Overview

overview

10

Static

static

3

4c5649e9b9...18.exe

windows7-x64

10

4c5649e9b9...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    31-03-2024 03:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4c5649e9b9a2d9997ac2600a804e0aeb_JaffaCakes118.exe

  • Size

    5.4MB

  • MD5

    4c5649e9b9a2d9997ac2600a804e0aeb

  • SHA1

    331d9ae7b80822be15a4256363b2e6b53bed518a

  • SHA256

    1fb6087e4c6654baf677b60bf6f12b8a19e232e5e74713e6beb37678c674bf1c

  • SHA512

    554780243d990b04b7d2990a7263a4f25b1440f79d917b03e9e2f059a24ecea5053d7929c1ec81907446df6de828a2d9a3a581e896a0abca69b7495e9a3fcaa1

  • SSDEEP

    98304:MRD7FbH8l1LFjqhSctecEK+uk251fNp/lDWPaN+RCDIx0hzUuC/EnVa:MZlyDjWSc7K2fNbDWSARCDsviE

Score
10/10
rmsrattrojan

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\4c5649e9b9a2d9997ac2600a804e0aeb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4c5649e9b9a2d9997ac2600a804e0aeb_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2104
    • C:\Users\Public\Dynamic Library\lsalosv.exe
      "C:\Users\Public\Dynamic Library\lsalosv.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2712
      • C:\Users\Public\Dynamic Library\lsalosv.exe
        "C:\Users\Public\Dynamic Library\lsalosv.exe" -run_agent -second
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2356
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c SchTasks /create /f /XML %temp%\Log593.xml /TN \microsoft\windows\defrag\scheduleddefrag && schtasks /Change /TN \microsoft\windows\defrag\scheduleddefrag /ENABLE && schtasks /run /TN \microsoft\windows\defrag\scheduleddefrag
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2876
      • C:\Windows\system32\schtasks.exe
        SchTasks /create /f /XML C:\Users\Admin\AppData\Local\Temp\Log593.xml /TN \microsoft\windows\defrag\scheduleddefrag
        3⤵
        • Creates scheduled task(s)
        PID:1948
      • C:\Windows\system32\schtasks.exe
        schtasks /Change /TN \microsoft\windows\defrag\scheduleddefrag /ENABLE
        3⤵
          PID:2640
        • C:\Windows\system32\schtasks.exe
          schtasks /run /TN \microsoft\windows\defrag\scheduleddefrag
          3⤵
            PID:740
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {FA88178A-FC03-4F68-BCA6-598D88DAA871} S-1-5-21-3787592910-3720486031-2929222812-1000:HSNHLVYA\Admin:Interactive:[1]
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1720
        • C:\Users\Public\Dynamic Library\lsalosv.exe
          "C:\Users\Public\Dynamic Library\lsalosv.exe" -run_agent -second
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:2760

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Log593.xml
        Filesize

        1KB

        MD5

        992d6ac150192b9e450056a2c1f72393

        SHA1

        f93deceef49df93626595faff85ed3857b9d0fac

        SHA256

        c67370bac5ff2d030461dd56e54dea186cc9c75ffe4a9d053705875aafaa0134

        SHA512

        6ef511289c171a34afb83157997fc65c4437f4f23467bf63c91781cdda44e7b1f473f8d4afb878f6df38843ce9a33924983b356713676534b5c44459c739ff18

        Download Submit

      • C:\Users\Public\Dynamic Library\ssleay32.dll
        Filesize

        337KB

        MD5

        197da919e4c91125656bf905877c9b5a

        SHA1

        9574ec3e87bb0f7acce72d4d59d176296741aa83

        SHA256

        303c78aba3b776472c245f17020f9aa5a53f09a6f6c1e4f34b8e18e33906b5ee

        SHA512

        33c1b853181f83cab2f57f47fb7e093badf83963613e7328ebd23f0d62f59416d7a93063c6237435fbb6833a69bc44ebbc13aa585da010f491c680b2ea335c47

        Download Submit

      • \Users\Admin\AppData\Local\Temp\nsy4155.tmp\Math.dll
        Filesize

        67KB

        MD5

        37910b34631528f2e10e0d93b298c22f

        SHA1

        2fee188da91ffc4e14c5f1d355aa6ab50a531576

        SHA256

        d02deb104b8119cb39c6104794d0b76ad5365db68f4eb316d8823e338424d7f7

        SHA512

        0acecb4df3e923a982a2b2af56797299743fe54ec74557c04d5256cde5f6d0fae24bf96edd61375fdb29ad93af9052317b73ef1457a13c14e354feae3e173168

        Download Submit

      • \Users\Admin\AppData\Local\Temp\nsy4155.tmp\System.dll
        Filesize

        12KB

        MD5

        8cf2ac271d7679b1d68eefc1ae0c5618

        SHA1

        7cc1caaa747ee16dc894a600a4256f64fa65a9b8

        SHA256

        6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

        SHA512

        ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

        Download Submit

      • \Users\Admin\AppData\Local\Temp\nsy4155.tmp\nsExec.dll
        Filesize

        7KB

        MD5

        f27689c513e7d12c7c974d5f8ef710d6

        SHA1

        e305f2a2898d765a64c82c449dfb528665b4a892

        SHA256

        1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

        SHA512

        734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

        Download Submit

      • \Users\Admin\AppData\Local\Temp\nsy4155.tmp\nsis7z.dll
        Filesize

        175KB

        MD5

        7cd97d946e10e902ed2822508e2a11c4

        SHA1

        fc64d292d1c239abc82bb49a063a58ff8d0609fb

        SHA256

        f2fc2a430833ed9fef374ec73cb3302d66471aaaddb2f63d3e6e4139b212b78b

        SHA512

        52513e03fdb79eaeb3d43d28f6862515c13ad65483a2786ca4aa4e5b1eaa5e34ad3c627b9b1bfb5f89b192cdc1c6b6073f3b34bce36fd2fabf6d286e13987621

        Download Submit

      • \Users\Admin\AppData\Local\Temp\nsy4155.tmp\registry.dll
        Filesize

        24KB

        MD5

        2b7007ed0262ca02ef69d8990815cbeb

        SHA1

        2eabe4f755213666dbbbde024a5235ddde02b47f

        SHA256

        0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

        SHA512

        aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

        Download Submit

      • \Users\Public\Dynamic Library\libeay32.dll
        Filesize

        1.3MB

        MD5

        0d51927274281007657c7f3e0df7becb

        SHA1

        6de3746d9d0980f5715cec6c676a8eb53b5efc49

        SHA256

        dfc847405be60c29e86e3e3222e7f63c1ff584727d87d3c35c25c4893e19fda0

        SHA512

        eef74088a94635184192d82bb6dcc0758749cb290c8deeff211881e8a280aec73a53334eff8846df618204b0f318e757eab23e76951a472ba6e086905000d9a5

        Download Submit

      • \Users\Public\Dynamic Library\lsalosv.exe
        Filesize

        17.2MB

        MD5

        2cb63c18a16fcabca10cf6769d90c7e1

        SHA1

        f6d6bad7625f91a371a1bf98870d7912c7e4cf50

        SHA256

        63c742f5fa5fd99159da9b51e4e21ac4d874a76f6a39d3d91d4d15b87c8fb9f4

        SHA512

        658dfe19b11447faa40ec8f140cee147c4b5d45609f79c8eda5d7eea0964199870687f44c1be6531b2a4b1044e316d57df102796a3f9138c3075960934ad3a72

        Download Submit

      • memory/2104-21-0x0000000002900000-0x0000000002931000-memory.dmp

        Filesize

        196KB

        Download

      • memory/2356-66-0x0000000005E40000-0x0000000005E41000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2356-94-0x0000000000400000-0x00000000015E9000-memory.dmp

        Filesize

        17.9MB

        Download

      • memory/2356-105-0x0000000000400000-0x00000000015E9000-memory.dmp

        Filesize

        17.9MB

        Download

      • memory/2356-104-0x0000000000400000-0x00000000015E9000-memory.dmp

        Filesize

        17.9MB

        Download

      • memory/2356-103-0x0000000000400000-0x00000000015E9000-memory.dmp

        Filesize

        17.9MB

        Download

      • memory/2356-60-0x00000000056A0000-0x00000000056A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2356-61-0x0000000005680000-0x0000000005681000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2356-62-0x0000000005690000-0x0000000005691000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2356-63-0x0000000005E70000-0x0000000005E71000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2356-64-0x0000000005EC0000-0x0000000005EC1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2356-67-0x0000000005E60000-0x0000000005E61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2356-68-0x00000000060D0000-0x00000000060D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2356-102-0x0000000000400000-0x00000000015E9000-memory.dmp

        Filesize

        17.9MB

        Download

      • memory/2356-65-0x0000000005E30000-0x0000000005E31000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2356-69-0x0000000005E50000-0x0000000005E51000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2356-81-0x0000000006210000-0x0000000006211000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2356-83-0x0000000000290000-0x0000000000291000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2356-101-0x0000000000400000-0x00000000015E9000-memory.dmp

        Filesize

        17.9MB

        Download

      • memory/2356-87-0x0000000006430000-0x0000000006431000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2356-100-0x0000000000400000-0x00000000015E9000-memory.dmp

        Filesize

        17.9MB

        Download

      • memory/2356-89-0x00000000030E0000-0x00000000030E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2356-90-0x0000000000400000-0x00000000015E9000-memory.dmp

        Filesize

        17.9MB

        Download

      • memory/2356-91-0x0000000000400000-0x00000000015E9000-memory.dmp

        Filesize

        17.9MB

        Download

      • memory/2356-92-0x0000000000400000-0x00000000015E9000-memory.dmp

        Filesize

        17.9MB

        Download

      • memory/2356-93-0x0000000000400000-0x00000000015E9000-memory.dmp

        Filesize

        17.9MB

        Download

      • memory/2356-50-0x0000000000290000-0x0000000000291000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2356-97-0x0000000000400000-0x00000000015E9000-memory.dmp

        Filesize

        17.9MB

        Download

      • memory/2356-98-0x0000000000400000-0x00000000015E9000-memory.dmp

        Filesize

        17.9MB

        Download

      • memory/2356-99-0x0000000000400000-0x00000000015E9000-memory.dmp

        Filesize

        17.9MB

        Download

      • memory/2712-41-0x00000000002B0000-0x00000000002B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2712-46-0x0000000003250000-0x0000000003251000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2712-49-0x0000000000400000-0x00000000015E9000-memory.dmp

        Filesize

        17.9MB

        Download

      • memory/2712-47-0x0000000003260000-0x0000000003261000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2760-88-0x0000000000400000-0x00000000015E9000-memory.dmp

        Filesize

        17.9MB

        Download

      • memory/2760-84-0x00000000002C0000-0x00000000002C1000-memory.dmp

        Filesize

        4KB

        Download