plugx | bba7c47c1c2af0a0d54d2c44c3386f54b59874b9c878dfa8fdacf72937770a96

Analysis

max time kernel
149s
max time network
141s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
10/03/2025, 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_608abb0c39949775368837a6c068b113.exe
Size

341KB
MD5

608abb0c39949775368837a6c068b113
SHA1

24de091315d67bf66d0a089524d5742c79b90400
SHA256

bba7c47c1c2af0a0d54d2c44c3386f54b59874b9c878dfa8fdacf72937770a96
SHA512

89e843d7f7cb700c35c5bcbcdce6d800e9c6b4ccee3997ec0b38c09b452e3d6edbd638b9e9f520b7fdab4dea7c18a85ad23a94eb257b777e69e504e1dd20cb8f
SSDEEP

6144:VKs+6SrgizF3ndvz9T6LmVgcHBsnsTyXS7xTvOtNbCN0bggi9teJkEzbr:XSXndvz9T6yVgchB7xCeNvtOkEzb

Score

10^/10

plugx discovery trojan

Malware Config

Signatures

Detects PlugX payload 20 IoCs

resource	yara_rule
behavioral1/memory/2408-1-0x00000000009C0000-0x00000000009F8000-memory.dmp	family_plugx
behavioral1/memory/2412-17-0x0000000001CC0000-0x0000000001CF8000-memory.dmp	family_plugx
behavioral1/memory/2788-22-0x0000000000320000-0x0000000000358000-memory.dmp	family_plugx
behavioral1/memory/2112-45-0x0000000000270000-0x00000000002A8000-memory.dmp	family_plugx
behavioral1/memory/2112-46-0x0000000000270000-0x00000000002A8000-memory.dmp	family_plugx
behavioral1/memory/2112-44-0x0000000000270000-0x00000000002A8000-memory.dmp	family_plugx
behavioral1/memory/2112-32-0x0000000000270000-0x00000000002A8000-memory.dmp	family_plugx
behavioral1/memory/2788-31-0x0000000000320000-0x0000000000358000-memory.dmp	family_plugx
behavioral1/memory/2112-30-0x0000000000270000-0x00000000002A8000-memory.dmp	family_plugx
behavioral1/memory/2112-29-0x0000000000270000-0x00000000002A8000-memory.dmp	family_plugx
behavioral1/memory/2112-48-0x0000000000270000-0x00000000002A8000-memory.dmp	family_plugx
behavioral1/memory/2408-53-0x00000000009C0000-0x00000000009F8000-memory.dmp	family_plugx
behavioral1/memory/2112-55-0x0000000000270000-0x00000000002A8000-memory.dmp	family_plugx
behavioral1/memory/2412-58-0x0000000001CC0000-0x0000000001CF8000-memory.dmp	family_plugx
behavioral1/memory/2112-59-0x0000000000270000-0x00000000002A8000-memory.dmp	family_plugx
behavioral1/memory/2740-69-0x00000000003A0000-0x00000000003D8000-memory.dmp	family_plugx
behavioral1/memory/2740-72-0x00000000003A0000-0x00000000003D8000-memory.dmp	family_plugx
behavioral1/memory/2740-71-0x00000000003A0000-0x00000000003D8000-memory.dmp	family_plugx
behavioral1/memory/2112-73-0x0000000000270000-0x00000000002A8000-memory.dmp	family_plugx
behavioral1/memory/2112-76-0x0000000000270000-0x00000000002A8000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Plugx family
plugx

Deletes itself 1 IoCs

pid	Process
2412	NvSmart.exe

Executes dropped EXE 2 IoCs

pid	Process
2412	NvSmart.exe
2788	NvSmart.exe

Loads dropped DLL 2 IoCs

pid	Process
2412	NvSmart.exe
2788	NvSmart.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NvSmart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_608abb0c39949775368837a6c068b113.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NvSmart.exe

