plugx | 2443cfea2a2de60fe321282643231993f8c3960066509d004da95c901566757a

Resubmissions

30-12-2024 20:11

241230-yyqtyawqhq 10

17-09-2024 07:10

240917-hzp12azhnd 10

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2024 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e64c67b5d78a53909bfadfbf781162e9_JaffaCakes118.exe
Size

290KB
MD5

e64c67b5d78a53909bfadfbf781162e9
SHA1

aa5582e0420bd0e5905537233b94f145e039a2c6
SHA256

2443cfea2a2de60fe321282643231993f8c3960066509d004da95c901566757a
SHA512

8ede7ecbaa13b99276ee46fa2beeb1fa06ee2f3a5a86b3a4b8ff16f99d4e2904f035914a4b091fbe87beab72645c35cd0ae76a65757045e87f27122e2e633a77
SSDEEP

6144:+z+92mhAMJ/cPl3ix0LHoVzkLhQusXS3CCtr3S7ogs2X69A83v:+K2mhAMJ/cPlFQkCuPvr3woX2X6+8f

Score

10^/10

plugx discovery trojan

Malware Config

Signatures

Detects PlugX payload 17 IoCs

resource	yara_rule
behavioral2/memory/1052-20-0x0000000002100000-0x000000000213F000-memory.dmp	family_plugx
behavioral2/memory/2692-39-0x0000000000DA0000-0x0000000000DDF000-memory.dmp	family_plugx
behavioral2/memory/2692-40-0x0000000000DA0000-0x0000000000DDF000-memory.dmp	family_plugx
behavioral2/memory/1092-43-0x0000000001940000-0x000000000197F000-memory.dmp	family_plugx
behavioral2/memory/2692-45-0x0000000000DA0000-0x0000000000DDF000-memory.dmp	family_plugx
behavioral2/memory/1092-42-0x0000000001940000-0x000000000197F000-memory.dmp	family_plugx
behavioral2/memory/1052-47-0x0000000002100000-0x000000000213F000-memory.dmp	family_plugx
behavioral2/memory/1052-21-0x0000000002100000-0x000000000213F000-memory.dmp	family_plugx
behavioral2/memory/1092-60-0x0000000001940000-0x000000000197F000-memory.dmp	family_plugx
behavioral2/memory/1092-61-0x0000000001940000-0x000000000197F000-memory.dmp	family_plugx
behavioral2/memory/1092-59-0x0000000001940000-0x000000000197F000-memory.dmp	family_plugx
behavioral2/memory/1092-48-0x0000000001940000-0x000000000197F000-memory.dmp	family_plugx
behavioral2/memory/1092-63-0x0000000001940000-0x000000000197F000-memory.dmp	family_plugx
behavioral2/memory/1760-68-0x0000000001480000-0x00000000014BF000-memory.dmp	family_plugx
behavioral2/memory/1760-71-0x0000000001480000-0x00000000014BF000-memory.dmp	family_plugx
behavioral2/memory/1760-70-0x0000000001480000-0x00000000014BF000-memory.dmp	family_plugx
behavioral2/memory/1092-72-0x0000000001940000-0x000000000197F000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Plugx family
plugx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	e64c67b5d78a53909bfadfbf781162e9_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
1092	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
1052	TPLCDCLR.EXE
2692	TPLCDCLR.EXE

Loads dropped DLL 2 IoCs

pid	Process
1052	TPLCDCLR.EXE
2692	TPLCDCLR.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e64c67b5d78a53909bfadfbf781162e9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TPLCDCLR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TPLCDCLR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 36003800410045003200330039003500420038003500430042004500460034000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1092	svchost.exe
1092	svchost.exe
1092	svchost.exe
1092	svchost.exe
1092	svchost.exe
1092	svchost.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1092	svchost.exe
1092	svchost.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1092	svchost.exe
1092	svchost.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1092	svchost.exe
1092	svchost.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1092	svchost.exe
1092	svchost.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe
1760	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1092	svchost.exe
1760	msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1052	TPLCDCLR.EXE
Token: SeTcbPrivilege	1052	TPLCDCLR.EXE
Token: SeDebugPrivilege	2692	TPLCDCLR.EXE
Token: SeTcbPrivilege	2692	TPLCDCLR.EXE
Token: SeDebugPrivilege	1092	svchost.exe
Token: SeTcbPrivilege	1092	svchost.exe
Token: SeDebugPrivilege	1760	msiexec.exe
Token: SeTcbPrivilege	1760	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 1052	1436	e64c67b5d78a53909bfadfbf781162e9_JaffaCakes118.exe	83
PID 1436 wrote to memory of 1052	1436	e64c67b5d78a53909bfadfbf781162e9_JaffaCakes118.exe	83
PID 1436 wrote to memory of 1052	1436	e64c67b5d78a53909bfadfbf781162e9_JaffaCakes118.exe	83
PID 2692 wrote to memory of 1092	2692	TPLCDCLR.EXE	86
PID 2692 wrote to memory of 1092	2692	TPLCDCLR.EXE	86
PID 2692 wrote to memory of 1092	2692	TPLCDCLR.EXE	86
PID 2692 wrote to memory of 1092	2692	TPLCDCLR.EXE	86
PID 2692 wrote to memory of 1092	2692	TPLCDCLR.EXE	86
PID 2692 wrote to memory of 1092	2692	TPLCDCLR.EXE	86
PID 2692 wrote to memory of 1092	2692	TPLCDCLR.EXE	86
PID 2692 wrote to memory of 1092	2692	TPLCDCLR.EXE	86
PID 1092 wrote to memory of 1760	1092	svchost.exe	96
PID 1092 wrote to memory of 1760	1092	svchost.exe	96
PID 1092 wrote to memory of 1760	1092	svchost.exe	96
PID 1092 wrote to memory of 1760	1092	svchost.exe	96
PID 1092 wrote to memory of 1760	1092	svchost.exe	96
PID 1092 wrote to memory of 1760	1092	svchost.exe	96
PID 1092 wrote to memory of 1760	1092	svchost.exe	96
PID 1092 wrote to memory of 1760	1092	svchost.exe	96

C:\Users\Admin\AppData\Local\Temp\e64c67b5d78a53909bfadfbf781162e9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e64c67b5d78a53909bfadfbf781162e9_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\TPLCDCLR.EXE
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\TPLCDCLR.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1052

C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\TPLCDCLR.EXE
"C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\TPLCDCLR.EXE"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 1092
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\TPLCDCLR.EXE

Filesize
37KB

MD5
d9978f95ce30e85943efb52c9c7d731b

SHA1
a64bb28c87c4e41be56a9bb3b887c53051eb1db5

SHA256
69c2c1733dd95f16a1e89869ec05a618c27df1e7e86a51884abcdeb709eb3d45

SHA512
766a222e9f6fc9acafd2bbf72fdf44bb486d394cbd8751d487d47e828760240b1b945775efd17e77ca6b163e9e1f140f4612715b63b390cdf86e20325112124c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WTS.CHM

Filesize
147KB

MD5
5ce1c050fb6370e5cf997313abba9947

SHA1
6751978299e9b956da914a5110438b6b262dcb75

SHA256
ab927653e27e3374aa97eb9bfdacb011a7664d930e6f356512c5ae9582c2cfe5

SHA512
e6ce9bf2392fb9610efdfa0abb460b8031cef020ffed2b4cae9b609631f0fba5ae18ea311dc8f94aa5f46a4dbac9064186b5a0648459504256a7fb17ad8c3061

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WTSAPI32.dll

Filesize
78KB

MD5
be59ff05b96b7bb251dd77932b71bbc1

SHA1
28a4a3be8606aea4f46761238d99fa4d7a96354e

SHA256
c8dd154950db3401b2e91c6a535b2f0f8853bc188e31f9d91c96bf31cebd1251

SHA512
2e06ad4dac78bd08d8c0b9925455662900bc6cf71df70ce478d18bc4cb273ab6fd15eedaa563c646001765a1a8878b752748abc1ea6c43a1acdf32a76c524050

Download Submit
memory/1052-47-0x0000000002100000-0x000000000213F000-memory.dmp

Filesize
252KB

Download
memory/1052-19-0x0000000000590000-0x00000000005B5000-memory.dmp

Filesize
148KB

Download
memory/1052-20-0x0000000002100000-0x000000000213F000-memory.dmp

Filesize
252KB

Download
memory/1052-21-0x0000000002100000-0x000000000213F000-memory.dmp

Filesize
252KB

Download
memory/1092-63-0x0000000001940000-0x000000000197F000-memory.dmp

Filesize
252KB

Download
memory/1092-48-0x0000000001940000-0x000000000197F000-memory.dmp

Filesize
252KB

Download
memory/1092-42-0x0000000001940000-0x000000000197F000-memory.dmp

Filesize
252KB

Download
memory/1092-41-0x00000000012F0000-0x00000000012F1000-memory.dmp

Filesize
4KB

Download
memory/1092-43-0x0000000001940000-0x000000000197F000-memory.dmp

Filesize
252KB

Download
memory/1092-72-0x0000000001940000-0x000000000197F000-memory.dmp

Filesize
252KB

Download
memory/1092-60-0x0000000001940000-0x000000000197F000-memory.dmp

Filesize
252KB

Download
memory/1092-61-0x0000000001940000-0x000000000197F000-memory.dmp

Filesize
252KB

Download
memory/1092-59-0x0000000001940000-0x000000000197F000-memory.dmp

Filesize
252KB

Download
memory/1092-58-0x00000000012F0000-0x00000000012F1000-memory.dmp

Filesize
4KB

Download
memory/1760-68-0x0000000001480000-0x00000000014BF000-memory.dmp

Filesize
252KB

Download
memory/1760-67-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/1760-69-0x00000000012D0000-0x00000000012D1000-memory.dmp

Filesize
4KB

Download
memory/1760-71-0x0000000001480000-0x00000000014BF000-memory.dmp

Filesize
252KB

Download
memory/1760-70-0x0000000001480000-0x00000000014BF000-memory.dmp

Filesize
252KB

Download
memory/2692-39-0x0000000000DA0000-0x0000000000DDF000-memory.dmp

Filesize
252KB

Download
memory/2692-45-0x0000000000DA0000-0x0000000000DDF000-memory.dmp

Filesize
252KB

Download
memory/2692-40-0x0000000000DA0000-0x0000000000DDF000-memory.dmp

Filesize
252KB

Download