plugx | da01734bacb716ac303f3018d3c4cf7fdc0784d157bb99976bd3d5a51381d34e

General

Target

e696b38ac71b23f50ee68da06a004af3_JaffaCakes118.exe
Size

675KB
MD5

e696b38ac71b23f50ee68da06a004af3
SHA1

480e3fe49e3acb71e1a466e8ba2d02997eaf278e
SHA256

da01734bacb716ac303f3018d3c4cf7fdc0784d157bb99976bd3d5a51381d34e
SHA512

7373f4ae19a732058e923172482d2b15fb8bed784431b734bfd3822c29b4369bc67a94804d00d0004f9ff7781f0db5eab4c4bf0f7cdf6f97d38f44a238bd709f
SSDEEP

12288:jat0EAH49n8Bm1zXC9YWP1W/zkObvcparNFzgnfFuQvJWzcI7On1hIRlhnXqyZx:2t24V1zgYbL1fFzgfF7Wr7O1e5Tx

Score

10^/10

plugx discovery trojan

Malware Config

Signatures

Detects PlugX payload 15 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2392-25-0x0000000000210000-0x000000000023E000-memory.dmp	family_plugx
behavioral1/memory/2588-33-0x0000000000280000-0x00000000002AE000-memory.dmp	family_plugx
behavioral1/memory/2588-50-0x0000000000280000-0x00000000002AE000-memory.dmp	family_plugx
behavioral1/memory/2588-49-0x0000000000280000-0x00000000002AE000-memory.dmp	family_plugx
behavioral1/memory/2588-48-0x0000000000280000-0x00000000002AE000-memory.dmp	family_plugx
behavioral1/memory/2392-47-0x0000000000210000-0x000000000023E000-memory.dmp	family_plugx
behavioral1/memory/2588-46-0x0000000000280000-0x00000000002AE000-memory.dmp	family_plugx
behavioral1/memory/2588-35-0x0000000000280000-0x00000000002AE000-memory.dmp	family_plugx
behavioral1/memory/2588-51-0x0000000000280000-0x00000000002AE000-memory.dmp	family_plugx
behavioral1/memory/1488-57-0x0000000000890000-0x00000000008BE000-memory.dmp	family_plugx
behavioral1/memory/1488-60-0x0000000000890000-0x00000000008BE000-memory.dmp	family_plugx
behavioral1/memory/1488-59-0x0000000000890000-0x00000000008BE000-memory.dmp	family_plugx
behavioral1/memory/2588-61-0x0000000000280000-0x00000000002AE000-memory.dmp	family_plugx
behavioral1/memory/2588-62-0x0000000000280000-0x00000000002AE000-memory.dmp	family_plugx
behavioral1/memory/2588-66-0x0000000000280000-0x00000000002AE000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Executes dropped EXE 1 IoCs

Processes:

msseces.exe

pid process

2392 msseces.exe

pid	process
2392	msseces.exe

Loads dropped DLL 5 IoCs

Processes:

e696b38ac71b23f50ee68da06a004af3_JaffaCakes118.exemsseces.exe

pid	process
2972	e696b38ac71b23f50ee68da06a004af3_JaffaCakes118.exe
2972	e696b38ac71b23f50ee68da06a004af3_JaffaCakes118.exe
2972	e696b38ac71b23f50ee68da06a004af3_JaffaCakes118.exe
2972	e696b38ac71b23f50ee68da06a004af3_JaffaCakes118.exe
2392	msseces.exe

Unexpected DNS network traffic destination 6 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	153.248.10.165
Destination IP	153.248.10.165
Destination IP	153.248.10.165
Destination IP	153.248.10.165
Destination IP	153.248.10.165
Destination IP	153.248.10.165

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

svchost.exemsiexec.exee696b38ac71b23f50ee68da06a004af3_JaffaCakes118.exemsseces.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e696b38ac71b23f50ee68da06a004af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msseces.exe

