plugx | ab04624c6c23905350f2526ee1813f7a7d4519b2351158e73d9465e4b68c36c5

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2024 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36877a5b3cc6e763976ca0ba166991cc_JaffaCakes118.exe
Size

437KB
MD5

36877a5b3cc6e763976ca0ba166991cc
SHA1

4f48f82a7dc50051328b124a9e377bd2a9868b05
SHA256

ab04624c6c23905350f2526ee1813f7a7d4519b2351158e73d9465e4b68c36c5
SHA512

c650150584955e030a7249aef3eece9114d77fdcf9ef51180a44322de91de49212f832c951dfb3184cb3cb60a5e7c3a073d1269aee41f769f6e5d9bc11bffd8c
SSDEEP

12288:vkWAehJuqT4SPkDh1e2EEwkbBHClfuwiSg705/9j:vkWAAuqkAwJwYHufc7s/B

Score

10^/10

plugx discovery trojan

Malware Config

Signatures

Detects PlugX payload 18 IoCs

resource	yara_rule
behavioral2/memory/920-31-0x00000000022F0000-0x0000000002320000-memory.dmp	family_plugx
behavioral2/memory/2316-51-0x00000000027C0000-0x00000000027F0000-memory.dmp	family_plugx
behavioral2/memory/2136-55-0x00000000017B0000-0x00000000017E0000-memory.dmp	family_plugx
behavioral2/memory/1812-56-0x0000000000CF0000-0x0000000000D20000-memory.dmp	family_plugx
behavioral2/memory/1812-57-0x0000000000CF0000-0x0000000000D20000-memory.dmp	family_plugx
behavioral2/memory/1812-70-0x0000000000CF0000-0x0000000000D20000-memory.dmp	family_plugx
behavioral2/memory/1812-69-0x0000000000CF0000-0x0000000000D20000-memory.dmp	family_plugx
behavioral2/memory/1812-74-0x0000000000CF0000-0x0000000000D20000-memory.dmp	family_plugx
behavioral2/memory/1812-75-0x0000000000CF0000-0x0000000000D20000-memory.dmp	family_plugx
behavioral2/memory/1812-71-0x0000000000CF0000-0x0000000000D20000-memory.dmp	family_plugx
behavioral2/memory/2136-79-0x00000000017B0000-0x00000000017E0000-memory.dmp	family_plugx
behavioral2/memory/920-82-0x00000000022F0000-0x0000000002320000-memory.dmp	family_plugx
behavioral2/memory/2316-83-0x00000000027C0000-0x00000000027F0000-memory.dmp	family_plugx
behavioral2/memory/3696-84-0x0000000002E50000-0x0000000002E80000-memory.dmp	family_plugx
behavioral2/memory/3696-87-0x0000000002E50000-0x0000000002E80000-memory.dmp	family_plugx
behavioral2/memory/3696-86-0x0000000002E50000-0x0000000002E80000-memory.dmp	family_plugx
behavioral2/memory/1812-88-0x0000000000CF0000-0x0000000000D20000-memory.dmp	family_plugx
behavioral2/memory/1812-91-0x0000000000CF0000-0x0000000000D20000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	36877a5b3cc6e763976ca0ba166991cc_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
4984	svchost.exe
920	MSIDB.exe
2316	MSIDB.exe
2136	MSIDB.exe

Loads dropped DLL 3 IoCs

pid	Process
920	MSIDB.exe
2316	MSIDB.exe
2136	MSIDB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIDB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIDB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIDB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36877a5b3cc6e763976ca0ba166991cc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 38003200370039003100360046003700420042003400410044003200440037000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
920	MSIDB.exe
920	MSIDB.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
3696	msiexec.exe
3696	msiexec.exe
3696	msiexec.exe
3696	msiexec.exe
3696	msiexec.exe
3696	msiexec.exe
3696	msiexec.exe
3696	msiexec.exe
3696	msiexec.exe
3696	msiexec.exe
3696	msiexec.exe
3696	msiexec.exe
1812	svchost.exe
1812	svchost.exe
3696	msiexec.exe
3696	msiexec.exe
3696	msiexec.exe
3696	msiexec.exe
3696	msiexec.exe
3696	msiexec.exe
3696	msiexec.exe
3696	msiexec.exe
3696	msiexec.exe
3696	msiexec.exe
1812	svchost.exe
1812	svchost.exe
3696	msiexec.exe
3696	msiexec.exe
3696	msiexec.exe
3696	msiexec.exe
3696	msiexec.exe
3696	msiexec.exe
3696	msiexec.exe
3696	msiexec.exe
1812	svchost.exe
3696	msiexec.exe
3696	msiexec.exe
1812	svchost.exe
3696	msiexec.exe
3696	msiexec.exe
3696	msiexec.exe
3696	msiexec.exe
3696	msiexec.exe
3696	msiexec.exe
3696	msiexec.exe
3696	msiexec.exe
1812	svchost.exe
1812	svchost.exe
3696	msiexec.exe
3696	msiexec.exe
3696	msiexec.exe
3696	msiexec.exe
3696	msiexec.exe
3696	msiexec.exe
3696	msiexec.exe
3696	msiexec.exe
3696	msiexec.exe
3696	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1812	svchost.exe
3696	msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	920	MSIDB.exe
Token: SeTcbPrivilege	920	MSIDB.exe
Token: SeDebugPrivilege	2316	MSIDB.exe
Token: SeTcbPrivilege	2316	MSIDB.exe
Token: SeDebugPrivilege	2136	MSIDB.exe
Token: SeTcbPrivilege	2136	MSIDB.exe
Token: SeDebugPrivilege	1812	svchost.exe
Token: SeTcbPrivilege	1812	svchost.exe
Token: SeDebugPrivilege	3696	msiexec.exe
Token: SeTcbPrivilege	3696	msiexec.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 4984	4752	36877a5b3cc6e763976ca0ba166991cc_JaffaCakes118.exe	86
PID 4752 wrote to memory of 4984	4752	36877a5b3cc6e763976ca0ba166991cc_JaffaCakes118.exe	86
PID 4752 wrote to memory of 4984	4752	36877a5b3cc6e763976ca0ba166991cc_JaffaCakes118.exe	86
PID 4984 wrote to memory of 920	4984	svchost.exe	87
PID 4984 wrote to memory of 920	4984	svchost.exe	87
PID 4984 wrote to memory of 920	4984	svchost.exe	87
PID 920 wrote to memory of 2316	920	MSIDB.exe	89
PID 920 wrote to memory of 2316	920	MSIDB.exe	89
PID 920 wrote to memory of 2316	920	MSIDB.exe	89
PID 2136 wrote to memory of 1812	2136	MSIDB.exe	91
PID 2136 wrote to memory of 1812	2136	MSIDB.exe	91
PID 2136 wrote to memory of 1812	2136	MSIDB.exe	91
PID 2136 wrote to memory of 1812	2136	MSIDB.exe	91
PID 2136 wrote to memory of 1812	2136	MSIDB.exe	91
PID 2136 wrote to memory of 1812	2136	MSIDB.exe	91
PID 2136 wrote to memory of 1812	2136	MSIDB.exe	91
PID 2136 wrote to memory of 1812	2136	MSIDB.exe	91
PID 1812 wrote to memory of 3696	1812	svchost.exe	92
PID 1812 wrote to memory of 3696	1812	svchost.exe	92
PID 1812 wrote to memory of 3696	1812	svchost.exe	92
PID 1812 wrote to memory of 3696	1812	svchost.exe	92
PID 1812 wrote to memory of 3696	1812	svchost.exe	92
PID 1812 wrote to memory of 3696	1812	svchost.exe	92
PID 1812 wrote to memory of 3696	1812	svchost.exe	92
PID 1812 wrote to memory of 3696	1812	svchost.exe	92

C:\Users\Admin\AppData\Local\Temp\36877a5b3cc6e763976ca0ba166991cc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\36877a5b3cc6e763976ca0ba166991cc_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4752
- C:\ProgramData\svchost.exe
  "C:\ProgramData\svchost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSIDB.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSIDB.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:920
  - - C:\ProgramData\SxS\MSIDB.exe
      "C:\ProgramData\SxS\MSIDB.exe" 100 920
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2316

C:\ProgramData\SxS\MSIDB.exe
"C:\ProgramData\SxS\MSIDB.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 1812
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:3696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SxS\bug.log

Filesize
622B

MD5
e1b9ef227c45dc83f300cc779b37fae4

SHA1
1e673e5b953007e1487309921d2b2265da1a0c25

SHA256
7fe1e7a2669d44fbb3d53224f0268512a66f2ddf9f795b449ee1d0a26e8ce896

SHA512
e7bea53b0c6cb1c5a764ce78acfdfc71f838076f85ebf532816db2f08c0923547bae5fb5c9b618b891cdaef217957c061ad606e3e9de04f40b58b82d4123dbc0

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
764B

MD5
0ec8b234688a562b77bd0cccf95e141d

SHA1
f3c38c66e544d02b0206b4ee896e601e9b7ce670

SHA256
5aaefd4922553ec959620e9a429641edaff8e5ae253ca9a372cb0c0b67eef8d5

SHA512
b950cad40a6ce040703c47545a9c9e8d636c5582aaaa5f0e520a8480b77bca769e40ef22a721e6724729aa952f4baae1d49e486d064ef62385ec2753acfc3306

Download Submit
C:\ProgramData\svchost.exe

Filesize
289KB

MD5
85678dc8f03dce5e8fb4215ec10e88b0

SHA1
c0dd7b916de9a354255414837d7c89cf71e900be

SHA256
b0cd7582500d4230210250e6457658f91389065618590048dd1c2f7f007518a8

SHA512
bcad69bbf88eeb01f93ca6b82592caef6186f1f4779eee93d072e83c54beec759782a5d907b7dbf5b7f838a58e5eeabec0f32e7340d70f7ae4c8b7c3cd305eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSIDB.exe

Filesize
152KB

MD5
211494b619971b7fa34c456116a70adb

SHA1
0da44929534dc7104f8b661280586f4021bbb896

SHA256
cdfbbfdc781d0568dc2466bfbfa8d3ae8f84f80047d1a57f14a967c5dc8be4f4

SHA512
13f785a01ed64d7abad41aafc124ae725a7d08318a6b77a0da1dda40a3eaa7c03010b739b480789fae29b7faa8ab251d76cd0e733690d4471bdf7bcf2aa1fd0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msi.dll

Filesize
45KB

MD5
9fabffc5382fd812239790802df74637

SHA1
b640e095141495a6904e52a87312d81470753441

SHA256
a01928402f9780c04e500f50631254fece3b53066fde20146ee9d94ea8ad8865

SHA512
20dd2e04cf2ec53d761e613a50c284f92fb891a9e59399df0949d5e7b3a076f994d99b3f97b8e3195d2209e700a453535dbf4362443b54a4d13faa9f6e5ca623

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msi.dll.iso

Filesize
120KB

MD5
66b7b2035dfcefc976eccea6e5023214

SHA1
3108f9efc7d8208e619048d70925956b2937fe20

SHA256
1896247d690978b0346ec41c87163bc3f1e305da595a6e453f2b4e77df2110ea

SHA512
98e5a8cb53f4234eb4305de49622f27f8629a65cfa6ce845f86ef19aec952f03b27f3f2161c242f50ec36fabefcee0c5fdc74284e3ada7581de46f2f717aa872

Download Submit
memory/920-30-0x0000000002440000-0x0000000002540000-memory.dmp

Filesize
1024KB

Download
memory/920-31-0x00000000022F0000-0x0000000002320000-memory.dmp

Filesize
192KB

Download
memory/920-82-0x00000000022F0000-0x0000000002320000-memory.dmp

Filesize
192KB

Download
memory/1812-68-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/1812-88-0x0000000000CF0000-0x0000000000D20000-memory.dmp

Filesize
192KB

Download
memory/1812-69-0x0000000000CF0000-0x0000000000D20000-memory.dmp

Filesize
192KB

Download
memory/1812-57-0x0000000000CF0000-0x0000000000D20000-memory.dmp

Filesize
192KB

Download
memory/1812-74-0x0000000000CF0000-0x0000000000D20000-memory.dmp

Filesize
192KB

Download
memory/1812-75-0x0000000000CF0000-0x0000000000D20000-memory.dmp

Filesize
192KB

Download
memory/1812-71-0x0000000000CF0000-0x0000000000D20000-memory.dmp

Filesize
192KB

Download
memory/1812-91-0x0000000000CF0000-0x0000000000D20000-memory.dmp

Filesize
192KB

Download
memory/1812-56-0x0000000000CF0000-0x0000000000D20000-memory.dmp

Filesize
192KB

Download
memory/1812-70-0x0000000000CF0000-0x0000000000D20000-memory.dmp

Filesize
192KB

Download
memory/2136-55-0x00000000017B0000-0x00000000017E0000-memory.dmp

Filesize
192KB

Download
memory/2136-79-0x00000000017B0000-0x00000000017E0000-memory.dmp

Filesize
192KB

Download
memory/2316-83-0x00000000027C0000-0x00000000027F0000-memory.dmp

Filesize
192KB

Download
memory/2316-51-0x00000000027C0000-0x00000000027F0000-memory.dmp

Filesize
192KB

Download
memory/3696-84-0x0000000002E50000-0x0000000002E80000-memory.dmp

Filesize
192KB

Download
memory/3696-87-0x0000000002E50000-0x0000000002E80000-memory.dmp

Filesize
192KB

Download
memory/3696-86-0x0000000002E50000-0x0000000002E80000-memory.dmp

Filesize
192KB

Download
memory/3696-85-0x0000000002E00000-0x0000000002E01000-memory.dmp

Filesize
4KB

Download