rms | 6ca850fac33082ef52cf2f7807f4a803f8bd226a3d3b69d67e3b341bbcf228ec

General

Target

1d3927ab5a7bf751eefc87decf255df0_JaffaCakes118.exe
Size

4.8MB
MD5

1d3927ab5a7bf751eefc87decf255df0
SHA1

1e91fead74385d5fd89f861d0cf2fafa58a3f22c
SHA256

6ca850fac33082ef52cf2f7807f4a803f8bd226a3d3b69d67e3b341bbcf228ec
SHA512

1e91a5cc937a920842078277a2d73d13133cdc7c007c1d8171f063217d94da87039d8df9d1b8fa448195426db1859e27a5adabc7c25bb5efa515452053cebf3c
SSDEEP

98304:Q8sjk1jz8etZPOekUfZErJogi3SlcjOSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSvB:SjZQrDeSz3rI9a

Score

10^/10

rms rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Device Identifier 6.3.576.lnk	taskhosttw.exe

Executes dropped EXE 4 IoCs

pid	Process
2828	taskhosttw.exe
2852	taskhosttw.exe
2704	taskhosttw.exe
2720	taskhosttw.exe

Loads dropped DLL 4 IoCs

pid	Process
2764	1d3927ab5a7bf751eefc87decf255df0_JaffaCakes118.exe
2828	taskhosttw.exe
2828	taskhosttw.exe
2704	taskhosttw.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0032000000015d85-2.dat	autoit_exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\茸Ē䇱뀀\Device Identifier 6.3.576.lnk	taskhosttw.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2828 set thread context of 2852	2828	taskhosttw.exe	29
PID 2704 set thread context of 2720	2704	taskhosttw.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Usoris\Remote Utilities\Server\Parameters	taskhosttw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Usoris\Remote Utilities\Server\Parameters\Password = 33004400340046003900310034004600370030003900310031003600320036004100350034003700460039003100420030003200360034004200380032003900390032003500430041003300390045003900450031003100300030003000330043003800440044003900460044003600300030003500360045003900420037003400390032003700350041003500360046003700310042003100350045004200450033004400390037003800420030004300300045004500450031003600440043003100320033003100440043003200390037003400370041003600310032003600330030003000460045004100370038004400310042003400360035004500	taskhosttw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Usoris\Remote Utilities\Server\Parameters	taskhosttw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	taskhosttw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Usoris	taskhosttw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Usoris\Remote Utilities	taskhosttw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Usoris\Remote Utilities\Server	taskhosttw.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2852	taskhosttw.exe
2852	taskhosttw.exe
2852	taskhosttw.exe
2720	taskhosttw.exe
2720	taskhosttw.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2852	taskhosttw.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2852	taskhosttw.exe
2720	taskhosttw.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2828	2764	1d3927ab5a7bf751eefc87decf255df0_JaffaCakes118.exe	28
PID 2764 wrote to memory of 2828	2764	1d3927ab5a7bf751eefc87decf255df0_JaffaCakes118.exe	28
PID 2764 wrote to memory of 2828	2764	1d3927ab5a7bf751eefc87decf255df0_JaffaCakes118.exe	28
PID 2764 wrote to memory of 2828	2764	1d3927ab5a7bf751eefc87decf255df0_JaffaCakes118.exe	28
PID 2828 wrote to memory of 2852	2828	taskhosttw.exe	29
PID 2828 wrote to memory of 2852	2828	taskhosttw.exe	29
PID 2828 wrote to memory of 2852	2828	taskhosttw.exe	29
PID 2828 wrote to memory of 2852	2828	taskhosttw.exe	29
PID 2828 wrote to memory of 2852	2828	taskhosttw.exe	29
PID 2828 wrote to memory of 2852	2828	taskhosttw.exe	29
PID 2704 wrote to memory of 2720	2704	taskhosttw.exe	31
PID 2704 wrote to memory of 2720	2704	taskhosttw.exe	31
PID 2704 wrote to memory of 2720	2704	taskhosttw.exe	31
PID 2704 wrote to memory of 2720	2704	taskhosttw.exe	31
PID 2704 wrote to memory of 2720	2704	taskhosttw.exe	31
PID 2704 wrote to memory of 2720	2704	taskhosttw.exe	31

C:\Users\Admin\AppData\Local\Temp\1d3927ab5a7bf751eefc87decf255df0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1d3927ab5a7bf751eefc87decf255df0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764
- C:\QFjrp41.tmp\taskhosttw.exe
  C:\QFjrp41.tmp\taskhosttw.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\QFjrp41.tmp\taskhosttw.exe
    "C:\QFjrp41.tmp\taskhosttw.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2852
  - - C:\QFjrp41.tmp\taskhosttw.exe
      C:\QFjrp41.tmp\taskhosttw.exe -second
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\QFjrp41.tmp\taskhosttw.exe
        
        "C:\QFjrp41.tmp\taskhosttw.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\QFjrp41.tmp\vp8encoder.dll

Filesize
3.1MB

MD5
276b21aa558b6f0cca6f4433d98f0527

SHA1
fc4e402a7516603c820cfbd8ba9c396a55e6f2ae

SHA256
a69723fba61373f18ef19acdd822c0578ba540222a4f077ae99943b33214420d

SHA512
a25db24f87f11a54b585dd27cc588e61946cbbf7606f744f9b6bd74e6f10b869d6c89b1d3401ab6d4b899b050c9989f723deae796702a831e05ee1940d6e9594

Download Submit
\QFjrp41.tmp\taskhosttw.exe

Filesize
4.8MB

MD5
1d3927ab5a7bf751eefc87decf255df0

SHA1
1e91fead74385d5fd89f861d0cf2fafa58a3f22c

SHA256
6ca850fac33082ef52cf2f7807f4a803f8bd226a3d3b69d67e3b341bbcf228ec

SHA512
1e91a5cc937a920842078277a2d73d13133cdc7c007c1d8171f063217d94da87039d8df9d1b8fa448195426db1859e27a5adabc7c25bb5efa515452053cebf3c

Download Submit
memory/2720-33-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2852-20-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2852-18-0x0000000000F40000-0x000000000157D000-memory.dmp

Filesize
6.2MB

Download
memory/2852-19-0x0000000000F40000-0x000000000157D000-memory.dmp

Filesize
6.2MB

Download
memory/2852-13-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2852-22-0x0000000000F40000-0x000000000157D000-memory.dmp

Filesize
6.2MB

Download
memory/2852-23-0x0000000000F40000-0x000000000157D000-memory.dmp

Filesize
6.2MB

Download
memory/2852-24-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2852-25-0x0000000000F40000-0x000000000157D000-memory.dmp

Filesize
6.2MB

Download
memory/2852-15-0x0000000000F40000-0x000000000157D000-memory.dmp

Filesize
6.2MB

Download
memory/2852-12-0x0000000000F40000-0x000000000157D000-memory.dmp

Filesize
6.2MB

Download
memory/2852-39-0x0000000000F40000-0x000000000157D000-memory.dmp

Filesize
6.2MB

Download

Analysis

Sharing