Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-11-2024 18:49
Static task
static1
Behavioral task
behavioral1
Sample
a389e09c036ecdf3a84ea4bbe65e8b88_JaffaCakes118.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
a389e09c036ecdf3a84ea4bbe65e8b88_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
a389e09c036ecdf3a84ea4bbe65e8b88_JaffaCakes118.exe
-
Size
4.3MB
-
MD5
a389e09c036ecdf3a84ea4bbe65e8b88
-
SHA1
0044fb8a60a621d8366ad93e9e99b8e99ea37bf8
-
SHA256
e22cbaeb92b791e43ee4c70ad079fa2bb31faf721ce507390b41eadc1ca31cad
-
SHA512
103de51314420c6b84a4ef2e7111beebaa04004ecc3ccacfbc5f86c451e551e97590af570b86d9162a8c32d1e5c777e3bcbafa3edaffe28a8055cec971c4ba9c
-
SSDEEP
98304:7JYnakukyg+fCpLG9fevK46z4hF42Xp+wsTWgIZY3THkxfqvcQ9:7J+aHDnfCBsfewzcF42Xp+wZgIm3zkxw
Malware Config
Signatures
-
Rms family
-
Indicator Removal: Network Share Connection Removal 1 TTPs 2 IoCs
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
Processes:
net.exenet1.exepid Process 3824 net.exe 2884 net1.exe -
Modifies Windows Firewall 2 TTPs 8 IoCs
Processes:
netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exepid Process 4968 netsh.exe 3116 netsh.exe 4324 netsh.exe 2036 netsh.exe 4912 netsh.exe 4036 netsh.exe 3920 netsh.exe 1920 netsh.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
a389e09c036ecdf3a84ea4bbe65e8b88_JaffaCakes118.exeWScript.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation a389e09c036ecdf3a84ea4bbe65e8b88_JaffaCakes118.exe Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation WScript.exe -
Executes dropped EXE 8 IoCs
Processes:
rms.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exerfusclient.exerfusclient.exepid Process 4296 rms.exe 396 rutserv.exe 2636 rutserv.exe 1132 rutserv.exe 2936 rutserv.exe 1780 rfusclient.exe 3940 rfusclient.exe 5116 rfusclient.exe -
Loads dropped DLL 7 IoCs
Processes:
rutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exerfusclient.exerfusclient.exepid Process 396 rutserv.exe 2636 rutserv.exe 1132 rutserv.exe 2936 rutserv.exe 1780 rfusclient.exe 3940 rfusclient.exe 5116 rfusclient.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
rms.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svсhosts.exe = "C:\\Windows\\SysWOW64\\catroot3\\\\svсhosts.exe" rms.exe -
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral2/files/0x000a000000023b89-72.dat autoit_exe behavioral2/memory/4296-95-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe behavioral2/memory/4296-100-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe behavioral2/memory/4296-109-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe -
Drops file in System32 directory 19 IoCs
Processes:
rms.exerutserv.exedescription ioc Process File created C:\Windows\SysWOW64\catroot3\dsfVorbisEncoder.dll rms.exe File created C:\Windows\SysWOW64\catroot3\vp8decoder.dll rms.exe File created C:\Windows\SysWOW64\catroot3\svchosts.exe rms.exe File created C:\Windows\SysWOW64\catroot3\dsfVorbisDecoder.dll rms.exe File created C:\Windows\SysWOW64\catroot3\gdiplus.dll rms.exe File created C:\Windows\SysWOW64\catroot3\msvcp90.dll rms.exe File created C:\Windows\SysWOW64\catroot3\vp8encoder.dll rms.exe File created C:\Windows\SysWOW64\catroot3\ID.txt rms.exe File created C:\Windows\SysWOW64\catroot3\rfusclient.exe rms.exe File created C:\Windows\SysWOW64\catroot3\RIPCServer.dll rms.exe File created C:\Windows\SysWOW64\catroot3\RWLN.dll rms.exe File created C:\Windows\SysWOW64\RWLN.dll rutserv.exe File opened for modification C:\Windows\SysWOW64\RWLN.dll rutserv.exe File opened for modification C:\Windows\SysWOW64\catroot3\dsfVorbisDecoder.dll rms.exe File created C:\Windows\SysWOW64\catroot3\Microsoft.VC90.CRT.manifest rms.exe File created C:\Windows\SysWOW64\catroot3\msvcr90.dll rms.exe File created C:\Windows\SysWOW64\catroot3\rutserv.exe rms.exe File created C:\Windows\SysWOW64\catroot3\set.reg rms.exe File opened for modification C:\Windows\SysWOW64\catroot3 rms.exe -
