Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
10-09-2024 14:35
General
-
Target
d864a0ac635e811332124e1df1458257_JaffaCakes118.exe
-
Size
10.4MB
-
MD5
d864a0ac635e811332124e1df1458257
-
SHA1
8d2e8e36ad08c6d7a38fdb3304ce25181586cd5c
-
SHA256
8edbedff95b25d5e437e4ff1ff5197c50ebce68020c9531ccaa09510c6f94a13
-
SHA512
f1cf8119708965ecf5052be88732e23031afc47676da3482227ce93b90f06064e363012448fb699ee4fdf1bd8643b3aad647de1b77d36ae0a74c6ff8f5ab0f1b
-
SSDEEP
196608:xoeZUtx0psIKcQEgNvR5ffalRn2amSNJiWa:xlqSsIiEgNvbfSlB2amSNJir
Malware Config
Signatures
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 7 IoCs
-
Drops file in System32 directory 19 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Runs .reg file with regedit 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d864a0ac635e811332124e1df1458257_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d864a0ac635e811332124e1df1458257_JaffaCakes118.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\83F5.tmp\1213.bat" "2⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\SYSTEM\Remote Manipulator System" /f3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\rutserv.exe"C:\Windows\System32\rutserv.exe" /silentinstall3⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\rutserv.exe"C:\Windows\System32\rutserv.exe" /firewall3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s "settings.reg"3⤵
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\rutserv.exe"C:\Windows\System32\rutserv.exe" /start3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\rutserv.exeC:\Windows\SysWOW64\rutserv.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rfusclient.exeC:\Windows\SysWOW64\rfusclient.exe /tray2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\rfusclient.exeC:\Windows\SysWOW64\rfusclient.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rfusclient.exeC:\Windows\SysWOW64\rfusclient.exe /tray3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: SetClipboardViewer
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5a1b4263a202c77f63141c716e836a4ab
SHA1f3859ca14556b04192ed95ff0d9876500a9ab52d
SHA2563c85a85ca0516b3763fa370e8347da94b65b047d194847756879c8f482d78231
SHA51264498944db72ca33ff2877d60f375e67f42fc5c9624a2b7617fe5b5776db06c66f4af3763b6bb2e3b6c654a1b148494e7397286e5d69f76aaa35e3abdfbf41bd
-
Filesize
144KB
MD530e269f850baf6ca25187815912e21c5
SHA1eb160de97d12b4e96f350dd0d0126d41d658afb3
SHA256379191bfd34d41e96760c7a539e2056a22be3d44bf0e8712b53e443f55aead90
SHA5129b86a4eefdcae46e605f85e752ef61e39fd0212a19b7fd4c35eb3ab99851a0b906d048d12d1e1e985a340a67a64d405b8cf803555865137278f0c19d686df5e7
-
Filesize
357KB
MD5bb1f3e716d12734d1d2d9219a3979a62
SHA10ef66eed2f2ae45ec2d478902833b830334109cb
SHA256d7e9c9043ed7df2af800d9b2a33e3efddf68b70f043e9717afc4b7dd4e13e077
SHA512bbc90747dd45a01b05f5c0b6fa58ffe18af894b05363267ac1cc9fe3262f5e65c8ae4e08dfd82d89b9112e86e42d24a12784b79f5ea30b6443015c19b6792c9c
-
Filesize
234KB
MD58e3f59b8c9dfc933fca30edefeb76186
SHA137a78089d5936d1bc3b60915971604c611a94dbd
SHA256528c0656751b336c10cb4c49b703eae9c3863f7f416d0e09b198b082cc54aeb8
SHA5123224c20c30556774fd4bed78909f451b9a5a46aa59271b5e88b1e0e60145d217802a8f1fda3d3fabcd8546ca7783e0c70f0c419a28efe6c5160a102553a3c91d
-
Filesize
3.9MB
MD5511ab5d90c2e370a942fc3b9077c38d3
SHA1a7d4f2dc7ab8ca93a4bec1bac2468166c0ed3f86
SHA2560f07353d08de0a6265d25b66a273fabeef807f868779ad79559cd17c203e313c
SHA51282861f55433d9bc6daeb9657c9b8c056fa7cfc7c09bc51d3e4cef7684e3ca4d78036ad1a07ad2336e5e49510bab41fa5a3888dae80ef674a7ff5c16305e240c4
-
Filesize
4.7MB
MD54b528d3392dbd69301ed25d816baed9f
SHA1e9d6dc6fd5765e0d177dd990788898b834560fd1
SHA2567dcf2ff3f5d01c4a0ed4cfef05fbd03f2ccaa794d6330fdb6012696b2ae7dd03
SHA512f4003e3c5abcc41a294414c6f41db37829b16bc19eb25120fabd68cebfe1318a13147c693f74473baeb49fab9383cd96b84ae99d5bbbcfcdd10b523bd2ce2a05
-
Filesize
22KB
MD5f70d5b1d76e8bd8aebcb4f5082c0f909
SHA16ab4bbf4e87c994b192282ae79136ba55d4cc82f
SHA256e6302eed15fb6ac7e71382e298c7e15e20195874a5dfa2f5075f85ac72963f38
SHA512c15e341f25cc282b15dd889e5c29db45d224f81716342786f673b7a5739866dcf203f9aceb7329ba045fda4428330dac9d084bad58c0eea20729213dedbe41b3
-
Filesize
403KB
MD56f6bfe02e84a595a56b456f72debd4ee
SHA190bad3ae1746c7a45df2dbf44cd536eb1bf3c8e2
SHA2565e59b566eda7bb36f3f5d6dd39858bc9d6cf2c8d81deca4ea3c409804247da51
SHA512ed2a7402699a6d00d1eac52b0f2dea4475173be3320dfbad5ca58877f06638769533229bc12bce6650726d3166c0e5ebac2dad7171b77b29186d4d5e65818c50
-
Filesize
685KB
MD5c638bca1a67911af7f9ed67e7b501154
SHA10fd74d2f1bd78f678b897a776d8bce36742c39b7
SHA256519078219f7f6db542f747702422f902a21bfc3aef8c6e6c3580e1c5e88162b8
SHA512ca8133399f61a1f339a14e3fad3bfafc6fe3657801fd66df761c88c18b2dc23ceb02ba6faa536690986972933bec2808254ef143c2c22f881285facb4364659f
-
Filesize
4.4MB
-
Filesize
4KB
-
Filesize
5.2MB
-
Filesize
5.2MB
-
Filesize
5.2MB
-
Filesize
5.2MB
-
Filesize
5.2MB
-
Filesize
5.2MB
-
Filesize
5.2MB
-
Filesize
5.2MB
-
Filesize
5.2MB
-
Filesize
4.4MB
-
Filesize
5.2MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
5.2MB