Modifies data under HKEY_USERS 27 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-62-c3-9a-be-02	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-62-c3-9a-be-02\WpadDetectedUrl	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C29D183E-48EA-4CE3-98BC-7744BE069F34}\WpadDecisionTime = 60e08ac7e491db01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-62-c3-9a-be-02\WpadDecisionTime = 60e08ac7e491db01	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C29D183E-48EA-4CE3-98BC-7744BE069F34}\WpadDecisionTime = c05afdc5e491db01	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C29D183E-48EA-4CE3-98BC-7744BE069F34}\WpadDecision = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-62-c3-9a-be-02\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C29D183E-48EA-4CE3-98BC-7744BE069F34}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C29D183E-48EA-4CE3-98BC-7744BE069F34}\WpadNetworkName = "Network 3"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-62-c3-9a-be-02\WpadDecisionReason = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C29D183E-48EA-4CE3-98BC-7744BE069F34}\WpadDecisionReason = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C29D183E-48EA-4CE3-98BC-7744BE069F34}\02-62-c3-9a-be-02	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-62-c3-9a-be-02\WpadDecisionTime = c05afdc5e491db01	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 44004600330038004100390039003800370046003800360046003600460042000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2112	svchost.exe
2112	svchost.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2112	svchost.exe
2112	svchost.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2112	svchost.exe
2112	svchost.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2112	svchost.exe
2112	svchost.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2112	svchost.exe
2112	svchost.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2740	msiexec.exe
2112	svchost.exe
2112	svchost.exe
2740	msiexec.exe
2740	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2112	svchost.exe
2740	msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2408	JaffaCakes118_608abb0c39949775368837a6c068b113.exe
Token: SeTcbPrivilege	2408	JaffaCakes118_608abb0c39949775368837a6c068b113.exe
Token: SeDebugPrivilege	2412	NvSmart.exe
Token: SeTcbPrivilege	2412	NvSmart.exe
Token: SeDebugPrivilege	2788	NvSmart.exe
Token: SeTcbPrivilege	2788	NvSmart.exe
Token: SeDebugPrivilege	2112	svchost.exe
Token: SeTcbPrivilege	2112	svchost.exe
Token: SeDebugPrivilege	2740	msiexec.exe
Token: SeTcbPrivilege	2740	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2408	JaffaCakes118_608abb0c39949775368837a6c068b113.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2112	2788	NvSmart.exe	33
PID 2788 wrote to memory of 2112	2788	NvSmart.exe	33
PID 2788 wrote to memory of 2112	2788	NvSmart.exe	33
PID 2788 wrote to memory of 2112	2788	NvSmart.exe	33
PID 2788 wrote to memory of 2112	2788	NvSmart.exe	33
PID 2788 wrote to memory of 2112	2788	NvSmart.exe	33
PID 2788 wrote to memory of 2112	2788	NvSmart.exe	33
PID 2788 wrote to memory of 2112	2788	NvSmart.exe	33
PID 2788 wrote to memory of 2112	2788	NvSmart.exe	33
PID 2112 wrote to memory of 2740	2112	svchost.exe	35
PID 2112 wrote to memory of 2740	2112	svchost.exe	35
PID 2112 wrote to memory of 2740	2112	svchost.exe	35
PID 2112 wrote to memory of 2740	2112	svchost.exe	35
PID 2112 wrote to memory of 2740	2112	svchost.exe	35
PID 2112 wrote to memory of 2740	2112	svchost.exe	35
PID 2112 wrote to memory of 2740	2112	svchost.exe	35
PID 2112 wrote to memory of 2740	2112	svchost.exe	35
PID 2112 wrote to memory of 2740	2112	svchost.exe	35
PID 2112 wrote to memory of 2740	2112	svchost.exe	35
PID 2112 wrote to memory of 2740	2112	svchost.exe	35
PID 2112 wrote to memory of 2740	2112	svchost.exe	35

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_608abb0c39949775368837a6c068b113.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_608abb0c39949775368837a6c068b113.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2408

C:\ProgramData\Wins\NvSmart.exe
"C:\ProgramData\Wins\NvSmart.exe" 100 2408
1⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\ProgramData\Wins\NvSmart.exe
"C:\ProgramData\Wins\NvSmart.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 2112
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SxS\bug.log

Filesize
482B

MD5
dd5e519f10bea20497fa946add0c1b46

SHA1
ab8591a1c9f84e30c73d13c101ce8e9db538fa88

SHA256
56917ba855ee6b9f893c16c83440cfb9893e854b60fecb2b72403c40a15f0a2f

SHA512
7ed1bcd0862614fede209d9fdec3985be9573d9a0ee306319e5dd3383bcd87b3782a0e5c919e64038fb0b93b606890adbe212e064c41fffaec4e7b1d6d17411d

