rms | a0fc8ca5b0dea7804ab3a90e8fc76c6f7860ba2bf2fb334022841a14e4c080d2

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2024 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c4248712dc21b0c906298184f4a9d37_JaffaCakes118.exe
Size

2.0MB
MD5

8c4248712dc21b0c906298184f4a9d37
SHA1

c8aae07384e9764395355ed7e82f6cffd672f9c9
SHA256

a0fc8ca5b0dea7804ab3a90e8fc76c6f7860ba2bf2fb334022841a14e4c080d2
SHA512

aa7924f053ca54ab9d2842279b967e572f810288ab2962ece54138585c24faed539f6c7dde1be92bc3533baaa1c576b06ee57b42a5d5e217c12b209b1513cf5c
SSDEEP

49152:43JOba0ycVSDhdh2T9tn/QYN1sz35Re8i4GWzpG:4gm0VVSDhdA5aS4GWlG

Score

10^/10

rms discovery evasion persistence privilege_escalation rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Rms family
rms

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2272	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	8c4248712dc21b0c906298184f4a9d37_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	inlll.exe

Executes dropped EXE 7 IoCs

pid	Process
1068	inlll.exe
996	RManServer.exe
1316	RManServer.exe
2912	RManServer.exe
1892	RManServer.exe
4240	RManFUSClient.exe
3664	RManFUSClient.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\RManFUSClient.exe	8c4248712dc21b0c906298184f4a9d37_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\RManServer.exe	8c4248712dc21b0c906298184f4a9d37_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\HookDrv.dll	attrib.exe
File opened for modification	C:\Windows\SysWOW64\RManFUSClient.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\RManServer.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\HookDrv.dll	8c4248712dc21b0c906298184f4a9d37_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\inlll.exe	8c4248712dc21b0c906298184f4a9d37_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\rasder.reg	8c4248712dc21b0c906298184f4a9d37_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023c9f-23.dat	upx
behavioral2/memory/1068-32-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/1068-52-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RManServer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RManServer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RManServer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RManFUSClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RManFUSClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c4248712dc21b0c906298184f4a9d37_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RManServer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inlll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1776	regedit.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1892	RManServer.exe
1892	RManServer.exe
1892	RManServer.exe
1892	RManServer.exe
4240	RManFUSClient.exe
4240	RManFUSClient.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1316	RManServer.exe
Token: SeDebugPrivilege	2912	RManServer.exe
Token: SeTakeOwnershipPrivilege	1892	RManServer.exe
Token: SeTcbPrivilege	1892	RManServer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3664	RManFUSClient.exe
3664	RManFUSClient.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3664	RManFUSClient.exe
3664	RManFUSClient.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1332 wrote to memory of 1068	1332	8c4248712dc21b0c906298184f4a9d37_JaffaCakes118.exe	85
PID 1332 wrote to memory of 1068	1332	8c4248712dc21b0c906298184f4a9d37_JaffaCakes118.exe	85
PID 1332 wrote to memory of 1068	1332	8c4248712dc21b0c906298184f4a9d37_JaffaCakes118.exe	85
PID 1068 wrote to memory of 2116	1068	inlll.exe	86
PID 1068 wrote to memory of 2116	1068	inlll.exe	86
PID 1068 wrote to memory of 2116	1068	inlll.exe	86
PID 2116 wrote to memory of 2272	2116	cmd.exe	89
PID 2116 wrote to memory of 2272	2116	cmd.exe	89
PID 2116 wrote to memory of 2272	2116	cmd.exe	89
PID 2116 wrote to memory of 3688	2116	cmd.exe	91
PID 2116 wrote to memory of 3688	2116	cmd.exe	91
PID 2116 wrote to memory of 3688	2116	cmd.exe	91
PID 2116 wrote to memory of 2276	2116	cmd.exe	93
PID 2116 wrote to memory of 2276	2116	cmd.exe	93
PID 2116 wrote to memory of 2276	2116	cmd.exe	93
PID 2116 wrote to memory of 2084	2116	cmd.exe	94
PID 2116 wrote to memory of 2084	2116	cmd.exe	94
PID 2116 wrote to memory of 2084	2116	cmd.exe	94
PID 2116 wrote to memory of 1776	2116	cmd.exe	95
PID 2116 wrote to memory of 1776	2116	cmd.exe	95
PID 2116 wrote to memory of 1776	2116	cmd.exe	95
PID 2116 wrote to memory of 996	2116	cmd.exe	97
PID 2116 wrote to memory of 996	2116	cmd.exe	97
PID 2116 wrote to memory of 996	2116	cmd.exe	97
PID 2116 wrote to memory of 1316	2116	cmd.exe	98
PID 2116 wrote to memory of 1316	2116	cmd.exe	98
PID 2116 wrote to memory of 1316	2116	cmd.exe	98
PID 2116 wrote to memory of 2912	2116	cmd.exe	99
PID 2116 wrote to memory of 2912	2116	cmd.exe	99
PID 2116 wrote to memory of 2912	2116	cmd.exe	99
PID 1892 wrote to memory of 4240	1892	RManServer.exe	101
PID 1892 wrote to memory of 4240	1892	RManServer.exe	101
PID 1892 wrote to memory of 4240	1892	RManServer.exe	101
PID 1892 wrote to memory of 3664	1892	RManServer.exe	102
PID 1892 wrote to memory of 3664	1892	RManServer.exe	102
PID 1892 wrote to memory of 3664	1892	RManServer.exe	102

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3688	attrib.exe
2276	attrib.exe
2084	attrib.exe

C:\Users\Admin\AppData\Local\Temp\8c4248712dc21b0c906298184f4a9d37_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8c4248712dc21b0c906298184f4a9d37_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Windows\SysWOW64\inlll.exe
  "C:\Windows\system32\inlll.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A289.tmp\install.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall add portopening tcp 5650 win
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2272
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +s +r +a "C:\Windows\system32\HookDrv.dll"
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3688
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +s +r +a "C:\Windows\system32\RManFUSClient.exe"
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2276
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +s +r +a "C:\Windows\system32\RManServer.exe"
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2084
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s raka.reg
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:1776
  - - C:\Windows\SysWOW64\RManServer.exe
      "C:\Windows\system32\RManServer.exe" /server /firewall
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:996
  - - C:\Windows\SysWOW64\RManServer.exe
      "C:\Windows\system32\RManServer.exe" /server /silentinstall
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1316
  - - C:\Windows\SysWOW64\RManServer.exe
      "C:\Windows\system32\RManServer.exe" /server /start
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2912

C:\Windows\SysWOW64\RManServer.exe
C:\Windows\SysWOW64\RManServer.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\SysWOW64\RManFUSClient.exe
  "C:\Windows\SysWOW64\RManFUSClient.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4240
- C:\Windows\SysWOW64\RManFUSClient.exe
  C:\Windows\SysWOW64\RManFUSClient.exe /tray
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A289.tmp\install.bat

Filesize
514B

MD5
a4c53ec2a48d7f226ffdbde3ceac2a33

SHA1
2c90fee836bd34dda243f64f12970dfb4d73f4ec

SHA256
ba5372c6d8a76a9b9a8c8ea7bff78c83874e119f35acd2be09fbf52232dee4c9

SHA512
7894a7d192b3f06aed568561891860ee888ce0a314767b56399c73624b37906f2421af74496023a3f19c49e36fd77483d35ae9b75b8c0a4b37191fb2c9d036c0

Download Submit
C:\Windows\SysWOW64\HookDrv.dll

Filesize
174KB

MD5
895d68b21984db50bfbffc88d289f5da

SHA1
2cc6625e1fcdeac9dceb6a0f381f52ba574365a8

SHA256
d3b6c19376b95cb9501181b42b7cbebd44b994d9652ef5fc103eec0d747b8e7d

SHA512
7d4d78b985c13fcd3ea835db7eab5373881257830e2f3f8cac3efc22b1e6d38ac99d1245539cf286beb6f67f077bb2582980c9f7c4250fd8546ff65edabcd68b

Download Submit
C:\Windows\SysWOW64\RManFUSClient.exe

Filesize
2.5MB

MD5
ef5fcd5ccda74185734515c783c7f5c9

SHA1
f1cb2ab838542d2a14b52c1d9213d1993b8f9e4d

SHA256
a76d7d4f6c2b1cf72ac7f2f7a434f9a7914f0c364548c8272cf7e3e2e7e5c01a

SHA512
3d531cfe3888c09156b66512b68a871f46c3a6a0c9f1572e835ba538d6265fe0551e33f26049766ef667344dbc9cc73dfc1a3322db176df67437e14326f3f05c

Download Submit
C:\Windows\SysWOW64\RManServer.exe

Filesize
3.0MB

MD5
d9f8684825a5a9caf57d819aaa21e647

SHA1
826e8a595a93b39630eb192d5c4122a291043aac

SHA256
646d77df8970bcf22538f4b608585a3a88ca8c44a4f249045a3279211f456c74

SHA512
f8dd703ba5494c010dad86dff5171439922abb499418eba88b3fc161c4681bada3f9fc7fb054d758c0c3da15303e56f165fd282de282cc939f3b4fc82cbe7050

Download Submit
C:\Windows\SysWOW64\inlll.exe

Filesize
29KB

MD5
0c6bd7a3f0c9e9f83ca098d3d3f44320

SHA1
4d24cc0b6c4ea06374260d3386d6539ef8e0e18f

SHA256
1655a42b5ebd43b2fa927061d486e85a46b10107fed77618498d713ca84b67ce

SHA512
0250cee0786b5b3ed093bca03469947a8963ef6fdffb8590185e4b54d72fc64fe369eb9d4e1765c3433f1564fdd991defe53456f7109d94587d8920edc764304

Download Submit
memory/996-43-0x0000000000400000-0x0000000000786000-memory.dmp

Filesize
3.5MB

Download
memory/1068-32-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1068-52-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1316-45-0x0000000000400000-0x0000000000786000-memory.dmp

Filesize
3.5MB

Download
memory/1332-34-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1892-55-0x0000000000400000-0x0000000000786000-memory.dmp

Filesize
3.5MB

Download
memory/2912-50-0x0000000000400000-0x0000000000786000-memory.dmp

Filesize
3.5MB

Download
memory/3664-57-0x0000000000400000-0x0000000000718000-memory.dmp

Filesize
3.1MB

Download
memory/4240-56-0x0000000000400000-0x0000000000718000-memory.dmp

Filesize
3.1MB

Download