Analysis
-
max time kernel
148s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
28-06-2024 08:46
General
-
Target
1980712458a4b2b97eba5f0cfdbca6ab_JaffaCakes118.exe
-
Size
1.9MB
-
MD5
1980712458a4b2b97eba5f0cfdbca6ab
-
SHA1
8912771a25ba4e073b0b774a4d7420ef886089fe
-
SHA256
b38dc61a16db2a727f5bce5610614bc986d2920cc170d565a040805373db9b66
-
SHA512
c87a3fd4a94485a69906803ac5a7d264958e512e15b08fc5964cf42b3a0e4762135d71b0d093609baf977e3ba242143453a8e27d558143760cf97bb60a8530c7
-
SSDEEP
49152:1AJYJOsBshId2l9SaxlK/HrY2oR2GveCQL+iRHy:GJYJrKh2vHrVoRDv+L+iRS
Malware Config
Signatures
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Stops running service(s) 4 TTPs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 11 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 10 IoCs
-
Drops file in Windows directory 2 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs .reg file with regedit 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 52 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1980712458a4b2b97eba5f0cfdbca6ab_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1980712458a4b2b97eba5f0cfdbca6ab_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\stop.js"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\foto.exe"C:\Users\Admin\AppData\Local\Temp\foto.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\1600.tmp\foto.bat" "4⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc delete SharedAccess5⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\attrib.exeattrib +h +s +r "C:\Windows\system32\rfusclient.exe"5⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +h +s +r "C:\Windows\system32\rutserv.exe"5⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s hak.reg5⤵
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\rutserv.exe"C:\Windows\system32\rutserv.exe" /server /silentinstall5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\rutserv.exe"C:\Windows\system32\rutserv.exe" /server /start5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "2⤵
- Deletes itself
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\rutserv.exeC:\Windows\SysWOW64\rutserv.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rfusclient.exeC:\Windows\SysWOW64\rfusclient.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rfusclient.exeC:\Windows\SysWOW64\rfusclient.exe /tray3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\rfusclient.exeC:\Windows\SysWOW64\rfusclient.exe /tray2⤵
- Executes dropped EXE
- Loads dropped DLL
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16KB
MD542aeb1c40ec4668176a1a770cff134b6
SHA121064102b097093a73d1702f4f68b8c9c163948f
SHA256a014e91ebd5b3e06a988cd06b7ca476a9023b2adf45d519a246a995e4a088f91
SHA512c409964163fcf5064da9b6f3932c99ddc10e9d3268ae61194be6f5ec6d28bf101fa38b9788d1a9a827572065986e664d17adaf8828bf034706d4d55203d0c006
-
Filesize
144KB
MD5513066a38057079e232f5f99baef2b94
SHA1a6da9e87415b8918447ec361ba98703d12b4ee76
SHA25602dbea75e8dbcdfc12c6b92a6c08efad83d4ca742ed7aee393ab26cab0c58f9e
SHA51283a074bef57f78ede2488dd586b963b92837e17eea77ebd1464f3da06954ae8ca07f040089af0c257e2836611ae39424574bd365aea4a6318a2707e031cd31a5
-
Filesize
608B
MD5cf22baa288ca6610573d870d7f68889d
SHA18b438dc561765c884e8fb6fffdc81e861fd54b40
SHA256733b92c89a2f9b74d2d8b738faeb472bcbfc1668c48be4d1c35c9d54ffc55d58
SHA512be9ee8f097c9d43dd5b74971171a12e1ba1a529bb7fe380c9d48d2840c34591839ad7966ddce4ef7e22ef28b270acdb7854dc2861878ac7e29d7d013901cc7d8
-
Filesize
14KB
MD5d6e314a2bd764424fc9eadb6287626c9
SHA10e4f5b516026149add33a466257cb8925b6aa857
SHA2566f4845a5e709853cc2f5a5821d44ca6f74919026e7f3f41178b19daf0bdb780a
SHA512ba79f21733439d14f41a9fc78ff02be4452c2b3cd217267135b055ea3b98068e4cc47cebd74fb7a5713ce91a247546fecb864ce2585b405a1f9422dc009c49be
-
Filesize
2.8MB
MD5f449d06b49e258b04bba5eaeab748aa2
SHA16de5e6fba23c681c949240f5435fba33e3034d27
SHA256c18c2bbafdab4e5974ede842bd4bd854deff9135356681ff84ba2f1c047e7c7a
SHA512b6441ae86e4f65e9d85a75312cc27e0bcc2992c89691be239e787ca28e69409a074e6ae0d1d45f518743fa60c664b85d120786dd57b6faf25bad6cb0b1a90e48
-
Filesize
3.2MB
MD511fe69e28c7fc7e975b6485520174de8
SHA1b2e6f974adcec6b18e54e27f83805d8ce3560dea
SHA2562d3c994449f1b13d55e22bbbae4bf36269f21a726c681271ecffc9fcab8f0425
SHA51225a05981afc787d48bd78a2e6a5df28040bb485fc18cccde68c9337597cabff5c70258bba7cbed802075800c9918664cadae775346887544ca7c9a3829f18aa9
-
Filesize
310KB
MD516ae96fc0134c9163a404aca5c8115da
SHA1a4818324c392a53166d42c879cdb70f0efea46af
SHA25616e801ff476b93016930ec879181661dc7d098424d4e383935b186e5eb5c5c6d
SHA51298eeb9307ad75459364cd67f341be46578d15907d657fc5c49d37a04e1fc71e6ed23d46865fca085b82027eeeebcb546861a43f6cbba537b63075224e9fb0c13
-
Filesize
264B
MD513430c0f8360456f801f9bc372e7624c
SHA18665531e12a3de10e21f3f450ecdbcc9f1b5f124
SHA256bab6df9bb282727cd467627d63a05202808951fe9c205e2f8d0849e262d9fa67
SHA512f6dc4e2f776b29a014de4eebc02fbc9de1eb9a96f52e799cd3660afa91ae66b60dcb0155a355a266dbe87097611bd8b624b4ff5b6308bf9bda1e189b0af627ce
-
Filesize
1.6MB
MD53566e183de87939f2d75c4c9ae208465
SHA144ac8d4a7206801522c80f7a6ee6c282a0359b0f
SHA2564af6351a3440aa4ee3c5ad4d94fec406d0b8f9d11e06449562349ed4424c7678
SHA512a49639505c5701d4f3599e0908dc55c4b6350c5ed3e2ab03af56aeae8c1623b373cadfc6ed6da4f2f062b9a7c9ab4207bcfa86e82cdf1646f2755cd4c297a007
-
Filesize
212B
MD5a3d0a0d32ce3c60f0b205d882435f8ac
SHA1b28bad3ef81216f14fd7a262a3ebc2258fcc7d9d
SHA256e7455abc7bdc2d705b007e9b0332e7c8d3793492f33324c7dd10b0a0513c2e3f
SHA512ea53f374b3291ec6ede586250ba787567c37c5f44014d347ac02612071c69f51e8499f2b26e6a7e957f5ca1749495f5c7398f479dd0dbe9bd29e95fa15843af9
-
Filesize
3.3MB
-
Filesize
352KB
-
Filesize
6.5MB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
3.8MB
-
Filesize
3.3MB
-
Filesize
352KB
-
Filesize
3.3MB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
3.8MB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
3.3MB
-
Filesize
8KB
-
Filesize
352KB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
8KB
