rms

Sharing

Copy URL

Twitter E-mail

General

Target

a9f05c13d758f4f34386042d85847bab_JaffaCakes118
Size

4.7MB
Sample

240819-g624hayemd
MD5

a9f05c13d758f4f34386042d85847bab
SHA1

d2af2b04fee943433395cd307ac6f9f405505071
SHA256

5312214b15330113f6eab71565e1e3c7d1ee3b59daa6703c271aaf3b192e6809
SHA512

1fb0a82895f95120a7648ff695af32249c38397a4444f8f32b8d3b347b6c40a2d01006a3dfb37f9f54132379150d8b3055ce38a0412a571e1d05b2467e4676b1
SSDEEP

98304:6I3IDNhT/Shhfm7D0PzBnC9W7oe2UfCqEdEwZnDbje8BziWU:6saOhFTD7oeJfnqPnDbjL2

Score

10^/10

Malware Config

Targets

- Target
  
  a9f05c13d758f4f34386042d85847bab_JaffaCakes118
- Size
  
  4.7MB
- MD5
  
  a9f05c13d758f4f34386042d85847bab
- SHA1
  
  d2af2b04fee943433395cd307ac6f9f405505071
- SHA256
  
  5312214b15330113f6eab71565e1e3c7d1ee3b59daa6703c271aaf3b192e6809
- SHA512
  
  1fb0a82895f95120a7648ff695af32249c38397a4444f8f32b8d3b347b6c40a2d01006a3dfb37f9f54132379150d8b3055ce38a0412a571e1d05b2467e4676b1
- SSDEEP
  
  98304:6I3IDNhT/Shhfm7D0PzBnC9W7oe2UfCqEdEwZnDbje8BziWU:6saOhFTD7oeJfnqPnDbjL2
Score

10^/10

rms defense_evasion discovery evasion lateral_movement persistence privilege_escalation rat trojan
- RMS
  Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
  trojan rat rms
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Remote Service Session Hijacking: RDP Hijacking
  Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
  lateral_movement
- Modifies Windows Firewall
  evasion
- Server Software Component: Terminal Services DLL
  persistence
- Allows Network login with blank passwords
  Allows local user accounts with blank passwords to access device from the network.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies WinLogon
  persistence
- Drops file in System32 directory
- Hide Artifacts: Hidden Users
  defense_evasion
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/NSISList.dll
- Size
  
  105KB
- MD5
  
  4b0617493f32b2b5fe5e838eeb885819
- SHA1
  
  336e84380420a9caaa9c12af7c8e530135e63c57
- SHA256
  
  df3621f83e9d11be45e0e617b899c4ab0241f60ed56494e892dc449482058402
- SHA512
  
  5c50cf97cd9a6c699ec7928a08f77f4eaa68105e87a974432e39b637f926f0df8a95ec19bd63465fc438a4ef6349398938bc8d7651de125d13ccab89d1d49143
- SSDEEP
  
  3072:NIgAGTHvtyzvUnB26s2oZtX0Uzi/t6zhy9:ygAuvtRno30V/t6z
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  8cf2ac271d7679b1d68eefc1ae0c5618
- SHA1
  
  7cc1caaa747ee16dc894a600a4256f64fa65a9b8
- SHA256
  
  6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
- SHA512
  
  ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3
- SSDEEP
  
  192:BenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XB9IwL:B8+Qlt70Fj/lQRY/9VjjlL
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  $PLUGINSDIR/nsExec.dll
- Size
  
  7KB
- MD5
  
  f27689c513e7d12c7c974d5f8ef710d6
- SHA1
  
  e305f2a2898d765a64c82c449dfb528665b4a892
- SHA256
  
  1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47
- SHA512
  
  734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc
- SSDEEP
  
  96:JpmkmwmHDPVhklfSoRPB+YSvWvZckH69MSz00vQFHhAVvSGYuHnUNy2DCP:J+PVhYfSokvW2CsQFBAVaGdHnUNR
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  $PLUGINSDIR/nsProcess.dll
- Size
  
  4KB
- MD5
  
  f0438a894f3a7e01a4aae8d1b5dd0289
- SHA1
  
  b058e3fcfb7b550041da16bf10d8837024c38bf6
- SHA256
  
  30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
- SHA512
  
  f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7
- SSDEEP
  
  48:Sz4joMeH+Iwdf8Rom/L+rOnnk5/OCnXeAdbdOAa4GPI+CJ87eILzlq7gthwIsEQW:64c/eFdfS/SSnkxNa4G+ueqPuCtGsj
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  $PLUGINSDIR/registry.dll
- Size
  
  24KB
- MD5
  
  2b7007ed0262ca02ef69d8990815cbeb
- SHA1
  
  2eabe4f755213666dbbbde024a5235ddde02b47f
- SHA256
  
  0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d
- SHA512
  
  aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca
- SSDEEP
  
  384:W2mvyNjH3rPnAZ4wu2QbnC7qB7PnrvScaeYA4CIDEge/QqL2AQ:/75w/OfrzB4CUxuQfA
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  $TEMP/RDP_5166.exe
- Size
  
