Overview

overview

10

Static

static

3

1980712458...18.exe

windows7-x64

10

1980712458...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-06-2024 08:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1980712458a4b2b97eba5f0cfdbca6ab_JaffaCakes118.exe

  • Size

    1.9MB

  • MD5

    1980712458a4b2b97eba5f0cfdbca6ab

  • SHA1

    8912771a25ba4e073b0b774a4d7420ef886089fe

  • SHA256

    b38dc61a16db2a727f5bce5610614bc986d2920cc170d565a040805373db9b66

  • SHA512

    c87a3fd4a94485a69906803ac5a7d264958e512e15b08fc5964cf42b3a0e4762135d71b0d093609baf977e3ba242143453a8e27d558143760cf97bb60a8530c7

  • SSDEEP

    49152:1AJYJOsBshId2l9SaxlK/HrY2oR2GveCQL+iRHy:GJYJrKh2vHrVoRDv+L+iRS

Score
10/10
rmsevasionexecutionrattrojanupx

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 13 IoCs
  • Drops file in Windows directory 2 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\1980712458a4b2b97eba5f0cfdbca6ab_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1980712458a4b2b97eba5f0cfdbca6ab_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\stop.js"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4172
      • C:\Users\Admin\AppData\Local\Temp\foto.exe
        "C:\Users\Admin\AppData\Local\Temp\foto.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4596
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\31ED.tmp\foto.bat" "
          4⤵
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:4468
          • C:\Windows\SysWOW64\sc.exe
            sc delete SharedAccess
            5⤵
            • Launches sc.exe
            PID:1792
          • C:\Windows\SysWOW64\attrib.exe
            attrib +h +s +r "C:\Windows\system32\rfusclient.exe"
            5⤵
            • Drops file in System32 directory
            • Views/modifies file attributes
            PID:1864
          • C:\Windows\SysWOW64\attrib.exe
            attrib +h +s +r "C:\Windows\system32\rutserv.exe"
            5⤵
            • Drops file in System32 directory
            • Views/modifies file attributes
            PID:548
          • C:\Windows\SysWOW64\regedit.exe
            regedit /s hak.reg
            5⤵
            • Runs .reg file with regedit
            PID:864
          • C:\Windows\SysWOW64\rutserv.exe
            "C:\Windows\system32\rutserv.exe" /server /silentinstall
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of AdjustPrivilegeToken
            PID:404
          • C:\Windows\SysWOW64\rutserv.exe
            "C:\Windows\system32\rutserv.exe" /server /start
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of AdjustPrivilegeToken
            PID:5048
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
      2⤵
        PID:1316
    • C:\Windows\SysWOW64\rutserv.exe
      C:\Windows\SysWOW64\rutserv.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:628
      • C:\Windows\SysWOW64\rfusclient.exe
        C:\Windows\SysWOW64\rfusclient.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3352
        • C:\Windows\SysWOW64\rfusclient.exe
          C:\Windows\SysWOW64\rfusclient.exe /tray
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:5080
      • C:\Windows\SysWOW64\rfusclient.exe
        C:\Windows\SysWOW64\rfusclient.exe /tray
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:3476

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\31ED.tmp\1.jpg
      Filesize

      16KB

      MD5

      42aeb1c40ec4668176a1a770cff134b6

      SHA1

      21064102b097093a73d1702f4f68b8c9c163948f

      SHA256

      a014e91ebd5b3e06a988cd06b7ca476a9023b2adf45d519a246a995e4a088f91

      SHA512

      c409964163fcf5064da9b6f3932c99ddc10e9d3268ae61194be6f5ec6d28bf101fa38b9788d1a9a827572065986e664d17adaf8828bf034706d4d55203d0c006

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\31ED.tmp\HookDrv.dll
      Filesize

      144KB

      MD5

      513066a38057079e232f5f99baef2b94

      SHA1

      a6da9e87415b8918447ec361ba98703d12b4ee76

      SHA256

      02dbea75e8dbcdfc12c6b92a6c08efad83d4ca742ed7aee393ab26cab0c58f9e

      SHA512

      83a074bef57f78ede2488dd586b963b92837e17eea77ebd1464f3da06954ae8ca07f040089af0c257e2836611ae39424574bd365aea4a6318a2707e031cd31a5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\31ED.tmp\foto.bat
      Filesize

      608B

      MD5

      cf22baa288ca6610573d870d7f68889d

      SHA1

      8b438dc561765c884e8fb6fffdc81e861fd54b40

      SHA256

      733b92c89a2f9b74d2d8b738faeb472bcbfc1668c48be4d1c35c9d54ffc55d58

      SHA512

      be9ee8f097c9d43dd5b74971171a12e1ba1a529bb7fe380c9d48d2840c34591839ad7966ddce4ef7e22ef28b270acdb7854dc2861878ac7e29d7d013901cc7d8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\31ED.tmp\hak.reg
      Filesize

      14KB

      MD5

      d6e314a2bd764424fc9eadb6287626c9

      SHA1

      0e4f5b516026149add33a466257cb8925b6aa857

      SHA256

      6f4845a5e709853cc2f5a5821d44ca6f74919026e7f3f41178b19daf0bdb780a

      SHA512

      ba79f21733439d14f41a9fc78ff02be4452c2b3cd217267135b055ea3b98068e4cc47cebd74fb7a5713ce91a247546fecb864ce2585b405a1f9422dc009c49be

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\31ED.tmp\rfusclient.exe
      Filesize

      2.8MB

      MD5

      f449d06b49e258b04bba5eaeab748aa2

      SHA1

      6de5e6fba23c681c949240f5435fba33e3034d27

      SHA256

      c18c2bbafdab4e5974ede842bd4bd854deff9135356681ff84ba2f1c047e7c7a

      SHA512

      b6441ae86e4f65e9d85a75312cc27e0bcc2992c89691be239e787ca28e69409a074e6ae0d1d45f518743fa60c664b85d120786dd57b6faf25bad6cb0b1a90e48

