rms | 310a090e8c001419cdcb694d92a3ab2f8356eae8467a3317a2bdee8e3b9c8e60

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
06/05/2024, 02:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
Size

6.3MB
MD5

1a677c62a46e22491dd7723687ebb212
SHA1

4af1c12b3b3300fa6e8ebf80f76238ccbaa12b0d
SHA256

310a090e8c001419cdcb694d92a3ab2f8356eae8467a3317a2bdee8e3b9c8e60
SHA512

34e55b3d2393e0bd188101de12958ea610a39dbf301417248a8bc84ab7224bd4dc67d9815b1228cedaefa9bb123c103ba160c9b9ce8d490ddd6d3e93aeaed143
SSDEEP

196608:3Pfa6YMRlp30bgwOGcjwppBR5dgI8H++:3KNMRlN0bgXGGwpj5gI8e

Score

10^/10

rms persistence rat trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	1systemsmss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\System64\\1systemsmss.exe, explorer.exe"	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 7 IoCs

pid	Process
2960	1systemsmss.exe
2416	svnhost.exe
2532	svnhost.exe
2680	svnhost.exe
1744	svnhost.exe
1828	systemsmss.exe
2500	systemsmss.exe

Loads dropped DLL 6 IoCs

pid	Process
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
2960	1systemsmss.exe
2576	cmd.exe
1744	svnhost.exe
1744	svnhost.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\System64\1systemsmss.exe	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
File created	C:\Windows\System64\vp8decoder.dll	1systemsmss.exe
File created	C:\Windows\Zont911\Tupe.bat	1systemsmss.exe
File created	C:\Windows\System64\vp8encoder.dll	1systemsmss.exe
File created	C:\Windows\System64\svnhost.exe	1systemsmss.exe
File opened for modification	C:\Windows\System64\svnhost.exe	1systemsmss.exe
File opened for modification	C:\Windows\System64\1systemsmss.exe	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
File created	C:\Windows\Zont911\Home.zip	1systemsmss.exe
File opened for modification	C:\Windows\System64\systemsmss.exe	1systemsmss.exe
File created	C:\Windows\Zont911\Regedit.reg	1systemsmss.exe
File opened for modification	C:\Windows\System64\vp8decoder.dll	1systemsmss.exe
File opened for modification	C:\Windows\System64\vp8encoder.dll	1systemsmss.exe
File created	C:\Windows\System64\systemsmss.exe	1systemsmss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs .reg file with regedit 1 IoCs

pid	Process
2420	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2416	svnhost.exe
Token: SeDebugPrivilege	2680	svnhost.exe
Token: SeTakeOwnershipPrivilege	1744	svnhost.exe
Token: SeTcbPrivilege	1744	svnhost.exe
Token: SeTcbPrivilege	1744	svnhost.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2500	systemsmss.exe
2500	systemsmss.exe
2500	systemsmss.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2500	systemsmss.exe
2500	systemsmss.exe
2500	systemsmss.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2416	svnhost.exe
2532	svnhost.exe
2680	svnhost.exe
1744	svnhost.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 2960	1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe	28
PID 1600 wrote to memory of 2960	1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe	28
PID 1600 wrote to memory of 2960	1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe	28
PID 1600 wrote to memory of 2960	1600	1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe	28
PID 2960 wrote to memory of 2420	2960	1systemsmss.exe	29
PID 2960 wrote to memory of 2420	2960	1systemsmss.exe	29
PID 2960 wrote to memory of 2420	2960	1systemsmss.exe	29
PID 2960 wrote to memory of 2420	2960	1systemsmss.exe	29
PID 2960 wrote to memory of 2576	2960	1systemsmss.exe	30
PID 2960 wrote to memory of 2576	2960	1systemsmss.exe	30
PID 2960 wrote to memory of 2576	2960	1systemsmss.exe	30
PID 2960 wrote to memory of 2576	2960	1systemsmss.exe	30
PID 2576 wrote to memory of 2584	2576	cmd.exe	32
PID 2576 wrote to memory of 2584	2576	cmd.exe	32
PID 2576 wrote to memory of 2584	2576	cmd.exe	32
PID 2576 wrote to memory of 2584	2576	cmd.exe	32
PID 2576 wrote to memory of 2416	2576	cmd.exe	33
PID 2576 wrote to memory of 2416	2576	cmd.exe	33
PID 2576 wrote to memory of 2416	2576	cmd.exe	33
PID 2576 wrote to memory of 2416	2576	cmd.exe	33
PID 2576 wrote to memory of 2532	2576	cmd.exe	34
PID 2576 wrote to memory of 2532	2576	cmd.exe	34
PID 2576 wrote to memory of 2532	2576	cmd.exe	34
PID 2576 wrote to memory of 2532	2576	cmd.exe	34
PID 2576 wrote to memory of 2680	2576	cmd.exe	35
PID 2576 wrote to memory of 2680	2576	cmd.exe	35
PID 2576 wrote to memory of 2680	2576	cmd.exe	35
PID 2576 wrote to memory of 2680	2576	cmd.exe	35
PID 1744 wrote to memory of 2500	1744	svnhost.exe	37
PID 1744 wrote to memory of 2500	1744	svnhost.exe	37
PID 1744 wrote to memory of 2500	1744	svnhost.exe	37
PID 1744 wrote to memory of 2500	1744	svnhost.exe	37
PID 1744 wrote to memory of 1828	1744	svnhost.exe	38
PID 1744 wrote to memory of 1828	1744	svnhost.exe	38
PID 1744 wrote to memory of 1828	1744	svnhost.exe	38
PID 1744 wrote to memory of 1828	1744	svnhost.exe	38

