plugx | f5e444469407a3e894d368b79878a149696015ed2f666dddb49bd484f144d104

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-09-2024 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9f87e744dbc898212a9eaa4594301b0_JaffaCakes118.exe
Size

312KB
MD5

d9f87e744dbc898212a9eaa4594301b0
SHA1

6db6a193617ad688847fab965a12a9183eeda241
SHA256

f5e444469407a3e894d368b79878a149696015ed2f666dddb49bd484f144d104
SHA512

817e4326e71795982b3b637c6236a31162af0c31e38842c4d3701aed8927d944be285d448f6308818f5a5845052bc4f7baadaeb58fceab989e38f5505018b215
SSDEEP

3072:i7xf5kQoAp3Rr3zei1tmDZ5e7H5VVTt0BTnNZfsDZYanqn+S8WTul+5OMojoc:oF5kQo01Q95kzuN2DZYa2+S8YuuOM

Score

10^/10

plugx discovery persistence trojan

Malware Config

Signatures

Detects PlugX payload 24 IoCs

resource	yara_rule
behavioral2/memory/4272-1-0x0000000002E20000-0x0000000002E4E000-memory.dmp	family_plugx
behavioral2/memory/4272-3-0x0000000002FC0000-0x0000000002FEE000-memory.dmp	family_plugx
behavioral2/memory/4272-2-0x0000000002FC0000-0x0000000002FEE000-memory.dmp	family_plugx
behavioral2/memory/4676-6-0x0000000001650000-0x000000000167E000-memory.dmp	family_plugx
behavioral2/memory/3400-11-0x00000000012B0000-0x00000000012DE000-memory.dmp	family_plugx
behavioral2/memory/4676-30-0x0000000001650000-0x000000000167E000-memory.dmp	family_plugx
behavioral2/memory/4272-28-0x0000000002E20000-0x0000000002E4E000-memory.dmp	family_plugx
behavioral2/memory/4272-27-0x0000000002FC0000-0x0000000002FEE000-memory.dmp	family_plugx
behavioral2/memory/4676-24-0x0000000001650000-0x000000000167E000-memory.dmp	family_plugx
behavioral2/memory/4676-23-0x0000000001650000-0x000000000167E000-memory.dmp	family_plugx
behavioral2/memory/4676-12-0x0000000001650000-0x000000000167E000-memory.dmp	family_plugx
behavioral2/memory/3400-26-0x00000000012B0000-0x00000000012DE000-memory.dmp	family_plugx
behavioral2/memory/4676-8-0x0000000001650000-0x000000000167E000-memory.dmp	family_plugx
behavioral2/memory/3400-7-0x00000000012B0000-0x00000000012DE000-memory.dmp	family_plugx
behavioral2/memory/4676-32-0x0000000001650000-0x000000000167E000-memory.dmp	family_plugx
behavioral2/memory/4676-38-0x0000000001650000-0x000000000167E000-memory.dmp	family_plugx
behavioral2/memory/2092-39-0x00000000021D0000-0x00000000021FE000-memory.dmp	family_plugx
behavioral2/memory/2092-43-0x00000000021D0000-0x00000000021FE000-memory.dmp	family_plugx
behavioral2/memory/2092-41-0x00000000021D0000-0x00000000021FE000-memory.dmp	family_plugx
behavioral2/memory/2092-44-0x00000000021D0000-0x00000000021FE000-memory.dmp	family_plugx
behavioral2/memory/4676-45-0x0000000001650000-0x000000000167E000-memory.dmp	family_plugx
behavioral2/memory/4676-46-0x0000000001650000-0x000000000167E000-memory.dmp	family_plugx
behavioral2/memory/2092-52-0x00000000021D0000-0x00000000021FE000-memory.dmp	family_plugx
behavioral2/memory/4676-75-0x0000000001650000-0x000000000167E000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GmailBar LiveList = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d9f87e744dbc898212a9eaa4594301b0_JaffaCakes118.exe\""	d9f87e744dbc898212a9eaa4594301b0_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GmailBar LiveList = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d9f87e744dbc898212a9eaa4594301b0_JaffaCakes118.exe\""	d9f87e744dbc898212a9eaa4594301b0_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d9f87e744dbc898212a9eaa4594301b0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\MJ	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\MJ\CLSID = 34004200340035003800340043004200310032003400380038003800410031000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4676	svchost.exe
