Overview

overview

10

Static

static

3

037e9f1ec8...18.exe

windows7-x64

10

037e9f1ec8...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    27-04-2024 19:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    037e9f1ec832baabe53323cbd57603c6_JaffaCakes118.exe

  • Size

    4.3MB

  • MD5

    037e9f1ec832baabe53323cbd57603c6

  • SHA1

    89dc1f40f9a97d73b2d5ad059a61b0a3e783cc35

  • SHA256

    bc3758b4698a77d9126ad97c6bf695e2cfeb8b1ced85a948f24e7895c635ae44

  • SHA512

    16145105bc6ced023d143f21ed687d6c1dc92925af592e3bdb9510c77afe1abd2b7e92e24f2ab515d1189b5ff31529a60b950f0e5ce37dc309a14630a8de6c68

  • SSDEEP

    98304:ucMkgLrnO38RzYf0ML2x5tTDaLclizm7KQF1iEaGzMU+:u/kgLz9RzYI7Da4Ii7KQrLMU+

Score
10/10
rmsaspackv2rattrojanupx

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • ASPack v2.12-2.42 2 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 21 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\037e9f1ec832baabe53323cbd57603c6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\037e9f1ec832baabe53323cbd57603c6_JaffaCakes118.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files\word\install.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2612
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Program Files\word\install.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2628
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im rutserv.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2668
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im rfusclient.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2584
        • C:\Windows\SysWOW64\reg.exe
          reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
          4⤵
            PID:2712
          • C:\Windows\SysWOW64\regedit.exe
            regedit /s "regedit.reg"
            4⤵
            • Runs .reg file with regedit
            PID:2608
          • C:\Windows\SysWOW64\timeout.exe
            timeout 2
            4⤵
            • Delays execution with timeout.exe
            PID:2452
          • C:\Program Files\word\rutserv.exe
            rutserv.exe /silentinstall
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:2436
          • C:\Program Files\word\rutserv.exe
            rutserv.exe /firewall
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:2900
          • C:\Program Files\word\rutserv.exe
            rutserv.exe /start
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:1040
          • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
            "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Program Files\word\1.doc"
            4⤵
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2464
            • C:\Windows\splwow64.exe
              C:\Windows\splwow64.exe 12288
              5⤵
                PID:2812
      • C:\Program Files\word\rutserv.exe
        "C:\Program Files\word\rutserv.exe"
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2736
        • C:\Program Files\word\rfusclient.exe
          "C:\Program Files\word\rfusclient.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1400
          • C:\Program Files\word\rfusclient.exe
            "C:\Program Files\word\rfusclient.exe" /tray
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: SetClipboardViewer
            PID:2144
        • C:\Program Files\word\rfusclient.exe
          "C:\Program Files\word\rfusclient.exe" /tray
          2⤵
          • Executes dropped EXE
          PID:840

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\word\1.doc
        Filesize

        49KB

        MD5

        2d17816c1b66dd964511796c037045e5

        SHA1

        4f7199f48ed081de8a904a77ed73c65f35d15bf9

        SHA256

        9585e54a4d46e70491c8098d9abeaeb470a12a2a45e1bfd00100d28d79df61c4

        SHA512

        0b0c21f94ae6d4f7687a7e1fc92e182abd39da807f4465c22830d0a9425731d603c790d85481d3fbc4d6cfd34a2bb899adf02b30f30bfb0ad9bc031b51fe37be

        Download Submit

      • C:\Program Files\word\install.bat
        Filesize

        304B

        MD5

        73e89f8df08e778feca688998addfec4

        SHA1

        a715a2dba5412da8bfd17ccff4cf931822463085

        SHA256

        0506dec7ee56d3e967dba45fa02e410a9c79530878244c2b23e6599ec7ff6bfd

        SHA512

        a93d30718fefc5b2dcf17f16b599f03f91fb7e8e99d9a2a7986d6138755866772446cd1c287b85c849b5505735f1d924aff534e5857a8a79e157c237f98892d2

        Download Submit

      • C:\Program Files\word\install.vbs
        Filesize

        117B

        MD5

        65fc32766a238ff3e95984e325357dbb

        SHA1

        3ac16a2648410be8aa75f3e2817fbf69bb0e8922

        SHA256

        a7b067e9e4d44efe579c7cdb1e847d61af2323d3d73c6fffb22e178ae476f420

        SHA512

        621e81fc2d0f9dd92413481864638a140bee94c7dbd31f944826b21bd6ad6b8a59e63de9f7f0025cffc0efb7f9975dde77f523510ee23ada62c152a63a22f608

        Download Submit

      • C:\Program Files\word\regedit.reg
        Filesize

        11KB

        MD5

        7b9375d672ff35e2331439dc4bfb95a2

        SHA1

        76bef183b79906643cd95177d2f4976666ec1d76

        SHA256

        7a1071e0068f10191ff416c9133f133d63a56de1fc3c62baa4e57e3acecd7fa6

        SHA512

        4aee9306a57570e99de699f8f6cb6eb2541fdbcc35b036cd90dbe5e15468faa61372c68b15b09f827a5bea5cdcb6eef6107bec4120b7e23674e6d979499e8e22

        Download Submit

      • C:\Program Files\word\rfusclient.exe
        Filesize

        1.5MB

        MD5

        b8667a1e84567fcf7821bcefb6a444af

        SHA1

        9c1f91fe77ad357c8f81205d65c9067a270d61f0

        SHA256

        dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

        SHA512

        ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

        Download Submit

      • C:\Program Files\word\vp8decoder.dll
        Filesize

        155KB

        MD5

        88318158527985702f61d169434a4940

        SHA1

        3cc751ba256b5727eb0713aad6f554ff1e7bca57

        SHA256

        4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

        SHA512

        5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

        Download Submit

      • C:\Program Files\word\vp8encoder.dll
        Filesize

        593KB

        MD5

        6298c0af3d1d563834a218a9cc9f54bd

        SHA1

        0185cd591e454ed072e5a5077b25c612f6849dc9

        SHA256

        81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

        SHA512

        389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
        Filesize

        20KB

        MD5

        07a122298d68901765bf13f03e384a13

        SHA1

        ac3dc45e2489e35294c75e8f8f225b62f6fda181

        SHA256

        68c8914ce232982ab9979320eead79c6bb1bc0655acef044a68914d383b06031

        SHA512

        b09257c0fec5ddeec6927bb45c49f044753205438156011dc68bd317728c300bf13b1e559a5ba929b728c43835572085c137c08330db0f439420066e73713e99

        Download Submit

      • \Program Files\word\rutserv.exe
        Filesize

        1.7MB

        MD5

        37a8802017a212bb7f5255abc7857969

        SHA1

        cb10c0d343c54538d12db8ed664d0a1fa35b6109

        SHA256

        1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

        SHA512

        4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

        Download Submit

      • memory/840-127-0x0000000000400000-0x00000000009B6000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/840-131-0x0000000000400000-0x00000000009B6000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/840-67-0x0000000000400000-0x00000000009B6000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/840-63-0x0000000000400000-0x00000000009B6000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/840-64-0x0000000000400000-0x00000000009B6000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/840-65-0x0000000000400000-0x00000000009B6000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/840-66-0x0000000000400000-0x00000000009B6000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/840-123-0x0000000000400000-0x00000000009B6000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/840-74-0x0000000000400000-0x00000000009B6000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/840-120-0x0000000000400000-0x00000000009B6000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1040-42-0x0000000000400000-0x0000000000AB9000-memory.dmp

        Filesize

        6.7MB

        Download

      • memory/1040-44-0x0000000000400000-0x0000000000AB9000-memory.dmp

        Filesize

        6.7MB

        Download

      • memory/1040-43-0x0000000000400000-0x0000000000AB9000-memory.dmp

        Filesize

        6.7MB

        Download

      • memory/1040-46-0x0000000000400000-0x0000000000AB9000-memory.dmp

        Filesize

        6.7MB

        Download

      • memory/1040-47-0x0000000000400000-0x0000000000AB9000-memory.dmp

        Filesize

        6.7MB

        Download

      • memory/1040-45-0x0000000000400000-0x0000000000AB9000-memory.dmp

        Filesize

        6.7MB

        Download

      • memory/1040-76-0x0000000000400000-0x0000000000AB9000-memory.dmp

        Filesize

        6.7MB

        Download

      • memory/1400-119-0x0000000000400000-0x00000000009B6000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1400-72-0x0000000000400000-0x00000000009B6000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1400-71-0x0000000000400000-0x00000000009B6000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1400-73-0x0000000000400000-0x00000000009B6000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1400-70-0x0000000000400000-0x00000000009B6000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1400-69-0x0000000000400000-0x00000000009B6000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1400-68-0x0000000000400000-0x00000000009B6000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2144-115-0x0000000000400000-0x00000000009B6000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2144-113-0x0000000000400000-0x00000000009B6000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2144-112-0x0000000000400000-0x00000000009B6000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2144-117-0x0000000000400000-0x00000000009B6000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2144-114-0x0000000000400000-0x00000000009B6000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2144-111-0x0000000000400000-0x00000000009B6000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2144-110-0x0000000000400000-0x00000000009B6000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2436-25-0x0000000000400000-0x0000000000AB9000-memory.dmp

        Filesize

        6.7MB

        Download

      • memory/2436-26-0x0000000000400000-0x0000000000AB9000-memory.dmp

        Filesize

        6.7MB

        Download

      • memory/2436-29-0x0000000000400000-0x0000000000AB9000-memory.dmp

        Filesize

        6.7MB

        Download

      • memory/2436-28-0x0000000000400000-0x0000000000AB9000-memory.dmp

        Filesize

        6.7MB

        Download

      • memory/2436-30-0x0000000000400000-0x0000000000AB9000-memory.dmp

        Filesize

        6.7MB

        Download

      • memory/2436-27-0x0000000000400000-0x0000000000AB9000-memory.dmp

        Filesize

        6.7MB

        Download

      • memory/2436-31-0x0000000000400000-0x0000000000AB9000-memory.dmp

        Filesize

        6.7MB

        Download

      • memory/2464-90-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2628-24-0x0000000002710000-0x0000000002DC9000-memory.dmp

        Filesize

        6.7MB

        Download

      • memory/2736-125-0x0000000000400000-0x0000000000AB9000-memory.dmp

        Filesize

        6.7MB

        Download

      • memory/2736-52-0x0000000000400000-0x0000000000AB9000-memory.dmp

        Filesize

        6.7MB

        Download

      • memory/2736-118-0x0000000000400000-0x0000000000AB9000-memory.dmp

        Filesize

        6.7MB

        Download

      • memory/2736-61-0x00000000034F0000-0x0000000003AA6000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2736-140-0x0000000000400000-0x0000000000AB9000-memory.dmp

        Filesize

        6.7MB

        Download

      • memory/2736-132-0x0000000000400000-0x0000000000AB9000-memory.dmp

        Filesize

        6.7MB

        Download

      • memory/2736-50-0x0000000000400000-0x0000000000AB9000-memory.dmp

        Filesize

        6.7MB

        Download

      • memory/2736-128-0x0000000000400000-0x0000000000AB9000-memory.dmp

        Filesize

        6.7MB

        Download

      • memory/2736-59-0x00000000034F0000-0x0000000003AA6000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2736-49-0x0000000000400000-0x0000000000AB9000-memory.dmp

        Filesize

        6.7MB

        Download

      • memory/2736-53-0x0000000000400000-0x0000000000AB9000-memory.dmp

        Filesize

        6.7MB

        Download

      • memory/2736-51-0x0000000000400000-0x0000000000AB9000-memory.dmp

        Filesize

        6.7MB

        Download

      • memory/2900-36-0x0000000000400000-0x0000000000AB9000-memory.dmp

        Filesize

        6.7MB

        Download

      • memory/2900-37-0x0000000000400000-0x0000000000AB9000-memory.dmp

        Filesize

        6.7MB

        Download

      • memory/2900-40-0x0000000000400000-0x0000000000AB9000-memory.dmp

        Filesize

        6.7MB

        Download

      • memory/2900-33-0x0000000000400000-0x0000000000AB9000-memory.dmp

        Filesize

        6.7MB

        Download

      • memory/2900-34-0x0000000000400000-0x0000000000AB9000-memory.dmp

        Filesize

        6.7MB

        Download

      • memory/2900-35-0x0000000000400000-0x0000000000AB9000-memory.dmp

        Filesize

        6.7MB

        Download

      • memory/2900-38-0x0000000000400000-0x0000000000AB9000-memory.dmp

        Filesize

        6.7MB

        Download