Modifies registry class 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\CLASSES\MJ	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\MJ\CLSID = 43003500420044004200350033003000420036003400420033003900320041000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exemsiexec.exe

pid	process
2588	svchost.exe
2588	svchost.exe
2588	svchost.exe
2588	svchost.exe
2588	svchost.exe
2588	svchost.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
2588	svchost.exe
2588	svchost.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
2588	svchost.exe
2588	svchost.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
2588	svchost.exe
2588	svchost.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
2588	svchost.exe
2588	svchost.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

svchost.exemsiexec.exe

pid process

2588 svchost.exe
1488 msiexec.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

msseces.exesvchost.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	2392	msseces.exe
Token: SeTcbPrivilege	2392	msseces.exe
Token: SeDebugPrivilege	2588	svchost.exe
Token: SeTcbPrivilege	2588	svchost.exe
Token: SeDebugPrivilege	1488	msiexec.exe
Token: SeTcbPrivilege	1488	msiexec.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

e696b38ac71b23f50ee68da06a004af3_JaffaCakes118.exemsseces.exesvchost.exe

description	pid	process	target process
PID 2972 wrote to memory of 2392	2972	e696b38ac71b23f50ee68da06a004af3_JaffaCakes118.exe	msseces.exe
PID 2972 wrote to memory of 2392	2972	e696b38ac71b23f50ee68da06a004af3_JaffaCakes118.exe	msseces.exe
PID 2972 wrote to memory of 2392	2972	e696b38ac71b23f50ee68da06a004af3_JaffaCakes118.exe	msseces.exe
PID 2972 wrote to memory of 2392	2972	e696b38ac71b23f50ee68da06a004af3_JaffaCakes118.exe	msseces.exe
PID 2972 wrote to memory of 2392	2972	e696b38ac71b23f50ee68da06a004af3_JaffaCakes118.exe	msseces.exe
PID 2972 wrote to memory of 2392	2972	e696b38ac71b23f50ee68da06a004af3_JaffaCakes118.exe	msseces.exe
PID 2972 wrote to memory of 2392	2972	e696b38ac71b23f50ee68da06a004af3_JaffaCakes118.exe	msseces.exe
PID 2392 wrote to memory of 2588	2392	msseces.exe	svchost.exe
PID 2392 wrote to memory of 2588	2392	msseces.exe	svchost.exe
PID 2392 wrote to memory of 2588	2392	msseces.exe	svchost.exe
PID 2392 wrote to memory of 2588	2392	msseces.exe	svchost.exe
PID 2392 wrote to memory of 2588	2392	msseces.exe	svchost.exe
PID 2392 wrote to memory of 2588	2392	msseces.exe	svchost.exe
PID 2392 wrote to memory of 2588	2392	msseces.exe	svchost.exe
PID 2392 wrote to memory of 2588	2392	msseces.exe	svchost.exe
PID 2392 wrote to memory of 2588	2392	msseces.exe	svchost.exe
PID 2392 wrote to memory of 2588	2392	msseces.exe	svchost.exe
PID 2392 wrote to memory of 2588	2392	msseces.exe	svchost.exe
PID 2392 wrote to memory of 2588	2392	msseces.exe	svchost.exe
PID 2588 wrote to memory of 1488	2588	svchost.exe	msiexec.exe
PID 2588 wrote to memory of 1488	2588	svchost.exe	msiexec.exe
PID 2588 wrote to memory of 1488	2588	svchost.exe	msiexec.exe
PID 2588 wrote to memory of 1488	2588	svchost.exe	msiexec.exe
PID 2588 wrote to memory of 1488	2588	svchost.exe	msiexec.exe
PID 2588 wrote to memory of 1488	2588	svchost.exe	msiexec.exe
PID 2588 wrote to memory of 1488	2588	svchost.exe	msiexec.exe
PID 2588 wrote to memory of 1488	2588	svchost.exe	msiexec.exe
PID 2588 wrote to memory of 1488	2588	svchost.exe	msiexec.exe
PID 2588 wrote to memory of 1488	2588	svchost.exe	msiexec.exe
PID 2588 wrote to memory of 1488	2588	svchost.exe	msiexec.exe
PID 2588 wrote to memory of 1488	2588	svchost.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\e696b38ac71b23f50ee68da06a004af3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e696b38ac71b23f50ee68da06a004af3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\winsyslog\msseces.exe
  "C:\Users\Admin\AppData\Local\Temp\winsyslog\msseces.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\SysWOW64\msiexec.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\winsyslog\mpclient.dll

