Overview

overview

10

Static

static

3

JaffaCakes...9a.exe

windows7-x64

10

JaffaCakes...9a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-02-2025 11:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_87e8d91f41bdf424ede7d2d0139d7f9a.exe

  • Size

    158KB

  • MD5

    87e8d91f41bdf424ede7d2d0139d7f9a

  • SHA1

    549490ff753f5f8aaab5a57fd143d8e9b32aee9b

  • SHA256

    738525e6f38822a0466ea9859c368d2625ff598e870db0cd41499eafe19519cb

  • SHA512

    ab6859473afc86a46b07f0a8301e7697d67de3272627543bbf0d7bf35fe768524d48c6ca6eb9be706e748e1fb03bbb6975f7605a2f78530e7b45bc0c30aec929

  • SSDEEP

    3072:qnvTqkBbgv/inBu6XIX88vTglZTvY6CB6SmIvbp99:qnrBJAVX88bgTTw6CcvIvbp9

Score
10/10
plugxdiscoverytrojan

Malware Config

Signatures

  • Detects PlugX payload 19 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Plugx family
    plugx
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 17 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87e8d91f41bdf424ede7d2d0139d7f9a.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87e8d91f41bdf424ede7d2d0139d7f9a.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4872
    • C:\ProgramData\NVIDIASmart\nvSmartMaxapp.exe
      "C:\ProgramData\NVIDIASmart\nvSmartMaxapp.exe" 100 4872
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2864
  • C:\ProgramData\NVIDIASmart\nvSmartMaxapp.exe
    "C:\ProgramData\NVIDIASmart\nvSmartMaxapp.exe" 200 0
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4492
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2228
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 2228
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:756

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\NVIDIASmart\NvSmartMax.dll
    Filesize

    4KB

    MD5

    37b32c7adf4fdc896dca8df046443b1d

    SHA1

    2714c65216434f106c2e6365896bc5683a65dd0f

    SHA256

    8de7b19abd5e19dab255db20dc4c6a8fe3318ecd2a8dca2f66f345537168265c

    SHA512

    371170869578214bc51e1e65361839abd857d6bd827e52f35b12324c697b9280ba2248bb6bb586ef70bc69ea2d23e7d14bc3645ee838a220c184c2d57750ce53

    Download Submit

  • C:\ProgramData\NVIDIASmart\boot.ldr
    Filesize

    115KB

    MD5

    45c254f9cabc15b3f71583354a16262b

    SHA1

    78e24aacad37d643b0953d9c57d4d6fa33e146db

    SHA256

    2e2baa4548461dcfac103f0cad4585b4b9260381996857a155ebdfbf1420bde8

    SHA512

    57c6ef12542d75b6126ea70e30d870da3312f11691a722f00d2e27d4251a6c7e4aea11ca79c9cac777cc0c86d7992a7b8740ee3f588734fff64656d47bdba2e1

    Download Submit

  • C:\ProgramData\NVIDIASmart\nvSmartMaxapp.exe
    Filesize

    46KB

    MD5

    09b8b54f78a10c435cd319070aa13c28

    SHA1

    6474d0369f97e72e01e4971128d1062f5c2b3656

    SHA256

    523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

    SHA512

    c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

    Download Submit

  • C:\ProgramData\bug.log
    Filesize

    376B

    MD5

    0cc5e87631499364fce0b9daa532d956

    SHA1

    de08b27ee3d62ea99368abb8af5a7f5da105449b

    SHA256

    7cc2ce617ab0e781cb9ed06994f240acba218448cb2da0839de5931e54b26e83

    SHA512

    ed5cdeb9c7422493796cef7306c71cd95c21a7c089c098738fa31fe8a1de92f7a631e72fca05828ffdaa9d151559c14d950a95e1b46e552f3368108b1704969d

    Download Submit

  • memory/756-59-0x0000000000660000-0x000000000068E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/756-54-0x00000000005E0000-0x00000000005E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/756-55-0x0000000000660000-0x000000000068E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/756-56-0x0000000000660000-0x000000000068E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/756-53-0x0000000000660000-0x000000000068E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/756-51-0x0000000000160000-0x0000000000161000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2228-22-0x00000000009D0000-0x00000000009D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2228-49-0x0000000001290000-0x00000000012BE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2228-39-0x0000000001290000-0x00000000012BE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2228-36-0x0000000001280000-0x0000000001281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2228-25-0x0000000001290000-0x00000000012BE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2228-41-0x0000000001290000-0x00000000012BE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2228-58-0x0000000001290000-0x00000000012BE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2228-38-0x0000000001290000-0x00000000012BE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2228-57-0x00000000009D0000-0x00000000009D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2228-37-0x0000000001290000-0x00000000012BE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2228-50-0x0000000001290000-0x00000000012BE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2228-24-0x0000000001290000-0x00000000012BE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2228-23-0x0000000001290000-0x00000000012BE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2864-13-0x0000000002160000-0x000000000218E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2864-48-0x0000000002160000-0x000000000218E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2864-12-0x0000000002030000-0x0000000002130000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/4492-18-0x0000000000E20000-0x0000000000E4E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4492-19-0x0000000000E20000-0x0000000000E4E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4492-45-0x0000000000E20000-0x0000000000E4E000-memory.dmp

    Filesize

    184KB

    Download