Overview

overview

10

Static

static

7

6937dfddb0...18.exe

windows7-x64

10

6937dfddb0...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-07-2024 22:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6937dfddb0cd7f3e2726bca7d92d9ba8_JaffaCakes118.exe

  • Size

    2.4MB

  • MD5

    6937dfddb0cd7f3e2726bca7d92d9ba8

  • SHA1

    fa3b2f995c9f4bfa33d43d954e64fa494d163ca8

  • SHA256

    8cac57fe99b554f1333421d66088f330715ba06900613d40fb0cfdf180afcfe2

  • SHA512

    501f48a355faafb9c5898b46b2b70d0a5f250593c63a2e29f0626894cdee5c67740048e9ca9f7801d8900132bcba44b9ac1b1c483536f3651685838449b98ad0

  • SSDEEP

    49152:Is1stZLse/u2xCWiduW1U61GtF4x9S+cV4ubH86JW:Pise/umJhWaHGx9AVlrW

Score
10/10
rmsdiscoverypersistencerattrojanupx

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 14 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 31 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs .reg file with regedit 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6937dfddb0cd7f3e2726bca7d92d9ba8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6937dfddb0cd7f3e2726bca7d92d9ba8_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2196
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A27A.tmp\hlserverprivate 1.18.bat" "
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1768
      • C:\Windows\SysWOW64\reg.exe
        reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:968
      • C:\Windows\SysWOW64\rutserv.exe
        "C:\Windows\System32\rutserv.exe" /silentinstall
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:656
      • C:\Windows\SysWOW64\rutserv.exe
        "C:\Windows\System32\rutserv.exe" /firewall
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:1108
      • C:\Windows\SysWOW64\regedit.exe
        regedit /s "settings.reg"
        3⤵
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:2856
      • C:\Windows\SysWOW64\regedit.exe
        regedit /s "Autorun.reg"
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:4868
      • C:\Windows\SysWOW64\rutserv.exe
        "C:\Windows\System32\rutserv.exe" /start
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2700
  • C:\Windows\SysWOW64\rutserv.exe
    C:\Windows\SysWOW64\rutserv.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4312
    • C:\Windows\SysWOW64\rfusclient.exe
      C:\Windows\SysWOW64\rfusclient.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1400
      • C:\Windows\SysWOW64\rfusclient.exe
        C:\Windows\SysWOW64\rfusclient.exe /tray
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:4416
    • C:\Windows\SysWOW64\rfusclient.exe
      C:\Windows\SysWOW64\rfusclient.exe /tray
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:4772

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\A27A.tmp\Autorun.reg
    Filesize

    338B

    MD5

    838adedefbfc54ea749dbb3cbf889e04

    SHA1

    3ab9a263996437a5c9b9a62fa7562c34ee9d730b

    SHA256

    996b4bed9fefd6a4310292f294d54879dbf9e523f143f94837503710ba7fb542

    SHA512

    71b5ed6a702628b6b70aca5c7932882922c5630c2a8aa58a1a7896517281efb8b39a997f3bbb6b8e7c2d9bd9a3826538568c07ab1ed2d6ccbde5e00c3db2790a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\A27A.tmp\Microsoft.VC80.CRT.manifest
    Filesize

    1KB

    MD5

    d34b3da03c59f38a510eaa8ccc151ec7

    SHA1

    41b978588a9902f5e14b2b693973cb210ed900b2

    SHA256

    a50941352cb9d8f7ba6fbf7db5c8af95fb5ab76fc5d60cfd0984e558678908cc

    SHA512

    231a97761d652a0fc133b930abba07d456ba6cd70703a632fd7292f6ee00e50ef28562159e54acc3fc6cc118f766ea3f2f8392579ae31cc9c0c1c0dd761d36f7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\A27A.tmp\PushSource.ax
    Filesize

    448KB

    MD5

    d7eb741be9c97a6d1063102f0e4ca44d

    SHA1

    bf8bdca7f56ed39fb96141ae9593dec497f4e2c8

    SHA256

    0914ab04bfd258008fec4605c3fa0e23c0d5111b9cfc374cfa4eaa1b4208dff7

    SHA512

    cbcaedf5aca641313ba2708e4be3ea0d18dd63e4543f2c2fdcbd31964a2c01ff42724ec666da24bf7bf7b8faaa5eceae761edf82c71919753d42695c9588e65e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\A27A.tmp\RIPCServer.dll
    Filesize

    96KB

    MD5

    329354f10504d225384e19c8c1c575db

    SHA1

    9ef0b6256f3c5bbeb444cb00ee4b278847e8aa66

    SHA256

    24735b40df2cdac4da4e3201fc597eed5566c5c662aa312fa491b7a24e244844

    SHA512

    876585dd23f799f1b7cef365d3030213338b3c88bc2b20174e7c109248319bb5a3feaef43c0b962f459b2f4d90ff252c4704d6f1a0908b087e24b4f03eba9c0e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\A27A.tmp\RWLN.dll
    Filesize

    325KB

    MD5

    cf6ce6b13673dd11f0cd4b597ac56edb

    SHA1

    2017888be6edbea723b9b888ac548db5115df09e

    SHA256

    7bda291b7f50049088ea418b5695929b9be11cc014f6ec0f43f495285d1d6f74

    SHA512

    e5b69b4ee2ff8d9682913a2f846dc2eca8223d3100d626aea9763653fe7b8b35b8e6dc918f4c32e8ae2fc1761611dcd0b16d623ede954f173db33216b33f49dc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\A27A.tmp\dsfOggMux.dll
    Filesize

    84KB

    MD5

    65889701199e41ae2abee652a232af6e

    SHA1

    3f76c39fde130b550013a4f13bfea2862b5628cf

    SHA256

    ef12a65d861a14aed28480946bc56fce479a21e9beac2983239eac6551d4f32e

    SHA512

    edbb1a1541a546d69e3fd64047a20613b47b3c08f2b639a53160b825c4a1462c4cc08a7bf417aa2db814f412fb16619c6c0d9364e21cc1c6d753ecf81f1d30f5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\A27A.tmp\dsfTheoraEncoder.dll
    Filesize

    240KB

    MD5

    5f2fc8a0d96a1e796a4daae9465f5dd6

    SHA1

    224f13f3cbaa441c0cb6d6300715fda7136408ea

    SHA256

    f8686d8752801bb21c3d94ebe743758d79b9b59f33589ec8620e75a949d1871f

    SHA512

    da866275159b434205f259176c3937b7c77b14ed95d052152b05b984909e094bbd3b2702d3e874a4a1e1bc02fc5a8476ea43df8aee43542d56e832eacc8f54ad

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\A27A.tmp\dsfVorbisEncoder.dll
    Filesize

    1.6MB

    MD5

    086a9fd9179aad7911561eeff08cf7e2

    SHA1

    d390c28376e08769a06a4a8b46609b3a668f728b

    SHA256

    2cede6701b73a4ddd6422fde157ea54644a3a9598b3ba217cf2b30b595cf6282

    SHA512

    a98f593a306208da49e57e265daf37d6b1bd9f190fba45d65dd6cfa08801b760f540ea5cc443f9a1512eb5ddc01b1e4e28fc8ddecb9c0f1d42c884c4efaa7193

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\A27A.tmp\hlserverprivate 1.18.bat
    Filesize

    1KB

    MD5

    9a60ac0196c550cd3a71dc19a76e600b

    SHA1

    9392c592ee4347835f9462b840ea136c6ec8d064

    SHA256

    a43cf033756280dd6ea92c797b1ba02ee419684b9524ae8aab98806af921a7d5

    SHA512

    2864604e359f7c00cf6fb518ea0249778b1db5f95a9e8142e64d6b872773c04046fa0c6a6b4cfe0c701ea0ff828bd5854a4991977725005857d3ccbbb903be29

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\A27A.tmp\msvcp80.dll
    Filesize

    541KB

    MD5

    8c53ccd787c381cd535d8dcca12584d8

    SHA1

    bc7ce60270a58450596aa3e3e5d0a99f731333d9

    SHA256

    384aaee2a103f7ed5c3ba59d4fb2ba22313aaa1fbc5d232c29dbc14d38e0b528

    SHA512

    e86c1426f1ad62d8f9bb1196dee647477f71b9aacafabb181f35e639c105779f95f1576b72c0a9216e876430383b8d44f27748b13c25e0548c254a0f641e4755

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\A27A.tmp\msvcr80.dll
    Filesize

    617KB

    MD5

    1169436ee42f860c7db37a4692b38f0e

    SHA1

    4ccd15bf2c1b1d541ac883b0f42497e8ced6a5a3

    SHA256

    9382aaed2db19cd75a70e38964f06c63f19f63c9dfb5a33b0c2d445bb41b6e46

    SHA512

    e06064eb95a2ab9c3343672072f5b3f5983fc8ea9e5c92f79e50ba2e259d6d5fa8ed97170dea6d0d032ea6c01e074eefaab850d28965c7522fb7e03d9c65eae0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\A27A.tmp\rfusclient.exe
    Filesize

