plugx | ab04624c6c23905350f2526ee1813f7a7d4519b2351158e73d9465e4b68c36c5

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11-10-2024 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36877a5b3cc6e763976ca0ba166991cc_JaffaCakes118.exe
Size

437KB
MD5

36877a5b3cc6e763976ca0ba166991cc
SHA1

4f48f82a7dc50051328b124a9e377bd2a9868b05
SHA256

ab04624c6c23905350f2526ee1813f7a7d4519b2351158e73d9465e4b68c36c5
SHA512

c650150584955e030a7249aef3eece9114d77fdcf9ef51180a44322de91de49212f832c951dfb3184cb3cb60a5e7c3a073d1269aee41f769f6e5d9bc11bffd8c
SSDEEP

12288:vkWAehJuqT4SPkDh1e2EEwkbBHClfuwiSg705/9j:vkWAAuqkAwJwYHufc7s/B

Score

10^/10

plugx discovery trojan

Malware Config

Signatures

Detects PlugX payload 18 IoCs

resource	yara_rule
behavioral1/memory/2064-33-0x00000000002A0000-0x00000000002D0000-memory.dmp	family_plugx
behavioral1/memory/2984-55-0x0000000000200000-0x0000000000230000-memory.dmp	family_plugx
behavioral1/memory/2220-59-0x00000000001E0000-0x0000000000210000-memory.dmp	family_plugx
behavioral1/memory/2852-65-0x0000000000100000-0x0000000000130000-memory.dmp	family_plugx
behavioral1/memory/2852-83-0x0000000000100000-0x0000000000130000-memory.dmp	family_plugx
behavioral1/memory/2852-82-0x0000000000100000-0x0000000000130000-memory.dmp	family_plugx
behavioral1/memory/2852-87-0x0000000000100000-0x0000000000130000-memory.dmp	family_plugx
behavioral1/memory/2852-81-0x0000000000100000-0x0000000000130000-memory.dmp	family_plugx
behavioral1/memory/2064-77-0x00000000002A0000-0x00000000002D0000-memory.dmp	family_plugx
behavioral1/memory/2852-67-0x0000000000100000-0x0000000000130000-memory.dmp	family_plugx
behavioral1/memory/2220-66-0x00000000001E0000-0x0000000000210000-memory.dmp	family_plugx
behavioral1/memory/2852-88-0x0000000000100000-0x0000000000130000-memory.dmp	family_plugx
behavioral1/memory/2984-92-0x0000000000200000-0x0000000000230000-memory.dmp	family_plugx
behavioral1/memory/1688-98-0x0000000000250000-0x0000000000280000-memory.dmp	family_plugx
behavioral1/memory/1688-101-0x0000000000250000-0x0000000000280000-memory.dmp	family_plugx
behavioral1/memory/1688-100-0x0000000000250000-0x0000000000280000-memory.dmp	family_plugx
behavioral1/memory/2852-102-0x0000000000100000-0x0000000000130000-memory.dmp	family_plugx
behavioral1/memory/2852-104-0x0000000000100000-0x0000000000130000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 4 IoCs

pid	Process
1820	svchost.exe
2064	MSIDB.exe
2984	MSIDB.exe
2220	MSIDB.exe

Loads dropped DLL 9 IoCs

pid	Process
1156	36877a5b3cc6e763976ca0ba166991cc_JaffaCakes118.exe
1820	svchost.exe
1820	svchost.exe
1820	svchost.exe
1820	svchost.exe
2064	MSIDB.exe
2064	MSIDB.exe
2984	MSIDB.exe
2220	MSIDB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36877a5b3cc6e763976ca0ba166991cc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIDB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIDB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIDB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 43003500370032004400310041003800430031003400360044004200370036000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2064	MSIDB.exe
2852	svchost.exe
2852	svchost.exe
2852	svchost.exe
2852	svchost.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
2852	svchost.exe
2852	svchost.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
2852	svchost.exe
2852	svchost.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
2852	svchost.exe
2852	svchost.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
2852	svchost.exe
2852	svchost.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
1688	msiexec.exe
2852	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2852	svchost.exe
1688	msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2064	MSIDB.exe
Token: SeTcbPrivilege	2064	MSIDB.exe
Token: SeDebugPrivilege	2984	MSIDB.exe
Token: SeTcbPrivilege	2984	MSIDB.exe
Token: SeDebugPrivilege	2220	MSIDB.exe
Token: SeTcbPrivilege	2220	MSIDB.exe
Token: SeDebugPrivilege	2852	svchost.exe
Token: SeTcbPrivilege	2852	svchost.exe
Token: SeDebugPrivilege	1688	msiexec.exe
Token: SeTcbPrivilege	1688	msiexec.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1156 wrote to memory of 1820	1156	36877a5b3cc6e763976ca0ba166991cc_JaffaCakes118.exe	30
PID 1156 wrote to memory of 1820	1156	36877a5b3cc6e763976ca0ba166991cc_JaffaCakes118.exe	30
PID 1156 wrote to memory of 1820	1156	36877a5b3cc6e763976ca0ba166991cc_JaffaCakes118.exe	30
PID 1156 wrote to memory of 1820	1156	36877a5b3cc6e763976ca0ba166991cc_JaffaCakes118.exe	30
PID 1156 wrote to memory of 1820	1156	36877a5b3cc6e763976ca0ba166991cc_JaffaCakes118.exe	30
PID 1156 wrote to memory of 1820	1156	36877a5b3cc6e763976ca0ba166991cc_JaffaCakes118.exe	30
PID 1156 wrote to memory of 1820	1156	36877a5b3cc6e763976ca0ba166991cc_JaffaCakes118.exe	30
PID 1820 wrote to memory of 2064	1820	svchost.exe	31
PID 1820 wrote to memory of 2064	1820	svchost.exe	31
PID 1820 wrote to memory of 2064	1820	svchost.exe	31
PID 1820 wrote to memory of 2064	1820	svchost.exe	31
PID 1820 wrote to memory of 2064	1820	svchost.exe	31
PID 1820 wrote to memory of 2064	1820	svchost.exe	31
PID 1820 wrote to memory of 2064	1820	svchost.exe	31
PID 2064 wrote to memory of 2984	2064	MSIDB.exe	32
PID 2064 wrote to memory of 2984	2064	MSIDB.exe	32
PID 2064 wrote to memory of 2984	2064	MSIDB.exe	32
PID 2064 wrote to memory of 2984	2064	MSIDB.exe	32
PID 2064 wrote to memory of 2984	2064	MSIDB.exe	32
PID 2064 wrote to memory of 2984	2064	MSIDB.exe	32
PID 2064 wrote to memory of 2984	2064	MSIDB.exe	32
PID 2220 wrote to memory of 2852	2220	MSIDB.exe	34
PID 2220 wrote to memory of 2852	2220	MSIDB.exe	34
PID 2220 wrote to memory of 2852	2220	MSIDB.exe	34
PID 2220 wrote to memory of 2852	2220	MSIDB.exe	34
PID 2220 wrote to memory of 2852	2220	MSIDB.exe	34
PID 2220 wrote to memory of 2852	2220	MSIDB.exe	34
PID 2220 wrote to memory of 2852	2220	MSIDB.exe	34
PID 2220 wrote to memory of 2852	2220	MSIDB.exe	34
PID 2220 wrote to memory of 2852	2220	MSIDB.exe	34
PID 2852 wrote to memory of 1688	2852	svchost.exe	35
PID 2852 wrote to memory of 1688	2852	svchost.exe	35
PID 2852 wrote to memory of 1688	2852	svchost.exe	35
PID 2852 wrote to memory of 1688	2852	svchost.exe	35
PID 2852 wrote to memory of 1688	2852	svchost.exe	35
PID 2852 wrote to memory of 1688	2852	svchost.exe	35
PID 2852 wrote to memory of 1688	2852	svchost.exe	35
PID 2852 wrote to memory of 1688	2852	svchost.exe	35
PID 2852 wrote to memory of 1688	2852	svchost.exe	35
PID 2852 wrote to memory of 1688	2852	svchost.exe	35
PID 2852 wrote to memory of 1688	2852	svchost.exe	35
PID 2852 wrote to memory of 1688	2852	svchost.exe	35

C:\Users\Admin\AppData\Local\Temp\36877a5b3cc6e763976ca0ba166991cc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\36877a5b3cc6e763976ca0ba166991cc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1156
- C:\ProgramData\svchost.exe
  "C:\ProgramData\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSIDB.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSIDB.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\ProgramData\SxS\MSIDB.exe
      "C:\ProgramData\SxS\MSIDB.exe" 100 2064
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2984

C:\ProgramData\SxS\MSIDB.exe
"C:\ProgramData\SxS\MSIDB.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 2852
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SxS\bug.log

Filesize
622B

MD5
ec852d98c76df12fcfe89b3e730a469e

SHA1
75e060a49db77b57433291ac8b35dfba0e8662eb

SHA256
f6f869d39fe57b7ddd766d814c537d276ea1ee970c4449c4850818c94820c3c5

SHA512
1b3152643feeff7f644db3a5a3d088595acd9d7c173ed4a915c9ae2751086d2fca94357738683fc6095db64c48b042c1f64a80a9201036a9ac6218a206eea465

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msi.dll

Filesize
45KB

MD5
9fabffc5382fd812239790802df74637

SHA1
b640e095141495a6904e52a87312d81470753441

SHA256
a01928402f9780c04e500f50631254fece3b53066fde20146ee9d94ea8ad8865

SHA512
20dd2e04cf2ec53d761e613a50c284f92fb891a9e59399df0949d5e7b3a076f994d99b3f97b8e3195d2209e700a453535dbf4362443b54a4d13faa9f6e5ca623

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msi.dll.iso

Filesize
120KB

MD5
66b7b2035dfcefc976eccea6e5023214

SHA1
3108f9efc7d8208e619048d70925956b2937fe20

SHA256
1896247d690978b0346ec41c87163bc3f1e305da595a6e453f2b4e77df2110ea

SHA512
98e5a8cb53f4234eb4305de49622f27f8629a65cfa6ce845f86ef19aec952f03b27f3f2161c242f50ec36fabefcee0c5fdc74284e3ada7581de46f2f717aa872

Download Submit
\ProgramData\svchost.exe

Filesize
289KB

MD5
85678dc8f03dce5e8fb4215ec10e88b0

SHA1
c0dd7b916de9a354255414837d7c89cf71e900be

SHA256
b0cd7582500d4230210250e6457658f91389065618590048dd1c2f7f007518a8

SHA512
bcad69bbf88eeb01f93ca6b82592caef6186f1f4779eee93d072e83c54beec759782a5d907b7dbf5b7f838a58e5eeabec0f32e7340d70f7ae4c8b7c3cd305eed

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\MSIDB.exe

Filesize
152KB

MD5
211494b619971b7fa34c456116a70adb

SHA1
0da44929534dc7104f8b661280586f4021bbb896

SHA256
cdfbbfdc781d0568dc2466bfbfa8d3ae8f84f80047d1a57f14a967c5dc8be4f4

SHA512
13f785a01ed64d7abad41aafc124ae725a7d08318a6b77a0da1dda40a3eaa7c03010b739b480789fae29b7faa8ab251d76cd0e733690d4471bdf7bcf2aa1fd0d

Download Submit
memory/1688-101-0x0000000000250000-0x0000000000280000-memory.dmp

Filesize
192KB

Download
memory/1688-99-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/1688-100-0x0000000000250000-0x0000000000280000-memory.dmp

Filesize
192KB

Download
memory/1688-98-0x0000000000250000-0x0000000000280000-memory.dmp

Filesize
192KB

Download
memory/2064-33-0x00000000002A0000-0x00000000002D0000-memory.dmp

Filesize
192KB

Download
memory/2064-77-0x00000000002A0000-0x00000000002D0000-memory.dmp

Filesize
192KB

Download
memory/2064-32-0x0000000001E90000-0x0000000001F90000-memory.dmp

Filesize
1024KB

Download
memory/2220-59-0x00000000001E0000-0x0000000000210000-memory.dmp

Filesize
192KB

Download
memory/2220-66-0x00000000001E0000-0x0000000000210000-memory.dmp

Filesize
192KB

Download
memory/2852-87-0x0000000000100000-0x0000000000130000-memory.dmp

Filesize
192KB

Download
memory/2852-88-0x0000000000100000-0x0000000000130000-memory.dmp

Filesize
192KB

Download
memory/2852-81-0x0000000000100000-0x0000000000130000-memory.dmp

Filesize
192KB

Download
memory/2852-80-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2852-83-0x0000000000100000-0x0000000000130000-memory.dmp

Filesize
192KB

Download
memory/2852-67-0x0000000000100000-0x0000000000130000-memory.dmp

Filesize
192KB

Download
memory/2852-65-0x0000000000100000-0x0000000000130000-memory.dmp

Filesize
192KB

Download
memory/2852-82-0x0000000000100000-0x0000000000130000-memory.dmp

Filesize
192KB

Download
memory/2852-104-0x0000000000100000-0x0000000000130000-memory.dmp

Filesize
192KB

Download
memory/2852-60-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2852-64-0x00000000000C0000-0x00000000000C2000-memory.dmp

Filesize
8KB

Download
memory/2852-63-0x00000000000A0000-0x00000000000BD000-memory.dmp

Filesize
116KB

Download
memory/2852-102-0x0000000000100000-0x0000000000130000-memory.dmp

Filesize
192KB

Download
memory/2984-55-0x0000000000200000-0x0000000000230000-memory.dmp

Filesize
192KB

Download
memory/2984-92-0x0000000000200000-0x0000000000230000-memory.dmp

Filesize
192KB

Download