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\31ED.tmp\rutserv.exe
      Filesize

      3.2MB

      MD5

      11fe69e28c7fc7e975b6485520174de8

      SHA1

      b2e6f974adcec6b18e54e27f83805d8ce3560dea

      SHA256

      2d3c994449f1b13d55e22bbbae4bf36269f21a726c681271ecffc9fcab8f0425

      SHA512

      25a05981afc787d48bd78a2e6a5df28040bb485fc18cccde68c9337597cabff5c70258bba7cbed802075800c9918664cadae775346887544ca7c9a3829f18aa9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\31ED.tmp\rversionlib.dll
      Filesize

      310KB

      MD5

      16ae96fc0134c9163a404aca5c8115da

      SHA1

      a4818324c392a53166d42c879cdb70f0efea46af

      SHA256

      16e801ff476b93016930ec879181661dc7d098424d4e383935b186e5eb5c5c6d

      SHA512

      98eeb9307ad75459364cd67f341be46578d15907d657fc5c49d37a04e1fc71e6ed23d46865fca085b82027eeeebcb546861a43f6cbba537b63075224e9fb0c13

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
      Filesize

      264B

      MD5

      13430c0f8360456f801f9bc372e7624c

      SHA1

      8665531e12a3de10e21f3f450ecdbcc9f1b5f124

      SHA256

      bab6df9bb282727cd467627d63a05202808951fe9c205e2f8d0849e262d9fa67

      SHA512

      f6dc4e2f776b29a014de4eebc02fbc9de1eb9a96f52e799cd3660afa91ae66b60dcb0155a355a266dbe87097611bd8b624b4ff5b6308bf9bda1e189b0af627ce

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\foto.exe
      Filesize

      1.6MB

      MD5

      3566e183de87939f2d75c4c9ae208465

      SHA1

      44ac8d4a7206801522c80f7a6ee6c282a0359b0f

      SHA256

      4af6351a3440aa4ee3c5ad4d94fec406d0b8f9d11e06449562349ed4424c7678

      SHA512

      a49639505c5701d4f3599e0908dc55c4b6350c5ed3e2ab03af56aeae8c1623b373cadfc6ed6da4f2f062b9a7c9ab4207bcfa86e82cdf1646f2755cd4c297a007

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\stop.js
      Filesize

      212B

      MD5

      a3d0a0d32ce3c60f0b205d882435f8ac

      SHA1

      b28bad3ef81216f14fd7a262a3ebc2258fcc7d9d

      SHA256

      e7455abc7bdc2d705b007e9b0332e7c8d3793492f33324c7dd10b0a0513c2e3f

      SHA512

      ea53f374b3291ec6ede586250ba787567c37c5f44014d347ac02612071c69f51e8499f2b26e6a7e957f5ca1749495f5c7398f479dd0dbe9bd29e95fa15843af9

      Download Submit

    • memory/404-54-0x0000000000D80000-0x0000000000DD8000-memory.dmp

      Filesize

      352KB

      Download

    • memory/404-52-0x0000000000D80000-0x0000000000DD8000-memory.dmp

      Filesize

      352KB

      Download

    • memory/404-53-0x0000000000400000-0x00000000007C2000-memory.dmp

      Filesize

      3.8MB

      Download

    • memory/628-131-0x0000000000400000-0x00000000007C2000-memory.dmp

      Filesize

      3.8MB

      Download

    • memory/628-108-0x0000000000950000-0x00000000009A8000-memory.dmp

      Filesize

      352KB

      Download

    • memory/628-62-0x0000000000950000-0x00000000009A8000-memory.dmp

      Filesize

      352KB

      Download

    • memory/628-95-0x0000000000400000-0x00000000007C2000-memory.dmp

      Filesize

      3.8MB

      Download

    • memory/628-89-0x0000000000400000-0x00000000007C2000-memory.dmp

      Filesize

      3.8MB

      Download

    • memory/628-83-0x0000000000400000-0x00000000007C2000-memory.dmp

      Filesize

      3.8MB

      Download

    • memory/628-84-0x0000000000950000-0x00000000009A8000-memory.dmp

      Filesize

      352KB

      Download

    • memory/3352-85-0x0000000000400000-0x0000000000757000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3352-86-0x0000000000BE0000-0x0000000000C38000-memory.dmp

      Filesize

      352KB

      Download

    • memory/3476-87-0x0000000000400000-0x0000000000757000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3476-88-0x0000000000BE0000-0x0000000000C38000-memory.dmp

      Filesize

      352KB

      Download

    • memory/3476-69-0x0000000000BE0000-0x0000000000C38000-memory.dmp

      Filesize

      352KB

      Download

    • memory/3476-93-0x0000000000400000-0x0000000000757000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4596-74-0x0000000000400000-0x0000000000A87000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/4596-9-0x0000000000400000-0x0000000000A87000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/5048-70-0x0000000000400000-0x00000000007C2000-memory.dmp

      Filesize

      3.8MB

      Download

    • memory/5048-71-0x0000000000C50000-0x0000000000CA8000-memory.dmp

      Filesize

      352KB

      Download

    • memory/5048-58-0x0000000000C50000-0x0000000000CA8000-memory.dmp

      Filesize

      352KB

      Download

    • memory/5080-81-0x0000000000400000-0x0000000000757000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/5080-82-0x0000000000BF0000-0x0000000000C48000-memory.dmp

      Filesize

      352KB

      Download

    • memory/5080-80-0x0000000000BF0000-0x0000000000C48000-memory.dmp

      Filesize

      352KB

      Download