plugx | 738525e6f38822a0466ea9859c368d2625ff598e870db0cd41499eafe19519cb

Analysis

max time kernel
149s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-02-2025 11:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_87e8d91f41bdf424ede7d2d0139d7f9a.exe
Size

158KB
MD5

87e8d91f41bdf424ede7d2d0139d7f9a
SHA1

549490ff753f5f8aaab5a57fd143d8e9b32aee9b
SHA256

738525e6f38822a0466ea9859c368d2625ff598e870db0cd41499eafe19519cb
SHA512

ab6859473afc86a46b07f0a8301e7697d67de3272627543bbf0d7bf35fe768524d48c6ca6eb9be706e748e1fb03bbb6975f7605a2f78530e7b45bc0c30aec929
SSDEEP

3072:qnvTqkBbgv/inBu6XIX88vTglZTvY6CB6SmIvbp99:qnrBJAVX88bgTTw6CcvIvbp9

Score

10^/10

plugx discovery trojan

Malware Config

Signatures

Detects PlugX payload 17 IoCs

resource	yara_rule
behavioral1/memory/2524-17-0x0000000000770000-0x000000000079E000-memory.dmp	family_plugx
behavioral1/memory/3008-22-0x0000000000310000-0x000000000033E000-memory.dmp	family_plugx
behavioral1/memory/2232-31-0x0000000000270000-0x000000000029E000-memory.dmp	family_plugx
behavioral1/memory/2232-33-0x0000000000270000-0x000000000029E000-memory.dmp	family_plugx
behavioral1/memory/2232-52-0x0000000000270000-0x000000000029E000-memory.dmp	family_plugx
behavioral1/memory/2232-51-0x0000000000270000-0x000000000029E000-memory.dmp	family_plugx
behavioral1/memory/2232-50-0x0000000000270000-0x000000000029E000-memory.dmp	family_plugx
behavioral1/memory/2232-47-0x0000000000270000-0x000000000029E000-memory.dmp	family_plugx
behavioral1/memory/3008-43-0x0000000000310000-0x000000000033E000-memory.dmp	family_plugx
behavioral1/memory/2232-53-0x0000000000270000-0x000000000029E000-memory.dmp	family_plugx
behavioral1/memory/2232-54-0x0000000000270000-0x000000000029E000-memory.dmp	family_plugx
behavioral1/memory/2524-57-0x0000000000770000-0x000000000079E000-memory.dmp	family_plugx
behavioral1/memory/2232-58-0x0000000000270000-0x000000000029E000-memory.dmp	family_plugx
behavioral1/memory/2164-65-0x0000000000250000-0x000000000027E000-memory.dmp	family_plugx
behavioral1/memory/2164-67-0x0000000000250000-0x000000000027E000-memory.dmp	family_plugx
behavioral1/memory/2164-68-0x0000000000250000-0x000000000027E000-memory.dmp	family_plugx
behavioral1/memory/2232-69-0x0000000000270000-0x000000000029E000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Plugx family
plugx

Deletes itself 1 IoCs

pid	Process
2524	nvSmartMaxapp.exe

Executes dropped EXE 2 IoCs

pid	Process
2524	nvSmartMaxapp.exe
3008	nvSmartMaxapp.exe

Loads dropped DLL 4 IoCs

pid	Process
1924	JaffaCakes118_87e8d91f41bdf424ede7d2d0139d7f9a.exe
1924	JaffaCakes118_87e8d91f41bdf424ede7d2d0139d7f9a.exe
2524	nvSmartMaxapp.exe
3008	nvSmartMaxapp.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_87e8d91f41bdf424ede7d2d0139d7f9a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvSmartMaxapp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvSmartMaxapp.exe

Modifies data under HKEY_USERS 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C516145-FEF4-44FA-8817-A61CA3B822E3}\WpadNetworkName = "Network 3"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C516145-FEF4-44FA-8817-A61CA3B822E3}\8e-ed-f9-c3-b4-fc	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C516145-FEF4-44FA-8817-A61CA3B822E3}\WpadDecisionReason = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-ed-f9-c3-b4-fc\WpadDecisionReason = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-ed-f9-c3-b4-fc\WpadDecisionTime = 502703732d76db01	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C516145-FEF4-44FA-8817-A61CA3B822E3}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-ed-f9-c3-b4-fc	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C516145-FEF4-44FA-8817-A61CA3B822E3}\WpadDecisionTime = 502703732d76db01	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C516145-FEF4-44FA-8817-A61CA3B822E3}\WpadDecision = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-ed-f9-c3-b4-fc\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0171000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 46003400460033003000450035003800310037003300310032004100360030000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3008	nvSmartMaxapp.exe
3008	nvSmartMaxapp.exe
2232	svchost.exe
2232	svchost.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2232	svchost.exe
2232	svchost.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2232	svchost.exe
2232	svchost.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2232	svchost.exe
2232	svchost.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2232	svchost.exe
2232	svchost.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2164	msiexec.exe
2232	svchost.exe
2232	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2232	svchost.exe
2164	msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	nvSmartMaxapp.exe
Token: SeTcbPrivilege	2524	nvSmartMaxapp.exe
Token: SeDebugPrivilege	3008	nvSmartMaxapp.exe
Token: SeTcbPrivilege	3008	nvSmartMaxapp.exe
Token: SeDebugPrivilege	2232	svchost.exe
Token: SeTcbPrivilege	2232	svchost.exe
Token: SeDebugPrivilege	2164	msiexec.exe
Token: SeTcbPrivilege	2164	msiexec.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2524	1924	JaffaCakes118_87e8d91f41bdf424ede7d2d0139d7f9a.exe	30
PID 1924 wrote to memory of 2524	1924	JaffaCakes118_87e8d91f41bdf424ede7d2d0139d7f9a.exe	30
PID 1924 wrote to memory of 2524	1924	JaffaCakes118_87e8d91f41bdf424ede7d2d0139d7f9a.exe	30
PID 1924 wrote to memory of 2524	1924	JaffaCakes118_87e8d91f41bdf424ede7d2d0139d7f9a.exe	30
PID 3008 wrote to memory of 2232	3008	nvSmartMaxapp.exe	32
PID 3008 wrote to memory of 2232	3008	nvSmartMaxapp.exe	32
PID 3008 wrote to memory of 2232	3008	nvSmartMaxapp.exe	32
PID 3008 wrote to memory of 2232	3008	nvSmartMaxapp.exe	32
PID 3008 wrote to memory of 2232	3008	nvSmartMaxapp.exe	32
PID 3008 wrote to memory of 2232	3008	nvSmartMaxapp.exe	32
PID 3008 wrote to memory of 2232	3008	nvSmartMaxapp.exe	32
PID 3008 wrote to memory of 2232	3008	nvSmartMaxapp.exe	32
PID 3008 wrote to memory of 2232	3008	nvSmartMaxapp.exe	32
PID 2232 wrote to memory of 2164	2232	svchost.exe	33
PID 2232 wrote to memory of 2164	2232	svchost.exe	33
PID 2232 wrote to memory of 2164	2232	svchost.exe	33
PID 2232 wrote to memory of 2164	2232	svchost.exe	33
PID 2232 wrote to memory of 2164	2232	svchost.exe	33
PID 2232 wrote to memory of 2164	2232	svchost.exe	33
PID 2232 wrote to memory of 2164	2232	svchost.exe	33
PID 2232 wrote to memory of 2164	2232	svchost.exe	33
PID 2232 wrote to memory of 2164	2232	svchost.exe	33
PID 2232 wrote to memory of 2164	2232	svchost.exe	33
PID 2232 wrote to memory of 2164	2232	svchost.exe	33
PID 2232 wrote to memory of 2164	2232	svchost.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87e8d91f41bdf424ede7d2d0139d7f9a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87e8d91f41bdf424ede7d2d0139d7f9a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1924
- C:\ProgramData\NVIDIASmart\nvSmartMaxapp.exe
  "C:\ProgramData\NVIDIASmart\nvSmartMaxapp.exe" 100 1924
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2524

C:\ProgramData\NVIDIASmart\nvSmartMaxapp.exe
"C:\ProgramData\NVIDIASmart\nvSmartMaxapp.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 2232
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\NVIDIASmart\NvSmartMax.dll

Filesize
4KB

MD5
37b32c7adf4fdc896dca8df046443b1d

SHA1
2714c65216434f106c2e6365896bc5683a65dd0f

SHA256
8de7b19abd5e19dab255db20dc4c6a8fe3318ecd2a8dca2f66f345537168265c

SHA512
371170869578214bc51e1e65361839abd857d6bd827e52f35b12324c697b9280ba2248bb6bb586ef70bc69ea2d23e7d14bc3645ee838a220c184c2d57750ce53

Download Submit
C:\ProgramData\NVIDIASmart\boot.ldr

Filesize
115KB

MD5
45c254f9cabc15b3f71583354a16262b

SHA1
78e24aacad37d643b0953d9c57d4d6fa33e146db

SHA256
2e2baa4548461dcfac103f0cad4585b4b9260381996857a155ebdfbf1420bde8

SHA512
57c6ef12542d75b6126ea70e30d870da3312f11691a722f00d2e27d4251a6c7e4aea11ca79c9cac777cc0c86d7992a7b8740ee3f588734fff64656d47bdba2e1

Download Submit
C:\ProgramData\bug.log

Filesize
376B

MD5
0cc5e87631499364fce0b9daa532d956

SHA1
de08b27ee3d62ea99368abb8af5a7f5da105449b

SHA256
7cc2ce617ab0e781cb9ed06994f240acba218448cb2da0839de5931e54b26e83

SHA512
ed5cdeb9c7422493796cef7306c71cd95c21a7c089c098738fa31fe8a1de92f7a631e72fca05828ffdaa9d151559c14d950a95e1b46e552f3368108b1704969d

Download Submit
\ProgramData\NVIDIASmart\nvSmartMaxapp.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
memory/2164-68-0x0000000000250000-0x000000000027E000-memory.dmp

Filesize
184KB

Download
memory/2164-66-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2164-67-0x0000000000250000-0x000000000027E000-memory.dmp

Filesize
184KB

Download
memory/2164-65-0x0000000000250000-0x000000000027E000-memory.dmp

Filesize
184KB

Download
memory/2164-64-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2232-28-0x00000000000E0000-0x00000000000FC000-memory.dmp

Filesize
112KB

Download
memory/2232-53-0x0000000000270000-0x000000000029E000-memory.dmp

Filesize
184KB

Download
memory/2232-52-0x0000000000270000-0x000000000029E000-memory.dmp

Filesize
184KB

Download
memory/2232-51-0x0000000000270000-0x000000000029E000-memory.dmp

Filesize
184KB

Download
memory/2232-50-0x0000000000270000-0x000000000029E000-memory.dmp

Filesize
184KB

Download
memory/2232-31-0x0000000000270000-0x000000000029E000-memory.dmp

Filesize
184KB

Download
memory/2232-47-0x0000000000270000-0x000000000029E000-memory.dmp

Filesize
184KB

Download
memory/2232-46-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2232-69-0x0000000000270000-0x000000000029E000-memory.dmp

Filesize
184KB

Download
memory/2232-33-0x0000000000270000-0x000000000029E000-memory.dmp

Filesize
184KB

Download
memory/2232-54-0x0000000000270000-0x000000000029E000-memory.dmp

Filesize
184KB

Download
memory/2232-26-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2232-58-0x0000000000270000-0x000000000029E000-memory.dmp

Filesize
184KB

Download
memory/2232-30-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2524-57-0x0000000000770000-0x000000000079E000-memory.dmp

Filesize
184KB

Download
memory/2524-17-0x0000000000770000-0x000000000079E000-memory.dmp

Filesize
184KB

Download
memory/2524-16-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/3008-22-0x0000000000310000-0x000000000033E000-memory.dmp

Filesize
184KB

Download
memory/3008-43-0x0000000000310000-0x000000000033E000-memory.dmp

Filesize
184KB

Download