4676	svchost.exe
4676	svchost.exe
4676	svchost.exe
4676	svchost.exe
4676	svchost.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
4676	svchost.exe
4676	svchost.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
4676	svchost.exe
4676	svchost.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
4676	svchost.exe
4676	svchost.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
4676	svchost.exe
4676	svchost.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
4676	svchost.exe
4676	svchost.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
4676	svchost.exe
4676	svchost.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe
2092	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4676	svchost.exe
2092	msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4272	d9f87e744dbc898212a9eaa4594301b0_JaffaCakes118.exe
Token: SeTcbPrivilege	4272	d9f87e744dbc898212a9eaa4594301b0_JaffaCakes118.exe
Token: SeDebugPrivilege	4272	d9f87e744dbc898212a9eaa4594301b0_JaffaCakes118.exe
Token: SeTcbPrivilege	4272	d9f87e744dbc898212a9eaa4594301b0_JaffaCakes118.exe
Token: SeDebugPrivilege	4676	svchost.exe
Token: SeTcbPrivilege	4676	svchost.exe
Token: SeDebugPrivilege	3400	svchost.exe
Token: SeTcbPrivilege	3400	svchost.exe
Token: SeDebugPrivilege	2092	msiexec.exe
Token: SeTcbPrivilege	2092	msiexec.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4272 wrote to memory of 3400	4272	d9f87e744dbc898212a9eaa4594301b0_JaffaCakes118.exe	87
PID 4272 wrote to memory of 3400	4272	d9f87e744dbc898212a9eaa4594301b0_JaffaCakes118.exe	87
PID 4272 wrote to memory of 3400	4272	d9f87e744dbc898212a9eaa4594301b0_JaffaCakes118.exe	87
PID 4272 wrote to memory of 3400	4272	d9f87e744dbc898212a9eaa4594301b0_JaffaCakes118.exe	87
PID 4272 wrote to memory of 3400	4272	d9f87e744dbc898212a9eaa4594301b0_JaffaCakes118.exe	87
PID 4272 wrote to memory of 3400	4272	d9f87e744dbc898212a9eaa4594301b0_JaffaCakes118.exe	87
PID 4272 wrote to memory of 3400	4272	d9f87e744dbc898212a9eaa4594301b0_JaffaCakes118.exe	87
PID 4272 wrote to memory of 3400	4272	d9f87e744dbc898212a9eaa4594301b0_JaffaCakes118.exe	87
PID 4272 wrote to memory of 4676	4272	d9f87e744dbc898212a9eaa4594301b0_JaffaCakes118.exe	86
PID 4272 wrote to memory of 4676	4272	d9f87e744dbc898212a9eaa4594301b0_JaffaCakes118.exe	86
PID 4272 wrote to memory of 4676	4272	d9f87e744dbc898212a9eaa4594301b0_JaffaCakes118.exe	86
PID 4272 wrote to memory of 4676	4272	d9f87e744dbc898212a9eaa4594301b0_JaffaCakes118.exe	86
PID 4272 wrote to memory of 4676	4272	d9f87e744dbc898212a9eaa4594301b0_JaffaCakes118.exe	86
PID 4272 wrote to memory of 4676	4272	d9f87e744dbc898212a9eaa4594301b0_JaffaCakes118.exe	86
PID 4272 wrote to memory of 4676	4272	d9f87e744dbc898212a9eaa4594301b0_JaffaCakes118.exe	86
PID 4272 wrote to memory of 4676	4272	d9f87e744dbc898212a9eaa4594301b0_JaffaCakes118.exe	86
PID 4676 wrote to memory of 2092	4676	svchost.exe	92
PID 4676 wrote to memory of 2092	4676	svchost.exe	92
PID 4676 wrote to memory of 2092	4676	svchost.exe	92
PID 4676 wrote to memory of 2092	4676	svchost.exe	92
PID 4676 wrote to memory of 2092	4676	svchost.exe	92
PID 4676 wrote to memory of 2092	4676	svchost.exe	92
PID 4676 wrote to memory of 2092	4676	svchost.exe	92
PID 4676 wrote to memory of 2092	4676	svchost.exe	92