  569KB
- MD5
  
  a46ab91afbba2a657bce8e961bf2632f
- SHA1
  
  7c1a484a381fc4915c6904358f7a3611ad9323d2
- SHA256
  
  740b1c1498915271214824fa1c5f1a373efdcf13adee853f70d582cec353a1a1
- SHA512
  
  a1a519c05dea2ab7db4dcea2945c6afb5292d1701404b0de7c530df13ffe81db986fd9c7d703225178f9df4468c17c9db0a78029ae87112e35c51490576a17c4
- SSDEEP
  
  12288:8W7IR23s4x7/6GDG9e9WJX08vV0CjUsZl4VXqnxq:h7J5D6GDGc9WJk8d0wLIaq
Score

9^/10

defense_evasion discovery evasion lateral_movement persistence privilege_escalation
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Remote Service Session Hijacking: RDP Hijacking
  Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
  lateral_movement
- Modifies Windows Firewall
  evasion
- Server Software Component: Terminal Services DLL
  persistence
- Allows Network login with blank passwords
  Allows local user accounts with blank passwords to access device from the network.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies WinLogon
  persistence
- Drops file in System32 directory
- Hide Artifacts: Hidden Users
  defense_evasion
behavioral13 behavioral14
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  0063d48afe5a0cdc02833145667b6641
- SHA1
  
  e7eb614805d183ecb1127c62decb1a6be1b4f7a8
- SHA256
  
  ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
- SHA512
  
  71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0
- SSDEEP
  
  192:qPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4U:F7VpNo8gmOyRsVc4
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  $PLUGINSDIR/nsExec.dll
- Size
  
  6KB
- MD5
  
  293165db1e46070410b4209519e67494
- SHA1
  
  777b96a4f74b6c34d43a4e7c7e656757d1c97f01
- SHA256
  
  49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a
- SHA512
  
  97012139f2da5868fe8731c0b0bcb3cfda29ed10c2e6e2336b504480c9cd9fb8f4728cca23f1e0bd577d75daa542e59f94d1d341f4e8aaeebc7134bf61288c19
- SSDEEP
  
  96:4BNbUVOFvfcxEAxxxJzxLp+eELeoMEskzYzeHd0+uoyVeNSsX4:EUVOFvf9ABJFHE+FkEad0PLVeN
Score

3^/10

discovery
behavioral17 behavioral18
- Target
  
  $TEMP/SETUP_73538.exe
- Size
  
  1.5MB
- MD5
  
  9adce164113ec09d243a78029aecfa2e
- SHA1
  
  403fb3148345800ca6f0374459e3f6d5ef3b613e
- SHA256
  
  d577804cf39a7af100747f2dcc00c525a19fa3cb0498885d020cc2a0f10a9436
- SHA512
  
  c938ccc8b89181e2d5113f31e4adc532b0c62793ba3549dbc7ece22a30219d4f0885e89b1ac01499bed5ea1dd653cbee3b61bdb0883d9980ea4c518ac70b01f5
- SSDEEP
  
  24576:4PKxoVT2iXc+8ZJX+6WiaTAsN/3ebTvK+63CWH8iA/iD2hgPjcC8SVdKQ8BB7d:BrZJupdqYH8ia6GcKh7
Score

3^/10

discovery
behavioral19 behavioral20
- Target
  
  $_1_/abashed.exe
- Size
  
  12.3MB
- MD5
  
  ceead38e6521ea6bcf26c3cf266baec7
- SHA1
  
  d7523a46243b459deb53663e5bfa5a85cb760ff0
- SHA256
  
  8c62370f1ff4d32794b8b554ae75a3c3b457561542ed9795c1819bbb6746599b
- SHA512
  
  0691bcf9b29fb996ab02c8a184900d8b10c1475519dbc66d331dd2ea0fcd6a82957e129b7edc440a23145f24cf4fa0eb433388477939e58f7186527febccf0ab
- SSDEEP
  
  98304:J6OwlI2RKvm132+y6gH70DNGyTu9+62rkYePy45pZGXVb+3ZYOx5EOAt3:n6fRKvm13Tyf0DNwXpZGV+Jvx51I3
Score

10^/10

rms discovery rat trojan
- RMS
  Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
  trojan rat rms
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral21 behavioral22
- Target
  
  $_1_/libeay32.dll
- Size
  
  1.3MB
- MD5
  
  4cb2e1b9294ddae1bf7dcaaf42b365d1
- SHA1
  
  a225f53a8403d9b73d77bcbb075194520cce5a14
- SHA256
  
  a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884
- SHA512
  
  46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb
- SSDEEP
  
  24576:VD8B+KpPexB6mqwktXUcAVEaFQXhL0porIqo+Frzba:WKkmlktXUcAVEDhQporIqo+Frzba
Score

3^/10

discovery
behavioral23 behavioral24
- Target
  
  $_1_/ssleay32.dll
- Size
  
  337KB
- MD5
  
  5c268ca919854fc22d85f916d102ee7f
- SHA1
  
  0957cf86e0334673eb45945985b5c033b412be0e
- SHA256
  
  1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56
- SHA512
  
  76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310
- SSDEEP
  
  6144:8EXfWSXFKIsrpivdM+kPsmWak8dfthPDP0wrE90k7DUT/NaDB7JlwScihgbX5/GU:8EXfWSVKIsrpivdM+msmWak8dfnPDPPz
Score

3^/10

discovery
behavioral25 behavioral26