Analysis

  • max time kernel
    148s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    08-10-2024 05:11

General

  • Target

    1fbf1e13343007f3a60fbcca6bfd31fd_JaffaCakes118.exe

  • Size

    2.3MB

  • MD5

    1fbf1e13343007f3a60fbcca6bfd31fd

  • SHA1

    48e54e874d609632a73578d8baf8acca29204afb

  • SHA256

    0a976946c1fc20d370f9221c428ea4a799c663d5be5bf6c9610607d84372c1a9

  • SHA512

    5b79cc008a8b9af3f9033e95280b7d6b1894d767a189e5eb461dc75c806611209a418f171c3dedf0d0fc188b9387a94dffd66074f90c8f8ec8bd21fbba4c7d30

  • SSDEEP

    49152:XmjXBlvQafJMoMApwJ/Y0QuBD266B6tryc51ClzH5DWbnZdo84uuqpwmq:XmHzeApwjQ6pr3yzZDknE8nuBmq

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 29 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs .reg file with regedit 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1fbf1e13343007f3a60fbcca6bfd31fd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1fbf1e13343007f3a60fbcca6bfd31fd_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2892
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\65F4.tmp\Remote Manipulator System - Server.bat" "
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2612
      • C:\Windows\SysWOW64\reg.exe
        reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2112
      • C:\Windows\SysWOW64\RManServer.exe
        "C:\Windows\System32\RManServer.exe" /silentinstall
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1148
      • C:\Windows\SysWOW64\RManServer.exe
        "C:\Windows\System32\RManServer.exe" /firewall
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2324
      • C:\Windows\SysWOW64\regedit.exe
        regedit /s "settings.reg"
        3⤵
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:2420
      • C:\Windows\SysWOW64\regedit.exe
        regedit /s "Autorun.reg"
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:3000
      • C:\Windows\SysWOW64\Monitor.exe
        "C:\Windows\System32\Monitor.exe" /start
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2912
      • C:\Windows\SysWOW64\RManServer.exe
        "C:\Windows\System32\RManServer.exe" /start
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1248
  • C:\Windows\SysWOW64\RManServer.exe
    C:\Windows\SysWOW64\RManServer.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2664
    • C:\Windows\SysWOW64\RManFUSClient.exe
      "C:\Windows\SysWOW64\RManFUSClient.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1848
    • C:\Windows\SysWOW64\RManFUSClient.exe
      C:\Windows\SysWOW64\RManFUSClient.exe /tray
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2508

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\65F4.tmp\Autorun.reg

    Filesize

    338B

    MD5

    838adedefbfc54ea749dbb3cbf889e04

    SHA1

    3ab9a263996437a5c9b9a62fa7562c34ee9d730b

    SHA256

    996b4bed9fefd6a4310292f294d54879dbf9e523f143f94837503710ba7fb542

    SHA512

    71b5ed6a702628b6b70aca5c7932882922c5630c2a8aa58a1a7896517281efb8b39a997f3bbb6b8e7c2d9bd9a3826538568c07ab1ed2d6ccbde5e00c3db2790a

  • C:\Users\Admin\AppData\Local\Temp\65F4.tmp\HookDrv.dll

    Filesize

    174KB

    MD5

    895d68b21984db50bfbffc88d289f5da

    SHA1

    2cc6625e1fcdeac9dceb6a0f381f52ba574365a8

    SHA256

    d3b6c19376b95cb9501181b42b7cbebd44b994d9652ef5fc103eec0d747b8e7d

    SHA512

    7d4d78b985c13fcd3ea835db7eab5373881257830e2f3f8cac3efc22b1e6d38ac99d1245539cf286beb6f67f077bb2582980c9f7c4250fd8546ff65edabcd68b

  • C:\Users\Admin\AppData\Local\Temp\65F4.tmp\Microsoft.VC80.CRT.manifest

    Filesize

    1KB

    MD5

    d34b3da03c59f38a510eaa8ccc151ec7

    SHA1

    41b978588a9902f5e14b2b693973cb210ed900b2

    SHA256

    a50941352cb9d8f7ba6fbf7db5c8af95fb5ab76fc5d60cfd0984e558678908cc

    SHA512

    231a97761d652a0fc133b930abba07d456ba6cd70703a632fd7292f6ee00e50ef28562159e54acc3fc6cc118f766ea3f2f8392579ae31cc9c0c1c0dd761d36f7

  • C:\Users\Admin\AppData\Local\Temp\65F4.tmp\Monitor.exe

    Filesize

    485KB

    MD5

    34091d46829a8474956451e03ac8bec0

    SHA1

    e625b1e5154f9946e5434879253fada3b4a55530

    SHA256

    df9d397b2b3201072a4fff263b094852c4fd41ab174a2ad7ae8e4f98cf273d6c

    SHA512

    4cbe1ca0b0895a67a520a5478204dd849c0544b0d8cda28014b36262a2ec28e8c2daca1688edb8465e7bd49ace274d6c0711d64f557310c2b7cd9710372b2b79

  • C:\Users\Admin\AppData\Local\Temp\65F4.tmp\PushSource.ax

    Filesize

    447KB

    MD5

    fb755251b8b9ac0f35494854f21ccdbf

    SHA1

    32de2cbfaf4a6d773f3b94af8e2a6cf66a01eabb

    SHA256

    ecbc5b49263df7950fd7329dfd44d5ad4da77845ffd1981afe3bd6798e1cd9f5

    SHA512

    a78d76ebefaa276f811b16b22caf84045982b305c13efb824db8b16b668fe07421486711567bfe83ecd4509a7b2896a0decaff624209c159f5a9e8b3e1dce215

  • C:\Users\Admin\AppData\Local\Temp\65F4.tmp\RManFUSClient.exe

    Filesize

    2.5MB

    MD5

    0af0dfc7b2d726e2c698909d678f267c

    SHA1

    36b9a69a73e3e28b1b1088403bf8bb3b6fe33d6f

    SHA256

    046ec1a641abea178947313eadbb9ea4164ef59eed78437234ab6805194cd92c

    SHA512

    739116edc753e765b730203d4f609c11e541ad964fb83bd0d63f69f962f8827c9e2d17b53b99c3709441beaf94a69d3f24ffbda1cc72856ecda62ceeac8bbf14

  • C:\Users\Admin\AppData\Local\Temp\65F4.tmp\RManIpcServer.dll

    Filesize

    124KB

    MD5

    7d94872e3bbf6b60aec6bfe03f2423d7

    SHA1

    67dd0a451e5a5247d077ffe347f404a0334b2d10

    SHA256

    a39ffbec4e0df7ad55467e2954d7cbb47b8116c46e348d419daed65bf55744e7

    SHA512

    25835b2d7ed18e85ab2939e00c1de66dd7a79dd95c08b692f97f6eb9217cc43a665eeaae5e7d216581ef5fa418353b24fc9f7d9b9ff022a6057b9801968a827b

  • C:\Users\Admin\AppData\Local\Temp\65F4.tmp\RManServer.exe

    Filesize

    3.0MB

    MD5

    275ceaf3c7e10e65bf581d5476e78dba

    SHA1

    2f1964303f7ff832758b488612b3f91e88e9affb

    SHA256

    e1c1dd13ecd145a14e5119cdb05b5e2aec12afa77e47f65d864579493af97318

    SHA512

    a9a2d96320d9e288f7293e9ca675fd8979f474dc85a7a8e504b9e80b0e6e93445912be0a2e98f653324682708a9f2f913d0b474f86f739ee71b17a1e47a8ea83

  • C:\Users\Admin\AppData\Local\Temp\65F4.tmp\RManWLN.dll

    Filesize

    311KB

    MD5

    4ed36e9479243d9426b196f306d21d04

    SHA1

    e102a9b2a8101b1105f6e3996df3ce6af17f31f4

    SHA256

    f54a5149b1df0f141ca14844fd38458761ebd43bdd63e7f516a88370ac0c917d

    SHA512

    46d94a53d0871d7ff728a2b6afd39b83978b37241e7f3e01e0d6e79de57ff81f20e081f4f210efd294ce274e5a79934078de4662d4da974a3279e5d6c93df5af

  • C:\Users\Admin\AppData\Local\Temp\65F4.tmp\Remote Manipulator System - Server.bat

    Filesize

    1KB

    MD5

    b8ca6a242f139d9fc202031e001b2c38

    SHA1

    9f944dc9596d64ac4cf1cda3095ee49bf46a40e1

    SHA256

    37e4a95c6e490627c070d3363f263d391740c8e5ac819c834588ac800e79d817

    SHA512

    0ac5b24778a58679af6210992a78c1d37e8f307a61a283809d356705dd3018ea6c9d65b78d266246ccedccab3e218eec0817e9561e82ef70384cae843a209699

  • C:\Users\Admin\AppData\Local\Temp\65F4.tmp\dsfOggMux.dll

    Filesize

    84KB

    MD5

    65889701199e41ae2abee652a232af6e

    SHA1

    3f76c39fde130b550013a4f13bfea2862b5628cf

    SHA256

    ef12a65d861a14aed28480946bc56fce479a21e9beac2983239eac6551d4f32e

    SHA512

    edbb1a1541a546d69e3fd64047a20613b47b3c08f2b639a53160b825c4a1462c4cc08a7bf417aa2db814f412fb16619c6c0d9364e21cc1c6d753ecf81f1d30f5

  • C:\Users\Admin\AppData\Local\Temp\65F4.tmp\dsfTheoraEncoder.dll

    Filesize

    240KB

    MD5

    5f2fc8a0d96a1e796a4daae9465f5dd6

    SHA1

    224f13f3cbaa441c0cb6d6300715fda7136408ea

    SHA256

    f8686d8752801bb21c3d94ebe743758d79b9b59f33589ec8620e75a949d1871f

    SHA512

    da866275159b434205f259176c3937b7c77b14ed95d052152b05b984909e094bbd3b2702d3e874a4a1e1bc02fc5a8476ea43df8aee43542d56e832eacc8f54ad

  • C:\Users\Admin\AppData\Local\Temp\65F4.tmp\dsfVorbisEncoder.dll

    Filesize

    1.6MB

    MD5

    086a9fd9179aad7911561eeff08cf7e2

    SHA1

    d390c28376e08769a06a4a8b46609b3a668f728b

    SHA256

    2cede6701b73a4ddd6422fde157ea54644a3a9598b3ba217cf2b30b595cf6282

    SHA512

    a98f593a306208da49e57e265daf37d6b1bd9f190fba45d65dd6cfa08801b760f540ea5cc443f9a1512eb5ddc01b1e4e28fc8ddecb9c0f1d42c884c4efaa7193

  • C:\Users\Admin\AppData\Local\Temp\65F4.tmp\msvcp80.dll

    Filesize

    541KB

    MD5

    8c53ccd787c381cd535d8dcca12584d8

    SHA1

    bc7ce60270a58450596aa3e3e5d0a99f731333d9

    SHA256

    384aaee2a103f7ed5c3ba59d4fb2ba22313aaa1fbc5d232c29dbc14d38e0b528

    SHA512

    e86c1426f1ad62d8f9bb1196dee647477f71b9aacafabb181f35e639c105779f95f1576b72c0a9216e876430383b8d44f27748b13c25e0548c254a0f641e4755

  • C:\Users\Admin\AppData\Local\Temp\65F4.tmp\msvcr80.dll

    Filesize

    617KB

    MD5

    1169436ee42f860c7db37a4692b38f0e

    SHA1

    4ccd15bf2c1b1d541ac883b0f42497e8ced6a5a3

    SHA256

    9382aaed2db19cd75a70e38964f06c63f19f63c9dfb5a33b0c2d445bb41b6e46

    SHA512

    e06064eb95a2ab9c3343672072f5b3f5983fc8ea9e5c92f79e50ba2e259d6d5fa8ed97170dea6d0d032ea6c01e074eefaab850d28965c7522fb7e03d9c65eae0

  • C:\Users\Admin\AppData\Local\Temp\65F4.tmp\settings.reg

    Filesize

    11KB

    MD5

    4b3e03d85e20ed8800047413f3546caa

    SHA1

    2cccd97b59c9f63019d8db1a229ab6ebe25dba78

    SHA256

    f0535a9f2f48b59c3745350608551164f3ad0d3d82a7a4cd89facae2d98c1c4c

    SHA512

    3bf439390338642fa9420f57ea0d6f66ff9d20285c2fbbef7d817c1073f7e34a451c9308833a821dcf72d4a392dad335f07dbd385665448c4800718779549fbc

  • memory/1148-89-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/1148-91-0x0000000000400000-0x000000000078A000-memory.dmp

    Filesize

    3.5MB

  • memory/1248-117-0x0000000000400000-0x000000000078A000-memory.dmp

    Filesize

    3.5MB

  • memory/1848-125-0x0000000000400000-0x0000000000718000-memory.dmp

    Filesize

    3.1MB

  • memory/2324-96-0x0000000000400000-0x000000000078A000-memory.dmp

    Filesize

    3.5MB

  • memory/2508-126-0x0000000000400000-0x0000000000718000-memory.dmp

    Filesize

    3.1MB

  • memory/2664-124-0x0000000000400000-0x000000000078A000-memory.dmp

    Filesize

    3.5MB

  • memory/2892-120-0x0000000000400000-0x0000000000E3B000-memory.dmp

    Filesize

    10.2MB

  • memory/2892-0-0x0000000000400000-0x0000000000E3B000-memory.dmp

    Filesize

    10.2MB

  • memory/2912-106-0x0000000000400000-0x000000000047E000-memory.dmp

    Filesize

    504KB