Overview

overview

10

Static

static

3

1980712458...18.exe

windows7-x64

10

1980712458...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    28/06/2024, 08:46

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    1980712458a4b2b97eba5f0cfdbca6ab_JaffaCakes118.exe

  • Size

    1.9MB

  • MD5

    1980712458a4b2b97eba5f0cfdbca6ab

  • SHA1

    8912771a25ba4e073b0b774a4d7420ef886089fe

  • SHA256

    b38dc61a16db2a727f5bce5610614bc986d2920cc170d565a040805373db9b66

  • SHA512

    c87a3fd4a94485a69906803ac5a7d264958e512e15b08fc5964cf42b3a0e4762135d71b0d093609baf977e3ba242143453a8e27d558143760cf97bb60a8530c7

  • SSDEEP

    49152:1AJYJOsBshId2l9SaxlK/HrY2oR2GveCQL+iRHy:GJYJrKh2vHrVoRDv+L+iRS

Score
10/10
rmsevasionexecutionrattrojanupx

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Deletes itself 1 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 11 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 10 IoCs
  • Drops file in Windows directory 2 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\1980712458a4b2b97eba5f0cfdbca6ab_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1980712458a4b2b97eba5f0cfdbca6ab_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2796
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\stop.js"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\Users\Admin\AppData\Local\Temp\foto.exe
        "C:\Users\Admin\AppData\Local\Temp\foto.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2588
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\1600.tmp\foto.bat" "
          4⤵
          • Loads dropped DLL
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:2492
          • C:\Windows\SysWOW64\sc.exe
            sc delete SharedAccess
            5⤵
            • Launches sc.exe
            PID:2480
          • C:\Windows\SysWOW64\attrib.exe
            attrib +h +s +r "C:\Windows\system32\rfusclient.exe"
            5⤵
            • Drops file in System32 directory
            • Views/modifies file attributes
            PID:2508
          • C:\Windows\SysWOW64\attrib.exe
            attrib +h +s +r "C:\Windows\system32\rutserv.exe"
            5⤵
            • Drops file in System32 directory
            • Views/modifies file attributes
            PID:1432
          • C:\Windows\SysWOW64\regedit.exe
            regedit /s hak.reg
            5⤵
            • Runs .reg file with regedit
            PID:828
          • C:\Windows\SysWOW64\rutserv.exe
            "C:\Windows\system32\rutserv.exe" /server /silentinstall
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of AdjustPrivilegeToken
            PID:2056
          • C:\Windows\SysWOW64\rutserv.exe
            "C:\Windows\system32\rutserv.exe" /server /start
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of AdjustPrivilegeToken
            PID:2288
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
      2⤵
      • Deletes itself
      PID:2744
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:2908
  • C:\Windows\SysWOW64\rutserv.exe
    C:\Windows\SysWOW64\rutserv.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2548
    • C:\Windows\SysWOW64\rfusclient.exe
      C:\Windows\SysWOW64\rfusclient.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2312
      • C:\Windows\SysWOW64\rfusclient.exe
        C:\Windows\SysWOW64\rfusclient.exe /tray
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1160
    • C:\Windows\SysWOW64\rfusclient.exe
      C:\Windows\SysWOW64\rfusclient.exe /tray
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2256

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\1600.tmp\1.jpg
          Filesize

          16KB

          MD5

          42aeb1c40ec4668176a1a770cff134b6

          SHA1

          21064102b097093a73d1702f4f68b8c9c163948f

          SHA256

          a014e91ebd5b3e06a988cd06b7ca476a9023b2adf45d519a246a995e4a088f91

          SHA512

          c409964163fcf5064da9b6f3932c99ddc10e9d3268ae61194be6f5ec6d28bf101fa38b9788d1a9a827572065986e664d17adaf8828bf034706d4d55203d0c006

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\1600.tmp\HookDrv.dll
          Filesize

          144KB

          MD5

          513066a38057079e232f5f99baef2b94

          SHA1

          a6da9e87415b8918447ec361ba98703d12b4ee76

          SHA256

          02dbea75e8dbcdfc12c6b92a6c08efad83d4ca742ed7aee393ab26cab0c58f9e

          SHA512

          83a074bef57f78ede2488dd586b963b92837e17eea77ebd1464f3da06954ae8ca07f040089af0c257e2836611ae39424574bd365aea4a6318a2707e031cd31a5

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\1600.tmp\foto.bat
          Filesize

          608B

          MD5

          cf22baa288ca6610573d870d7f68889d

          SHA1

          8b438dc561765c884e8fb6fffdc81e861fd54b40

          SHA256

          733b92c89a2f9b74d2d8b738faeb472bcbfc1668c48be4d1c35c9d54ffc55d58

          SHA512

          be9ee8f097c9d43dd5b74971171a12e1ba1a529bb7fe380c9d48d2840c34591839ad7966ddce4ef7e22ef28b270acdb7854dc2861878ac7e29d7d013901cc7d8

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\1600.tmp\hak.reg
          Filesize

          14KB

          MD5

          d6e314a2bd764424fc9eadb6287626c9

          SHA1

          0e4f5b516026149add33a466257cb8925b6aa857

          SHA256

          6f4845a5e709853cc2f5a5821d44ca6f74919026e7f3f41178b19daf0bdb780a

          SHA512

          ba79f21733439d14f41a9fc78ff02be4452c2b3cd217267135b055ea3b98068e4cc47cebd74fb7a5713ce91a247546fecb864ce2585b405a1f9422dc009c49be

