Overview

overview

10

Static

static

3

b4d4530877...18.exe

windows7-x64

10

b4d4530877...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    b4d453087720b8fbf93147c039f4f8fb_JaffaCakes118

  • Size

    6.6MB

  • Sample

    240821-yqyvksxfma

  • MD5

    b4d453087720b8fbf93147c039f4f8fb

  • SHA1

    cfc9c30a92a61d0009bc4e21a1a808180d278218

  • SHA256

    42da9414a2faba94899ebaa84cd32841ac30db80d655c5be4d32ef568cc35014

  • SHA512

    1d498db675a631d91821786ef657d94814eadc8fc6062ad8256692bd5cf3e35632fce94e96d4672993b0fa36ed424cd7815d3ba81862ce0a75df4feebe9e9c51

  • SSDEEP

    98304:9Xz+/uvg6x/emUKoJV5ElkmPNJgpEdneZi+H02YqAQcmJ3Q/mUfBA9qcu1ccH6i1:FK21H5WV5ElzMpYXY0fBQcb7BA2hHf

Score
10/10
rmsdefense_evasiondiscoveryevasionexecutionpersistenceprivilege_escalationrattrojanupx

Malware Config

Targets

    • Target

      b4d453087720b8fbf93147c039f4f8fb_JaffaCakes118

    • Size

      6.6MB

    • MD5

      b4d453087720b8fbf93147c039f4f8fb

    • SHA1

      cfc9c30a92a61d0009bc4e21a1a808180d278218

    • SHA256

      42da9414a2faba94899ebaa84cd32841ac30db80d655c5be4d32ef568cc35014

    • SHA512

      1d498db675a631d91821786ef657d94814eadc8fc6062ad8256692bd5cf3e35632fce94e96d4672993b0fa36ed424cd7815d3ba81862ce0a75df4feebe9e9c51

    • SSDEEP

      98304:9Xz+/uvg6x/emUKoJV5ElkmPNJgpEdneZi+H02YqAQcmJ3Q/mUfBA9qcu1ccH6i1:FK21H5WV5ElzMpYXY0fBQcb7BA2hHf

    Score
    10/10
    rmsdefense_evasiondiscoveryevasionexecutionpersistenceprivilege_escalationrattrojanupx

    • RMS

      Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

      trojanratrms

    • UAC bypass

      evasiontrojan

    • Modifies Windows Firewall

      evasion

    • Server Software Component: Terminal Services DLL

      persistence

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Stops running service(s)

      evasionexecution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Modifies WinLogon

      persistence

    • Hide Artifacts: Hidden Users

      defense_evasion
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Server Software Component

1
T1505

Terminal Services DLL

1
T1505.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Hide Artifacts

3
T1564

Hidden Files and Directories

2
T1564.001

Hidden Users

1
T1564.002

Impair Defenses

3
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

1
T1562.001

Modify Registry

2
T1112

Credential Access

Discovery

Permission Groups Discovery

1
T1069

Local Groups

1
T1069.001

Query Registry

2
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Service Stop

1
T1489

Tasks