rms | 6ca850fac33082ef52cf2f7807f4a803f8bd226a3d3b69d67e3b341bbcf228ec

General

Target

1d3927ab5a7bf751eefc87decf255df0_JaffaCakes118.exe
Size

4.8MB
MD5

1d3927ab5a7bf751eefc87decf255df0
SHA1

1e91fead74385d5fd89f861d0cf2fafa58a3f22c
SHA256

6ca850fac33082ef52cf2f7807f4a803f8bd226a3d3b69d67e3b341bbcf228ec
SHA512

1e91a5cc937a920842078277a2d73d13133cdc7c007c1d8171f063217d94da87039d8df9d1b8fa448195426db1859e27a5adabc7c25bb5efa515452053cebf3c
SSDEEP

98304:Q8sjk1jz8etZPOekUfZErJogi3SlcjOSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSvB:SjZQrDeSz3rI9a

Score

10^/10

rms rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Device Identifier 6.3.576.lnk	taskhosttw.exe

Executes dropped EXE 4 IoCs

pid	Process
4580	taskhosttw.exe
4288	taskhosttw.exe
4772	taskhosttw.exe
4764	taskhosttw.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0008000000023242-3.dat	autoit_exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\喖Ŝ븖୨Ô州眪喖Ŝ\Device Identifier 6.3.576.lnk	taskhosttw.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4580 set thread context of 4288	4580	taskhosttw.exe	91
PID 4772 set thread context of 4764	4772	taskhosttw.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Usoris\Remote Utilities\Server\Parameters	taskhosttw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	taskhosttw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Usoris	taskhosttw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Usoris\Remote Utilities	taskhosttw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Usoris\Remote Utilities\Server	taskhosttw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Usoris\Remote Utilities\Server\Parameters\Password = 33004400340046003900310034004600370030003900310031003600320036004100350034003700460039003100420030003200360034004200380032003900390032003500430041003300390045003900450031003100300030003000330043003800440044003900460044003600300030003500360045003900420037003400390032003700350041003500360046003700310042003100350045004200450033004400390037003800420030004300300045004500450031003600440043003100320033003100440043003200390037003400370041003600310032003600330030003000460045004100370038004400310042003400360035004500	taskhosttw.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4288	taskhosttw.exe
4288	taskhosttw.exe
4288	taskhosttw.exe
4288	taskhosttw.exe
4764	taskhosttw.exe
4764	taskhosttw.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4288	taskhosttw.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4288	taskhosttw.exe
4764	taskhosttw.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 4580	968	1d3927ab5a7bf751eefc87decf255df0_JaffaCakes118.exe	90
PID 968 wrote to memory of 4580	968	1d3927ab5a7bf751eefc87decf255df0_JaffaCakes118.exe	90
PID 968 wrote to memory of 4580	968	1d3927ab5a7bf751eefc87decf255df0_JaffaCakes118.exe	90
PID 4580 wrote to memory of 4288	4580	taskhosttw.exe	91
PID 4580 wrote to memory of 4288	4580	taskhosttw.exe	91
PID 4580 wrote to memory of 4288	4580	taskhosttw.exe	91
PID 4580 wrote to memory of 4288	4580	taskhosttw.exe	91
PID 4580 wrote to memory of 4288	4580	taskhosttw.exe	91
PID 4772 wrote to memory of 4764	4772	taskhosttw.exe	94
PID 4772 wrote to memory of 4764	4772	taskhosttw.exe	94
PID 4772 wrote to memory of 4764	4772	taskhosttw.exe	94
PID 4772 wrote to memory of 4764	4772	taskhosttw.exe	94
PID 4772 wrote to memory of 4764	4772	taskhosttw.exe	94

C:\Users\Admin\AppData\Local\Temp\1d3927ab5a7bf751eefc87decf255df0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1d3927ab5a7bf751eefc87decf255df0_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:968
- C:\QFjrp41.tmp\taskhosttw.exe
  C:\QFjrp41.tmp\taskhosttw.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4580
- - C:\QFjrp41.tmp\taskhosttw.exe
    "C:\QFjrp41.tmp\taskhosttw.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4288
  - - C:\QFjrp41.tmp\taskhosttw.exe
      C:\QFjrp41.tmp\taskhosttw.exe -second
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:4772
    - - C:\QFjrp41.tmp\taskhosttw.exe
        
        "C:\QFjrp41.tmp\taskhosttw.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3808 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:3956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\QFjrp41.tmp\taskhosttw.exe

Filesize
4.8MB

MD5
1d3927ab5a7bf751eefc87decf255df0

SHA1
1e91fead74385d5fd89f861d0cf2fafa58a3f22c

SHA256
6ca850fac33082ef52cf2f7807f4a803f8bd226a3d3b69d67e3b341bbcf228ec

SHA512
1e91a5cc937a920842078277a2d73d13133cdc7c007c1d8171f063217d94da87039d8df9d1b8fa448195426db1859e27a5adabc7c25bb5efa515452053cebf3c

Download Submit
C:\QFjrp41.tmp\vp8encoder.dll

Filesize
3.1MB

MD5
276b21aa558b6f0cca6f4433d98f0527

SHA1
fc4e402a7516603c820cfbd8ba9c396a55e6f2ae

SHA256
a69723fba61373f18ef19acdd822c0578ba540222a4f077ae99943b33214420d

SHA512
a25db24f87f11a54b585dd27cc588e61946cbbf7606f744f9b6bd74e6f10b869d6c89b1d3401ab6d4b899b050c9989f723deae796702a831e05ee1940d6e9594

Download Submit
memory/4288-12-0x0000000001400000-0x0000000001A3D000-memory.dmp

Filesize
6.2MB

Download
memory/4288-13-0x0000000000530000-0x0000000000532000-memory.dmp

Filesize
8KB

Download
memory/4288-8-0x0000000001400000-0x0000000001A3D000-memory.dmp

Filesize
6.2MB

Download
memory/4288-14-0x0000000001400000-0x0000000001A3D000-memory.dmp

Filesize
6.2MB

Download
memory/4288-16-0x0000000001400000-0x0000000001A3D000-memory.dmp

Filesize
6.2MB

Download
memory/4288-17-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/4288-18-0x0000000001400000-0x0000000001A3D000-memory.dmp

Filesize
6.2MB

Download
memory/4288-11-0x0000000001400000-0x0000000001A3D000-memory.dmp

Filesize
6.2MB

Download
memory/4288-28-0x0000000001400000-0x0000000001A3D000-memory.dmp

Filesize
6.2MB

Download
memory/4764-23-0x0000000001020000-0x000000000165D000-memory.dmp

Filesize
6.2MB

Download
memory/4764-25-0x0000000001020000-0x000000000165D000-memory.dmp

Filesize
6.2MB

Download
memory/4764-27-0x0000000001020000-0x000000000165D000-memory.dmp

Filesize
6.2MB

Download
memory/4764-26-0x0000000001020000-0x000000000165D000-memory.dmp

Filesize
6.2MB

Download

Analysis

Sharing