rms | 5158d871a7011e31c681f26a98d2b4215037261563500117875e4540c66f8706

General

Target

634b9b275dc6beaae17b4bdebcea8080_JaffaCakes118.exe
Size

2.3MB
MD5

634b9b275dc6beaae17b4bdebcea8080
SHA1

45158df97c438217892133074f1ddbb10f119e30
SHA256

5158d871a7011e31c681f26a98d2b4215037261563500117875e4540c66f8706
SHA512

824f2ac9a9776c7fafba819fc6c16b08decac478673b7cae422daf812581d6642bc7bd2a048eb37250d8b702dc6b12087509148d76f565adb5828e3037217281
SSDEEP

49152:pAI+jA+6K5XPE/KaP7B6enfDhiO9djGmYQIubnx7TlUVKodrK:pAI+M+6KFIpnf0CFY8bnxnVUrK

Score

10^/10

rms discovery rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 2 IoCs

pid	Process
2500	rutserv.exe
2872	rfusclient.exe

Loads dropped DLL 4 IoCs

pid	Process
2492	634b9b275dc6beaae17b4bdebcea8080_JaffaCakes118.exe
2500	rutserv.exe
2500	rutserv.exe
2872	rfusclient.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\liko\HookDrv.dll	634b9b275dc6beaae17b4bdebcea8080_JaffaCakes118.exe
File opened for modification	C:\Windows\liko\rfusclient.exe	634b9b275dc6beaae17b4bdebcea8080_JaffaCakes118.exe
File opened for modification	C:\Windows\liko\rutserv.exe	634b9b275dc6beaae17b4bdebcea8080_JaffaCakes118.exe
File opened for modification	C:\Windows\liko\rversionlib.dll	634b9b275dc6beaae17b4bdebcea8080_JaffaCakes118.exe
File opened for modification	C:\Windows\liko\key.reg	634b9b275dc6beaae17b4bdebcea8080_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	634b9b275dc6beaae17b4bdebcea8080_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rfusclient.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2500	rutserv.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2500	rutserv.exe
Token: SeTcbPrivilege	2500	rutserv.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2872	rfusclient.exe
2872	rfusclient.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2872	rfusclient.exe
2872	rfusclient.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2500	2492	634b9b275dc6beaae17b4bdebcea8080_JaffaCakes118.exe	30
PID 2492 wrote to memory of 2500	2492	634b9b275dc6beaae17b4bdebcea8080_JaffaCakes118.exe	30
PID 2492 wrote to memory of 2500	2492	634b9b275dc6beaae17b4bdebcea8080_JaffaCakes118.exe	30
PID 2492 wrote to memory of 2500	2492	634b9b275dc6beaae17b4bdebcea8080_JaffaCakes118.exe	30
PID 2500 wrote to memory of 2872	2500	rutserv.exe	32
PID 2500 wrote to memory of 2872	2500	rutserv.exe	32
PID 2500 wrote to memory of 2872	2500	rutserv.exe	32
PID 2500 wrote to memory of 2872	2500	rutserv.exe	32

C:\Users\Admin\AppData\Local\Temp\634b9b275dc6beaae17b4bdebcea8080_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\634b9b275dc6beaae17b4bdebcea8080_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\liko\rutserv.exe
  "C:\Windows\liko\rutserv.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\liko\rfusclient.exe
    C:\Windows\liko\rfusclient.exe /tray /user
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\liko\HookDrv.dll

Filesize
144KB

MD5
513066a38057079e232f5f99baef2b94

SHA1
a6da9e87415b8918447ec361ba98703d12b4ee76

SHA256
02dbea75e8dbcdfc12c6b92a6c08efad83d4ca742ed7aee393ab26cab0c58f9e

SHA512
83a074bef57f78ede2488dd586b963b92837e17eea77ebd1464f3da06954ae8ca07f040089af0c257e2836611ae39424574bd365aea4a6318a2707e031cd31a5

Download Submit
C:\Windows\liko\rfusclient.exe

Filesize
2.8MB

MD5
a90c6e72a9e2602560c521a1647664ad

SHA1
22f7f0ddb0af04df7109c3ddbb7027909041fa73

SHA256
579e5984ad5eb6e5e4b004acd01c95f609a1330f3900cd9851562eb4ac879197

SHA512
fbba623cab28c0648e8bdd03c99df9e2a84180d72ea8e63367e943f8b432ebc36a7e10a8bfce11ad1803e54a8514f1ded4fec72e680ee04386965b5eb6a5d6c2

Download Submit
C:\Windows\liko\rutserv.exe

Filesize
3.2MB

MD5
62dbd11dc36780e35af1aafaa6a8f0f1

SHA1
dc6aaac7171b351be3397c3e0e1769dffa848723

SHA256
b06604ee55206b081a8378f771f3501f48df1c0023b1d6edcbc5f781aa521f57

SHA512
b7f311286387ab39a0a54ac3dbcb74d9db3de4e2657dd6f0e182e38e9ed5400e87f1000c7b978fd4bb34fc373dd99bcb18271296f03248366a9cb52afdaa695d

Download Submit
C:\Windows\liko\rversionlib.dll

Filesize
310KB

MD5
3f95a06f40eaf51b86cef2bf036ebd7a

SHA1
64009c5f79661eb2f82c9a76a843c0d3a856695d

SHA256
1eb88258b18b215b44620326e35c90a8589f384710e7b2d61abf4f59203bd82d

SHA512
6f28b5de28026319bed198f06b5461f688ca401129f1125e9e9d3b58956cc0d546234c2d202827bd74b99afd2ead958a863a520a1f4b7e599d385a8a67062897

Download Submit
memory/2492-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2500-64-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/2500-76-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/2500-96-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/2500-92-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/2500-42-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2500-88-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/2500-84-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/2500-80-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/2500-43-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/2500-44-0x0000000000230000-0x0000000000288000-memory.dmp

Filesize
352KB

Download
memory/2500-49-0x0000000000230000-0x0000000000288000-memory.dmp

Filesize
352KB

Download
memory/2500-48-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/2500-32-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2500-52-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/2500-56-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/2500-60-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/2500-31-0x0000000000230000-0x0000000000288000-memory.dmp

Filesize
352KB

Download
memory/2500-68-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/2500-72-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/2872-50-0x0000000000400000-0x000000000075E000-memory.dmp

Filesize
3.4MB

Download
memory/2872-46-0x00000000001C0000-0x0000000000218000-memory.dmp

Filesize
352KB

Download
memory/2872-47-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2872-45-0x0000000000400000-0x000000000075E000-memory.dmp

Filesize
3.4MB

Download
memory/2872-39-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2872-38-0x00000000001C0000-0x0000000000218000-memory.dmp

Filesize
352KB

Download

Analysis

Sharing