Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
10-10-2024 17:28
General
-
Target
3115ae3f07c79e025c5f1d443b9599aa_JaffaCakes118.exe
-
Size
3.9MB
-
MD5
3115ae3f07c79e025c5f1d443b9599aa
-
SHA1
6afa27129ccb2d60143813b860a6c8fb5a9fc14d
-
SHA256
ce980dfdde975dea04d30301133ef8057bcf06669f7a023215cab1387b9e90e7
-
SHA512
bf52d506389be07b540b98cd6d132ec2d461cc4e53448862af560aead087a76f5a1ac96f8ba81e31e52617da9a494f9278287f9dfa2f4e71035c8127a61a49ab
-
SSDEEP
49152:N0kwPNXIDzdVl5g9QW2LA7KVbfmaL4CcTsikCSfJ6uBg6hASFpsa4krLWlzxfjgH:G/INaaW8A7KR+YxcTsiq0uBHxrLWldgx
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Indicator Removal: Network Share Connection Removal 1 TTPs 2 IoCs
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
-
Modifies Windows Firewall 2 TTPs 7 IoCs
-
Sets file to hidden 1 TTPs 3 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 8 IoCs
-
Drops file in System32 directory 27 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 21 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 45 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Kills process with taskkill 1 IoCs
-
Modifies registry key 1 TTPs 2 IoCs
-
Runs .reg file with regedit 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3115ae3f07c79e025c5f1d443b9599aa_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3115ae3f07c79e025c5f1d443b9599aa_JaffaCakes118.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\zvuk.exe"C:\Users\Admin\AppData\Local\Temp\zvuk.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CF08.tmp\5.bat" "3⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im RManServer.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\SYSTEM\Remote Manipulator System" /f4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Windows\System32\3078"4⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r "C:\Users\Admin\AppData\Local\Temp/realip.exe"4⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\install.bat"4⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r "C:\Windows\system32\cam_server.exe"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r "C:\Windows\SysWOW64\cam_server.exe"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\Windows\system32\rserver30"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\Windows\SysWOW64\rserver30"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r "C:\Windows\system32\r_server.exe"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r "C:\Windows\SysWOW64\r_server.exe"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\net.exenet stop Telnet4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Telnet5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\sc.exesc config tlntsvr start= disabled4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\net.exenet stop "Service Host Controller"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Service Host Controller"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet user HelpAssistant /delete4⤵
- Indicator Removal: Network Share Connection Removal
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user HelpAssistant /delete5⤵
- Indicator Removal: Network Share Connection Removal
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /tn security /f4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name="Microsoft Outlook Express"4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name="Service Host Controller"4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name="ò«ßΓ-»α«µÑßß ñ½∩ ß½πªí Windows"4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name="ò«ßΓ-»α«µÑßß ñ½∩ ºáñáτ Windows"4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete portopening tcp 570094⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name="cam_server"4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete portopening tcp 57011 all4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v "Ä»Ñαᵿ«¡¡á∩ ß¿ßΓѼá Microsoft Windows" /f4⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v "Service Host Controller" /f4⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v HelpAssistant /f4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "cam_server.exe" /f4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\System\CurrentControlSet\Services\RServer3" /f4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\3078\svshoct.exe"svshoct.exe" /silentinstall4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\3078\svshoct.exe"svshoct.exe" /firewall4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s ses.reg4⤵
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\3078\svshoct.exe"svshoct.exe" /start4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r "C:\Users\Admin\AppData\Local\Temp/HookLib.dll"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r "C:\Users\Admin\AppData\Local\Temp/realip.exe"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r "C:\Users\Admin\AppData\Local\Temp\install.bat"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
-
C:\Windows\SysWOW64\3078\svshoct.exeC:\Windows\SysWOW64\3078\svshoct.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\3078\explolerte.exeC:\Windows\SysWOW64\3078\explolerte.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\3078\explolerte.exeC:\Windows\SysWOW64\3078\explolerte.exe /tray3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: SetClipboardViewer
-
-
-
C:\Windows\SysWOW64\3078\explolerte.exeC:\Windows\SysWOW64\3078\explolerte.exe /tray2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify System Firewall
1Indicator Removal
1Network Share Connection Removal
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5f48e14ca469d6cfa222d9dc290477ab2
SHA1a27215a31fd96e529f79f23550d1aca6f0b3824d
SHA25659eee02533f8d0f0a6d52f122687d0ee18c25518e204005db3f4dbc6e170c6a7
SHA512161d4937a6134fc882544bb1d3511ce500cd047c5a504352b24eef00fc789e4a26f547b8444439aa06511a8e7038d6a283659e1a86f20f3b5f2f244feef7552f
-
Filesize
1KB
MD553213fc8c2cb0d6f77ca6cbd40fff22c
SHA1d8ba81ed6586825835b76e9d566077466ee41a85
SHA25603d0776812368478ce60e8160ec3c6938782db1832f5cb53b7842e5840f9dbc5
SHA512e3ced32a2eabfd0028ec16e62687573d86c0112b2b1d965f1f9d0bb5557cef5fdf5233e87fe73be621a52affe4ce53bedf958558aa899646fa390f4541cf11eb
-
Filesize
144KB
MD530e269f850baf6ca25187815912e21c5
SHA1eb160de97d12b4e96f350dd0d0126d41d658afb3
SHA256379191bfd34d41e96760c7a539e2056a22be3d44bf0e8712b53e443f55aead90
SHA5129b86a4eefdcae46e605f85e752ef61e39fd0212a19b7fd4c35eb3ab99851a0b906d048d12d1e1e985a340a67a64d405b8cf803555865137278f0c19d686df5e7
-
Filesize
357KB
MD5bb1f3e716d12734d1d2d9219a3979a62
SHA10ef66eed2f2ae45ec2d478902833b830334109cb
SHA256d7e9c9043ed7df2af800d9b2a33e3efddf68b70f043e9717afc4b7dd4e13e077
SHA512bbc90747dd45a01b05f5c0b6fa58ffe18af894b05363267ac1cc9fe3262f5e65c8ae4e08dfd82d89b9112e86e42d24a12784b79f5ea30b6443015c19b6792c9c
-
Filesize
234KB
MD58e3f59b8c9dfc933fca30edefeb76186
SHA137a78089d5936d1bc3b60915971604c611a94dbd
SHA256528c0656751b336c10cb4c49b703eae9c3863f7f416d0e09b198b082cc54aeb8
SHA5123224c20c30556774fd4bed78909f451b9a5a46aa59271b5e88b1e0e60145d217802a8f1fda3d3fabcd8546ca7783e0c70f0c419a28efe6c5160a102553a3c91d
-
Filesize
1.6MB
MD5ff622a8812d8b1eff8f8d1a32087f9d2
SHA1910615c9374b8734794ac885707ff5370db42ef1
SHA2561b8fe11c0bdcbf1f4503c478843de02177c606912c89e655e482adec787c2ebf
SHA5121a7c49f172691bf071df0d47d6ee270afbfa889afb8d5bd893496277fd816630ecd7b50c978b53d88228922ba6070f382b959ffc389394e0f08daab107369931
-
Filesize
3.9MB
MD564c3c2e5e0f1020aca5379a867ebfc53
SHA19fc98bc3f3affeb2310f067a7af27ead0dc0851f
SHA25663a57b1ad18eddfb72246678aef894b5c209679075747e15733e4a9fdfafbfa8
SHA51291734f49acd54f11240605bb779372d76fac53aff0c07b87acaad9fb44328e4c28302c953ac853d573bd9045e4772c0f29cb231d4852d967cf2399c577840506
-
Filesize
1.6MB
MD5871c903a90c45ca08a9d42803916c3f7
SHA1d962a12bc15bfb4c505bb63f603ca211588958db
SHA256f1da32183b3da19f75fa4ef0974a64895266b16d119bbb1da9fe63867dba0645
SHA512985b0b8b5e3d96acfd0514676d9f0c5d2d8f11e31f01acfa0f7da9af3568e12343ca77f541f55edda6a0e5c14fe733bda5dc1c10bb170d40d15b7a60ad000145
-
Filesize
556KB
MD5b2eee3dee31f50e082e9c720a6d7757d
SHA13322840fef43c92fb55dc31e682d19970daf159d
SHA2564608beedd8cf9c3fc5ab03716b4ab6f01c7b7d65a7c072af04f514ffb0e02d01
SHA5128b1854e80045001e7ab3a978fb4aa1de19a3c9fc206013d7bc43aec919f45e46bb7555f667d9f7d7833ab8baa55c9098af8872006ff277fc364a5e6f99ee25d3
-
Filesize
637KB
MD57538050656fe5d63cb4b80349dd1cfe3
SHA1f825c40fee87cc9952a61c8c34e9f6eee8da742d
SHA256e16bc9b66642151de612ee045c2810ca6146975015bd9679a354567f56da2099
SHA512843e22630254d222dfd12166c701f6cd1dca4a8dc216c7a8c9c0ab1afc90189cfa8b6499bbc46408008a1d985394eb8a660b1fa1991059a65c09e8d6481a3af8
-
Filesize
24KB
MD535d6ee5717cce608d224bf476820e879
SHA1febc0f3b8be6489d777122463c04bec580c38b52
SHA256b8ee6b470a3214d0d5be2800de0a4dad5a8b712f2edb6b4fabab0a7e608c2ee5
SHA5123e965ab39690d354c30c35ed120420097984f578dbe942a6860f66cdc37d283c2ec6ad4a23b0d85c2375dfddaa9cb867da5e00cc3b6cb15ff1e350ffd38fa6be
-
Filesize
5.0MB
MD5fb110624e99bb64aa9d6d50878ef9a48
SHA142756227deffd53a432b44be23c7482efaf24f38
SHA256a88006d123a2465d2aacd99705ee0afaf51ad5a23156231a9a5f657c41dcaca2
SHA51273e61f1234d20381a6fcd92b0cf1b07b9fe8cffa5e7abf0521bdb0830e91261da7a3a0130a907788a1877d6dff9048a500878ab0a27350812f6bbd6ff32ff0e5
-
Filesize
403KB
MD56f6bfe02e84a595a56b456f72debd4ee
SHA190bad3ae1746c7a45df2dbf44cd536eb1bf3c8e2
SHA2565e59b566eda7bb36f3f5d6dd39858bc9d6cf2c8d81deca4ea3c409804247da51
SHA512ed2a7402699a6d00d1eac52b0f2dea4475173be3320dfbad5ca58877f06638769533229bc12bce6650726d3166c0e5ebac2dad7171b77b29186d4d5e65818c50
-
Filesize
685KB
MD5c638bca1a67911af7f9ed67e7b501154
SHA10fd74d2f1bd78f678b897a776d8bce36742c39b7
SHA256519078219f7f6db542f747702422f902a21bfc3aef8c6e6c3580e1c5e88162b8
SHA512ca8133399f61a1f339a14e3fad3bfafc6fe3657801fd66df761c88c18b2dc23ceb02ba6faa536690986972933bec2808254ef143c2c22f881285facb4364659f
-
Filesize
3.8MB
MD593f84b4493c7158f6b7cef35a2fdc27d
SHA15ba76588ee20a8a7d077e87f6d2dabd11a673473
SHA256e39be88d657d3c65dadb8df7ca09a0028b23f1167f33435315f64cb7a924da2e
SHA5128f2fddcedf77aab13432dc65320ccc1234335c9b0745759e424b0c8c977f49fed6d42758e0dc4eda3aeeb7498cb8de1e502d83c60d1c472eb0a4ce8af78afcd1
-
Filesize
5.6MB
-
Filesize
4.4MB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
15.6MB
-
Filesize
15.6MB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB