rms | 96a2d431456f56877f20870ea75c9d5140e5743e73fcd402bf5a3a7d6e402b0b

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47b91db13b09037c9190182824c54ff4_JaffaCakes118.exe
Size

8.3MB
MD5

47b91db13b09037c9190182824c54ff4
SHA1

6b19eec521429b0eb33d821917476cdb90e5e715
SHA256

96a2d431456f56877f20870ea75c9d5140e5743e73fcd402bf5a3a7d6e402b0b
SHA512

11bb54f3fda86ada772ec53f6a032638e95f378d4626d6afc95f94c148f056eff397ec203f4ee2ec1981917948b62bfdbca6725b8ac06282f85a29ccc2c484d7
SSDEEP

196608:PbHYOi1iRRteqsd3lMXbUJMuK5Scxoi6Z2Ba+z+IAp2FG0c+imht/:PLc1URtOqkMul689A+30cU/

Score

10^/10

rms discovery rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

47b91db13b09037c9190182824c54ff4_JaffaCakes118.exeinstaller.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	47b91db13b09037c9190182824c54ff4_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	installer.exe

Executes dropped EXE 8 IoCs

Processes:

installer.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exerfusclient.exerfusclient.exe

pid process

5048 installer.exe
2064 rutserv.exe
1704 rutserv.exe
3184 rutserv.exe
3548 rutserv.exe
4276 rfusclient.exe
3960 rfusclient.exe
404 rfusclient.exe
Loads dropped DLL 1 IoCs

Processes:

MsiExec.exe

pid process

2500 MsiExec.exe
Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exe

flow pid process

13 3776 msiexec.exe
16 3776 msiexec.exe
23 3776 msiexec.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2500	MsiExec.exe

flow	pid	process
13	3776	msiexec.exe
16	3776	msiexec.exe
23	3776	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in System32 directory 3 IoCs

Processes:

rutserv.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\exe\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\symbols\exe\rutserv.pdb	rutserv.exe

Drops file in Program Files directory 54 IoCs

Processes:

msiexec.exerutserv.exe

description	ioc	process
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\VPDAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\progress.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\progress.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms_s.lng	msiexec.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.pdb	rutserv.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\SampleClient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\srvinst.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmspm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms_s.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\VPDAgent_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmspm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\English.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.hlp	msiexec.exe

Drops file in Windows directory 19 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\e573400.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI377B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\SourceHash{D9E14363-FD66-419D-9DC9-C62471755C9F}	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File created	C:\Windows\Installer\e573400.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI38A5.tmp	msiexec.exe
File created	C:\Windows\Installer\e573404.msi	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe

Modifies registry class 24 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\PackageCode = "EE22CCA5812A64F4CB23B29D2A4A798E"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\36341E9D66DFD914D99C6C421757C5F9	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductIcon = "C:\\Windows\\Installer\\{D9E14363-FD66-419D-9DC9-C62471755C9F}\\ARPPRODUCTICON.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Language = "1049"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Version = "115998720"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\PackageName = "rms.host6.3.4ru_mod.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9\RMS	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductName = "Remote Manipulator System - Host"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Clients = 3a0000000000	msiexec.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

installer.exemsiexec.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exe

pid	process
5048	installer.exe
5048	installer.exe
5048	installer.exe
5048	installer.exe
5048	installer.exe
5048	installer.exe
5048	installer.exe
5048	installer.exe
5048	installer.exe
5048	installer.exe
3776	msiexec.exe
3776	msiexec.exe
2064	rutserv.exe
2064	rutserv.exe
2064	rutserv.exe
2064	rutserv.exe
2064	rutserv.exe
2064	rutserv.exe
1704	rutserv.exe
1704	rutserv.exe
3184	rutserv.exe
3184	rutserv.exe
3548	rutserv.exe
3548	rutserv.exe
3548	rutserv.exe
3548	rutserv.exe
3548	rutserv.exe
3548	rutserv.exe
3960	rfusclient.exe
3960	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

rfusclient.exe

pid process

404 rfusclient.exe

pid	process
404	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	4316	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4316	msiexec.exe
Token: SeSecurityPrivilege	3776	msiexec.exe
Token: SeCreateTokenPrivilege	4316	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4316	msiexec.exe
Token: SeLockMemoryPrivilege	4316	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4316	msiexec.exe
Token: SeMachineAccountPrivilege	4316	msiexec.exe
Token: SeTcbPrivilege	4316	msiexec.exe
Token: SeSecurityPrivilege	4316	msiexec.exe
Token: SeTakeOwnershipPrivilege	4316	msiexec.exe
Token: SeLoadDriverPrivilege	4316	msiexec.exe
Token: SeSystemProfilePrivilege	4316	msiexec.exe
Token: SeSystemtimePrivilege	4316	msiexec.exe
Token: SeProfSingleProcessPrivilege	4316	msiexec.exe
Token: SeIncBasePriorityPrivilege	4316	msiexec.exe
Token: SeCreatePagefilePrivilege	4316	msiexec.exe
Token: SeCreatePermanentPrivilege	4316	msiexec.exe
Token: SeBackupPrivilege	4316	msiexec.exe
Token: SeRestorePrivilege	4316	msiexec.exe
Token: SeShutdownPrivilege	4316	msiexec.exe
Token: SeDebugPrivilege	4316	msiexec.exe
Token: SeAuditPrivilege	4316	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4316	msiexec.exe
Token: SeChangeNotifyPrivilege	4316	msiexec.exe
Token: SeRemoteShutdownPrivilege	4316	msiexec.exe
Token: SeUndockPrivilege	4316	msiexec.exe
Token: SeSyncAgentPrivilege	4316	msiexec.exe
Token: SeEnableDelegationPrivilege	4316	msiexec.exe
Token: SeManageVolumePrivilege	4316	msiexec.exe
Token: SeImpersonatePrivilege	4316	msiexec.exe
Token: SeCreateGlobalPrivilege	4316	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

installer.exerutserv.exerutserv.exerutserv.exerutserv.exe

pid process

5048 installer.exe
2064 rutserv.exe
1704 rutserv.exe
3184 rutserv.exe
3548 rutserv.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

47b91db13b09037c9190182824c54ff4_JaffaCakes118.exeinstaller.exemsiexec.exerutserv.exerfusclient.exe

description	pid	process	target process
PID 4792 wrote to memory of 5048	4792	47b91db13b09037c9190182824c54ff4_JaffaCakes118.exe	installer.exe
PID 4792 wrote to memory of 5048	4792	47b91db13b09037c9190182824c54ff4_JaffaCakes118.exe	installer.exe
PID 4792 wrote to memory of 5048	4792	47b91db13b09037c9190182824c54ff4_JaffaCakes118.exe	installer.exe
PID 5048 wrote to memory of 4316	5048	installer.exe	msiexec.exe
PID 5048 wrote to memory of 4316	5048	installer.exe	msiexec.exe
PID 5048 wrote to memory of 4316	5048	installer.exe	msiexec.exe
PID 3776 wrote to memory of 2500	3776	msiexec.exe	MsiExec.exe
PID 3776 wrote to memory of 2500	3776	msiexec.exe	MsiExec.exe
PID 3776 wrote to memory of 2500	3776	msiexec.exe	MsiExec.exe
PID 3776 wrote to memory of 2064	3776	msiexec.exe	rutserv.exe
PID 3776 wrote to memory of 2064	3776	msiexec.exe	rutserv.exe
PID 3776 wrote to memory of 2064	3776	msiexec.exe	rutserv.exe
PID 3776 wrote to memory of 1704	3776	msiexec.exe	rutserv.exe
PID 3776 wrote to memory of 1704	3776	msiexec.exe	rutserv.exe
PID 3776 wrote to memory of 1704	3776	msiexec.exe	rutserv.exe
PID 3776 wrote to memory of 3184	3776	msiexec.exe	rutserv.exe
PID 3776 wrote to memory of 3184	3776	msiexec.exe	rutserv.exe
PID 3776 wrote to memory of 3184	3776	msiexec.exe	rutserv.exe
PID 5048 wrote to memory of 4396	5048	installer.exe	cmd.exe
PID 5048 wrote to memory of 4396	5048	installer.exe	cmd.exe
PID 5048 wrote to memory of 4396	5048	installer.exe	cmd.exe
PID 3548 wrote to memory of 3960	3548	rutserv.exe	rfusclient.exe
PID 3548 wrote to memory of 3960	3548	rutserv.exe	rfusclient.exe
PID 3548 wrote to memory of 3960	3548	rutserv.exe	rfusclient.exe
PID 3548 wrote to memory of 4276	3548	rutserv.exe	rfusclient.exe
PID 3548 wrote to memory of 4276	3548	rutserv.exe	rfusclient.exe
PID 3548 wrote to memory of 4276	3548	rutserv.exe	rfusclient.exe
PID 3960 wrote to memory of 404	3960	rfusclient.exe	rfusclient.exe
PID 3960 wrote to memory of 404	3960	rfusclient.exe	rfusclient.exe
PID 3960 wrote to memory of 404	3960	rfusclient.exe	rfusclient.exe

C:\Users\Admin\AppData\Local\Temp\47b91db13b09037c9190182824c54ff4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\47b91db13b09037c9190182824c54ff4_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe" /rsetup
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3.4ru_mod.msi" /qn
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\killself.bat
    3⤵
    PID:4396

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3776
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7835A9BB3DF19402068BFE5201CF2BED
  2⤵
  - Loads dropped DLL
  PID:2500
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2064
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1704
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3184

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3548
- C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
    "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:404
- C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
  2⤵
  - Executes dropped EXE
  PID:4276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e573403.rbs

Filesize
19KB

MD5
18825c0413205f34f4411de81269342e

SHA1
23927f0449a3d665de75d14f3f5d54326657ecfc

SHA256
e668ea9270861dcb759c02f1cab58f218e9d347ee1d07324ef8f9fe872354d06

SHA512
b861409417bdd83c40ef68b1a322ff5636e16078bb576fa5bdf43393791ddbfd373d61e19cfce516cb57a60b1400dfe40d448c13de1ed8e996bbc91347c7a8fb

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\English.lg

Filesize
43KB

MD5
bc25377ade68750b834c81fa71c233b8

SHA1
84dbb465dd2125f47668e2508e18af9bd6db2fd8

SHA256
9a48a7ea7ba2c2f33280d1e1722ebbc59bf81bc6c5a1f97edca53ea641ffd8e3

SHA512
205ab195339d7108adbe6dfabd48e4e21c5956ded587d7213a44618f0d34a43f7b8abaa7765b9d31695efacfc44beeb69fbaa3cb27c141b6a653713fdf5ebce5

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll

Filesize
144KB

MD5
2ddfa39f5c2fd3f00681ef2970617e4b

SHA1
8152aa18afbacf398b92168995ec8696d3fe3659

SHA256
f938bdc741ef1d2738b532aef001a160e3a3627ed8a27158b7017ee49fc65791

SHA512
f89f0f02cda650c138e4ebaef198f0762dfd571ef7d46a6b3710cd93d76bc52a79055c55afca46128a9a84a795a5cb946ca93c492e07cfb503c9b27d96211e20

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll

Filesize
975KB

MD5
3d0b27b3f8aa22575aa0faf0b2d67216

SHA1
39fc787538849692ed7352418616f467b7a86a1d

SHA256
d7782488ef29bf0fd7e8faf0bd24414a6540bf7366434692a5a485d5ae2d7d44

SHA512
19f0785d3cecce0dbbb7da1be640bffebe4daedc65a513d1db0b5e533eb96aaa0588831de74c88e5013c00405e03ca4188c4b633e39e6c49ab5c1d1b42191ca8

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg

Filesize
48KB

MD5
e44e34bc285b709f08f967325d9c8be1

SHA1
e73f05c6a980ec9d006930c5343955f89579b409

SHA256
1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b

SHA512
576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
5.1MB

MD5
76ebe5fd077a62161d0ab560208b9f94

SHA1
614c218d35ba531f0bad791d52e5dcf57df5c742

SHA256
f0a653463850ce111457513e9ad3ec4443ed88c69fdf33d76e05c33ce8e1722b

SHA512
baba7b03042c4bfbf6efa9c2219ed72e393e193ee743a32501e1a5df56293b3bdf2270b92843c9333049dcfcfe52007d6e9a7bfaa0548ef268d2511cf590efde

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll

Filesize
378KB

MD5
292a1748850d1fdc91d4ec23b02d6902

SHA1
8f15f1c24e11c0b45b19c82a78f7b79b1e7f932d

SHA256
acf354ad6ed94e876b29a60c5870dd91e7b3f76cc82c1a862c92024a12404a9f

SHA512
cf7579f1169ec21d9bf3c666d416d3fe2a4f9953d4d328b182452e40043f91055d301fd4b4a21454b847dbdb0af6a61c52657caded7d6fd7e88812aceeacf704

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll

Filesize
1.6MB

MD5
4570f7a40357016c97afe0dd4faf749b

SHA1
ebc8a1660f1103c655559caab3a70ec23ca187f1

SHA256
a5f008bf852d4c73e001f840d6f8b233c7d9bc9570cee639d40c1c8723bf99f8

SHA512
6b16979d004adc04259f2ce043cde6f7b57f2ddf5f4cea7bb390fd6b9fb273d22355b837f1b5c2eae77ea7df792de8e6db43e31d7246f044935a8187dace493b

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll

Filesize
258KB

MD5
038bf9f3a58560ad1130eeb85cdc1a87

SHA1
3571eb7293a2a3a5bf6eb21e1569cd151d995d1a

SHA256
d247afa3bd1ccc18e11eb099280802a61d3792a2018c476d95debf2091e9707d

SHA512
8ffa52b358841600b9122974079d22d4e11bc4214316cd85ac4d4af0e369112b6827029f74a9a9d3918db00c7fed3a9a1985e0b43da39783a748d78752ae2385

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll

Filesize
363KB

MD5
eeb2c52abbc7eb1c029b7fec45a7f22e

SHA1
8bfeb412614e3db0a2bf0122f4d68cc27b8c3a61

SHA256
c0f0b84d587066af8f80f41a7be63b4c01547af3f1e011602ac1b6ee0ac54a2c

SHA512
0b5b83335c6f602b8397a3c2ae6d1e661d744eb27114463d53e344bf18774ccb38853d314ebe05536d4c28c29fe3fdaba041a6a46983789f064ca70881cfcb85

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll

Filesize
858KB

MD5
e38372f576d927f525ef8e1a34b54664

SHA1
26af9d1db0a3f91d7fe13147e55f06c302d59389

SHA256
4046bd0b93909a41d0fd96f0405a864c79a47f493165546569251c1f73db6b0b

SHA512
78b7477b000407990304ec37624b873514d4ed9daa1b42fd988707b7374ffab442ba28fe19884724867f3f0f7a5f12f7fc8c228c050115c902d1569e4a3b13c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

Filesize
6.0MB

MD5
c9704931d887685d96ce92d637d84045

SHA1
0875a71e9118ded121d92f3f46a3af1ec8380f8b

SHA256
0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

SHA512
3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3.4ru_mod.msi

Filesize
7.4MB

MD5
a74f9058e24d450f209f895592252c20

SHA1
062f717ad76ed66013a3a71dae978690027e5ed3

SHA256
17846007267f4af2776577e216ca1899644f015eb7f399c52005e519e7e7fa21

SHA512
dca3266f920b0d95110647e173ff66665372c0d7fd5da99efb9e27079e84a49a8f4ee263879dd42c14c7629137a4f94148a8dceae88f83c91fdfd95e5b49824e

Download Submit
C:\Users\Admin\AppData\Local\Temp\killself.bat

Filesize
413B

MD5
b84b9bab28ef23fa881b625cb9524106

SHA1
2c1c68374a9c71d1d48d1049049705c66eae7b93

SHA256
27414b5d8d18599be1ee59eb926afb323a2e49d648e79636acaceba8b511730e

SHA512
bcdbb91811129ba0f86e59aca50fc77333218d36dd11a025f235fcbae5915984b29a3e3377ede6cb6e0e18982551299db319285f59b1fd5fc4794ef591f24a2f

Download Submit
C:\Windows\Installer\MSI377B.tmp

Filesize
125KB

MD5
b0bcc622f1fff0eec99e487fa1a4ddd9

SHA1
49aa392454bd5869fa23794196aedc38e8eea6f5

SHA256
b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

SHA512
1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

Download Submit
C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe

Filesize
96KB

MD5
9e2c097647125ee25068784acb01d7d3

SHA1
1a90c40c7f89eec18f47f0dae3f1d5cd3a3d49b5

SHA256
b4614281771ed482970fd0d091604b3a65c7e048f7d7fa8794abd0a0c638f5d2

SHA512
e2f334f31361ea1ffc206184808cb51002486fe583dc23b4f617bead0e3940fdc97b72cda2a971e2cf00462940b31e065228f643835d156e7166e8803e3181f1

Download Submit
memory/404-138-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/1704-105-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2064-103-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3184-134-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3548-153-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3548-146-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3548-164-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3548-188-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3548-139-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3548-142-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3548-185-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3548-171-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3548-181-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3548-149-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3548-178-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3548-174-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3548-160-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3960-140-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/4276-144-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/4276-166-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/4276-152-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/4276-148-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/4276-141-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/5048-119-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/5048-14-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download