Processes:
resource yara_rule behavioral2/files/0x000a000000023b8a-39.dat upx behavioral2/memory/4296-41-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral2/memory/4296-95-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral2/memory/4296-100-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral2/memory/4296-109-0x0000000000400000-0x00000000004C2000-memory.dmp upx -
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exepid Process 1632 sc.exe 5012 sc.exe -
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 24 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exedescription ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 31 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
rfusclient.execmd.exesc.exeschtasks.exenetsh.exerutserv.exerutserv.exenet1.exenet.exenet.exenetsh.exenetsh.exenet.exenet.exenet1.exenetsh.exerfusclient.exeWScript.exesc.exenetsh.exerutserv.exerutserv.exenetsh.exenet1.exeregedit.exerfusclient.exea389e09c036ecdf3a84ea4bbe65e8b88_JaffaCakes118.exerms.exenetsh.exenetsh.exenet1.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfusclient.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rutserv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rutserv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfusclient.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rutserv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rutserv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regedit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfusclient.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a389e09c036ecdf3a84ea4bbe65e8b88_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rms.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe -
Modifies registry class 1 IoCs
Processes:
a389e09c036ecdf3a84ea4bbe65e8b88_JaffaCakes118.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings a389e09c036ecdf3a84ea4bbe65e8b88_JaffaCakes118.exe -
Runs .reg file with regedit 1 IoCs
Processes:
regedit.exepid Process 4360 regedit.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
Processes:
rms.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exepid Process 4296 rms.exe 4296 rms.exe 4296 rms.exe 4296 rms.exe 4296 rms.exe 4296 rms.exe 4296 rms.exe 4296 rms.exe 4296 rms.exe 4296 rms.exe 4296 rms.exe 4296 rms.exe 4296 rms.exe 4296 rms.exe 396 rutserv.exe 396 rutserv.exe 2636 rutserv.exe 2636 rutserv.exe 1132 rutserv.exe 1132 rutserv.exe 2936 rutserv.exe 2936 rutserv.exe 2936 rutserv.exe 2936 rutserv.exe 2936 rutserv.exe 2936 rutserv.exe 1780 rfusclient.exe 1780 rfusclient.exe -
Suspicious behavior: SetClipboardViewer 1 IoCs
Processes:
rfusclient.exepid Process 5116 rfusclient.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
rutserv.exerutserv.exerutserv.exedescription pid Process Token: SeDebugPrivilege 396 rutserv.exe Token: SeDebugPrivilege 1132 rutserv.exe Token: SeTakeOwnershipPrivilege 2936 rutserv.exe Token: SeTcbPrivilege 2936 rutserv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
a389e09c036ecdf3a84ea4bbe65e8b88_JaffaCakes118.exeWScript.exerms.exenet.exenet.exenet.exenet.exedescription pid Process procid_target PID 808 wrote to memory of 4652 808 a389e09c036ecdf3a84ea4bbe65e8b88_JaffaCakes118.exe 83 PID 808 wrote to memory of 4652 808 a389e09c036ecdf3a84ea4bbe65e8b88_JaffaCakes118.exe 83 PID 808 wrote to memory of 4652 808 a389e09c036ecdf3a84ea4bbe65e8b88_JaffaCakes118.exe 83 PID 4652 wrote to memory of 4296 4652 WScript.exe 84 PID 4652 wrote to memory of 4296 4652 WScript.exe 84 PID 4652 wrote to memory of 4296 4652 WScript.exe 84 PID 808 wrote to memory of 1880 808 a389e09c036ecdf3a84ea4bbe65e8b88_JaffaCakes118.exe 85 PID 808 wrote to memory of 1880 808 a389e09c036ecdf3a84ea4bbe65e8b88_JaffaCakes118.exe 85 PID 808 wrote to memory of 1880 808 a389e09c036ecdf3a84ea4bbe65e8b88_JaffaCakes118.exe 85 PID 4296 wrote to memory of 3116 4296 rms.exe 87 PID 4296 wrote to memory of 3116 4296 rms.exe 87 PID 4296 wrote to memory of 3116 4296 rms.exe 87 PID 4296 wrote to memory of 1632 4296 rms.exe 89 PID 4296 wrote to memory of 1632 4296 rms.exe 89 PID 4296 wrote to memory of 1632 4296 rms.exe 89 PID 4296 wrote to memory of 960 4296 rms.exe 94 PID 4296 wrote to memory of 960 4296 rms.exe 94 PID 4296 wrote to memory of 960 4296 rms.exe 94 PID 960 wrote to memory of 3952 960 net.exe 96 PID 960 wrote to memory of 3952 960 net.exe 96 PID 960 wrote to memory of 3952 960 net.exe 96 PID 4296 wrote to memory of 3900 4296 rms.exe 97 PID 4296 wrote to memory of 3900 4296 rms.exe 97 PID 4296 wrote to memory of 3900 4296 rms.exe 97 PID 3900 wrote to memory of 4896 3900 net.exe 99 PID 3900 wrote to memory of 4896 3900 net.exe 99 PID 3900 wrote to memory of 4896 3900 net.exe 99 PID 4296 wrote to memory of 5012 4296 rms.exe 100 PID 4296 wrote to memory of 5012 4296 rms.exe 100 PID 4296 wrote to memory of 5012 4296 rms.exe 100 PID 4296 wrote to memory of 2960 4296 rms.exe 102 PID 4296 wrote to memory of 2960 4296 rms.exe 102 PID 4296 wrote to memory of 2960 4296 rms.exe 102 PID 2960 wrote to memory of 648 2960 net.exe 104 PID 2960 wrote to memory of 648 2960 net.exe 104 PID 2960 wrote to memory of 648 2960 net.exe 104 PID 4296 wrote to memory of 3824 4296 rms.exe 105 PID 4296 wrote to memory of 3824 4296 rms.exe 105 PID 4296 wrote to memory of 3824 4296 rms.exe 105 PID 3824 wrote to memory of 2884 3824 net.exe 107 PID 3824 wrote to memory of 2884 3824 net.exe 107 PID 3824 wrote to memory of 2884 3824 net.exe 107 PID 4296 wrote to memory of 920 4296 rms.exe 108 PID 4296 wrote to memory of 920 4296 rms.exe 108 PID 4296 wrote to memory of 920 4296 rms.exe 108 PID 4296 wrote to memory of 4324 4296 rms.exe 110 PID 4296 wrote to memory of 4324 4296 rms.exe 110 PID 4296 wrote to memory of 4324 4296 rms.exe 110 PID 4296 wrote to memory of 2036 4296 rms.exe 112 PID 4296 wrote to memory of 2036 4296 rms.exe 112 PID 4296 wrote to memory of 2036 4296 rms.exe 112 PID 4296 wrote to memory of 4912 4296 rms.exe 117 PID 4296 wrote to memory of 4912 4296 rms.exe 117 PID 4296 wrote to memory of 4912 4296 rms.exe 117 PID 4296 wrote to memory of 4036 4296 rms.exe 119 PID 4296 wrote to memory of 4036 4296 rms.exe 119 PID 4296 wrote to memory of 4036 4296 rms.exe 119 PID 4296 wrote to memory of 3920 4296 rms.exe 121 PID 4296 wrote to memory of 3920 4296 rms.exe 121 PID 4296 wrote to memory of 3920 4296 rms.exe 121 PID 4296 wrote to memory of 1920 4296 rms.exe 123 PID 4296 wrote to memory of 1920 4296 rms.exe 123 PID 4296 wrote to memory of 1920 4296 rms.exe 123 PID 4296 wrote to memory of 4968 4296 rms.exe 125
Processes
-
C:\Users\Admin\AppData\Local\Temp\a389e09c036ecdf3a84ea4bbe65e8b88_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a389e09c036ecdf3a84ea4bbe65e8b88_JaffaCakes118.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\stop.js"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4652 -
C:\Users\Admin\AppData\Local\Temp\rms.exe"C:\Users\Admin\AppData\Local\Temp\rms.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4296 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set allprofiles state off4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3116
-
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:1632
-
-
C:\Windows\SysWOW64\net.exenet stop rserver34⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:960 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop rserver35⤵
- System Location Discovery: System Language Discovery
PID:3952
-
-
-
C:\Windows\SysWOW64\net.exenet stop Telnet4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3900 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Telnet5⤵
- System Location Discovery: System Language Discovery
PID:4896
-
-
-
C:\Windows\SysWOW64\sc.exesc config tlntsvr start= disabled4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:5012
-
-
C:\Windows\SysWOW64\net.exenet stop "Service Host Controller"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Service Host Controller"5⤵
- System Location Discovery: System Language Discovery
PID:648
-
-
-
C:\Windows\SysWOW64\net.exenet user HelpAssistant /delete4⤵
- Indicator Removal: Network Share Connection Removal
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3824 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user HelpAssistant /delete5⤵
- Indicator Removal: Network Share Connection Removal
- System Location Discovery: System Language Discovery
PID:2884
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /tn security /f4⤵
- System Location Discovery: System Language Discovery
PID:920
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name="Microsoft Outlook Express"4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4324
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name="Service Host Controller"4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2036
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name="•®бв-Їа®жҐбб ¤«п б«г¦Ў Windows"4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4912
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name="•®бв-Їа®жҐбб ¤«п § ¤ з Windows"4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4036
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete portopening tcp 570094⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3920
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name="cam_server"4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1920
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete portopening tcp 57011 all4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4968
-
-
C:\Users\Admin\AppData\Local\Temp\rutserv.exe"rutserv.exe" /silentinstall4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:396
-
-
C:\Users\Admin\AppData\Local\Temp\rutserv.exe"rutserv.exe" /firewall4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2636
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s set.reg4⤵
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
PID:4360
-
-
C:\Users\Admin\AppData\Local\Temp\rutserv.exe"rutserv.exe" /start4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1132
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "2⤵
- System Location Discovery: System Language Discovery
PID:1880
-
-
C:\Users\Admin\AppData\Local\Temp\rutserv.exeC:\Users\Admin\AppData\Local\Temp\rutserv.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2936 -
C:\Users\Admin\AppData\Local\Temp\rfusclient.exeC:\Users\Admin\AppData\Local\Temp\rfusclient.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1780 -
C:\Users\Admin\AppData\Local\Temp\rfusclient.exeC:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: SetClipboardViewer
PID:5116
-
-
-
C:\Users\Admin\AppData\Local\Temp\rfusclient.exeC:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3940
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1JavaScript
1System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Indicator Removal
1Network Share Connection Removal
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
264B
MD51ef443aaf68da2a12fc097379ba08579
SHA1a1e5e036ed6b639a17a6149ae865c648867c420a
SHA25692ca1ebb313825435d48164e3622a6a7880e9215a57b82d2d9c6f9c7a322a142
SHA512d20d86636751635d8cdd04294d4a694b7a412f897b2a409daf8d8b42aa96872bed0b9c2aa9653ceea3cc55d80c77500dfb62f36742e4f3b5e2ef850443f3ddc1
-
Filesize
20B
MD549eea68546f0d8f7bb9ad14a16698199
SHA1526bf522eee7d502af9931a2fc1a4e4f09053971
SHA256bf06442f8f473b624305425ff829e6cc9595027f3219399f0e997a7c0db39f8b
SHA512e9b8157eef33302137f033972683471ceef717031b3f9901d1fcea5e4c53b1139e1286f08da4c06c4389060769b2d33a86cc2f67223d8ccfa3be26e30db9480b
-
Filesize
1KB
MD553213fc8c2cb0d6f77ca6cbd40fff22c
SHA1d8ba81ed6586825835b76e9d566077466ee41a85
SHA25603d0776812368478ce60e8160ec3c6938782db1832f5cb53b7842e5840f9dbc5
SHA512e3ced32a2eabfd0028ec16e62687573d86c0112b2b1d965f1f9d0bb5557cef5fdf5233e87fe73be621a52affe4ce53bedf958558aa899646fa390f4541cf11eb
-
Filesize
145KB
MD5501d1108baff017b9c7d7054995082e3
SHA1ce7408993f25d615785835067bfc7c6731cb7d85
SHA256be88c1319f8741842f3ce7b7606615efb96f0f46fad9321a2b995239ccf826e3
SHA5128dd404d56cf9285e32069c1b774a565269223d30089f0d5b3a100f316cdfd96ff7246d8cc1337dc74b9f970dddc9023fa21c7059185af972d3fcda2204c0a9f8
-
Filesize
359KB
MD56d692f1ae8653afb6e478427cacefe1e
SHA1de53d27feeedf1c08e0dc911905c57a383da2626
SHA256fe1aa78691da4a8a944ee9e922e49a1712d620fb728faab135dabe081c088834
SHA5120bbb21f5515eec44aea414d17123eb2275b78db788e927878652fe876bb17f706c395f6a20309c4c7aaef6bce9c280890bce38693a9a1858f7bac9665759af6b
-
Filesize
234KB
MD58e3f59b8c9dfc933fca30edefeb76186
SHA137a78089d5936d1bc3b60915971604c611a94dbd
SHA256528c0656751b336c10cb4c49b703eae9c3863f7f416d0e09b198b082cc54aeb8
SHA5123224c20c30556774fd4bed78909f451b9a5a46aa59271b5e88b1e0e60145d217802a8f1fda3d3fabcd8546ca7783e0c70f0c419a28efe6c5160a102553a3c91d
-
Filesize
1.6MB
MD5ff622a8812d8b1eff8f8d1a32087f9d2
SHA1910615c9374b8734794ac885707ff5370db42ef1
SHA2561b8fe11c0bdcbf1f4503c478843de02177c606912c89e655e482adec787c2ebf
SHA5121a7c49f172691bf071df0d47d6ee270afbfa889afb8d5bd893496277fd816630ecd7b50c978b53d88228922ba6070f382b959ffc389394e0f08daab107369931
-
Filesize
1.6MB
MD5871c903a90c45ca08a9d42803916c3f7
SHA1d962a12bc15bfb4c505bb63f603ca211588958db
SHA256f1da32183b3da19f75fa4ef0974a64895266b16d119bbb1da9fe63867dba0645