C:\Users\Admin\AppData\Local\Temp\1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1a677c62a46e22491dd7723687ebb212_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\System64\1systemsmss.exe
  "C:\Windows\System64\1systemsmss.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "C:\Windows\Zont911\Regedit.reg"
    3⤵
    - Runs .reg file with regedit
    PID:2420
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\Zont911\Tupe.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\SysWOW64\chcp.com
      Chcp 1251
      4⤵
      PID:2584
  - - C:\Windows\System64\svnhost.exe
      "C:\Windows\System64\svnhost.exe" /silentinstall
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2416
  - - C:\Windows\System64\svnhost.exe
      "C:\Windows\System64\svnhost.exe" /firewall
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2532
  - - C:\Windows\System64\svnhost.exe
      "C:\Windows\System64\svnhost.exe" /start
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2680

C:\Windows\System64\svnhost.exe
C:\Windows\System64\svnhost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\System64\systemsmss.exe
  C:\Windows\System64\systemsmss.exe /tray
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2500
- C:\Windows\System64\systemsmss.exe
  C:\Windows\System64\systemsmss.exe
  2⤵
  - Executes dropped EXE
  PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System64\svnhost.exe

Filesize
6.0MB

MD5
e437e8730f2163cba2552a5a374a885a

SHA1
514497f668ae7b80a698bd8cda6de2dcf104e450

SHA256
dde1cc7b34ad434fb515b4b315c2ec22a74e3b1b4d50fe83421fab4d6055b3a6

SHA512
e924929176c60f00bfd45f0ec991279d4bbb96be4f5f270e636594d4faad681c318cbc9374dd2126170e18f7b4e9db54b193c147b452655c2806921d8c76c445

Download Submit
C:\Windows\System64\systemsmss.exe

Filesize
5.1MB

MD5
bd458a26931f960f13958510e88a61a8

SHA1
be9fff29f269d649688e941e97ac03e669571837

SHA256
d295538301a5513d3e605e43586e48504ec22f87666a31ef06f697b5c9b611f3

SHA512
afe9e6209ade2846f31efb7b9977d42b28cd082eb0a4b9c4ba4b9c91d528afbc7efe748be0c78c938d042dc9d200c23d2f0552a7498ab23becac828df53245e7

Download Submit
C:\Windows\System64\vp8decoder.dll

Filesize
378KB

MD5
d43fa82fab5337ce20ad14650085c5d9

SHA1
678aa092075ff65b6815ffc2d8fdc23af8425981

SHA256
c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b

SHA512
103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

Download Submit
C:\Windows\System64\vp8encoder.dll

Filesize
1.6MB

MD5
dab4646806dfca6d0e0b4d80fa9209d6

SHA1
8244dfe22ec2090eee89dad103e6b2002059d16a

SHA256
cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587

SHA512
aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

Download Submit
C:\Windows\Zont911\Regedit.reg

Filesize
11KB

MD5
8652240acb0c567db26f15721b4eb7a1

SHA1
8e302e822bd83dc106d735343267dcb7c2384b93

SHA256
d86fc93ea8d3f3a2c7b09c64942ddffd1cc6fbbbf002fec07815138fa634f1b8

SHA512
e95d58d7525c16659705522bbb700ee94985da8084ca55d59d5be04e86ca5a51186c287eabf9f78e1aa6403823011323ffded3964c73691a71ef2d0036acc4d9

Download Submit
C:\Windows\Zont911\Tupe.bat

Filesize
281B

MD5
691f040de6d335962416b319dcd416dc

SHA1
db49109c0917910f7fce8b6de690a1c7e2026226

SHA256
605d0b9c2fd1972c4ee60d8eefd336be636884dcdf54a4e5f2829c46e80fdcea

SHA512
f34ba36bdeaa43a1265ec69acfa0f199f2b4d5d90b4ea890327478f4f48ec7597d660b922dd1e149de3a1ff9b48c79e4c9c53e8a482b4cb5842bc0976f93bf89

Download Submit
\Windows\System64\1systemsmss.exe

Filesize
6.3MB

MD5
1a677c62a46e22491dd7723687ebb212

SHA1
4af1c12b3b3300fa6e8ebf80f76238ccbaa12b0d

SHA256
310a090e8c001419cdcb694d92a3ab2f8356eae8467a3317a2bdee8e3b9c8e60

SHA512
34e55b3d2393e0bd188101de12958ea610a39dbf301417248a8bc84ab7224bd4dc67d9815b1228cedaefa9bb123c103ba160c9b9ce8d490ddd6d3e93aeaed143

Download Submit
memory/1600-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1600-10-0x0000000000400000-0x0000000000A50000-memory.dmp

Filesize
6.3MB

Download
memory/1744-96-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1744-65-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1744-88-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1744-83-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1744-106-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1744-56-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1744-70-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1828-58-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2416-39-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2500-57-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2500-66-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2500-71-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2500-84-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2532-41-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2680-47-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2960-73-0x0000000000400000-0x0000000000A50000-memory.dmp

Filesize
6.3MB

Download
memory/2960-82-0x0000000000400000-0x0000000000A50000-memory.dmp

Filesize
6.3MB

Download
memory/2960-55-0x0000000000400000-0x0000000000A50000-memory.dmp

Filesize
6.3MB

Download
memory/2960-91-0x0000000000400000-0x0000000000A50000-memory.dmp

Filesize
6.3MB

Download
memory/2960-100-0x0000000000400000-0x0000000000A50000-memory.dmp

Filesize
6.3MB

Download
memory/2960-11-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download