Analysis
-
max time kernel
148s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
08-10-2024 05:11
Behavioral task
behavioral1
Sample
1fbf1e13343007f3a60fbcca6bfd31fd_JaffaCakes118.exe
Resource
win7-20240708-en
General
-
Target
1fbf1e13343007f3a60fbcca6bfd31fd_JaffaCakes118.exe
-
Size
2.3MB
-
MD5
1fbf1e13343007f3a60fbcca6bfd31fd
-
SHA1
48e54e874d609632a73578d8baf8acca29204afb
-
SHA256
0a976946c1fc20d370f9221c428ea4a799c663d5be5bf6c9610607d84372c1a9
-
SHA512
5b79cc008a8b9af3f9033e95280b7d6b1894d767a189e5eb461dc75c806611209a418f171c3dedf0d0fc188b9387a94dffd66074f90c8f8ec8bd21fbba4c7d30
-
SSDEEP
49152:XmjXBlvQafJMoMApwJ/Y0QuBD266B6tryc51ClzH5DWbnZdo84uuqpwmq:XmHzeApwjQ6pr3yzZDknE8nuBmq
Malware Config
Signatures
-
Executes dropped EXE 7 IoCs
Processes:
RManServer.exeRManServer.exeMonitor.exeRManServer.exeRManServer.exeRManFUSClient.exeRManFUSClient.exepid Process 1148 RManServer.exe 2324 RManServer.exe 2912 Monitor.exe 1248 RManServer.exe 2664 RManServer.exe 1848 RManFUSClient.exe 2508 RManFUSClient.exe -
Loads dropped DLL 7 IoCs
Processes:
cmd.exeRManServer.exepid Process 2612 cmd.exe 2612 cmd.exe 2612 cmd.exe 2612 cmd.exe 2612 cmd.exe 2664 RManServer.exe 2664 RManServer.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
regedit.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Monitor = "C:\\Windows\\System32\\Monitor.exe -autorun" regedit.exe -
Drops file in System32 directory 29 IoCs
Processes:
cmd.exeRManServer.exeRManServer.exedescription ioc Process File created C:\Windows\SysWOW64\Monitor.exe cmd.exe File created C:\Windows\SysWOW64\Logs\rom_log_2024.html RManServer.exe File created C:\Windows\SysWOW64\dsfTheoraEncoder.dll cmd.exe File opened for modification C:\Windows\SysWOW64\dsfVorbisEncoder.dll cmd.exe File opened for modification C:\Windows\SysWOW64\Microsoft.VC80.CRT.manifest cmd.exe File opened for modification C:\Windows\SysWOW64\RManServer.exe cmd.exe File opened for modification C:\Windows\SysWOW64\dsfTheoraEncoder.dll cmd.exe File opened for modification C:\Windows\SysWOW64\HookDrv.dll cmd.exe File created C:\Windows\SysWOW64\RManFUSClient.exe cmd.exe File opened for modification C:\Windows\SysWOW64\Monitor.exe cmd.exe File created C:\Windows\SysWOW64\msvcp80.dll cmd.exe File opened for modification C:\Windows\SysWOW64\PushSource.ax cmd.exe File opened for modification C:\Windows\SysWOW64\RManWLN.dll cmd.exe File created C:\Windows\SysWOW64\msvcr80.dll cmd.exe File opened for modification C:\Windows\SysWOW64\dsfOggMux.dll cmd.exe File opened for modification C:\Windows\SysWOW64\msvcp80.dll cmd.exe File created C:\Windows\SysWOW64\Microsoft.VC80.CRT.manifest cmd.exe File created C:\Windows\SysWOW64\RManIpcServer.dll cmd.exe File opened for modification C:\Windows\SysWOW64\RManWLN.dll RManServer.exe File created C:\Windows\SysWOW64\RManWLN.dll RManServer.exe File created C:\Windows\SysWOW64\dsfOggMux.dll cmd.exe File created C:\Windows\SysWOW64\HookDrv.dll cmd.exe File created C:\Windows\SysWOW64\PushSource.ax cmd.exe File opened for modification C:\Windows\SysWOW64\RManFUSClient.exe cmd.exe File opened for modification C:\Windows\SysWOW64\RManIpcServer.dll cmd.exe File created C:\Windows\SysWOW64\RManServer.exe cmd.exe File created C:\Windows\SysWOW64\RManWLN.dll cmd.exe File created C:\Windows\SysWOW64\dsfVorbisEncoder.dll cmd.exe File opened for modification C:\Windows\SysWOW64\msvcr80.dll cmd.exe -
Processes:
