Overview

overview

10

Static

static

3

1efcd37814...18.exe

windows7-x64

10

1efcd37814...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1efcd378148d820ca9af363976597b03_JaffaCakes118

  • Size

    5.5MB

  • Sample

    241008-chmlpaxepb

  • MD5

    1efcd378148d820ca9af363976597b03

  • SHA1

    646a91c6a85b992e20c9d681fa42c7e309844c9a

  • SHA256

    b2c5593ff16f6c5f45ea569dffc4e12ef9161240e938de9c4e9eb1cb148b3e31

  • SHA512

    c958032a1f892d797a20a4c2d00b410f99da8b0d11615d3283c1e81ec006844f0f679d23dba835db689818015fc59e1bdf2d78a106798330e746f2b111f681bb

  • SSDEEP

    98304:7JYz+TnI90/Dcf2+p/2yFlw989s9eyflBsQDPK7w+HwtMmtXTi:7Ju+rIq/I15Pw9OsLflBLAw+CMmVTi

Score
10/10
rmsdiscoveryevasionexecutionrattrojan

Malware Config

Targets

    • Target

      1efcd378148d820ca9af363976597b03_JaffaCakes118

    • Size

      5.5MB

    • MD5

      1efcd378148d820ca9af363976597b03

    • SHA1

      646a91c6a85b992e20c9d681fa42c7e309844c9a

    • SHA256

      b2c5593ff16f6c5f45ea569dffc4e12ef9161240e938de9c4e9eb1cb148b3e31

    • SHA512

      c958032a1f892d797a20a4c2d00b410f99da8b0d11615d3283c1e81ec006844f0f679d23dba835db689818015fc59e1bdf2d78a106798330e746f2b111f681bb

    • SSDEEP

      98304:7JYz+TnI90/Dcf2+p/2yFlw989s9eyflBsQDPK7w+HwtMmtXTi:7Ju+rIq/I15Pw9OsLflBLAw+CMmVTi

    Score
    10/10
    rmsdiscoveryevasionexecutionrattrojan

    • RMS

      Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

      trojanratrms

    • UAC bypass

      evasiontrojan

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

JavaScript

1
T1059.007

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

2
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

2
T1012

Remote System Discovery

1
T1018

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks