy rather than on the original.
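The drop-and-relaunch sequence in the process tree above (an executable dropped under C:\ProgramData, started with the original process's PID 712 as a command-line argument, followed by self-deletion and SeDebugPrivilege/SeTcbPrivilege use in both processes) can be turned into a hunting rule over process-creation telemetry. The Python below is an added example, not part of the sandbox report or of the sample; the ProcEvent record layout, the constructed events (the report's two processes plus one benign control), the two-indicator threshold and the ProgramData path depth are this example's assumptions, and reading 712 as a handoff of the parent's PID to the relaunched copy is an inference from the report rather than something it states.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class ProcEvent:
    """One process-creation record. Field names are this example's own, not a vendor schema."""
    pid: int
    image: str
    cmdline: str
    privileges: Set[str] = field(default_factory=set)   # privileges enabled via AdjustTokenPrivileges


# Constructed records mirroring the report's process tree plus one benign control; not real telemetry.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(
        pid=712,
        image=r"C:\Users\Admin\AppData\Local\Temp\c0080d0f0cb610c86eb8c5b08702c32f_JaffaCakes118.exe",
        cmdline=r'"C:\Users\Admin\AppData\Local\Temp\c0080d0f0cb610c86eb8c5b08702c32f_JaffaCakes118.exe"',
        privileges={"SeDebugPrivilege", "SeTcbPrivilege"},
    ),
    ProcEvent(
        pid=3024,
        image=r"C:\ProgramData\Gf\NvSmart.exe",
        cmdline=r'"C:\ProgramData\Gf\NvSmart.exe" 100 712',
        privileges={"SeDebugPrivilege", "SeTcbPrivilege"},
    ),
    ProcEvent(  # benign control (assumed): a vendor updater under ProgramData, no PID handoff, no token changes
        pid=4100,
        image=r"C:\ProgramData\Vendor\Updater.exe",
        cmdline=r'"C:\ProgramData\Vendor\Updater.exe" /silent',
    ),
]

# Executable exactly one directory below ProgramData, the shape of C:\ProgramData\Gf\NvSmart.exe.
PROGRAMDATA_EXE = re.compile(r"^[a-z]:\\programdata\\[^\\]+\\[^\\]+\.exe$", re.I)
# '<exe> <int> <int>': the shape of the report's NvSmart.exe command line ("..." 100 712).
TWO_INT_TAIL = re.compile(r'^"?[^"]+?\.exe"?\s+(\d+)\s+(\d+)\s*$', re.I)
TOKEN_PRIVS = {"SeDebugPrivilege", "SeTcbPrivilege"}


def trailing_ints(cmdline: str) -> Optional[List[int]]:
    """Return the two integer arguments when the command line is '<exe> N M', else None."""
    m = TWO_INT_TAIL.match(cmdline.strip())
    return [int(m.group(1)), int(m.group(2))] if m else None


def hunt(events: List[ProcEvent], min_hits: int = 2) -> Dict[int, List[str]]:
    """Score events in creation order; return {pid: [reasons]} for those with >= min_hits indicators."""
    seen: Dict[int, str] = {}              # pid -> image basename of processes created earlier
    findings: Dict[int, List[str]] = {}
    for ev in events:
        reasons: List[str] = []
        if PROGRAMDATA_EXE.match(ev.image):
            reasons.append("executable one directory under ProgramData")
        args = trailing_ints(ev.cmdline)
        if args:
            # A numeric argument that names an earlier process is the PID handoff seen in the report.
            handoff = [a for a in args if a in seen and a != ev.pid]
            if handoff:
                reasons.append(f"argument {handoff[0]} is the PID of earlier process {seen[handoff[0]]}")
        if TOKEN_PRIVS <= ev.privileges:
            reasons.append("enabled SeDebugPrivilege and SeTcbPrivilege")
        if len(reasons) >= min_hits:
            findings[ev.pid] = reasons
        seen[ev.pid] = ev.image.rsplit("\\", 1)[-1]
    return findings


if __name__ == "__main__":
    for pid, why in hunt(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(why))
```

Against the constructed events only PID 3024 (NvSmart.exe) crosses the threshold, with all three indicators; the original process and the benign control each carry a single weak signal. The PID-handoff check only looks back at PIDs already seen, so real telemetry must be fed in creation order, and the ProgramData path pattern is deliberately narrow so that it does not fire on every application that legitimately keeps an updater there.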
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 46KB
MD5: 09b8b54f78a10c435cd319070aa13c28
SHA1: 6474d0369f97e72e01e4971128d1062f5c2b3656
SHA256: 523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256
SHA512: c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Filesize: 5KB
MD5: b97483b385bf30305d5377f6c19af3f2
SHA1: c3a10feecf9ddad0d31d3d7b1b688fbfedc43057
SHA256: 5942f9befba6d295b9c63bdf9b3584fe52b01143557a8283c578329ab9a90818
SHA512: 2d10d0aa3b723baa0b08bd98d393fbe1346f9599a55fc4c8402ed08091d95a617f128b52a2fa68dcdc800ee0887f386e86afa19f0ded99e75f6a59fc341efe4f

Filesize: 155KB
MD5: 2722e434cf8fac74056649e5bb273ac2
SHA1: 780d8a6d22691b48647835db1dcde7221e486696
SHA256: 4c7b54753f609de05a715ba0a9a364f83277c72d2822c46fd25645055cb2c388
SHA512: 69779da63dc72ca996293c8a9738aa2c6ab3f3db4fc9fd8defcc38e5b2463eb8447e658c1ee828cace30ee8515480c0811384686e78aba173996fb216676b1f5