C:\Users\Admin\AppData\Local\Temp\d9f87e744dbc898212a9eaa4594301b0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d9f87e744dbc898212a9eaa4594301b0_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\SysWOW64\msiexec.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2092
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SxS\bug.log

Filesize
450B

MD5
3e2d68128f3e59187a1da68b6a2fcfad

SHA1
956d9ce2b5ecd676b4dd9bf920bf98436f0a9498

SHA256
607b817d097aab3bab2246ddcaf87be7905200423f5a5be2e9fbb9c12f74c116

SHA512
83897e36aae815730c55afe19672ff7a4888e70a2286eb7313d08336b8a714b14c12d0424fd0492b5c3fcaba1f365f82550c68fccbdd74241d3b95dfae9aa1d3

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
5KB

MD5
7559e47042e1232730b2c9a231e87e80

SHA1
d5ee6160e32d2d4e7d388677e2cc7fb114d4e116

SHA256
3c6989d2f5284a75042d2a5ac9453a10461b6c9763108d657a0e600d5da99ea5

SHA512
5855772b6388ff6caceb8874656806b4cbb88847f4fd4b77a70ee5dcfdbf2c4408019cc6ff47804f8fea0d2dd6001fb468f53ddce9fa16142d0bf9737b25a287

Download Submit
memory/2092-52-0x00000000021D0000-0x00000000021FE000-memory.dmp

Filesize
184KB

Download
memory/2092-44-0x00000000021D0000-0x00000000021FE000-memory.dmp

Filesize
184KB

Download
memory/2092-40-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/2092-41-0x00000000021D0000-0x00000000021FE000-memory.dmp

Filesize
184KB

Download
memory/2092-42-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/2092-43-0x00000000021D0000-0x00000000021FE000-memory.dmp

Filesize
184KB

Download
memory/2092-39-0x00000000021D0000-0x00000000021FE000-memory.dmp

Filesize
184KB

Download
memory/3400-5-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/3400-26-0x00000000012B0000-0x00000000012DE000-memory.dmp

Filesize
184KB

Download
memory/3400-11-0x00000000012B0000-0x00000000012DE000-memory.dmp

Filesize
184KB

Download
memory/3400-7-0x00000000012B0000-0x00000000012DE000-memory.dmp

Filesize
184KB

Download
memory/4272-27-0x0000000002FC0000-0x0000000002FEE000-memory.dmp

Filesize
184KB

Download
memory/4272-28-0x0000000002E20000-0x0000000002E4E000-memory.dmp

Filesize
184KB

Download
memory/4272-1-0x0000000002E20000-0x0000000002E4E000-memory.dmp

Filesize
184KB

Download
memory/4272-0-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4272-3-0x0000000002FC0000-0x0000000002FEE000-memory.dmp

Filesize
184KB

Download
memory/4272-2-0x0000000002FC0000-0x0000000002FEE000-memory.dmp

Filesize
184KB

Download
memory/4272-29-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4676-22-0x0000000001640000-0x0000000001641000-memory.dmp

Filesize
4KB

Download
memory/4676-38-0x0000000001650000-0x000000000167E000-memory.dmp

Filesize
184KB

Download
memory/4676-24-0x0000000001650000-0x000000000167E000-memory.dmp

Filesize
184KB

Download
memory/4676-30-0x0000000001650000-0x000000000167E000-memory.dmp

Filesize
184KB

Download
memory/4676-32-0x0000000001650000-0x000000000167E000-memory.dmp

Filesize
184KB

Download
memory/4676-23-0x0000000001650000-0x000000000167E000-memory.dmp

Filesize
184KB

Download
memory/4676-6-0x0000000001650000-0x000000000167E000-memory.dmp

Filesize
184KB

Download
memory/4676-12-0x0000000001650000-0x000000000167E000-memory.dmp

Filesize
184KB

Download
memory/4676-45-0x0000000001650000-0x000000000167E000-memory.dmp

Filesize
184KB

Download
memory/4676-46-0x0000000001650000-0x000000000167E000-memory.dmp

Filesize
184KB

Download
memory/4676-4-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/4676-8-0x0000000001650000-0x000000000167E000-memory.dmp

Filesize
184KB

Download
memory/4676-75-0x0000000001650000-0x000000000167E000-memory.dmp

Filesize
184KB

Download