rms | 32a9a87298f5bbe570861146fc10288f9b371d824fb82873fc17433100477d70

General

Target

af8c925cc7c1feb68038feeed05ac757_JaffaCakes118.exe
Size

2.7MB
MD5

af8c925cc7c1feb68038feeed05ac757
SHA1

7897dedf8b6c4f9680098f55393c6d52514f3a13
SHA256

32a9a87298f5bbe570861146fc10288f9b371d824fb82873fc17433100477d70
SHA512

c61978544bbb48ea1af667dd335962a339761b5b9b0377da147d0c7671e298d9dc99190507bc4caba4cf2a6e0b977f402ba5cf5c4cc0d323f5a6360953e97f19
SSDEEP

49152:zKgO60nWmCRtLFZvKWnKJbM2JLPQ2Yk5yViksCG7YZdJe1DGEaGz+G:zKgP0WttLFUW6bxE2JYVCZ7Ka1iEaGzH

Score

10^/10

rms rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000015bba-26.dat	acprotect
behavioral1/files/0x0007000000015670-25.dat	acprotect

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.lnk	af8c925cc7c1feb68038feeed05ac757_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2940	svchost.exe

Loads dropped DLL 4 IoCs

pid	Process
2388	af8c925cc7c1feb68038feeed05ac757_JaffaCakes118.exe
2388	af8c925cc7c1feb68038feeed05ac757_JaffaCakes118.exe
2388	af8c925cc7c1feb68038feeed05ac757_JaffaCakes118.exe
2388	af8c925cc7c1feb68038feeed05ac757_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000015bba-26.dat	upx
behavioral1/files/0x0007000000015670-25.dat	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2940	svchost.exe
2940	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2940	svchost.exe
Token: SeTcbPrivilege	2940	svchost.exe
Token: SeTcbPrivilege	2940	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2940	svchost.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2940	2388	af8c925cc7c1feb68038feeed05ac757_JaffaCakes118.exe	28
PID 2388 wrote to memory of 2940	2388	af8c925cc7c1feb68038feeed05ac757_JaffaCakes118.exe	28
PID 2388 wrote to memory of 2940	2388	af8c925cc7c1feb68038feeed05ac757_JaffaCakes118.exe	28
PID 2388 wrote to memory of 2940	2388	af8c925cc7c1feb68038feeed05ac757_JaffaCakes118.exe	28
PID 2388 wrote to memory of 2940	2388	af8c925cc7c1feb68038feeed05ac757_JaffaCakes118.exe	28
PID 2388 wrote to memory of 2940	2388	af8c925cc7c1feb68038feeed05ac757_JaffaCakes118.exe	28
PID 2388 wrote to memory of 2940	2388	af8c925cc7c1feb68038feeed05ac757_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\af8c925cc7c1feb68038feeed05ac757_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\af8c925cc7c1feb68038feeed05ac757_JaffaCakes118.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Roaming\SysX64\svchost.exe
  "C:\Users\Admin\AppData\Roaming\SysX64\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SysX64\settings.dat

Filesize
2KB

MD5
95178f193f6167c1f22c5570edf8ed0d

SHA1
7a581ae7fcb117571c05ab17efd23bf311fc9039

SHA256
8026754e723f00ce17dc4ca7b9417b93e8e20aa3f5e10fb75e93664b659f9cb7

SHA512
c4aa87ca98ff6b4ee77eae686f0f9d4f2aea7ef6b386fb39848f868df08561dbb9110629152e8f29d9fb0d6fd4c23fc897a4fcab7950b1446a8e88d7b24df7ee

Download Submit
C:\Users\Admin\AppData\Roaming\SysX64\vp8decoder.dll

Filesize
155KB

MD5
88318158527985702f61d169434a4940

SHA1
3cc751ba256b5727eb0713aad6f554ff1e7bca57

SHA256
4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

SHA512
5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

Download Submit
C:\Users\Admin\AppData\Roaming\SysX64\vp8encoder.dll

Filesize
593KB

MD5
6298c0af3d1d563834a218a9cc9f54bd

SHA1
0185cd591e454ed072e5a5077b25c612f6849dc9

SHA256
81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

SHA512
389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

Download Submit
\Users\Admin\AppData\Roaming\SysX64\svchost.exe

Filesize
6.0MB

MD5
ef7892551607b0d8e1a15291f8097821

SHA1
2ac49e13473112d0a5f44f2f4fed6cecc26b430a

SHA256
ba23f70910997133ed7efe92031e64860f16a04700b395fe8321d36f204585de

SHA512
074b04f74d85ca8a0468232a7731df40e839225503f8b7a15c03f694ff7b6025f801cbd921aa616fc61185c3ba3557628baf9bb97738628801cd343318fd97e7

Download Submit
memory/2940-24-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2940-30-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2940-32-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2940-34-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2940-35-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2940-37-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2940-40-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download

Analysis

Sharing