SHA512985b0b8b5e3d96acfd0514676d9f0c5d2d8f11e31f01acfa0f7da9af3568e12343ca77f541f55edda6a0e5c14fe733bda5dc1c10bb170d40d15b7a60ad000145
-
Filesize
3KB
MD56448b4e0f7a74d8df1cef93b65bd684a
SHA1e7a7f686280b2bd2573b6c3deefd410d922ccd4f
SHA2567f64eaba96352a4ba7c5fc65b76eb5d4e8ac9726dfd10ffa50b87d467d0a6435
SHA51215fc2a2165937767720a7276125a05fb81d3b6be6144f60e9bbded8c2bdc213714840a496393d09283807a7e3c534ea7fbbe355cecab66f161f79868f7512e86
-
Filesize
556KB
MD5b2eee3dee31f50e082e9c720a6d7757d
SHA13322840fef43c92fb55dc31e682d19970daf159d
SHA2564608beedd8cf9c3fc5ab03716b4ab6f01c7b7d65a7c072af04f514ffb0e02d01
SHA5128b1854e80045001e7ab3a978fb4aa1de19a3c9fc206013d7bc43aec919f45e46bb7555f667d9f7d7833ab8baa55c9098af8872006ff277fc364a5e6f99ee25d3
-
Filesize
637KB
MD57538050656fe5d63cb4b80349dd1cfe3
SHA1f825c40fee87cc9952a61c8c34e9f6eee8da742d
SHA256e16bc9b66642151de612ee045c2810ca6146975015bd9679a354567f56da2099
SHA512843e22630254d222dfd12166c701f6cd1dca4a8dc216c7a8c9c0ab1afc90189cfa8b6499bbc46408008a1d985394eb8a660b1fa1991059a65c09e8d6481a3af8
-
Filesize
3.9MB
MD56b00ef267e590b8aec937d4fbaa7c54b
SHA1238f121a3dba5d3a5492cda9010d3f4fb8419a04
SHA256ec893dc3e9f74479844b104fd403488abe224f4f0816f4ca2e57802814d5118a
SHA512bd747aadcc762c62db00d2304132e75f41fc4ec40a85f87b014a2b0fba2f11c3bc22abd10a24bbe73cfbad573431b3376ce1377966e39dbff2b482b7fe9f49ee
-
Filesize
380KB
MD561c9f3710cf777112e59f1f47728478e
SHA143d7d5c2a5bd5f81f37a6c864a72240ce18d2868
SHA25602f227aad9b48f00ac53a74533b331bdce4fdef9210685425b6e3335d9c4662e
SHA512f4a803dbb5ac60058553887ee3116356c079f02195d4d18a7e373a6a75e06acd09494f36d4bbc4961310cd7e6273e8cbeb9973a72d82b93f630249bd00ac0c14
-
Filesize
5.1MB
MD5a9201bd8618bdc4795a95b1755fb93b6
SHA193eabe79096041e08ad0306a5edb9746bcc7ec50
SHA256923d484040afc3a0c733df39c09c34ff3d36c78d7d60440deb101ba54a05c0e8
SHA512f8b1aad039753df2b6633f7442e9f1311474b4078208b912cff92ab4eaef905af08c0ccfaa04beca3861144dfa87443bb078d476d3d858fa017965b189468a2b
-
Filesize
19KB
MD5c2da403ccb930592be1b39aefd42b818
SHA1c0b8dbfa97ae9ade84fd65021716ec6313a71363
SHA256ea3e4308fc723a6938f13c7961f476410c0a8191aa6ac74fa2b41d76494e7257
SHA5120f0bc303542ec56b4363c3d54894e2c1b4508fca81870e1b73f198e27240f4aac4faef89ed85bab88bbb318c286ecd6e2ca6ed1dfb42b57faf9e16d044deb865
-
Filesize
211B
MD5fb5b62a32e853a51359fb598a4d5008f
SHA1f3cc4663189878044c956c1f84b9c32f3d29d2b2
SHA256b1b1b8f753e130e463f02527541389295f9b7d28c331085a2a03d83f8587550f
SHA5129304880a49bf479f8322f19089109b36cf1104fb0b581357560e3fe1c1f31ca379607797d7a757e1e85a9fbde40094b99b4a3c5830172998102d041435ccded8
-
Filesize
708KB
MD53b5e40b584904d9beebeea1e4a94ef7e
SHA188de849817a4b93b83ccb95a1f37f698cee197d9
SHA25673ce0e5045ba4b7bd2f7f2f5a1c3bb1dfd2a9a1c2c48d76dfc529d8a3e217f12
SHA5121125a94d2673105d40a45b0f8c6088bf8f9fff89cdf3d5231e73d1a15ece23bfd8e564fad63707bb4c3a559310666aedf784d78418be27953b22296d89a5faa5
-
Filesize
403KB
MD56f6bfe02e84a595a56b456f72debd4ee
SHA190bad3ae1746c7a45df2dbf44cd536eb1bf3c8e2
SHA2565e59b566eda7bb36f3f5d6dd39858bc9d6cf2c8d81deca4ea3c409804247da51
SHA512ed2a7402699a6d00d1eac52b0f2dea4475173be3320dfbad5ca58877f06638769533229bc12bce6650726d3166c0e5ebac2dad7171b77b29186d4d5e65818c50
-
Filesize
685KB
MD5c638bca1a67911af7f9ed67e7b501154
SHA10fd74d2f1bd78f678b897a776d8bce36742c39b7
SHA256519078219f7f6db542f747702422f902a21bfc3aef8c6e6c3580e1c5e88162b8
SHA512ca8133399f61a1f339a14e3fad3bfafc6fe3657801fd66df761c88c18b2dc23ceb02ba6faa536690986972933bec2808254ef143c2c22f881285facb4364659f