Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-11-2024 14:12

General

  • Target

    b1c2b3fa4e8094cc0c93c3d1e341678c_JaffaCakes118.exe

  • Size

    7.2MB

  • MD5

    b1c2b3fa4e8094cc0c93c3d1e341678c

  • SHA1

    8c35dba41ca1a411a18b416ed515be0129b58f91

  • SHA256

    8e61615de91718b4662d4a99e0e5113c34237c316e6646c5a906ef2208d8da8b

  • SHA512

    eede8112c49dbaacf70c1f1616159d38e542d35a81d47016d8bbbe508d9710371e51da18bf1242fcf21b1183d125f75aa446fe663459153acf5118c9b8623779

  • SSDEEP

    196608:YkoCOc7n/+FEqkbVruOFwtfqS0b1KqQ6UrQ0Q8fAd17b+QXnjf0+2:Ykac7WFEFbVfwAS4Y13Q8817b+Qa

Score
10/10

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

  • Rms family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 8 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 58 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 25 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b1c2b3fa4e8094cc0c93c3d1e341678c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b1c2b3fa4e8094cc0c93c3d1e341678c_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4724
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd" "
      2⤵
      • Checks computer location settings
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4276
      • C:\Windows\SysWOW64\chcp.com
        chcp 1251
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4480
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\error.vbs"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2308
      • C:\Windows\SysWOW64\msiexec.exe
        MsiExec /x {61FFA475-24D5-44FB-A51F-39B699E3D82C} /qn REBOOT=ReallySuppress
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4600
      • C:\Windows\SysWOW64\msiexec.exe
        MsiExec /x {54067864-C0E7-47DB-A0C1-D6C874CE6BD8} /qn REBOOT=ReallySuppress
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4788
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2504
      • C:\Windows\SysWOW64\msiexec.exe
        MsiExec /I "system32.msi" /qn
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2328
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 63E3C1713A8EC6BC7501371EB3769CD5
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:4588
    • C:\Program Files (x86)\Common Files\rutserv.exe
      "C:\Program Files (x86)\Common Files\rutserv.exe" /silentinstall
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:868
    • C:\Program Files (x86)\Common Files\rutserv.exe
      "C:\Program Files (x86)\Common Files\rutserv.exe" /firewall
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4668
    • C:\Program Files (x86)\Common Files\rutserv.exe
      "C:\Program Files (x86)\Common Files\rutserv.exe" /start
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2064
  • C:\Program Files (x86)\Common Files\rutserv.exe
    "C:\Program Files (x86)\Common Files\rutserv.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:2968
    • C:\Program Files (x86)\Common Files\rfusclient.exe
      "C:\Program Files (x86)\Common Files\rfusclient.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4792
      • C:\Program Files (x86)\Common Files\rfusclient.exe
        "C:\Program Files (x86)\Common Files\rfusclient.exe" /tray
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: SetClipboardViewer
        PID:740
    • C:\Program Files (x86)\Common Files\rfusclient.exe
      "C:\Program Files (x86)\Common Files\rfusclient.exe" /tray
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1624

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\e577b2e.rbs

    Filesize

    21KB

    MD5

    05d3fd6c012f77592be257bd89c20134

    SHA1

    dca049d45175e96ae55cd80c1e4b11406a31e9e2

    SHA256

    a183d8c6890a54ac2479b53ce2b4db98216f073bc2e26d98db2149ffa0b66173

    SHA512

    f30530bae073261ffe5346394a98cd9bc0aeb3862d6669334441f167b44bc5346b7e4aff62cdcfe5928a7782f71f0aa644ccb0c52ab51cbc1c5387010207f281

  • C:\Program Files (x86)\Common Files\English.lg

    Filesize

    43KB

    MD5

    90dea654be9ff2a477a874ede3b8919e

    SHA1

    53e2e671335c55e16dde8913e09509b4ecd9b39e

    SHA256

    3b6d4e43df68eadef9def8e7e8b4472114459385853cea859f2185a5ecfab24e

    SHA512

    297dbf1fb868e56fe5175e70d6c88c8f5932ddb838f415ea97835a994ca2958657ed58eb920abc33417aa7386a532a6412449b08989290d4749efe2270f62bd9

  • C:\Program Files (x86)\Common Files\rfusclient.exe

    Filesize

    4.8MB

    MD5

    1d6f0b1752b19af83f1acffac80d02a9

    SHA1

    e9c4bce6a1999e399a0fe69f6377c816d0241fdc

    SHA256

    a8f5fa708123f8471bcd790725a021a3e3edfec3371cdffcb7788b9eb20c1d22

    SHA512

    e04bbb7761236dd177a97bd68e191f6678a583bb5a6626eca7ec918356fb6cc37f9b41169bdce3060c6b0898dabe14b933df7771863762fcb91239ec45ed4731

  • C:\Program Files (x86)\Common Files\rutserv.exe

    Filesize

    5.7MB

    MD5

    84abcb8cc5427479c3e4ebe66300c78a

    SHA1

    4227f7850eaebf08f18aa6a2769a600a05bfbf70

    SHA256

    a0487ebd599580d2364bafcd8990970436e40e4979021e02866d0652067d6dbd

    SHA512

    2f3c5dcba1ea204e7abe9dcc47c40097a2d3ddd52b979a8bdd773977e64195a3b71cb5bd2bdb196e5c55071a918326bed34dadc48f1927067b9011bb3633039a