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\1600.tmp\rfusclient.exe
          Filesize

          2.8MB

          MD5

          f449d06b49e258b04bba5eaeab748aa2

          SHA1

          6de5e6fba23c681c949240f5435fba33e3034d27

          SHA256

          c18c2bbafdab4e5974ede842bd4bd854deff9135356681ff84ba2f1c047e7c7a

          SHA512

          b6441ae86e4f65e9d85a75312cc27e0bcc2992c89691be239e787ca28e69409a074e6ae0d1d45f518743fa60c664b85d120786dd57b6faf25bad6cb0b1a90e48

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\1600.tmp\rutserv.exe
          Filesize

          3.2MB

          MD5

          11fe69e28c7fc7e975b6485520174de8

          SHA1

          b2e6f974adcec6b18e54e27f83805d8ce3560dea

          SHA256

          2d3c994449f1b13d55e22bbbae4bf36269f21a726c681271ecffc9fcab8f0425

          SHA512

          25a05981afc787d48bd78a2e6a5df28040bb485fc18cccde68c9337597cabff5c70258bba7cbed802075800c9918664cadae775346887544ca7c9a3829f18aa9

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\1600.tmp\rversionlib.dll
          Filesize

          310KB

          MD5

          16ae96fc0134c9163a404aca5c8115da

          SHA1

          a4818324c392a53166d42c879cdb70f0efea46af

          SHA256

          16e801ff476b93016930ec879181661dc7d098424d4e383935b186e5eb5c5c6d

          SHA512

          98eeb9307ad75459364cd67f341be46578d15907d657fc5c49d37a04e1fc71e6ed23d46865fca085b82027eeeebcb546861a43f6cbba537b63075224e9fb0c13

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
          Filesize

          264B

          MD5

          13430c0f8360456f801f9bc372e7624c

          SHA1

          8665531e12a3de10e21f3f450ecdbcc9f1b5f124

          SHA256

          bab6df9bb282727cd467627d63a05202808951fe9c205e2f8d0849e262d9fa67

          SHA512

          f6dc4e2f776b29a014de4eebc02fbc9de1eb9a96f52e799cd3660afa91ae66b60dcb0155a355a266dbe87097611bd8b624b4ff5b6308bf9bda1e189b0af627ce

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\foto.exe
          Filesize

          1.6MB

          MD5

          3566e183de87939f2d75c4c9ae208465

          SHA1

          44ac8d4a7206801522c80f7a6ee6c282a0359b0f

          SHA256

          4af6351a3440aa4ee3c5ad4d94fec406d0b8f9d11e06449562349ed4424c7678

          SHA512

          a49639505c5701d4f3599e0908dc55c4b6350c5ed3e2ab03af56aeae8c1623b373cadfc6ed6da4f2f062b9a7c9ab4207bcfa86e82cdf1646f2755cd4c297a007

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\stop.js
          Filesize

          212B

          MD5

          a3d0a0d32ce3c60f0b205d882435f8ac

          SHA1

          b28bad3ef81216f14fd7a262a3ebc2258fcc7d9d

          SHA256

          e7455abc7bdc2d705b007e9b0332e7c8d3793492f33324c7dd10b0a0513c2e3f

          SHA512

          ea53f374b3291ec6ede586250ba787567c37c5f44014d347ac02612071c69f51e8499f2b26e6a7e957f5ca1749495f5c7398f479dd0dbe9bd29e95fa15843af9

          Download Submit

        • memory/1160-153-0x0000000000400000-0x0000000000757000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/1160-154-0x0000000000230000-0x0000000000288000-memory.dmp

          Filesize

          352KB

          Download

        • memory/1708-10-0x00000000042E0000-0x0000000004967000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/2056-126-0x00000000002B0000-0x0000000000308000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2056-124-0x00000000002B0000-0x0000000000308000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2056-125-0x0000000000400000-0x00000000007C2000-memory.dmp

          Filesize

          3.8MB

          Download

        • memory/2256-183-0x0000000000400000-0x0000000000757000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2256-160-0x0000000000230000-0x0000000000288000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2256-159-0x0000000000400000-0x0000000000757000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2288-130-0x0000000000230000-0x0000000000288000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2288-144-0x0000000000230000-0x0000000000288000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2288-143-0x0000000000400000-0x00000000007C2000-memory.dmp

          Filesize

          3.8MB

          Download

        • memory/2312-142-0x00000000002C0000-0x0000000000318000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2312-158-0x00000000002C0000-0x0000000000318000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2312-176-0x00000000002C0000-0x0000000000318000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2312-157-0x0000000000400000-0x0000000000757000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2492-100-0x0000000000660000-0x0000000000662000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2548-156-0x0000000000230000-0x0000000000288000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2548-155-0x0000000000400000-0x00000000007C2000-memory.dmp

          Filesize

          3.8MB

          Download

        • memory/2548-161-0x0000000000400000-0x00000000007C2000-memory.dmp

          Filesize

          3.8MB

          Download

        • memory/2548-167-0x0000000000400000-0x00000000007C2000-memory.dmp

          Filesize

          3.8MB

          Download

        • memory/2548-197-0x0000000000400000-0x00000000007C2000-memory.dmp

          Filesize

          3.8MB

          Download

        • memory/2588-146-0x0000000000400000-0x0000000000A87000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/2588-11-0x0000000000400000-0x0000000000A87000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/2908-101-0x0000000000100000-0x0000000000102000-memory.dmp

          Filesize

          8KB

          Download