resource yara_rule behavioral1/memory/2892-0-0x0000000000400000-0x0000000000E3B000-memory.dmp upx behavioral1/memory/2892-120-0x0000000000400000-0x0000000000E3B000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
RManServer.exeregedit.exe1fbf1e13343007f3a60fbcca6bfd31fd_JaffaCakes118.execmd.exereg.exeRManServer.exeRManServer.exeRManFUSClient.exeRManFUSClient.exeRManServer.exeregedit.exeMonitor.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RManServer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regedit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fbf1e13343007f3a60fbcca6bfd31fd_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RManServer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RManServer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RManFUSClient.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RManFUSClient.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RManServer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regedit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Monitor.exe -
Runs .reg file with regedit 2 IoCs
Processes:
regedit.exeregedit.exepid Process 2420 regedit.exe 3000 regedit.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
RManServer.exeRManFUSClient.exepid Process 2664 RManServer.exe 2664 RManServer.exe 1848 RManFUSClient.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
RManServer.exeRManServer.exeRManServer.exedescription pid Process Token: SeDebugPrivilege 1148 RManServer.exe Token: SeDebugPrivilege 1248 RManServer.exe Token: SeTakeOwnershipPrivilege 2664 RManServer.exe Token: SeTcbPrivilege 2664 RManServer.exe -
Suspicious use of WriteProcessMemory 40 IoCs
Processes:
1fbf1e13343007f3a60fbcca6bfd31fd_JaffaCakes118.execmd.exeRManServer.exedescription pid Process procid_target PID 2892 wrote to memory of 2612 2892 1fbf1e13343007f3a60fbcca6bfd31fd_JaffaCakes118.exe 30 PID 2892 wrote to memory of 2612 2892 1fbf1e13343007f3a60fbcca6bfd31fd_JaffaCakes118.exe 30 PID 2892 wrote to memory of 2612 2892 1fbf1e13343007f3a60fbcca6bfd31fd_JaffaCakes118.exe 30 PID 2892 wrote to memory of 2612 2892 1fbf1e13343007f3a60fbcca6bfd31fd_JaffaCakes118.exe 30 PID 2612 wrote to memory of 2112 2612 cmd.exe 32 PID 2612 wrote to memory of 2112 2612 cmd.exe 32 PID 2612 wrote to memory of 2112 2612 cmd.exe 32 PID 2612 wrote to memory of 2112 2612 cmd.exe 32 PID 2612 wrote to memory of 1148 2612 cmd.exe 33 PID 2612 wrote to memory of 1148 2612 cmd.exe 33 PID 2612 wrote to memory of 1148 2612 cmd.exe 33 PID 2612 wrote to memory of 1148 2612 cmd.exe 33 PID 2612 wrote to memory of 2324 2612 cmd.exe 34 PID 2612 wrote to memory of 2324 2612 cmd.exe 34 PID 2612 wrote to memory of 2324 2612 cmd.exe 34 PID 2612 wrote to memory of 2324 2612 cmd.exe 34 PID 2612 wrote to memory of 2420 2612 cmd.exe 35 PID 2612 wrote to memory of 2420 2612 cmd.exe 35 PID 2612 wrote to memory of 2420 2612 cmd.exe 35 PID 2612 wrote to memory of 2420 2612 cmd.exe 35 PID 2612 wrote to memory of 3000 2612 cmd.exe 36 PID 2612 wrote to memory of 3000 2612 cmd.exe 36 PID 2612 wrote to memory of 3000 2612 cmd.exe 36 PID 2612 wrote to memory of 3000 2612 cmd.exe 36 PID 2612 wrote to memory of 2912 2612 cmd.exe 37 PID 2612 wrote to memory of 2912 2612 cmd.exe 37 PID 2612 wrote to memory of 2912 2612 cmd.exe 37 PID 2612 wrote to memory of 2912 2612 cmd.exe 37 PID 2612 wrote to memory of 1248 2612 cmd.exe 38 PID 2612 wrote to memory of 1248 2612 cmd.exe 38 PID 2612 wrote to memory of 1248 2612 cmd.exe 38 PID 2612 wrote to memory of 1248 2612 cmd.exe 38 PID 2664 wrote to memory of 1848 2664 RManServer.exe 40 PID 2664 wrote to memory of 1848 2664 RManServer.exe 40 PID 2664 wrote to memory of 1848 2664 RManServer.exe 40 PID 2664 wrote to memory of 1848 2664 RManServer.exe 40 PID 2664 wrote to memory of 2508 2664 RManServer.exe 41 PID 2664 wrote to memory of 2508 2664 RManServer.exe 41 PID 2664 wrote to memory of 2508 2664 RManServer.exe 41 PID 2664 wrote to memory of 2508 2664 RManServer.exe 41
Processes
-
C:\Users\Admin\AppData\Local\Temp\1fbf1e13343007f3a60fbcca6bfd31fd_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1fbf1e13343007f3a60fbcca6bfd31fd_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\65F4.tmp\Remote Manipulator System - Server.bat" "2⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\reg.exereg delete "HKLM\SYSTEM\Remote Manipulator System" /f3⤵
- System Location Discovery: System Language Discovery
PID:2112
-
-
C:\Windows\SysWOW64\RManServer.exe"C:\Windows\System32\RManServer.exe" /silentinstall3⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1148
-
-
C:\Windows\SysWOW64\RManServer.exe"C:\Windows\System32\RManServer.exe" /firewall3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2324
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s "settings.reg"3⤵
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
PID:2420
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s "Autorun.reg"3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
PID:3000
-
-
C:\Windows\SysWOW64\Monitor.exe"C:\Windows\System32\Monitor.exe" /start3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2912
-
-
C:\Windows\SysWOW64\RManServer.exe"C:\Windows\System32\RManServer.exe" /start3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1248
-
-
-
C:\Windows\SysWOW64\RManServer.exeC:\Windows\SysWOW64\RManServer.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\RManFUSClient.exe"C:\Windows\SysWOW64\RManFUSClient.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1848
-
-
C:\Windows\SysWOW64\RManFUSClient.exeC:\Windows\SysWOW64\RManFUSClient.exe /tray2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2508
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
338B
MD5838adedefbfc54ea749dbb3cbf889e04
SHA13ab9a263996437a5c9b9a62fa7562c34ee9d730b
SHA256996b4bed9fefd6a4310292f294d54879dbf9e523f143f94837503710ba7fb542
SHA51271b5ed6a702628b6b70aca5c7932882922c5630c2a8aa58a1a7896517281efb8b39a997f3bbb6b8e7c2d9bd9a3826538568c07ab1ed2d6ccbde5e00c3db2790a
-
Filesize
174KB
MD5895d68b21984db50bfbffc88d289f5da
SHA12cc6625e1fcdeac9dceb6a0f381f52ba574365a8
SHA256d3b6c19376b95cb9501181b42b7cbebd44b994d9652ef5fc103eec0d747b8e7d
SHA5127d4d78b985c13fcd3ea835db7eab5373881257830e2f3f8cac3efc22b1e6d38ac99d1245539cf286beb6f67f077bb2582980c9f7c4250fd8546ff65edabcd68b
-
Filesize
1KB
MD5d34b3da03c59f38a510eaa8ccc151ec7
SHA141b978588a9902f5e14b2b693973cb210ed900b2
SHA256a50941352cb9d8f7ba6fbf7db5c8af95fb5ab76fc5d60cfd0984e558678908cc
SHA512231a97761d652a0fc133b930abba07d456ba6cd70703a632fd7292f6ee00e50ef28562159e54acc3fc6cc118f766ea3f2f8392579ae31cc9c0c1c0dd761d36f7
-
Filesize
485KB
MD534091d46829a8474956451e03ac8bec0
SHA1e625b1e5154f9946e5434879253fada3b4a55530
SHA256df9d397b2b3201072a4fff263b094852c4fd41ab174a2ad7ae8e4f98cf273d6c
SHA5124cbe1ca0b0895a67a520a5478204dd849c0544b0d8cda28014b36262a2ec28e8c2daca1688edb8465e7bd49ace274d6c0711d64f557310c2b7cd9710372b2b79
-
Filesize
447KB
MD5fb755251b8b9ac0f35494854f21ccdbf
SHA132de2cbfaf4a6d773f3b94af8e2a6cf66a01eabb
SHA256ecbc5b49263df7950fd7329dfd44d5ad4da77845ffd1981afe3bd6798e1cd9f5
