Overview

overview

10

Static

static

3

CoreFoundation.dll

windows7-x64

3

CoreFoundation.dll

windows10-2004-x64

3

iTunesHelper.exe

windows7-x64

10

iTunesHelper.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27-01-2025 10:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    iTunesHelper.exe

  • Size

    299KB

  • MD5

    6ce6784df5fc5b8550c44f90382c2cdd

  • SHA1

    cdb8736bc0ef8298377961adc500242dbe47c5d9

  • SHA256

    883c97df8c1e6f310ae655c0dff076dbb845b67df1499e746f63c951c842d6fb

  • SHA512

    1a1d90534a10989c1aa78ea7bda5cad203b75e12f18b4f0b5fc411a1b21af8c38bf6e0b7352458d28e69fe177f87d43a7f816d5a7f5366a5c76507a9228e0df9

  • SSDEEP

    6144:NnD7PE0+kEvmOpQe/u3g83A8+123+FM2+zIv++r:FDAmEvmOpQeX8Bt4f

Score
10/10
plugxdiscoverytrojan

Malware Config

Signatures

  • Detects PlugX payload 20 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Plugx family
    plugx
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\iTunesHelper.exe
    "C:\Users\Admin\AppData\Local\Temp\iTunesHelper.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1980
  • C:\ProgramData\Microsoft\Diagnosis\Squadcloud\iTunesHelper.exe
    "C:\ProgramData\Microsoft\Diagnosis\Squadcloud\iTunesHelper.exe" 100 1980
    1⤵
    • Deletes itself
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2700
  • C:\ProgramData\Microsoft\Diagnosis\Squadcloud\iTunesHelper.exe
    "C:\ProgramData\Microsoft\Diagnosis\Squadcloud\iTunesHelper.exe" 200 0
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2852
    • C:\Windows\SysWOW64\Synchost.exe
      C:\Windows\system32\Synchost.exe 201 0
      2⤵
      • Unexpected DNS network traffic destination
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2688
      • C:\Windows\SysWOW64\dllhost.exe
        C:\Windows\system32\dllhost.exe 209 2688
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:2608

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Microsoft\Diagnosis\Squadcloud\CoreFoundation.dat
    Filesize

    132KB

    MD5

    f26a51ad40a4012a008b46567f61f394

    SHA1

    0ae9ceff0d16b9761027866b317dffc20bb1fed6

    SHA256

    b84427899190f362573e3bdf0b54fec7a0b91c3da9eb0a3beb8ee2870d6f7b7a

    SHA512

    449e02040fee80a5e59a26e81a5fe51d5093013ebd5dae852414e06ba7da2ec13fee0f4211c5acbf5e0c9676b5686a5c2347e81b54dc56920a6dbc181fc020fc

    Download Submit

  • C:\ProgramData\Microsoft\Diagnosis\Squadcloud\CoreFoundation.dll
    Filesize

    53KB

    MD5

    5afe443ddabb1ade4e5bb4b0eb80894b

    SHA1

    26de33b0d6db22b956e53958f1e600d732945bdc

    SHA256

    38428e93bfa1d4130b948826b763806a3fb06cf9323a960fded41fe60cd18057

    SHA512

    33d27ffc32cd60c51f3d4b19102ecce5c24087691006e778555e53fbc84faa898766da89b1f6a70364e43b49e69c449d16ce0e30daf6f64c19d29af4b2d87823

    Download Submit

  • C:\ProgramData\Microsoft\Diagnosis\Squadcloud\iTunesHelper.exe
    Filesize

    299KB

    MD5

    6ce6784df5fc5b8550c44f90382c2cdd

    SHA1

    cdb8736bc0ef8298377961adc500242dbe47c5d9

    SHA256

    883c97df8c1e6f310ae655c0dff076dbb845b67df1499e746f63c951c842d6fb

    SHA512

    1a1d90534a10989c1aa78ea7bda5cad203b75e12f18b4f0b5fc411a1b21af8c38bf6e0b7352458d28e69fe177f87d43a7f816d5a7f5366a5c76507a9228e0df9

    Download Submit

  • memory/1980-0-0x0000000000C00000-0x0000000000D00000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1980-4-0x0000000000180000-0x00000000001B6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1980-5-0x0000000000180000-0x00000000001B6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1980-63-0x0000000000180000-0x00000000001B6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2608-82-0x0000000000180000-0x00000000001B6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2608-80-0x0000000000070000-0x0000000000071000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2608-81-0x0000000000180000-0x00000000001B6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2608-83-0x0000000000180000-0x00000000001B6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2608-78-0x0000000000180000-0x00000000001B6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2608-77-0x0000000000070000-0x0000000000071000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2608-79-0x0000000000180000-0x00000000001B6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2688-65-0x00000000002A0000-0x00000000002D6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2688-42-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2688-84-0x00000000002A0000-0x00000000002D6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2688-57-0x00000000002A0000-0x00000000002D6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2688-60-0x00000000002A0000-0x00000000002D6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2688-62-0x00000000002A0000-0x00000000002D6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2688-56-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2688-46-0x00000000002A0000-0x00000000002D6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2688-37-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2688-59-0x00000000002A0000-0x00000000002D6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2688-43-0x00000000002A0000-0x00000000002D6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2688-41-0x00000000000A0000-0x00000000000A2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2688-39-0x00000000000F0000-0x0000000000110000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2700-69-0x0000000000100000-0x0000000000136000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2700-27-0x0000000000100000-0x0000000000136000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2852-34-0x00000000000C0000-0x00000000000F6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2852-58-0x00000000000C0000-0x00000000000F6000-memory.dmp

    Filesize

    216KB

    Download