rms | 22ecf75f81c4e67a889f0f89adee960deb071e289b84c4cb6002d744b08f2492

General

Target

21234287827ffaf9893ee26bb5904a1c_JaffaCakes118.exe
Size

5.7MB
MD5

21234287827ffaf9893ee26bb5904a1c
SHA1

4ce35b410b6a96f00ba57af75cc53a68f90dce3c
SHA256

22ecf75f81c4e67a889f0f89adee960deb071e289b84c4cb6002d744b08f2492
SHA512

2b045e24415958acf4ba33a4b5f986b17500189d6f5834c8bb73c0c7e86a52e14e4d8eb741ebb5dd61928f974f1e1a70469dfdfedd1dee2f76aa15a46b0d5ffb
SSDEEP

98304:WfJoKl0OfMn3YpfkQ2MTRq0CXpBZWpnGm2m/O2cJNNaqfqUOclkN4HaXAVf:WfKKan4cQ2m40IpB4xGW2HNNaqiUBkaf

Score

10^/10

rms rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Lighsht.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\Geo\Nation Lighsht.exe
Executes dropped EXE 2 IoCs

Processes:

Lighsht.exeLighsht.exe

pid process

1992 Lighsht.exe
2448 Lighsht.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\Geo\Nation	Lighsht.exe

Loads dropped DLL 9 IoCs

Processes:

21234287827ffaf9893ee26bb5904a1c_JaffaCakes118.exeLighsht.exeLighsht.exe

pid	process
2480	21234287827ffaf9893ee26bb5904a1c_JaffaCakes118.exe
2480	21234287827ffaf9893ee26bb5904a1c_JaffaCakes118.exe
2480	21234287827ffaf9893ee26bb5904a1c_JaffaCakes118.exe
2480	21234287827ffaf9893ee26bb5904a1c_JaffaCakes118.exe
2480	21234287827ffaf9893ee26bb5904a1c_JaffaCakes118.exe
1992	Lighsht.exe
1992	Lighsht.exe
2448	Lighsht.exe
2448	Lighsht.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

Lighsht.exeLighsht.exe

pid	process
1992	Lighsht.exe
1992	Lighsht.exe
1992	Lighsht.exe
1992	Lighsht.exe
1992	Lighsht.exe
1992	Lighsht.exe
1992	Lighsht.exe
1992	Lighsht.exe
2448	Lighsht.exe
2448	Lighsht.exe
2448	Lighsht.exe
2448	Lighsht.exe
2448	Lighsht.exe
2448	Lighsht.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Lighsht.exeLighsht.exe

description	pid	process
Token: SeDebugPrivilege	1992	Lighsht.exe
Token: SeDebugPrivilege	1992	Lighsht.exe
Token: SeTakeOwnershipPrivilege	2448	Lighsht.exe
Token: SeTcbPrivilege	2448	Lighsht.exe
Token: SeTcbPrivilege	2448	Lighsht.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

Lighsht.exeLighsht.exe

pid process

1992 Lighsht.exe
1992 Lighsht.exe
1992 Lighsht.exe
1992 Lighsht.exe
2448 Lighsht.exe
2448 Lighsht.exe
2448 Lighsht.exe
2448 Lighsht.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

21234287827ffaf9893ee26bb5904a1c_JaffaCakes118.exe

description	pid	process	target process
PID 2480 wrote to memory of 1992	2480	21234287827ffaf9893ee26bb5904a1c_JaffaCakes118.exe	Lighsht.exe
PID 2480 wrote to memory of 1992	2480	21234287827ffaf9893ee26bb5904a1c_JaffaCakes118.exe	Lighsht.exe
PID 2480 wrote to memory of 1992	2480	21234287827ffaf9893ee26bb5904a1c_JaffaCakes118.exe	Lighsht.exe
PID 2480 wrote to memory of 1992	2480	21234287827ffaf9893ee26bb5904a1c_JaffaCakes118.exe	Lighsht.exe

C:\Users\Admin\AppData\Local\Temp\21234287827ffaf9893ee26bb5904a1c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\21234287827ffaf9893ee26bb5904a1c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Users\Public\Lightshot\Lighsht.exe
  "C:\Users\Public\Lightshot\Lighsht.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1992
- - C:\Users\Public\Lightshot\Lighsht.exe
    C:\Users\Public\Lightshot\Lighsht.exe -run_agent -second
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Lightshot\libeay32.dll

Filesize
1.3MB

MD5
0d51927274281007657c7f3e0df7becb

SHA1
6de3746d9d0980f5715cec6c676a8eb53b5efc49

SHA256
dfc847405be60c29e86e3e3222e7f63c1ff584727d87d3c35c25c4893e19fda0

SHA512
eef74088a94635184192d82bb6dcc0758749cb290c8deeff211881e8a280aec73a53334eff8846df618204b0f318e757eab23e76951a472ba6e086905000d9a5

Download Submit
C:\Users\Public\Lightshot\ssleay32.dll

Filesize
337KB

MD5
197da919e4c91125656bf905877c9b5a

SHA1
9574ec3e87bb0f7acce72d4d59d176296741aa83

SHA256
303c78aba3b776472c245f17020f9aa5a53f09a6f6c1e4f34b8e18e33906b5ee

SHA512
33c1b853181f83cab2f57f47fb7e093badf83963613e7328ebd23f0d62f59416d7a93063c6237435fbb6833a69bc44ebbc13aa585da010f491c680b2ea335c47

Download Submit
\Users\Admin\AppData\Local\Temp\nsi11BD.tmp\NSISList.dll

Filesize
105KB

MD5
49bb98396dc0187146319f8c130c363c

SHA1
548f11a0ba951291656da67ba5a49c439a87130b

SHA256
517a328bfed8935773d94a40812763ccdf08881ad5d71a83a629eafa62b41cf2

SHA512
290d87d644707a7096613cba4eb84f7e23f426bf98d8540def6a76ac748e4eeb34c7e2faabb39b602b2def604535cd574ce35ed15e346cf43b544fdbbaea9458

Download Submit
\Users\Admin\AppData\Local\Temp\nsi11BD.tmp\System.dll

Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
\Users\Admin\AppData\Local\Temp\nsi11BD.tmp\nsis7z.dll

Filesize
175KB

MD5
7cd97d946e10e902ed2822508e2a11c4

SHA1
fc64d292d1c239abc82bb49a063a58ff8d0609fb

SHA256
f2fc2a430833ed9fef374ec73cb3302d66471aaaddb2f63d3e6e4139b212b78b

SHA512
52513e03fdb79eaeb3d43d28f6862515c13ad65483a2786ca4aa4e5b1eaa5e34ad3c627b9b1bfb5f89b192cdc1c6b6073f3b34bce36fd2fabf6d286e13987621

Download Submit
\Users\Admin\AppData\Local\Temp\nsi11BD.tmp\registry.dll

Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit
\Users\Public\Lightshot\Lighsht.exe

Filesize
17.7MB

MD5
8a5361c962cbfa3e0a46f8f353ef9188

SHA1
458998cb67b3938fe15b1b5dcb871fdf27084ce8

SHA256
20f089f913b5cf084dc2e3b97652c200412764fdd27312c9e5ed444f06a38ba4

SHA512
159a0da9f80aafef96c4919f0d726e0779b3796cd79bd36a941b333ea620c780116237d36225dc6c3f1aa6f917a04c5020142d4b2083790dd0f14a0feddc4a08

Download Submit
memory/1992-48-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/1992-50-0x0000000000400000-0x0000000001674000-memory.dmp

Filesize
18.5MB

Download
memory/1992-42-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1992-47-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/2448-60-0x00000000060A0000-0x00000000060A1000-memory.dmp

Filesize
4KB

Download
memory/2448-66-0x00000000068D0000-0x00000000068D1000-memory.dmp

Filesize
4KB

Download
memory/2448-51-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2448-54-0x0000000005E60000-0x0000000005E61000-memory.dmp

Filesize
4KB

Download
memory/2448-55-0x0000000005D40000-0x0000000005D41000-memory.dmp

Filesize
4KB

Download
memory/2448-56-0x0000000005D50000-0x0000000005D51000-memory.dmp

Filesize
4KB

Download
memory/2448-62-0x0000000006140000-0x0000000006141000-memory.dmp

Filesize
4KB

Download
memory/2448-61-0x00000000060F0000-0x00000000060F1000-memory.dmp

Filesize
4KB

Download
memory/2448-63-0x0000000006150000-0x0000000006151000-memory.dmp

Filesize
4KB

Download
memory/2448-92-0x0000000000400000-0x0000000001674000-memory.dmp

Filesize
18.5MB

Download
memory/2448-59-0x0000000006050000-0x0000000006051000-memory.dmp

Filesize
4KB

Download
memory/2448-58-0x0000000006040000-0x0000000006041000-memory.dmp

Filesize
4KB

Download
memory/2448-57-0x0000000005E50000-0x0000000005E51000-memory.dmp

Filesize
4KB

Download
memory/2448-64-0x0000000006490000-0x0000000006491000-memory.dmp

Filesize
4KB

Download
memory/2448-65-0x00000000066B0000-0x00000000066B1000-memory.dmp

Filesize
4KB

Download
memory/2448-91-0x0000000000400000-0x0000000001674000-memory.dmp

Filesize
18.5MB

Download
memory/2448-67-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2448-77-0x0000000000400000-0x0000000001674000-memory.dmp

Filesize
18.5MB

Download
memory/2448-78-0x0000000000400000-0x0000000001674000-memory.dmp

Filesize
18.5MB

Download
memory/2448-79-0x0000000000400000-0x0000000001674000-memory.dmp

Filesize
18.5MB

Download
memory/2448-80-0x0000000000400000-0x0000000001674000-memory.dmp

Filesize
18.5MB

Download
memory/2448-81-0x0000000000400000-0x0000000001674000-memory.dmp

Filesize
18.5MB

Download
memory/2448-84-0x0000000000400000-0x0000000001674000-memory.dmp

Filesize
18.5MB

Download
memory/2448-85-0x0000000000400000-0x0000000001674000-memory.dmp

Filesize
18.5MB

Download
memory/2448-86-0x0000000000400000-0x0000000001674000-memory.dmp

Filesize
18.5MB

Download
memory/2448-87-0x0000000000400000-0x0000000001674000-memory.dmp

Filesize
18.5MB

Download
memory/2448-88-0x0000000000400000-0x0000000001674000-memory.dmp

Filesize
18.5MB

Download
memory/2448-89-0x0000000000400000-0x0000000001674000-memory.dmp

Filesize
18.5MB

Download
memory/2448-90-0x0000000000400000-0x0000000001674000-memory.dmp

Filesize
18.5MB

Download
memory/2480-34-0x0000000000660000-0x0000000000683000-memory.dmp

Filesize
140KB

Download
memory/2480-16-0x0000000001FF0000-0x0000000002021000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads