Overview

overview

10

Static

static

3

d104b4bd26...18.exe

windows7-x64

10

d104b4bd26...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    07-09-2024 03:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d104b4bd268324c54a26d52cae69b691_JaffaCakes118.exe

  • Size

    244KB

  • MD5

    d104b4bd268324c54a26d52cae69b691

  • SHA1

    2e024c710ad76c632747b48d46afd1af3a2dbd25

  • SHA256

    9442f513416e352b7b3e340a05541751d48f17fde61b1766bdd11f25bb13fcc2

  • SHA512

    e54f3e2bd3eb4cc64a4ad55200f7f28d23e79267e60dfbb438f128cc24d7ff268b065554e870f926dba41938ddf678a13479d40eae95200bd3639d130af97d37

  • SSDEEP

    3072:6wJjo1JaESMaP/pqLFNH3xVyWlEFITYS+5yARrSTpVPsibicyETEJypEkpTeVLOf:PESMSBGPy1GGveNs+ihEIJypEWTevu

Score
10/10
plugxdiscoverytrojan

Malware Config

Signatures

  • Detects PlugX payload 19 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Unexpected DNS network traffic destination 3 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 27 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d104b4bd268324c54a26d52cae69b691_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d104b4bd268324c54a26d52cae69b691_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:2520
  • C:\ProgramData\SxS\NvSmart.exe
    "C:\ProgramData\SxS\NvSmart.exe" 100 2520
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:2272
  • C:\ProgramData\SxS\NvSmart.exe
    "C:\ProgramData\SxS\NvSmart.exe" 200 0
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 2792
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:580

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\SxS\NvSmart.exe
    Filesize

    46KB

    MD5

    09b8b54f78a10c435cd319070aa13c28

    SHA1

    6474d0369f97e72e01e4971128d1062f5c2b3656

    SHA256

    523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

    SHA512

    c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

    Download Submit

  • C:\ProgramData\SxS\NvSmartMax.dll
    Filesize

    5KB

    MD5

    b97483b385bf30305d5377f6c19af3f2

    SHA1

    c3a10feecf9ddad0d31d3d7b1b688fbfedc43057

    SHA256

    5942f9befba6d295b9c63bdf9b3584fe52b01143557a8283c578329ab9a90818

    SHA512

    2d10d0aa3b723baa0b08bd98d393fbe1346f9599a55fc4c8402ed08091d95a617f128b52a2fa68dcdc800ee0887f386e86afa19f0ded99e75f6a59fc341efe4f

    Download Submit

  • C:\ProgramData\SxS\boot.ldr
    Filesize

    157KB

    MD5

    06963f6fc1be43958311b8f179eb6ee1

    SHA1

    9adb3fc2abc4a83497c178809c7d7d613a9a6da4

    SHA256

    ef3afe758d2bef729993c649fe467192218df8c80592814f8b97a193709a208f

    SHA512

    c24780d8b58aebaed38696c296f2847ebb8dbc16359f0312df3b0380990382a0d8a10863da8c2d6908bff6609bd3fd0251754615e2fc4b775377aef78899832d

    Download Submit

  • C:\ProgramData\SxS\bug.log
    Filesize

    622B

    MD5

    4c40702f2a01d078022bd5d83ed19a14

    SHA1

    d4e805be1f802bd5738d08f7dd7b5f7a059752b1

    SHA256

    4bb473c963be50c34f529e4a175019f98dea39b772047a65283e964aa1765cf0

    SHA512

    f764b9b7141550ed4760c9671d5869efdffeeac3d376576054cb2492feb253eb1014cb85568a042d10502f68e6d60dc8aa0c391a6896380a6168e015b39e3288

    Download Submit

  • memory/580-67-0x00000000000F0000-0x00000000000F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/580-65-0x0000000000090000-0x0000000000091000-memory.dmp

    Filesize

    4KB

    Download

  • memory/580-66-0x00000000007E0000-0x000000000081A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/580-69-0x00000000007E0000-0x000000000081A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/580-68-0x00000000007E0000-0x000000000081A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2272-16-0x0000000000410000-0x0000000000510000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2272-17-0x00000000002D0000-0x000000000030A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2272-41-0x00000000002D0000-0x000000000030A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2320-23-0x0000000000450000-0x000000000048A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2320-34-0x0000000000450000-0x000000000048A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2520-0-0x00000000005F0000-0x0000000000618000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2520-50-0x0000000000690000-0x00000000006CA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2520-2-0x0000000000690000-0x00000000006CA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2792-24-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2792-49-0x00000000002D0000-0x000000000030A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2792-48-0x00000000002D0000-0x000000000030A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2792-47-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2792-51-0x00000000002D0000-0x000000000030A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2792-55-0x00000000002D0000-0x000000000030A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2792-32-0x00000000002D0000-0x000000000030A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2792-56-0x00000000002D0000-0x000000000030A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2792-30-0x00000000002D0000-0x000000000030A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2792-28-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2792-26-0x00000000000E0000-0x0000000000106000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2792-27-0x0000000000150000-0x0000000000152000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2792-70-0x00000000002D0000-0x000000000030A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2792-71-0x00000000002D0000-0x000000000030A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2792-72-0x00000000002D0000-0x000000000030A000-memory.dmp

    Filesize

    232KB

    Download