Filesize
36KB

MD5
184dd07bc91cc915aebf157a8b28066d

SHA1
fe906d8fa97b41df64344b688471f8489fff5ac0

SHA256
7cf636ef15ffdfec2f4d5209880183d0c44103d6557eced172124fd993a6d967

SHA512
c35adc26ac6a8189dc641324f5a301c641c8bed42e420f1b344d4bd96142324cf2203c77f24cb16ba5ed534049cab956880d1c6f9f8e77920109b4a7950cb831

Download Submit
C:\Users\Admin\AppData\Local\Temp\winsyslog\msseces.asm

Filesize
116KB

MD5
200c06f1be562a09cafab07d22838767

SHA1
f724d592c8300ce88bf77ca13a55f74d175286ff

SHA256
bf145d057e0b3cfd96da733c66344a0a07c86440d11bfc907b6bc740bb04dda7

SHA512
4002e986d43e0e6956b6c184bba3a59c8d50c320a2ac928d3cade920f64c8deed1ef530ab7fdbed040c2af928a2596903ac20965f065f64a68266f54d10cc152

Download Submit
\Users\Admin\AppData\Local\Temp\winsyslog\msseces.exe

Filesize
951KB

MD5
e279e55c0d5f5da2e1fd268ebd12f268

SHA1
f98338fde49327cf1e357c6eb704ef55eaf48f8f

SHA256
06c40af999881699dd9b73440d2ed48f404864c3fb8ff7b36560759892caaa12

SHA512
701b6e637b70182caaf44f628cbfd116778ba70cf2668df210faae2f29cce85062127bc83e769fe7cf8050f180357b9405a62cf1cdab6f2094cfb493daae82da

Download Submit
memory/1488-58-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1488-59-0x0000000000890000-0x00000000008BE000-memory.dmp

Filesize
184KB

Download
memory/1488-60-0x0000000000890000-0x00000000008BE000-memory.dmp

Filesize
184KB

Download
memory/1488-57-0x0000000000890000-0x00000000008BE000-memory.dmp

Filesize
184KB

Download
memory/2392-47-0x0000000000210000-0x000000000023E000-memory.dmp

Filesize
184KB

Download
memory/2392-23-0x00000000006A0000-0x00000000007A0000-memory.dmp

Filesize
1024KB

Download
memory/2392-25-0x0000000000210000-0x000000000023E000-memory.dmp

Filesize
184KB

Download
memory/2588-30-0x00000000000B0000-0x00000000000CB000-memory.dmp

Filesize
108KB

Download
memory/2588-51-0x0000000000280000-0x00000000002AE000-memory.dmp

Filesize
184KB

Download
memory/2588-48-0x0000000000280000-0x00000000002AE000-memory.dmp

Filesize
184KB

Download
memory/2588-50-0x0000000000280000-0x00000000002AE000-memory.dmp

Filesize
184KB

Download
memory/2588-46-0x0000000000280000-0x00000000002AE000-memory.dmp

Filesize
184KB

Download
memory/2588-45-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2588-35-0x0000000000280000-0x00000000002AE000-memory.dmp

Filesize
184KB

Download
memory/2588-49-0x0000000000280000-0x00000000002AE000-memory.dmp

Filesize
184KB

Download
memory/2588-33-0x0000000000280000-0x00000000002AE000-memory.dmp

Filesize
184KB

Download
memory/2588-32-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2588-26-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2588-31-0x00000000000D0000-0x00000000000D2000-memory.dmp

Filesize
8KB

Download
memory/2588-61-0x0000000000280000-0x00000000002AE000-memory.dmp

Filesize
184KB

Download
memory/2588-62-0x0000000000280000-0x00000000002AE000-memory.dmp

Filesize
184KB

Download
memory/2588-66-0x0000000000280000-0x00000000002AE000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads