rms | 1fb6087e4c6654baf677b60bf6f12b8a19e232e5e74713e6beb37678c674bf1c

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2024 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c5649e9b9a2d9997ac2600a804e0aeb_JaffaCakes118.exe
Size

5.4MB
MD5

4c5649e9b9a2d9997ac2600a804e0aeb
SHA1

331d9ae7b80822be15a4256363b2e6b53bed518a
SHA256

1fb6087e4c6654baf677b60bf6f12b8a19e232e5e74713e6beb37678c674bf1c
SHA512

554780243d990b04b7d2990a7263a4f25b1440f79d917b03e9e2f059a24ecea5053d7929c1ec81907446df6de828a2d9a3a581e896a0abca69b7495e9a3fcaa1
SSDEEP

98304:MRD7FbH8l1LFjqhSctecEK+uk251fNp/lDWPaN+RCDIx0hzUuC/EnVa:MZlyDjWSc7K2fNbDWSARCDsviE

Score

10^/10

rms rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	4c5649e9b9a2d9997ac2600a804e0aeb_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsalosv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	lsalosv.exe

Executes dropped EXE 3 IoCs

pid	Process
2616	lsalosv.exe
2684	lsalosv.exe
3132	lsalosv.exe

Loads dropped DLL 12 IoCs

pid	Process
4480	4c5649e9b9a2d9997ac2600a804e0aeb_JaffaCakes118.exe
4480	4c5649e9b9a2d9997ac2600a804e0aeb_JaffaCakes118.exe
4480	4c5649e9b9a2d9997ac2600a804e0aeb_JaffaCakes118.exe
4480	4c5649e9b9a2d9997ac2600a804e0aeb_JaffaCakes118.exe
4480	4c5649e9b9a2d9997ac2600a804e0aeb_JaffaCakes118.exe
2616	lsalosv.exe
2616	lsalosv.exe
2684	lsalosv.exe
2684	lsalosv.exe
4480	4c5649e9b9a2d9997ac2600a804e0aeb_JaffaCakes118.exe
3132	lsalosv.exe
3132	lsalosv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\hardware\description\system\centralProcessor\0	lsalosv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	lsalosv.exe
Key opened	\REGISTRY\MACHINE\hardware\description\system\centralProcessor\16	lsalosv.exe
Key opened	\REGISTRY\MACHINE\hardware\description\system\centralProcessor\1	lsalosv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	lsalosv.exe
Key opened	\REGISTRY\MACHINE\hardware\description\system\centralProcessor\2	lsalosv.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2788	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2616	lsalosv.exe
2616	lsalosv.exe
2616	lsalosv.exe
2616	lsalosv.exe
2616	lsalosv.exe
2616	lsalosv.exe
2616	lsalosv.exe
2616	lsalosv.exe
2616	lsalosv.exe
2616	lsalosv.exe
2616	lsalosv.exe
2616	lsalosv.exe
2684	lsalosv.exe
2684	lsalosv.exe
2684	lsalosv.exe
2684	lsalosv.exe
2684	lsalosv.exe
2684	lsalosv.exe
2684	lsalosv.exe
2684	lsalosv.exe
3132	lsalosv.exe
3132	lsalosv.exe
3132	lsalosv.exe
3132	lsalosv.exe
3132	lsalosv.exe
3132	lsalosv.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2616	lsalosv.exe
Token: SeDebugPrivilege	2616	lsalosv.exe
Token: SeTakeOwnershipPrivilege	2684	lsalosv.exe
Token: SeTcbPrivilege	2684	lsalosv.exe
Token: SeTcbPrivilege	2684	lsalosv.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2616	lsalosv.exe
2616	lsalosv.exe
2616	lsalosv.exe
2616	lsalosv.exe
2684	lsalosv.exe
2684	lsalosv.exe
2684	lsalosv.exe
2684	lsalosv.exe
3132	lsalosv.exe
3132	lsalosv.exe
3132	lsalosv.exe
3132	lsalosv.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 2616	4480	4c5649e9b9a2d9997ac2600a804e0aeb_JaffaCakes118.exe	89
PID 4480 wrote to memory of 2616	4480	4c5649e9b9a2d9997ac2600a804e0aeb_JaffaCakes118.exe	89
PID 4480 wrote to memory of 2616	4480	4c5649e9b9a2d9997ac2600a804e0aeb_JaffaCakes118.exe	89
PID 4480 wrote to memory of 4228	4480	4c5649e9b9a2d9997ac2600a804e0aeb_JaffaCakes118.exe	94
PID 4480 wrote to memory of 4228	4480	4c5649e9b9a2d9997ac2600a804e0aeb_JaffaCakes118.exe	94
PID 4228 wrote to memory of 2788	4228	cmd.exe	97
PID 4228 wrote to memory of 2788	4228	cmd.exe	97
PID 4228 wrote to memory of 2100	4228	cmd.exe	98
PID 4228 wrote to memory of 2100	4228	cmd.exe	98
PID 4228 wrote to memory of 4940	4228	cmd.exe	99
PID 4228 wrote to memory of 4940	4228	cmd.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4c5649e9b9a2d9997ac2600a804e0aeb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4c5649e9b9a2d9997ac2600a804e0aeb_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Users\Public\Dynamic Library\lsalosv.exe
  "C:\Users\Public\Dynamic Library\lsalosv.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2616
- - C:\Users\Public\Dynamic Library\lsalosv.exe
    "C:\Users\Public\Dynamic Library\lsalosv.exe" -run_agent -second
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2684
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c SchTasks /create /f /XML %temp%\Log593.xml /TN \microsoft\windows\defrag\scheduleddefrag && schtasks /Change /TN \microsoft\windows\defrag\scheduleddefrag /ENABLE && schtasks /run /TN \microsoft\windows\defrag\scheduleddefrag
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4228
- - C:\Windows\system32\schtasks.exe
    SchTasks /create /f /XML C:\Users\Admin\AppData\Local\Temp\Log593.xml /TN \microsoft\windows\defrag\scheduleddefrag
    3⤵
    - Creates scheduled task(s)
    PID:2788
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN \microsoft\windows\defrag\scheduleddefrag /ENABLE
    3⤵
    PID:2100
- - C:\Windows\system32\schtasks.exe
    schtasks /run /TN \microsoft\windows\defrag\scheduleddefrag
    3⤵
    PID:4940

C:\Users\Public\Dynamic Library\lsalosv.exe
"C:\Users\Public\Dynamic Library\lsalosv.exe" -run_agent -second
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Log593.xml

Filesize
1KB

MD5
992d6ac150192b9e450056a2c1f72393

SHA1
f93deceef49df93626595faff85ed3857b9d0fac

SHA256
c67370bac5ff2d030461dd56e54dea186cc9c75ffe4a9d053705875aafaa0134

SHA512
6ef511289c171a34afb83157997fc65c4437f4f23467bf63c91781cdda44e7b1f473f8d4afb878f6df38843ce9a33924983b356713676534b5c44459c739ff18

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse440F.tmp\Math.dll

Filesize
67KB

MD5
37910b34631528f2e10e0d93b298c22f

SHA1
2fee188da91ffc4e14c5f1d355aa6ab50a531576

SHA256
d02deb104b8119cb39c6104794d0b76ad5365db68f4eb316d8823e338424d7f7

SHA512
0acecb4df3e923a982a2b2af56797299743fe54ec74557c04d5256cde5f6d0fae24bf96edd61375fdb29ad93af9052317b73ef1457a13c14e354feae3e173168

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse440F.tmp\System.dll

Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse440F.tmp\nsExec.dll

Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse440F.tmp\nsis7z.dll

Filesize
175KB

MD5
7cd97d946e10e902ed2822508e2a11c4

SHA1
fc64d292d1c239abc82bb49a063a58ff8d0609fb

SHA256
f2fc2a430833ed9fef374ec73cb3302d66471aaaddb2f63d3e6e4139b212b78b

SHA512
52513e03fdb79eaeb3d43d28f6862515c13ad65483a2786ca4aa4e5b1eaa5e34ad3c627b9b1bfb5f89b192cdc1c6b6073f3b34bce36fd2fabf6d286e13987621

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse440F.tmp\registry.dll

Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit
C:\Users\Public\Dynamic Library\libeay32.dll

Filesize
1.3MB

MD5
0d51927274281007657c7f3e0df7becb

SHA1
6de3746d9d0980f5715cec6c676a8eb53b5efc49

SHA256
dfc847405be60c29e86e3e3222e7f63c1ff584727d87d3c35c25c4893e19fda0

SHA512
eef74088a94635184192d82bb6dcc0758749cb290c8deeff211881e8a280aec73a53334eff8846df618204b0f318e757eab23e76951a472ba6e086905000d9a5

Download Submit
C:\Users\Public\Dynamic Library\lsalosv.exe

Filesize
17.2MB

MD5
2cb63c18a16fcabca10cf6769d90c7e1

SHA1
f6d6bad7625f91a371a1bf98870d7912c7e4cf50

SHA256
63c742f5fa5fd99159da9b51e4e21ac4d874a76f6a39d3d91d4d15b87c8fb9f4

SHA512
658dfe19b11447faa40ec8f140cee147c4b5d45609f79c8eda5d7eea0964199870687f44c1be6531b2a4b1044e316d57df102796a3f9138c3075960934ad3a72

Download Submit
C:\Users\Public\Dynamic Library\ssleay32.dll

Filesize
337KB

MD5
197da919e4c91125656bf905877c9b5a

SHA1
9574ec3e87bb0f7acce72d4d59d176296741aa83

SHA256
303c78aba3b776472c245f17020f9aa5a53f09a6f6c1e4f34b8e18e33906b5ee

SHA512
33c1b853181f83cab2f57f47fb7e093badf83963613e7328ebd23f0d62f59416d7a93063c6237435fbb6833a69bc44ebbc13aa585da010f491c680b2ea335c47

Download Submit
memory/2616-43-0x0000000003760000-0x0000000003761000-memory.dmp

Filesize
4KB

Download
memory/2616-51-0x0000000000400000-0x00000000015E9000-memory.dmp

Filesize
17.9MB

Download
memory/2616-49-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/2616-48-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/2684-64-0x0000000005E50000-0x0000000005E51000-memory.dmp

Filesize
4KB

Download
memory/2684-92-0x0000000006BD0000-0x0000000006BD1000-memory.dmp

Filesize
4KB

Download
memory/2684-58-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/2684-59-0x00000000060D0000-0x00000000060D1000-memory.dmp

Filesize
4KB

Download
memory/2684-61-0x0000000005EF0000-0x0000000005EF1000-memory.dmp

Filesize
4KB

Download
memory/2684-60-0x0000000005EA0000-0x0000000005EA1000-memory.dmp

Filesize
4KB

Download
memory/2684-62-0x0000000005F40000-0x0000000005F41000-memory.dmp

Filesize
4KB

Download
memory/2684-63-0x0000000006620000-0x0000000006621000-memory.dmp

Filesize
4KB

Download
memory/2684-56-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/2684-55-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/2684-52-0x0000000001B30000-0x0000000001B31000-memory.dmp

Filesize
4KB

Download
memory/2684-72-0x00000000068C0000-0x00000000068C1000-memory.dmp

Filesize
4KB

Download
memory/2684-109-0x0000000000400000-0x00000000015E9000-memory.dmp

Filesize
17.9MB

Download
memory/2684-108-0x0000000000400000-0x00000000015E9000-memory.dmp

Filesize
17.9MB

Download
memory/2684-107-0x0000000000400000-0x00000000015E9000-memory.dmp

Filesize
17.9MB

Download
memory/2684-106-0x0000000000400000-0x00000000015E9000-memory.dmp

Filesize
17.9MB

Download
memory/2684-91-0x0000000006A10000-0x0000000006A11000-memory.dmp

Filesize
4KB

Download
memory/2684-57-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/2684-93-0x0000000001B30000-0x0000000001B31000-memory.dmp

Filesize
4KB

Download
memory/2684-94-0x0000000000400000-0x00000000015E9000-memory.dmp

Filesize
17.9MB

Download
memory/2684-95-0x0000000000400000-0x00000000015E9000-memory.dmp

Filesize
17.9MB

Download
memory/2684-96-0x0000000000400000-0x00000000015E9000-memory.dmp

Filesize
17.9MB

Download
memory/2684-97-0x0000000000400000-0x00000000015E9000-memory.dmp

Filesize
17.9MB

Download
memory/2684-98-0x0000000000400000-0x00000000015E9000-memory.dmp

Filesize
17.9MB

Download
memory/2684-101-0x0000000000400000-0x00000000015E9000-memory.dmp

Filesize
17.9MB

Download
memory/2684-102-0x0000000000400000-0x00000000015E9000-memory.dmp

Filesize
17.9MB

Download
memory/2684-103-0x0000000000400000-0x00000000015E9000-memory.dmp

Filesize
17.9MB

Download
memory/2684-104-0x0000000000400000-0x00000000015E9000-memory.dmp

Filesize
17.9MB

Download
memory/2684-105-0x0000000000400000-0x00000000015E9000-memory.dmp

Filesize
17.9MB

Download
memory/3132-79-0x0000000000400000-0x00000000015E9000-memory.dmp

Filesize
17.9MB

Download
memory/3132-78-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/3132-77-0x0000000001B00000-0x0000000001B01000-memory.dmp

Filesize
4KB

Download
memory/4480-19-0x0000000002B50000-0x0000000002B81000-memory.dmp

Filesize
196KB

Download