Analysis

  • max time kernel
    148s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-11-2024 15:49

General

  • Target: 8c4248712dc21b0c906298184f4a9d37_JaffaCakes118.exe
  • Size: 2.0MB
  • MD5: 8c4248712dc21b0c906298184f4a9d37
  • SHA1: c8aae07384e9764395355ed7e82f6cffd672f9c9
  • SHA256: a0fc8ca5b0dea7804ab3a90e8fc76c6f7860ba2bf2fb334022841a14e4c080d2
  • SHA512: aa7924f053ca54ab9d2842279b967e572f810288ab2962ece54138585c24faed539f6c7dde1be92bc3533baaa1c576b06ee57b42a5d5e217c12b209b1513cf5c
  • SSDEEP: 49152:43JOba0ycVSDhdh2T9tn/QYN1sz35Re8i4GWzpG:4gm0VVSDhdA5aS4GWlG

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

  • Rms family
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 7 IoCs
  • Drops file in System32 directory 8 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs
  • Views/modifies file attributes 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c4248712dc21b0c906298184f4a9d37_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8c4248712dc21b0c906298184f4a9d37_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Windows\SysWOW64\inlll.exe
      "C:\Windows\system32\inlll.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\84D9.tmp\install.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2768
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall add portopening tcp 5650 win
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2820
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h +s +r +a "C:\Windows\system32\HookDrv.dll"
          4⤵
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:996
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h +s +r +a "C:\Windows\system32\RManFUSClient.exe"
          4⤵
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2468
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h +s +r +a "C:\Windows\system32\RManServer.exe"
          4⤵
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1448
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s raka.reg
          4⤵
          • System Location Discovery: System Language Discovery
          • Runs .reg file with regedit
          PID:1544
        • C:\Windows\SysWOW64\RManServer.exe
          "C:\Windows\system32\RManServer.exe" /server /firewall
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1748
        • C:\Windows\SysWOW64\RManServer.exe
          "C:\Windows\system32\RManServer.exe" /server /silentinstall
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2928
        • C:\Windows\SysWOW64\RManServer.exe
          "C:\Windows\system32\RManServer.exe" /server /start
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2876
  • C:\Windows\SysWOW64\RManServer.exe
    C:\Windows\SysWOW64\RManServer.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Windows\SysWOW64\RManFUSClient.exe
      "C:\Windows\SysWOW64\RManFUSClient.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1988
    • C:\Windows\SysWOW64\RManFUSClient.exe
      C:\Windows\SysWOW64\RManFUSClient.exe /tray
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1796

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\84D9.tmp\install.bat
    Filesize: 514B
    MD5: a4c53ec2a48d7f226ffdbde3ceac2a33
    SHA1: 2c90fee836bd34dda243f64f12970dfb4d73f4ec
    SHA256: ba5372c6d8a76a9b9a8c8ea7bff78c83874e119f35acd2be09fbf52232dee4c9
    SHA512: 7894a7d192b3f06aed568561891860ee888ce0a314767b56399c73624b37906f2421af74496023a3f19c49e36fd77483d35ae9b75b8c0a4b37191fb2c9d036c0

  • C:\Windows\SysWOW64\HookDrv.dll
    Filesize: 174KB
    MD5: 895d68b21984db50bfbffc88d289f5da
    SHA1: 2cc6625e1fcdeac9dceb6a0f381f52ba574365a8
    SHA256: d3b6c19376b95cb9501181b42b7cbebd44b994d9652ef5fc103eec0d747b8e7d
    SHA512: 7d4d78b985c13fcd3ea835db7eab5373881257830e2f3f8cac3efc22b1e6d38ac99d1245539cf286beb6f67f077bb2582980c9f7c4250fd8546ff65edabcd68b

  • C:\Windows\SysWOW64\RManFUSClient.exe
    Filesize: 2.5MB
    MD5: ef5fcd5ccda74185734515c783c7f5c9
    SHA1: f1cb2ab838542d2a14b52c1d9213d1993b8f9e4d
    SHA256: a76d7d4f6c2b1cf72ac7f2f7a434f9a7914f0c364548c8272cf7e3e2e7e5c01a
    SHA512: 3d531cfe3888c09156b66512b68a871f46c3a6a0c9f1572e835ba538d6265fe0551e33f26049766ef667344dbc9cc73dfc1a3322db176df67437e14326f3f05c

  • C:\Windows\SysWOW64\RManServer.exe
    Filesize: 3.0MB
    MD5: d9f8684825a5a9caf57d819aaa21e647
    SHA1: 826e8a595a93b39630eb192d5c4122a291043aac
    SHA256: 646d77df8970bcf22538f4b608585a3a88ca8c44a4f249045a3279211f456c74
    SHA512: f8dd703ba5494c010dad86dff5171439922abb499418eba88b3fc161c4681bada3f9fc7fb054d758c0c3da15303e56f165fd282de282cc939f3b4fc82cbe7050

  • C:\Windows\SysWOW64\inlll.exe
    Filesize: 29KB
    MD5: 0c6bd7a3f0c9e9f83ca098d3d3f44320
    SHA1: 4d24cc0b6c4ea06374260d3386d6539ef8e0e18f
    SHA256: 1655a42b5ebd43b2fa927061d486e85a46b10107fed77618498d713ca84b67ce
    SHA512: 0250cee0786b5b3ed093bca03469947a8963ef6fdffb8590185e4b54d72fc64fe369eb9d4e1765c3433f1564fdd991defe53456f7109d94587d8920edc764304

  • memory/1640-31-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize: 148KB

  • memory/1732-70-0x0000000000400000-0x0000000000786000-memory.dmp
    Filesize: 3.5MB

  • memory/1748-53-0x0000000000400000-0x0000000000786000-memory.dmp
    Filesize: 3.5MB

  • memory/1796-72-0x0000000000400000-0x0000000000718000-memory.dmp
    Filesize: 3.1MB

  • memory/1988-71-0x0000000000400000-0x0000000000718000-memory.dmp
    Filesize: 3.1MB

  • memory/2704-32-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize: 80KB

  • memory/2704-66-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize: 80KB

  • memory/2876-60-0x0000000000400000-0x0000000000786000-memory.dmp
    Filesize: 3.5MB

  • memory/2928-56-0x0000000000400000-0x0000000000786000-memory.dmp
    Filesize: 3.5MB