    2.8MB

    MD5

    a90c6e72a9e2602560c521a1647664ad

    SHA1

    22f7f0ddb0af04df7109c3ddbb7027909041fa73

    SHA256

    579e5984ad5eb6e5e4b004acd01c95f609a1330f3900cd9851562eb4ac879197

    SHA512

    fbba623cab28c0648e8bdd03c99df9e2a84180d72ea8e63367e943f8b432ebc36a7e10a8bfce11ad1803e54a8514f1ded4fec72e680ee04386965b5eb6a5d6c2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\A27A.tmp\rutserv.exe
    Filesize

    3.2MB

    MD5

    62dbd11dc36780e35af1aafaa6a8f0f1

    SHA1

    dc6aaac7171b351be3397c3e0e1769dffa848723

    SHA256

    b06604ee55206b081a8378f771f3501f48df1c0023b1d6edcbc5f781aa521f57

    SHA512

    b7f311286387ab39a0a54ac3dbcb74d9db3de4e2657dd6f0e182e38e9ed5400e87f1000c7b978fd4bb34fc373dd99bcb18271296f03248366a9cb52afdaa695d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\A27A.tmp\rversionlib.dll
    Filesize

    310KB

    MD5

    3f95a06f40eaf51b86cef2bf036ebd7a

    SHA1

    64009c5f79661eb2f82c9a76a843c0d3a856695d

    SHA256

    1eb88258b18b215b44620326e35c90a8589f384710e7b2d61abf4f59203bd82d

    SHA512

    6f28b5de28026319bed198f06b5461f688ca401129f1125e9e9d3b58956cc0d546234c2d202827bd74b99afd2ead958a863a520a1f4b7e599d385a8a67062897

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\A27A.tmp\settings.reg
    Filesize

    13KB

    MD5

    0da3aa4d1553b15e27dbdf10325941b9

    SHA1

    77aab2051761d039ed0a42e429209aa28645c84c

    SHA256

    3c0ebce65c5003f7c0d5f25a5f6c2377462ee6f5170b862e943e5dcfded3dfc5

    SHA512

    d55f1bec1c0652a136a6d7e652f900117336efca9089f7becaf0883e66c753940f33eba7f9f48abde3ea9cea7cf8ddc1aa4bd406b834f81eda7132224599b32a

    Download Submit

  • memory/656-80-0x0000000000DB0000-0x0000000000E08000-memory.dmp

    Filesize

    352KB

    Download

  • memory/656-77-0x0000000000DB0000-0x0000000000E08000-memory.dmp

    Filesize

    352KB

    Download

  • memory/656-79-0x0000000000400000-0x00000000007C6000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1108-85-0x0000000000400000-0x00000000007C6000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1108-86-0x0000000000B70000-0x0000000000BC8000-memory.dmp

    Filesize

    352KB

    Download

  • memory/1108-84-0x0000000000B70000-0x0000000000BC8000-memory.dmp

    Filesize

    352KB

    Download

  • memory/1400-130-0x0000000000400000-0x000000000075E000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/1400-131-0x0000000000BC0000-0x0000000000C18000-memory.dmp

    Filesize

    352KB

    Download

  • memory/1400-113-0x0000000000BC0000-0x0000000000C18000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2196-0-0x0000000000400000-0x0000000000EC1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2196-118-0x0000000000400000-0x0000000000EC1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2700-92-0x00000000008E0000-0x0000000000938000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2700-110-0x00000000008E0000-0x0000000000938000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2700-108-0x0000000000400000-0x00000000007C6000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/4312-96-0x0000000000B40000-0x0000000000B98000-memory.dmp

    Filesize

    352KB

    Download

  • memory/4312-134-0x0000000000400000-0x00000000007C6000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/4312-129-0x0000000000B40000-0x0000000000B98000-memory.dmp

    Filesize

    352KB

    Download

  • memory/4312-128-0x0000000000400000-0x00000000007C6000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/4312-140-0x0000000000400000-0x00000000007C6000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/4312-135-0x0000000000B40000-0x0000000000B98000-memory.dmp

    Filesize

    352KB

    Download

  • memory/4416-125-0x0000000000C00000-0x0000000000C58000-memory.dmp

    Filesize

    352KB

    Download

  • memory/4416-126-0x0000000000400000-0x000000000075E000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/4416-127-0x0000000000C00000-0x0000000000C58000-memory.dmp

    Filesize

    352KB

    Download

  • memory/4772-132-0x0000000000400000-0x000000000075E000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/4772-133-0x0000000000BC0000-0x0000000000C18000-memory.dmp

    Filesize

    352KB

    Download

  • memory/4772-138-0x0000000000400000-0x000000000075E000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/4772-174-0x0000000000400000-0x000000000075E000-memory.dmp

    Filesize

    3.4MB

    Download