Overview

overview

10

Static

static

3

70f0ef0d07...18.exe

windows7-x64

10

70f0ef0d07...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    25-05-2024 05:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    70f0ef0d07717e93b144a8cb9c269619_JaffaCakes118.exe

  • Size

    4.0MB

  • MD5

    70f0ef0d07717e93b144a8cb9c269619

  • SHA1

    26b28eed4f5c29b3754377ec26228faa3dca02a4

  • SHA256

    96b9d308e4fe6eaf4695236381e80a7ab129e920689e4b3b17eb07076088787d

  • SHA512

    f5fd5f94265772592b52571b299265b291643ca2865e95e466b8cb457db725f96f3ffe3e72a567270ad60e79e3b651552ec3965c9703e401947fc06f1446a57b

  • SSDEEP

    98304:ggUYAFU4f8sKGeqVLMxUFhPGXEZIeR1LsNMxyV:ghFU4QGeywU/PFzMO6

Score
10/10
rmsaspackv2rattrojanupx

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • ASPack v2.12-2.42 2 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 2 IoCs
    evasion
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\70f0ef0d07717e93b144a8cb9c269619_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\70f0ef0d07717e93b144a8cb9c269619_JaffaCakes118.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2132
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files\Microsoft Games\install.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2384
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Program Files\Microsoft Games\install.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2656
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im rutserv.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2772
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im rfusclient.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2676
        • C:\Windows\SysWOW64\reg.exe
          reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
          4⤵
            PID:2696
          • C:\Windows\SysWOW64\regedit.exe
            regedit /s "regedit.reg"
            4⤵
            • Runs .reg file with regedit
            PID:2692
          • C:\Windows\SysWOW64\timeout.exe
            timeout 2
            4⤵
            • Delays execution with timeout.exe
            PID:2616
          • C:\Program Files\Microsoft Games\rutserv.exe
            rutserv.exe /silentinstall
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:2532
          • C:\Program Files\Microsoft Games\rutserv.exe
            rutserv.exe /firewall
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:1280
          • C:\Program Files\Microsoft Games\rutserv.exe
            rutserv.exe /start
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:1572
    • C:\Program Files\Microsoft Games\rutserv.exe
      "C:\Program Files\Microsoft Games\rutserv.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1032
      • C:\Program Files\Microsoft Games\rfusclient.exe
        "C:\Program Files\Microsoft Games\rfusclient.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1788
        • C:\Program Files\Microsoft Games\rfusclient.exe
          "C:\Program Files\Microsoft Games\rfusclient.exe" /tray
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: SetClipboardViewer
          PID:2796
      • C:\Program Files\Microsoft Games\rfusclient.exe
        "C:\Program Files\Microsoft Games\rfusclient.exe" /tray
        2⤵
        • Executes dropped EXE
        PID:1808

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Microsoft Games\install.bat
      Filesize

      480B

      MD5

      99db27d776e103cad354b531ee1f20b9

      SHA1

      0b82d146df8528f66d1d14756f211fd3a8b1b91a

      SHA256

      240020a1a1941d1455135b5cb134e502a13b148be16cbb1552482aa03c29f8f3

      SHA512

      bc2ed33495c0a752397b2f1b9b7ba65f94ea5be82dde74c618342c83b68f1b92a4783b672cd427843533799e1af0875e0fd000b12236852e9e2fa93005d7ac69

      Download Submit

    • C:\Program Files\Microsoft Games\install.vbs
      Filesize

      117B

      MD5

      65fc32766a238ff3e95984e325357dbb

      SHA1

      3ac16a2648410be8aa75f3e2817fbf69bb0e8922

      SHA256

      a7b067e9e4d44efe579c7cdb1e847d61af2323d3d73c6fffb22e178ae476f420

      SHA512

      621e81fc2d0f9dd92413481864638a140bee94c7dbd31f944826b21bd6ad6b8a59e63de9f7f0025cffc0efb7f9975dde77f523510ee23ada62c152a63a22f608

      Download Submit

    • C:\Program Files\Microsoft Games\regedit.reg
      Filesize

      11KB

      MD5

      897b37212d4b9a127069b255d7a573fd

      SHA1

      a6ba28354aaa9d53128cc72f37baf349a17e7274

      SHA256

      f9472fc6e4c282b5566c969bbd10bd20e17398dbd2942fd7fe01c9ad1fa15764

      SHA512

      2eab07d29fd4fb454db50ab086d6de4534c0eeb9abb68a3edd36011d198277f78e10f07d9c3cfecd1a96448dd631c684228289fd5e319116b956ae53510af156

      Download Submit

    • C:\Program Files\Microsoft Games\rfusclient.exe
      Filesize

      1.5MB

      MD5

      b8667a1e84567fcf7821bcefb6a444af

      SHA1

      9c1f91fe77ad357c8f81205d65c9067a270d61f0

      SHA256

      dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

      SHA512

      ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

      Download Submit

    • C:\Program Files\Microsoft Games\rutserv.exe
      Filesize

      1.7MB

      MD5

      37a8802017a212bb7f5255abc7857969

      SHA1

      cb10c0d343c54538d12db8ed664d0a1fa35b6109

      SHA256

      1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

      SHA512

      4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

      Download Submit

    • C:\Program Files\Microsoft Games\vp8decoder.dll
      Filesize

      155KB

      MD5

      88318158527985702f61d169434a4940

      SHA1

      3cc751ba256b5727eb0713aad6f554ff1e7bca57

      SHA256

      4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

      SHA512

      5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

      Download Submit

    • C:\Program Files\Microsoft Games\vp8encoder.dll
      Filesize

      593KB

      MD5

      6298c0af3d1d563834a218a9cc9f54bd

      SHA1

      0185cd591e454ed072e5a5077b25c612f6849dc9

      SHA256

      81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

      SHA512

      389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

      Download Submit

    • memory/1032-109-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1032-102-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1032-91-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1032-88-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1032-59-0x0000000003280000-0x0000000003836000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1032-60-0x0000000003C30000-0x00000000041E6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1032-98-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1032-95-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1032-47-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1032-116-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1032-48-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1032-49-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1032-50-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1032-52-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1032-51-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1280-36-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1280-37-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1280-32-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1280-34-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1280-35-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1280-33-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1280-38-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1572-42-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1572-41-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1572-40-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1572-45-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1572-43-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1572-44-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1572-70-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1788-61-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1788-65-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1788-64-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1788-67-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1788-66-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1788-89-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1808-90-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1808-93-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1808-111-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1808-101-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1808-68-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1808-97-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2532-23-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/2532-24-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/2532-30-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/2532-25-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/2532-26-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/2532-28-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/2532-27-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/2656-22-0x00000000026F0000-0x0000000002DA9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/2796-80-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2796-87-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download