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\error.vbs

    Filesize

    294B

    MD5

    62496e15da713dca3beea9f057afc878

    SHA1

    b019a427189aebf4bec151d0ac11f033775e6386

    SHA256

    062c60102064e1e4f8fc9780ca83dd61843677c2f8a59a002cda8cd7a0ff6744

    SHA512

    1f158f06e2d7a2aa5014611c48b23bb9564899afe0f25d62b593ddc7c0d71e5bf10e4d6470f73af06398192b64572eac4b4c9c3a6f5be839129e17e29288cdd2

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd

    Filesize

    283B

    MD5

    1290a35d991c49cd0dfe50ae3db8022c

    SHA1

    bb6db05d3a34376bcd2e024b4ec79b88c09104c2

    SHA256

    342d51d06b58fee8bb35cf4b578d3771fde41a8533563158da42098974255323

    SHA512

    b3e8435f70997aff475eb06f58d9e6425ac2e018494ce7d631ea99037f59a1c47b084c6acb9059333dfde3dbe57c3a4d896f993d216cdbdf414d31ffb9948327

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\system32.msi

    Filesize

    7.9MB

    MD5

    9e26598905ce79dd78ec338b7e12ea22

    SHA1

    ac29b2625db791128cf9fcdaa1fdcee90ac69f70

    SHA256

    65c4acd3866a6a7ee6441b68cd4275a169a3d8c55917a8cd683b40905dd33b2a

    SHA512

    e409a0820261f96fc034905ad32441e2f2a6309b8f0c0eda9050e6db7fdde61e1648c58d29a20b951bee9e82486ef7c02eec1faf479857ccf81511f3d8696054

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\winmm.dll

    Filesize

    21KB

    MD5

    91b769ba7d48157f452bd26be72160ec

    SHA1

    b61e2369084235ebc0bc277c16d3a56ac20a95b9

    SHA256

    58e401bfbd9387d65571afda2ffc28d290d9d21843aa06a6ceca4f9457d357e9

    SHA512

    1c1a87690486d22007f6f0e5c101575a78f1a17255d4cf6a79df7f5c5b2b4c3e8ec01bf5df33515ea888df12d52a5cd959bd7df6dfb0acceb34b411e97f8f0c2

  • C:\Windows\Installer\MSI7D5E.tmp

    Filesize

    125KB

    MD5

    b0bcc622f1fff0eec99e487fa1a4ddd9

    SHA1

    49aa392454bd5869fa23794196aedc38e8eea6f5

    SHA256

    b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

    SHA512

    1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

  • C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\server_start_C00864331B9D4391A8A26292A601EBE2.exe

    Filesize

    96KB

    MD5

    9e2c097647125ee25068784acb01d7d3

    SHA1

    1a90c40c7f89eec18f47f0dae3f1d5cd3a3d49b5

    SHA256

    b4614281771ed482970fd0d091604b3a65c7e048f7d7fa8794abd0a0c638f5d2

    SHA512

    e2f334f31361ea1ffc206184808cb51002486fe583dc23b4f617bead0e3940fdc97b72cda2a971e2cf00462940b31e065228f643835d156e7166e8803e3181f1

  • memory/740-140-0x0000000000400000-0x0000000000951000-memory.dmp

    Filesize

    5.3MB

  • memory/740-139-0x0000000074480000-0x0000000074487000-memory.dmp

    Filesize

    28KB

  • memory/868-106-0x0000000073310000-0x0000000073317000-memory.dmp

    Filesize

    28KB

  • memory/868-108-0x0000000073310000-0x0000000073317000-memory.dmp

    Filesize

    28KB

  • memory/868-107-0x0000000000400000-0x0000000000A5B000-memory.dmp

    Filesize

    6.4MB

  • memory/1624-146-0x0000000000400000-0x0000000000951000-memory.dmp

    Filesize

    5.3MB

  • memory/1624-165-0x0000000074480000-0x0000000074487000-memory.dmp

    Filesize

    28KB

  • memory/1624-143-0x0000000000400000-0x0000000000951000-memory.dmp

    Filesize

    5.3MB

  • memory/1624-155-0x0000000000400000-0x0000000000951000-memory.dmp

    Filesize

    5.3MB

  • memory/1624-149-0x0000000000400000-0x0000000000951000-memory.dmp

    Filesize

    5.3MB

  • memory/2064-135-0x0000000000400000-0x0000000000A5B000-memory.dmp

    Filesize

    6.4MB

  • memory/2064-118-0x0000000074480000-0x0000000074487000-memory.dmp

    Filesize

    28KB

  • memory/2968-153-0x0000000000400000-0x0000000000A5B000-memory.dmp

    Filesize

    6.4MB

  • memory/2968-128-0x0000000074480000-0x0000000074487000-memory.dmp

    Filesize

    28KB

  • memory/2968-160-0x0000000000400000-0x0000000000A5B000-memory.dmp

    Filesize

    6.4MB

  • memory/2968-141-0x0000000000400000-0x0000000000A5B000-memory.dmp

    Filesize

    6.4MB

  • memory/2968-147-0x0000000000400000-0x0000000000A5B000-memory.dmp

    Filesize

    6.4MB

  • memory/4668-112-0x0000000000400000-0x0000000000A5B000-memory.dmp

    Filesize

    6.4MB

  • memory/4668-111-0x0000000074480000-0x0000000074487000-memory.dmp

    Filesize

    28KB

  • memory/4792-142-0x0000000000400000-0x0000000000951000-memory.dmp

    Filesize

    5.3MB

  • memory/4792-134-0x0000000074480000-0x0000000074487000-memory.dmp

    Filesize

    28KB

  • memory/4792-164-0x0000000074480000-0x0000000074487000-memory.dmp

    Filesize

    28KB