SHA512a78d76ebefaa276f811b16b22caf84045982b305c13efb824db8b16b668fe07421486711567bfe83ecd4509a7b2896a0decaff624209c159f5a9e8b3e1dce215
-
Filesize
2.5MB
MD50af0dfc7b2d726e2c698909d678f267c
SHA136b9a69a73e3e28b1b1088403bf8bb3b6fe33d6f
SHA256046ec1a641abea178947313eadbb9ea4164ef59eed78437234ab6805194cd92c
SHA512739116edc753e765b730203d4f609c11e541ad964fb83bd0d63f69f962f8827c9e2d17b53b99c3709441beaf94a69d3f24ffbda1cc72856ecda62ceeac8bbf14
-
Filesize
124KB
MD57d94872e3bbf6b60aec6bfe03f2423d7
SHA167dd0a451e5a5247d077ffe347f404a0334b2d10
SHA256a39ffbec4e0df7ad55467e2954d7cbb47b8116c46e348d419daed65bf55744e7
SHA51225835b2d7ed18e85ab2939e00c1de66dd7a79dd95c08b692f97f6eb9217cc43a665eeaae5e7d216581ef5fa418353b24fc9f7d9b9ff022a6057b9801968a827b
-
Filesize
3.0MB
MD5275ceaf3c7e10e65bf581d5476e78dba
SHA12f1964303f7ff832758b488612b3f91e88e9affb
SHA256e1c1dd13ecd145a14e5119cdb05b5e2aec12afa77e47f65d864579493af97318
SHA512a9a2d96320d9e288f7293e9ca675fd8979f474dc85a7a8e504b9e80b0e6e93445912be0a2e98f653324682708a9f2f913d0b474f86f739ee71b17a1e47a8ea83
-
Filesize
311KB
MD54ed36e9479243d9426b196f306d21d04
SHA1e102a9b2a8101b1105f6e3996df3ce6af17f31f4
SHA256f54a5149b1df0f141ca14844fd38458761ebd43bdd63e7f516a88370ac0c917d
SHA51246d94a53d0871d7ff728a2b6afd39b83978b37241e7f3e01e0d6e79de57ff81f20e081f4f210efd294ce274e5a79934078de4662d4da974a3279e5d6c93df5af
-
Filesize
1KB
MD5b8ca6a242f139d9fc202031e001b2c38
SHA19f944dc9596d64ac4cf1cda3095ee49bf46a40e1
SHA25637e4a95c6e490627c070d3363f263d391740c8e5ac819c834588ac800e79d817
SHA5120ac5b24778a58679af6210992a78c1d37e8f307a61a283809d356705dd3018ea6c9d65b78d266246ccedccab3e218eec0817e9561e82ef70384cae843a209699
-
Filesize
84KB
MD565889701199e41ae2abee652a232af6e
SHA13f76c39fde130b550013a4f13bfea2862b5628cf
SHA256ef12a65d861a14aed28480946bc56fce479a21e9beac2983239eac6551d4f32e
SHA512edbb1a1541a546d69e3fd64047a20613b47b3c08f2b639a53160b825c4a1462c4cc08a7bf417aa2db814f412fb16619c6c0d9364e21cc1c6d753ecf81f1d30f5
-
Filesize
240KB
MD55f2fc8a0d96a1e796a4daae9465f5dd6
SHA1224f13f3cbaa441c0cb6d6300715fda7136408ea
SHA256f8686d8752801bb21c3d94ebe743758d79b9b59f33589ec8620e75a949d1871f
SHA512da866275159b434205f259176c3937b7c77b14ed95d052152b05b984909e094bbd3b2702d3e874a4a1e1bc02fc5a8476ea43df8aee43542d56e832eacc8f54ad
-
Filesize
1.6MB
MD5086a9fd9179aad7911561eeff08cf7e2
SHA1d390c28376e08769a06a4a8b46609b3a668f728b
SHA2562cede6701b73a4ddd6422fde157ea54644a3a9598b3ba217cf2b30b595cf6282
SHA512a98f593a306208da49e57e265daf37d6b1bd9f190fba45d65dd6cfa08801b760f540ea5cc443f9a1512eb5ddc01b1e4e28fc8ddecb9c0f1d42c884c4efaa7193
-
Filesize
541KB
MD58c53ccd787c381cd535d8dcca12584d8
SHA1bc7ce60270a58450596aa3e3e5d0a99f731333d9
SHA256384aaee2a103f7ed5c3ba59d4fb2ba22313aaa1fbc5d232c29dbc14d38e0b528
SHA512e86c1426f1ad62d8f9bb1196dee647477f71b9aacafabb181f35e639c105779f95f1576b72c0a9216e876430383b8d44f27748b13c25e0548c254a0f641e4755
-
Filesize
617KB
MD51169436ee42f860c7db37a4692b38f0e
SHA14ccd15bf2c1b1d541ac883b0f42497e8ced6a5a3
SHA2569382aaed2db19cd75a70e38964f06c63f19f63c9dfb5a33b0c2d445bb41b6e46
SHA512e06064eb95a2ab9c3343672072f5b3f5983fc8ea9e5c92f79e50ba2e259d6d5fa8ed97170dea6d0d032ea6c01e074eefaab850d28965c7522fb7e03d9c65eae0
-
Filesize
11KB
MD54b3e03d85e20ed8800047413f3546caa
SHA12cccd97b59c9f63019d8db1a229ab6ebe25dba78
SHA256f0535a9f2f48b59c3745350608551164f3ad0d3d82a7a4cd89facae2d98c1c4c
SHA5123bf439390338642fa9420f57ea0d6f66ff9d20285c2fbbef7d817c1073f7e34a451c9308833a821dcf72d4a392dad335f07dbd385665448c4800718779549fbc