rms | 5312214b15330113f6eab71565e1e3c7d1ee3b59daa6703c271aaf3b192e6809

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2024 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
Size

4.7MB
MD5

a9f05c13d758f4f34386042d85847bab
SHA1

d2af2b04fee943433395cd307ac6f9f405505071
SHA256

5312214b15330113f6eab71565e1e3c7d1ee3b59daa6703c271aaf3b192e6809
SHA512

1fb0a82895f95120a7648ff695af32249c38397a4444f8f32b8d3b347b6c40a2d01006a3dfb37f9f54132379150d8b3055ce38a0412a571e1d05b2467e4676b1
SSDEEP

98304:6I3IDNhT/Shhfm7D0PzBnC9W7oe2UfCqEdEwZnDbje8BziWU:6saOhFTD7oeJfnqPnDbjL2

Score

10^/10

rms defense_evasion discovery evasion lateral_movement persistence privilege_escalation rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Remote Service Session Hijacking: RDP Hijacking 1 TTPs 3 IoCs
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
lateral_movement

RDP Hijacking
T1563.002

Processes:

cmd.exenet.exenet1.exe

pid process

5356 cmd.exe
5284 net.exe
5252 net1.exe
Modifies Windows Firewall 2 TTPs 3 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exe

pid process

5500 netsh.exe
5924 netsh.exe
5708 netsh.exe

pid	process
5356	cmd.exe
5284	net.exe
5252	net1.exe

pid	process
5500	netsh.exe
5924	netsh.exe
5708	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

Processes:

SETUP_73538.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\Icosahedron\\disavow.dll"	SETUP_73538.exe

Allows Network login with blank passwords 1 TTPs 1 IoCs
Allows local user accounts with blank passwords to access device from the network.

Remote Desktop Protocol
T1021.001

Processes:

RDP_5166.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\LimitBlankPasswordUse = "0" RDP_5166.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\LimitBlankPasswordUse = "0"	RDP_5166.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exeabashed.exeabashed.exeRDP_5166.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	abashed.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	abashed.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	RDP_5166.exe

Executes dropped EXE 5 IoCs

Processes:

abashed.exeabashed.exeabashed.exeRDP_5166.exeSETUP_73538.exe

pid process

4632 abashed.exe
3124 abashed.exe
2696 abashed.exe
4844 RDP_5166.exe
5140 SETUP_73538.exe

Loads dropped DLL 64 IoCs

Processes:

a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exeabashed.exe

pid	process
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
4632	abashed.exe
4632	abashed.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe

Modifies WinLogon 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

SETUP_73538.exeRDP_5166.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	SETUP_73538.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	RDP_5166.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	RDP_5166.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\wgautilacc = "0"	RDP_5166.exe

Drops file in System32 directory 1 IoCs

Processes:

SETUP_73538.exe

description ioc process

File created C:\Windows\System32\rfxvmt.dll SETUP_73538.exe

description	ioc	process
File created	C:\Windows\System32\rfxvmt.dll	SETUP_73538.exe

Hide Artifacts: Hidden Users 1 TTPs 1 IoCs

defense_evasion

Hidden Users

T1564.002

Processes:

RDP_5166.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\wgautilacc = "0"	RDP_5166.exe

Drops file in Program Files directory 5 IoCs

Processes:

a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exeSETUP_73538.exe

description	ioc	process
File created	C:\Program Files\Defragmentation\abashed.exe	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
File created	C:\Program Files\Defragmentation\ssleay32.dll	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
File created	C:\Program Files\Defragmentation\libeay32.dll	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
File created	C:\Program Files\Icosahedron\disavow.ini	SETUP_73538.exe
File created	C:\Program Files\Icosahedron\disavow.dll	SETUP_73538.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

abashed.exeabashed.exenetsh.execmd.exenet1.exeRDP_5166.exeSETUP_73538.execmd.exenetsh.execmd.execmd.exenet.exea9f05c13d758f4f34386042d85847bab_JaffaCakes118.exeschtasks.exeschtasks.exeschtasks.exenet.exenet1.execmd.exeabashed.exenet.exenet1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abashed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abashed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDP_5166.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SETUP_73538.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abashed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RDP_5166.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\RDP_5166.exe	nsis_installer_2

