rms | 817221fcb088aba938a3aa441fd4128f4e7a158845e37249286e3624416ab503 | Triage

Submit
Reports

Overview

overview

Static

static

5

JaffaCakes...39.exe

windows7-x64

JaffaCakes...39.exe

windows10-2004-x64

Sharing

General

Target

JaffaCakes118_42009d9ac7ef4a0211165c2c2ffedf39
Size

3.5MB
Sample

250127-vw1dtayqez
MD5

42009d9ac7ef4a0211165c2c2ffedf39
SHA1

ad2fe7fdc29bca8e545bd9433b359707a04a1459
SHA256

817221fcb088aba938a3aa441fd4128f4e7a158845e37249286e3624416ab503
SHA512

772125c698ba3cba416f82262fa924533d5ed088f0819ed807c20617d6642b19ddfe8a19181218da895aca65a126794c25e17ef4c14132860b51c58a1f9f7570
SSDEEP

98304:6Ew1tFnCCfh01zPcm2mXklKyUdzFvJBG90XWAykhY5W0:SoSIzPOOUOFvi9WpG5

Score

10^/10

rms defense_evasion discovery execution persistence privilege_escalation rat trojan upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

JaffaCakes118_42009d9ac7ef4a0211165c2c2ffedf39.exe

Resource

win7-20241023-en

rms defense_evasion discovery execution persistence privilege_escalation rat trojan upx

windows7-x64

25 signatures

150 seconds

Behavioral task

behavioral2

Sample

JaffaCakes118_42009d9ac7ef4a0211165c2c2ffedf39.exe

Resource

win10v2004-20241007-en

rms defense_evasion discovery execution persistence privilege_escalation rat trojan upx

windows10-2004-x64

25 signatures

150 seconds

Malware Config

Targets

- Target
  
  JaffaCakes118_42009d9ac7ef4a0211165c2c2ffedf39
- Size
  
  3.5MB
- MD5
  
  42009d9ac7ef4a0211165c2c2ffedf39
- SHA1
  
  ad2fe7fdc29bca8e545bd9433b359707a04a1459
- SHA256
  
  817221fcb088aba938a3aa441fd4128f4e7a158845e37249286e3624416ab503
- SHA512
  
  772125c698ba3cba416f82262fa924533d5ed088f0819ed807c20617d6642b19ddfe8a19181218da895aca65a126794c25e17ef4c14132860b51c58a1f9f7570
- SSDEEP
  
  98304:6Ew1tFnCCfh01zPcm2mXklKyUdzFvJBG90XWAykhY5W0:SoSIzPOOUOFvi9WpG5
Score

10^/10

rms defense_evasion discovery execution persistence privilege_escalation rat trojan upx
- Disables service(s)
  defense_evasion execution
- RMS
  Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
  trojan rat rms
- Rms family
  rms
- Indicator Removal: Network Share Connection Removal
  Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
  defense_evasion
- Modifies Windows Firewall
  defense_evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Disable or Modify System Firewall

Indicator Removal

Network Share Connection Removal

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

rmsdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationrattrojanupx

behavioral2

rmsdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationrattrojanupx

© 2018-2025

Terms | Privacy