rms | 45286d2370fe25ea8420ef92e566f20306b2e64ef6acc81a6959b184012c9a8e

Analysis

max time kernel
148s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 15:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d24781ae13182fe929d8321e621ce370_JaffaCakes118.exe
Size

14.8MB
MD5

d24781ae13182fe929d8321e621ce370
SHA1

b95cfb6a3b2c194babca769633394eb95cc0fa06
SHA256

45286d2370fe25ea8420ef92e566f20306b2e64ef6acc81a6959b184012c9a8e
SHA512

526fe44c7e24c6d286949dff33d3990aa9ba739f0e7ef7ce4be5cceb0945a0903e4062451223215d4e8ba6e50496024ec7281aaaf8647d725984424922b26f99
SSDEEP

393216:TjLZjiU1lUKyYE2qJc2GONB2amSNJir9:MAv

Score

10^/10

rms discovery rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	d24781ae13182fe929d8321e621ce370_JaffaCakes118.exe

Executes dropped EXE 8 IoCs

pid	Process
5072	rutserv.exe
912	rutserv.exe
1984	rutserv.exe
4056	rutserv.exe
2528	rutserv.exe
4500	rfusclient.exe
3612	rfusclient.exe
4640	rfusclient.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\HookDrv.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\RIPCServer.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\exe\rutserv.pdb	rutserv.exe
File created	C:\Windows\SysWOW64\gdiplus.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\symbols\exe\rutserv.pdb	rutserv.exe
File created	C:\Windows\SysWOW64\dsfVorbisEncoder.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\dsfVorbisDecoder.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\rfusclient.exe	cmd.exe
File created	C:\Windows\SysWOW64\RWLN.dll	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\rutserv.pdb	rutserv.exe
File created	C:\Windows\SysWOW64\rutserv.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\RWLN.dll	cmd.exe
File created	C:\Windows\SysWOW64\vp8decoder.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\vp8encoder.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\RWLN.dll	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\msvcp90.dll	cmd.exe
File created	C:\Windows\SysWOW64\HookDrv.dll	cmd.exe
File created	C:\Windows\SysWOW64\msvcp90.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\msvcr90.dll	cmd.exe
File created	C:\Windows\SysWOW64\vp8encoder.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\dsfVorbisEncoder.dll	cmd.exe
File created	C:\Windows\SysWOW64\RIPCServer.dll	cmd.exe
File created	C:\Windows\SysWOW64\RWLN.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\vp8decoder.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\rutserv.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\gdiplus.dll	cmd.exe
File created	C:\Windows\SysWOW64\msvcr90.dll	cmd.exe
File created	C:\Windows\SysWOW64\rfusclient.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\RWLN.dll	rutserv.exe
File created	C:\Windows\SysWOW64\dsfVorbisDecoder.dll	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rfusclient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rfusclient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d24781ae13182fe929d8321e621ce370_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rfusclient.exe

Runs .reg file with regedit 1 IoCs

pid	Process
4104	regedit.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2528	rutserv.exe
2528	rutserv.exe
2528	rutserv.exe
2528	rutserv.exe
4500	rfusclient.exe
4500	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
4640	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	5072	rutserv.exe
Token: SeDebugPrivilege	912	rutserv.exe
Token: SeDebugPrivilege	4056	rutserv.exe
Token: SeTakeOwnershipPrivilege	2528	rutserv.exe
Token: SeTcbPrivilege	2528	rutserv.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 5020	3812	d24781ae13182fe929d8321e621ce370_JaffaCakes118.exe	86
PID 3812 wrote to memory of 5020	3812	d24781ae13182fe929d8321e621ce370_JaffaCakes118.exe	86
PID 3812 wrote to memory of 5020	3812	d24781ae13182fe929d8321e621ce370_JaffaCakes118.exe	86
PID 5020 wrote to memory of 4104	5020	cmd.exe	89
PID 5020 wrote to memory of 4104	5020	cmd.exe	89
PID 5020 wrote to memory of 4104	5020	cmd.exe	89
PID 5020 wrote to memory of 5072	5020	cmd.exe	90
PID 5020 wrote to memory of 5072	5020	cmd.exe	90
PID 5020 wrote to memory of 5072	5020	cmd.exe	90
PID 5020 wrote to memory of 912	5020	cmd.exe	91
PID 5020 wrote to memory of 912	5020	cmd.exe	91
PID 5020 wrote to memory of 912	5020	cmd.exe	91
PID 5020 wrote to memory of 1984	5020	cmd.exe	92
PID 5020 wrote to memory of 1984	5020	cmd.exe	92
PID 5020 wrote to memory of 1984	5020	cmd.exe	92
PID 5020 wrote to memory of 4056	5020	cmd.exe	93
PID 5020 wrote to memory of 4056	5020	cmd.exe	93
PID 5020 wrote to memory of 4056	5020	cmd.exe	93
PID 2528 wrote to memory of 4500	2528	rutserv.exe	96
PID 2528 wrote to memory of 4500	2528	rutserv.exe	96
PID 2528 wrote to memory of 4500	2528	rutserv.exe	96
PID 2528 wrote to memory of 3612	2528	rutserv.exe	97
PID 2528 wrote to memory of 3612	2528	rutserv.exe	97
PID 2528 wrote to memory of 3612	2528	rutserv.exe	97
PID 4500 wrote to memory of 4640	4500	rfusclient.exe	100
PID 4500 wrote to memory of 4640	4500	rfusclient.exe	100
PID 4500 wrote to memory of 4640	4500	rfusclient.exe	100

C:\Users\Admin\AppData\Local\Temp\d24781ae13182fe929d8321e621ce370_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d24781ae13182fe929d8321e621ce370_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9C7E.tmp\123.bat" "
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s 1234.reg
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:4104
- - C:\Windows\SysWOW64\rutserv.exe
    "C:\Windows/System32/rutserv.exe" /silentuninstall
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5072
- - C:\Windows\SysWOW64\rutserv.exe
    "C:\Windows/System32/rutserv.exe" /silentinstall
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:912
- - C:\Windows\SysWOW64\rutserv.exe
    "C:\Windows/System32/rutserv.exe" /firewall
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1984
- - C:\Windows\SysWOW64\rutserv.exe
    "C:\Windows/System32/rutserv.exe" /start
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4056

C:\Windows\SysWOW64\rutserv.exe
C:\Windows\SysWOW64\rutserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\SysWOW64\rfusclient.exe
  C:\Windows\SysWOW64\rfusclient.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\SysWOW64\rfusclient.exe
    C:\Windows\SysWOW64\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: SetClipboardViewer
    PID:4640
- C:\Windows\SysWOW64\rfusclient.exe
  C:\Windows\SysWOW64\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9C7E.tmp\123.bat

Filesize
1KB

MD5
0c42e8da9331c457b128dd2b1ebc7a20

SHA1
18f49d69196588e467c59ea0b453975f5fc5260f

SHA256
8bf6219875240da291a4e3bf4114b493fc591fbb18f33333b18192ebefebaf0e

SHA512
06c43947210d25aa865077627675c827c93b2260871cd9b3ce22f7c0577050bed89b59cc87a3f02e3293bf4dc86b93eb394c30d2cb4563955d1f065541da6d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C7E.tmp\1234.reg

Filesize
18KB

MD5
db81d05130c5720c2875934d5a4275cd

SHA1
f568d5a8cfea180fcd89fba47cedd5d4bc0e6d56

SHA256
9c7b28923c76f77107d1e6567fcde53139555e70c20d31df183916414ba1ab80

SHA512
09de20b0f5648448d7d8ebb196d889a18668c2d7f76e5510ed614b84c86d178cea192e7e9fdd3070161348c6e3d11ea690d7a4521205ab5075c8f1891b7d6662

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C7E.tmp\HookDrv.dll

Filesize
198KB

MD5
348af5474c0abb5769d4d75a12cca4ee

SHA1
b423c186f9cc4735f35df99bae8e72c351dfc745

SHA256
828ce0069f2f21dd9c3cf3832883ec9229831feaff4d212058e95579441d72a8

SHA512
6b6659c9b16ba523ffbf89f82194226299089cea92ee570e272a609a843d34f46e9a035b30f2cf99817e540a81bf692c1e72f4569675baf1189b256a8a5da487

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C7E.tmp\RIPCServer.dll

Filesize
144KB

MD5
30e269f850baf6ca25187815912e21c5

SHA1
eb160de97d12b4e96f350dd0d0126d41d658afb3

SHA256
379191bfd34d41e96760c7a539e2056a22be3d44bf0e8712b53e443f55aead90

SHA512
9b86a4eefdcae46e605f85e752ef61e39fd0212a19b7fd4c35eb3ab99851a0b906d048d12d1e1e985a340a67a64d405b8cf803555865137278f0c19d686df5e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C7E.tmp\RWLN.dll

Filesize
357KB

MD5
bb1f3e716d12734d1d2d9219a3979a62

SHA1
0ef66eed2f2ae45ec2d478902833b830334109cb

SHA256
d7e9c9043ed7df2af800d9b2a33e3efddf68b70f043e9717afc4b7dd4e13e077

SHA512
bbc90747dd45a01b05f5c0b6fa58ffe18af894b05363267ac1cc9fe3262f5e65c8ae4e08dfd82d89b9112e86e42d24a12784b79f5ea30b6443015c19b6792c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C7E.tmp\dsfVorbisDecoder.dll

Filesize
234KB

MD5
8e3f59b8c9dfc933fca30edefeb76186

SHA1
37a78089d5936d1bc3b60915971604c611a94dbd

SHA256
528c0656751b336c10cb4c49b703eae9c3863f7f416d0e09b198b082cc54aeb8

SHA512
3224c20c30556774fd4bed78909f451b9a5a46aa59271b5e88b1e0e60145d217802a8f1fda3d3fabcd8546ca7783e0c70f0c419a28efe6c5160a102553a3c91d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C7E.tmp\dsfVorbisEncoder.dll

Filesize
1.6MB

MD5
ff622a8812d8b1eff8f8d1a32087f9d2

SHA1
910615c9374b8734794ac885707ff5370db42ef1

SHA256
1b8fe11c0bdcbf1f4503c478843de02177c606912c89e655e482adec787c2ebf

SHA512
1a7c49f172691bf071df0d47d6ee270afbfa889afb8d5bd893496277fd816630ecd7b50c978b53d88228922ba6070f382b959ffc389394e0f08daab107369931

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C7E.tmp\gdiplus.dll

Filesize
1.6MB

MD5
871c903a90c45ca08a9d42803916c3f7

SHA1
d962a12bc15bfb4c505bb63f603ca211588958db

SHA256
f1da32183b3da19f75fa4ef0974a64895266b16d119bbb1da9fe63867dba0645

SHA512
985b0b8b5e3d96acfd0514676d9f0c5d2d8f11e31f01acfa0f7da9af3568e12343ca77f541f55edda6a0e5c14fe733bda5dc1c10bb170d40d15b7a60ad000145

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C7E.tmp\msvcp90.dll

Filesize
556KB

MD5
b2eee3dee31f50e082e9c720a6d7757d

SHA1
3322840fef43c92fb55dc31e682d19970daf159d

SHA256
4608beedd8cf9c3fc5ab03716b4ab6f01c7b7d65a7c072af04f514ffb0e02d01

SHA512
8b1854e80045001e7ab3a978fb4aa1de19a3c9fc206013d7bc43aec919f45e46bb7555f667d9f7d7833ab8baa55c9098af8872006ff277fc364a5e6f99ee25d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C7E.tmp\msvcr90.dll

Filesize
637KB

MD5
7538050656fe5d63cb4b80349dd1cfe3

SHA1
f825c40fee87cc9952a61c8c34e9f6eee8da742d

SHA256
e16bc9b66642151de612ee045c2810ca6146975015bd9679a354567f56da2099

SHA512
843e22630254d222dfd12166c701f6cd1dca4a8dc216c7a8c9c0ab1afc90189cfa8b6499bbc46408008a1d985394eb8a660b1fa1991059a65c09e8d6481a3af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C7E.tmp\rfusclient.exe

Filesize
3.9MB

MD5
1c08c069e2613830d464358e64e129c0

SHA1
88b13f5b0dbe01d8e8badbe6cd1254849304509e

SHA256
c1eca4a9056a18b412cb5ce3380598ee7bae385a99faae0cf471ac9bb04fd222

SHA512
5af70d797177b6bddf41daa753214ef5ee413c11023a775d431f6494cb5b01b50e2f9221f86dc9d95074b465cb27bbabfd88ea42c9f4a90be1135f1b70991fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C7E.tmp\rutserv.exe

Filesize
4.6MB

MD5
89d8579491b86455a3fd9dce03eebcd2

SHA1
05a46af0fc9ffc29bbf8f15979e1cd940a730f78

SHA256
7489894bf2d7995af8dbca5fcf83f0e7577b9a73da39e014db27efff4967b4e4

SHA512
d9294684648bc4b8c3d1fb0b5a5cc68d7b1d503fbf5f9c565bb30e1e4511a35771b9751b38af14c544f53892ed98be50d52ff7050cacf6ba974aaeb0e274186b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C7E.tmp\vp8decoder.dll

Filesize
403KB

MD5
6f6bfe02e84a595a56b456f72debd4ee

SHA1
90bad3ae1746c7a45df2dbf44cd536eb1bf3c8e2

SHA256
5e59b566eda7bb36f3f5d6dd39858bc9d6cf2c8d81deca4ea3c409804247da51

SHA512
ed2a7402699a6d00d1eac52b0f2dea4475173be3320dfbad5ca58877f06638769533229bc12bce6650726d3166c0e5ebac2dad7171b77b29186d4d5e65818c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C7E.tmp\vp8encoder.dll

Filesize
685KB

MD5
c638bca1a67911af7f9ed67e7b501154

SHA1
0fd74d2f1bd78f678b897a776d8bce36742c39b7

SHA256
519078219f7f6db542f747702422f902a21bfc3aef8c6e6c3580e1c5e88162b8

SHA512
ca8133399f61a1f339a14e3fad3bfafc6fe3657801fd66df761c88c18b2dc23ceb02ba6faa536690986972933bec2808254ef143c2c22f881285facb4364659f

Download Submit
memory/912-72-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/1984-74-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2528-121-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2528-114-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2528-128-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2528-93-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2528-135-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2528-100-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2528-107-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/3612-95-0x0000000000400000-0x0000000000869000-memory.dmp

Filesize
4.4MB

Download
memory/3612-98-0x0000000000400000-0x0000000000869000-memory.dmp

Filesize
4.4MB

Download
memory/3612-102-0x0000000000400000-0x0000000000869000-memory.dmp

Filesize
4.4MB

Download
memory/4056-88-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/4500-94-0x0000000000400000-0x0000000000869000-memory.dmp

Filesize
4.4MB

Download
memory/4640-92-0x0000000000400000-0x0000000000869000-memory.dmp

Filesize
4.4MB

Download
memory/5072-70-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/5072-68-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download