Overview

overview

10

Static

static

3

d104b4bd26...18.exe

windows7-x64

10

d104b4bd26...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-09-2024 03:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d104b4bd268324c54a26d52cae69b691_JaffaCakes118.exe

  • Size

    244KB

  • MD5

    d104b4bd268324c54a26d52cae69b691

  • SHA1

    2e024c710ad76c632747b48d46afd1af3a2dbd25

  • SHA256

    9442f513416e352b7b3e340a05541751d48f17fde61b1766bdd11f25bb13fcc2

  • SHA512

    e54f3e2bd3eb4cc64a4ad55200f7f28d23e79267e60dfbb438f128cc24d7ff268b065554e870f926dba41938ddf678a13479d40eae95200bd3639d130af97d37

  • SSDEEP

    3072:6wJjo1JaESMaP/pqLFNH3xVyWlEFITYS+5yARrSTpVPsibicyETEJypEkpTeVLOf:PESMSBGPy1GGveNs+ihEIJypEWTevu

Score
10/10
plugxdiscoverytrojan

Malware Config

Signatures

  • Detects PlugX payload 25 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Unexpected DNS network traffic destination 3 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 17 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d104b4bd268324c54a26d52cae69b691_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d104b4bd268324c54a26d52cae69b691_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:3332
  • C:\ProgramData\SxS\NvSmart.exe
    "C:\ProgramData\SxS\NvSmart.exe" 100 3332
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:2992
  • C:\ProgramData\SxS\NvSmart.exe
    "C:\ProgramData\SxS\NvSmart.exe" 200 0
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4408
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3784
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 3784
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:4988

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\SxS\NvSmart.exe
    Filesize

    46KB

    MD5

    09b8b54f78a10c435cd319070aa13c28

    SHA1

    6474d0369f97e72e01e4971128d1062f5c2b3656

    SHA256

    523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

    SHA512

    c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

    Download Submit

  • C:\ProgramData\SxS\NvSmartMax.dll
    Filesize

    5KB

    MD5

    b97483b385bf30305d5377f6c19af3f2

    SHA1

    c3a10feecf9ddad0d31d3d7b1b688fbfedc43057

    SHA256

    5942f9befba6d295b9c63bdf9b3584fe52b01143557a8283c578329ab9a90818

    SHA512

    2d10d0aa3b723baa0b08bd98d393fbe1346f9599a55fc4c8402ed08091d95a617f128b52a2fa68dcdc800ee0887f386e86afa19f0ded99e75f6a59fc341efe4f

    Download Submit

  • C:\ProgramData\SxS\boot.ldr
    Filesize

    157KB

    MD5

    06963f6fc1be43958311b8f179eb6ee1

    SHA1

    9adb3fc2abc4a83497c178809c7d7d613a9a6da4

    SHA256

    ef3afe758d2bef729993c649fe467192218df8c80592814f8b97a193709a208f

    SHA512

    c24780d8b58aebaed38696c296f2847ebb8dbc16359f0312df3b0380990382a0d8a10863da8c2d6908bff6609bd3fd0251754615e2fc4b775377aef78899832d

    Download Submit

  • C:\ProgramData\SxS\bug.log
    Filesize

    622B

    MD5

    4c40702f2a01d078022bd5d83ed19a14

    SHA1

    d4e805be1f802bd5738d08f7dd7b5f7a059752b1

    SHA256

    4bb473c963be50c34f529e4a175019f98dea39b772047a65283e964aa1765cf0

    SHA512

    f764b9b7141550ed4760c9671d5869efdffeeac3d376576054cb2492feb253eb1014cb85568a042d10502f68e6d60dc8aa0c391a6896380a6168e015b39e3288

    Download Submit

  • memory/2992-17-0x00000000020A0000-0x00000000021A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2992-18-0x00000000021A0000-0x00000000021DA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2992-19-0x00000000021A0000-0x00000000021DA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2992-46-0x00000000021A0000-0x00000000021DA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3332-47-0x0000000002290000-0x00000000022CA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3332-0-0x0000000002100000-0x0000000002128000-memory.dmp

    Filesize

    160KB

    Download

  • memory/3332-2-0x0000000002290000-0x00000000022CA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3332-1-0x0000000002290000-0x00000000022CA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3784-41-0x0000000000970000-0x00000000009AA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3784-27-0x0000000000970000-0x00000000009AA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3784-52-0x0000000000970000-0x00000000009AA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3784-53-0x0000000000970000-0x00000000009AA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3784-43-0x0000000000970000-0x00000000009AA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3784-65-0x0000000000970000-0x00000000009AA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3784-42-0x0000000000970000-0x00000000009AA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3784-64-0x0000000000970000-0x00000000009AA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3784-40-0x0000000000710000-0x0000000000711000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3784-29-0x0000000000970000-0x00000000009AA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3784-62-0x0000000000970000-0x00000000009AA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3784-51-0x0000000000970000-0x00000000009AA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3784-26-0x0000000000970000-0x00000000009AA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3784-25-0x0000000000710000-0x0000000000711000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4408-28-0x0000000000D00000-0x0000000000D3A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4408-23-0x0000000000D00000-0x0000000000D3A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4408-24-0x0000000000D00000-0x0000000000D3A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4988-56-0x0000000000120000-0x0000000000121000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4988-58-0x0000000000770000-0x00000000007AA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4988-59-0x0000000000120000-0x0000000000121000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4988-61-0x0000000000770000-0x00000000007AA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4988-60-0x0000000000770000-0x00000000007AA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4988-63-0x0000000000770000-0x00000000007AA000-memory.dmp

    Filesize

    232KB

    Download