Download Submit
C:\ProgramData\Wins\NvSmart.chm

Filesize
155KB

MD5
c7814f4a0c42065005e82bda45e4d849

SHA1
735e60ab5b0d52344851510c2b1e5f7136d65301

SHA256
7ba3e66a633e04feac7167e19621e43b7eb0499f38e818c6dedad21f5f6b39be

SHA512
ae327466612592b4439dedfa288a54e46102f46d9afd47ad6f236964c016eefc162beffc56394cfca7db92f043f4ff4d02bbdacf70daae9463ed85ce6207dd77

Download Submit
C:\ProgramData\Wins\NvSmart.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\ProgramData\Wins\NvSmartMax.dll

Filesize
4KB

MD5
0674a0929aec3db11383523b40fa36d1

SHA1
9f50aa213232690e06aa49b7e7b1640127429117

SHA256
fb1c1de76504a35b5c9cf4a60c4a7497064917e0ac96b5389b5ef56c4a02bc17

SHA512
ce1a5007499232d6730bf97745bd5e931d6a26d658d3c47a4200a2e225c78e947dbca2487bae77adb65399c2985dce5cbc95f2672ca7e309b3a9f9ba4501d10b

Download Submit
memory/2112-30-0x0000000000270000-0x00000000002A8000-memory.dmp

Filesize
224KB

Download
memory/2112-28-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2112-76-0x0000000000270000-0x00000000002A8000-memory.dmp

Filesize
224KB

Download
memory/2112-73-0x0000000000270000-0x00000000002A8000-memory.dmp

Filesize
224KB

Download
memory/2112-24-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2112-27-0x00000000000D0000-0x00000000000D2000-memory.dmp

Filesize
8KB

Download
memory/2112-45-0x0000000000270000-0x00000000002A8000-memory.dmp

Filesize
224KB

Download
memory/2112-46-0x0000000000270000-0x00000000002A8000-memory.dmp

Filesize
224KB

Download
memory/2112-44-0x0000000000270000-0x00000000002A8000-memory.dmp

Filesize
224KB

Download
memory/2112-43-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2112-32-0x0000000000270000-0x00000000002A8000-memory.dmp

Filesize
224KB

Download
memory/2112-59-0x0000000000270000-0x00000000002A8000-memory.dmp

Filesize
224KB

Download
memory/2112-55-0x0000000000270000-0x00000000002A8000-memory.dmp

Filesize
224KB

Download
memory/2112-29-0x0000000000270000-0x00000000002A8000-memory.dmp

Filesize
224KB

Download
memory/2112-48-0x0000000000270000-0x00000000002A8000-memory.dmp

Filesize
224KB

Download
memory/2112-26-0x00000000000A0000-0x00000000000C6000-memory.dmp

Filesize
152KB

Download
memory/2408-54-0x0000000000DF0000-0x0000000000E4C000-memory.dmp

Filesize
368KB

Download
memory/2408-53-0x00000000009C0000-0x00000000009F8000-memory.dmp

Filesize
224KB

Download
memory/2408-1-0x00000000009C0000-0x00000000009F8000-memory.dmp

Filesize
224KB

Download
memory/2408-0-0x0000000000090000-0x00000000000B7000-memory.dmp

Filesize
156KB

Download
memory/2412-16-0x00000000002C0000-0x00000000003C0000-memory.dmp

Filesize
1024KB

Download
memory/2412-58-0x0000000001CC0000-0x0000000001CF8000-memory.dmp

Filesize
224KB

Download
memory/2412-17-0x0000000001CC0000-0x0000000001CF8000-memory.dmp

Filesize
224KB

Download
memory/2740-72-0x00000000003A0000-0x00000000003D8000-memory.dmp

Filesize
224KB

Download
memory/2740-69-0x00000000003A0000-0x00000000003D8000-memory.dmp

Filesize
224KB

Download
memory/2740-68-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2740-71-0x00000000003A0000-0x00000000003D8000-memory.dmp

Filesize
224KB

Download
memory/2740-70-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2788-22-0x0000000000320000-0x0000000000358000-memory.dmp

Filesize
224KB

Download
memory/2788-31-0x0000000000320000-0x0000000000358000-memory.dmp

Filesize
224KB

Download