Runs net.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

4488 schtasks.exe

pid	process
4488	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe

pid	process
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

656

pid	process
656

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

abashed.exeabashed.exeSETUP_73538.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	4632	abashed.exe
Token: SeTakeOwnershipPrivilege	3124	abashed.exe
Token: SeTcbPrivilege	3124	abashed.exe
Token: SeTcbPrivilege	3124	abashed.exe
Token: SeDebugPrivilege	5140	SETUP_73538.exe
Token: SeAuditPrivilege	5668	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

abashed.exeabashed.exeabashed.exe

pid	process
4632	abashed.exe
4632	abashed.exe
4632	abashed.exe
4632	abashed.exe
3124	abashed.exe
3124	abashed.exe
3124	abashed.exe
3124	abashed.exe
2696	abashed.exe
2696	abashed.exe
2696	abashed.exe
2696	abashed.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

a9f05c13d758f4f34386042d85847bab_JaffaCakes118.execmd.exeRDP_5166.execmd.execmd.execmd.exenet.execmd.exenet.exenet.exeSETUP_73538.exe

description	pid	process	target process
PID 2880 wrote to memory of 4632	2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe	abashed.exe
PID 2880 wrote to memory of 4632	2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe	abashed.exe
PID 2880 wrote to memory of 4632	2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe	abashed.exe
PID 2880 wrote to memory of 1880	2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe	cmd.exe
PID 2880 wrote to memory of 1880	2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe	cmd.exe
PID 2880 wrote to memory of 1880	2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe	cmd.exe
PID 1880 wrote to memory of 4488	1880	cmd.exe	schtasks.exe
PID 1880 wrote to memory of 4488	1880	cmd.exe	schtasks.exe
PID 1880 wrote to memory of 4488	1880	cmd.exe	schtasks.exe
PID 1880 wrote to memory of 652	1880	cmd.exe	schtasks.exe
PID 1880 wrote to memory of 652	1880	cmd.exe	schtasks.exe
PID 1880 wrote to memory of 652	1880	cmd.exe	schtasks.exe
PID 1880 wrote to memory of 3136	1880	cmd.exe	schtasks.exe
PID 1880 wrote to memory of 3136	1880	cmd.exe	schtasks.exe
PID 1880 wrote to memory of 3136	1880	cmd.exe	schtasks.exe
PID 2880 wrote to memory of 4844	2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe	RDP_5166.exe
PID 2880 wrote to memory of 4844	2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe	RDP_5166.exe
PID 2880 wrote to memory of 4844	2880	a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe	RDP_5166.exe
PID 4844 wrote to memory of 5140	4844	RDP_5166.exe	SETUP_73538.exe
PID 4844 wrote to memory of 5140	4844	RDP_5166.exe	SETUP_73538.exe
PID 4844 wrote to memory of 5140	4844	RDP_5166.exe	SETUP_73538.exe
PID 4844 wrote to memory of 5164	4844	RDP_5166.exe	cmd.exe
PID 4844 wrote to memory of 5164	4844	RDP_5166.exe	cmd.exe
PID 4844 wrote to memory of 5164	4844	RDP_5166.exe	cmd.exe
PID 5164 wrote to memory of 5708	5164	cmd.exe	netsh.exe
PID 5164 wrote to memory of 5708	5164	cmd.exe	netsh.exe
PID 5164 wrote to memory of 5708	5164	cmd.exe	netsh.exe
PID 4844 wrote to memory of 5576	4844	RDP_5166.exe	cmd.exe
PID 4844 wrote to memory of 5576	4844	RDP_5166.exe	cmd.exe
PID 4844 wrote to memory of 5576	4844	RDP_5166.exe	cmd.exe
PID 5576 wrote to memory of 5500	5576	cmd.exe	netsh.exe
PID 5576 wrote to memory of 5500	5576	cmd.exe	netsh.exe
PID 5576 wrote to memory of 5500	5576	cmd.exe	netsh.exe
PID 4844 wrote to memory of 5460	4844	RDP_5166.exe	cmd.exe
PID 4844 wrote to memory of 5460	4844	RDP_5166.exe	cmd.exe
PID 4844 wrote to memory of 5460	4844	RDP_5166.exe	cmd.exe
PID 5460 wrote to memory of 5412	5460	cmd.exe	net.exe
PID 5460 wrote to memory of 5412	5460	cmd.exe	net.exe
PID 5460 wrote to memory of 5412	5460	cmd.exe	net.exe
PID 5412 wrote to memory of 5388	5412	net.exe	net1.exe
PID 5412 wrote to memory of 5388	5412	net.exe	net1.exe
PID 5412 wrote to memory of 5388	5412	net.exe	net1.exe
PID 4844 wrote to memory of 5356	4844	RDP_5166.exe	cmd.exe
PID 4844 wrote to memory of 5356	4844	RDP_5166.exe	cmd.exe
PID 4844 wrote to memory of 5356	4844	RDP_5166.exe	cmd.exe
PID 5356 wrote to memory of 5308	5356	cmd.exe	net.exe
PID 5356 wrote to memory of 5308	5356	cmd.exe	net.exe
PID 5356 wrote to memory of 5308	5356	cmd.exe	net.exe
PID 5308 wrote to memory of 5288	5308	net.exe	net1.exe
PID 5308 wrote to memory of 5288	5308	net.exe	net1.exe
PID 5308 wrote to memory of 5288	5308	net.exe	net1.exe
PID 5356 wrote to memory of 5284	5356	cmd.exe	net.exe
PID 5356 wrote to memory of 5284	5356	cmd.exe	net.exe
PID 5356 wrote to memory of 5284	5356	cmd.exe	net.exe
PID 5284 wrote to memory of 5252	5284	net.exe	net1.exe
PID 5284 wrote to memory of 5252	5284	net.exe	net1.exe
PID 5284 wrote to memory of 5252	5284	net.exe	net1.exe
PID 5140 wrote to memory of 5924	5140	SETUP_73538.exe	netsh.exe
PID 5140 wrote to memory of 5924	5140	SETUP_73538.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Program Files\Defragmentation\abashed.exe
  "C:\Program Files\Defragmentation\abashed.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4632
- - C:\Program Files\Defragmentation\abashed.exe
    "C:\Program Files\Defragmentation\abashed.exe" -second
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3124
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c SchTasks /create /f /XML %temp%\Log547.xml /TN \microsoft\windows\defrag\scheduleddefrag && schtasks /Change /TN \microsoft\windows\defrag\scheduleddefrag /ENABLE && schtasks /run /TN \microsoft\windows\defrag\scheduleddefrag
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Windows\SysWOW64\schtasks.exe
    SchTasks /create /f /XML C:\Users\Admin\AppData\Local\Temp\Log547.xml /TN \microsoft\windows\defrag\scheduleddefrag
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4488
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Change /TN \microsoft\windows\defrag\scheduleddefrag /ENABLE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:652
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /TN \microsoft\windows\defrag\scheduleddefrag
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3136
- C:\Users\Admin\AppData\Local\Temp\RDP_5166.exe
  "C:\Users\Admin\AppData\Local\Temp\RDP_5166.exe"
  2⤵
  - Allows Network login with blank passwords
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies WinLogon
  - Hide Artifacts: Hidden Users
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Users\Admin\AppData\Local\Temp\SETUP_73538.exe
    "C:\Users\Admin\AppData\Local\Temp\SETUP_73538.exe" -i
    3⤵
    - Server Software Component: Terminal Services DLL
    - Executes dropped EXE
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5140
  - - C:\Windows\SYSTEM32\netsh.exe
      netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:5924
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall add rule name="Port reconnecting" protocol="TCP" localport=3389 action=block dir=IN
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5164
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port reconnecting" protocol="TCP" localport=3389 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:5708
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall add rule name="Port reconnecting" protocol="TCP" localport=5939 action=block dir=IN
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5576
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port reconnecting" protocol="TCP" localport=5939 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:5500
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net user "wgautilacc" "1234" /add /active:yes /comment:"DefaultUser" /expires:never
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5460
  - - C:\Windows\SysWOW64\net.exe
      net user "wgautilacc" "1234" /add /active:yes /comment:"DefaultUser" /expires:never
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5412
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user "wgautilacc" "1234" /add /active:yes /comment:"DefaultUser" /expires:never
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5388
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net localgroup "Administrators" "wgautilacc" /add & net localgroup "Remote Desktop Users" "wgautilacc" /add
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5356
  - - C:\Windows\SysWOW64\net.exe
      net localgroup "Administrators" "wgautilacc" /add
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5308
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administrators" "wgautilacc" /add
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5288
  - - C:\Windows\SysWOW64\net.exe
      net localgroup "Remote Desktop Users" "wgautilacc" /add
      4⤵
      Remote Service Session Hijacking: RDP Hijacking
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5284
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" "wgautilacc" /add
        5⤵
        Remote Service Session Hijacking: RDP Hijacking
        System Location Discovery: System Language Discovery
        
        PID:5252

C:\Program Files\Defragmentation\abashed.exe
"C:\Program Files\Defragmentation\abashed.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:5724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Defragmentation\abashed.exe

Filesize
12.3MB

MD5
ceead38e6521ea6bcf26c3cf266baec7

SHA1
d7523a46243b459deb53663e5bfa5a85cb760ff0

SHA256
8c62370f1ff4d32794b8b554ae75a3c3b457561542ed9795c1819bbb6746599b

SHA512
0691bcf9b29fb996ab02c8a184900d8b10c1475519dbc66d331dd2ea0fcd6a82957e129b7edc440a23145f24cf4fa0eb433388477939e58f7186527febccf0ab

Download Submit
C:\Program Files\Defragmentation\libeay32.dll

Filesize
1.3MB

MD5
4cb2e1b9294ddae1bf7dcaaf42b365d1

SHA1
a225f53a8403d9b73d77bcbb075194520cce5a14

SHA256
a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

SHA512
46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

Download Submit
C:\Program Files\Defragmentation\ssleay32.dll

Filesize
337KB

MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
C:\Users\Admin\AppData\Local\Temp\RDP_5166.exe

Filesize
569KB

MD5
a46ab91afbba2a657bce8e961bf2632f

SHA1
7c1a484a381fc4915c6904358f7a3611ad9323d2

SHA256
740b1c1498915271214824fa1c5f1a373efdcf13adee853f70d582cec353a1a1

SHA512
a1a519c05dea2ab7db4dcea2945c6afb5292d1701404b0de7c530df13ffe81db986fd9c7d703225178f9df4468c17c9db0a78029ae87112e35c51490576a17c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_73538.exe

Filesize
1.5MB

MD5
9adce164113ec09d243a78029aecfa2e

SHA1
403fb3148345800ca6f0374459e3f6d5ef3b613e

SHA256
d577804cf39a7af100747f2dcc00c525a19fa3cb0498885d020cc2a0f10a9436

SHA512
c938ccc8b89181e2d5113f31e4adc532b0c62793ba3549dbc7ece22a30219d4f0885e89b1ac01499bed5ea1dd653cbee3b61bdb0883d9980ea4c518ac70b01f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB18E.tmp\NSISList.dll

Filesize
105KB

MD5
4b0617493f32b2b5fe5e838eeb885819

SHA1
336e84380420a9caaa9c12af7c8e530135e63c57

SHA256
df3621f83e9d11be45e0e617b899c4ab0241f60ed56494e892dc449482058402

SHA512
5c50cf97cd9a6c699ec7928a08f77f4eaa68105e87a974432e39b637f926f0df8a95ec19bd63465fc438a4ef6349398938bc8d7651de125d13ccab89d1d49143

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB18E.tmp\System.dll

Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB18E.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB18E.tmp\registry.dll

Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmD775.tmp\nsExec.dll

Filesize
6KB

MD5
293165db1e46070410b4209519e67494

SHA1
777b96a4f74b6c34d43a4e7c7e656757d1c97f01

SHA256
49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a

SHA512
97012139f2da5868fe8731c0b0bcb3cfda29ed10c2e6e2336b504480c9cd9fb8f4728cca23f1e0bd577d75daa542e59f94d1d341f4e8aaeebc7134bf61288c19

Download Submit
memory/2696-4624-0x0000000000400000-0x00000000010EC000-memory.dmp

Filesize
12.9MB

Download
memory/2880-18-0x0000000003150000-0x0000000003174000-memory.dmp

Filesize
144KB

Download
memory/2880-25-0x00000000032C0000-0x0000000003319000-memory.dmp

Filesize
356KB

Download
memory/3124-4650-0x0000000000400000-0x00000000010EC000-memory.dmp

Filesize
12.9MB

Download
memory/3124-4652-0x0000000000400000-0x00000000010EC000-memory.dmp

Filesize
12.9MB

Download
memory/3124-4654-0x0000000000400000-0x00000000010EC000-memory.dmp

Filesize
12.9MB

Download
memory/3124-4659-0x0000000000400000-0x00000000010EC000-memory.dmp

Filesize
12.9MB

Download
memory/3124-4661-0x0000000000400000-0x00000000010EC000-memory.dmp

Filesize
12.9MB

Download
memory/3124-4662-0x0000000000400000-0x00000000010EC000-memory.dmp

Filesize
12.9MB

Download
memory/3124-4664-0x0000000000400000-0x00000000010EC000-memory.dmp

Filesize
12.9MB

Download
memory/3124-4665-0x0000000000400000-0x00000000010EC000-memory.dmp

Filesize
12.9MB

Download
memory/4632-457-0x0000000000400000-0x00000000010EC000-memory.dmp

Filesize
12.9MB

Download
memory/4632-81-0x00000000017D0000-0x00000000017D1000-memory.dmp

Filesize
4KB

Download
memory/5140-4651-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download