Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 27/01/2025, 17:21
Behavioral task behavioral1: sample JaffaCakes118_42009d9ac7ef4a0211165c2c2ffedf39.exe, resource win7-20241023-en (the signatures and process tree below come from this run)
Behavioral task behavioral2: sample JaffaCakes118_42009d9ac7ef4a0211165c2c2ffedf39.exe, resource win10v2004-20241007-en
General
Target: JaffaCakes118_42009d9ac7ef4a0211165c2c2ffedf39.exe
Size: 3.5MB
MD5: 42009d9ac7ef4a0211165c2c2ffedf39
SHA1: ad2fe7fdc29bca8e545bd9433b359707a04a1459
SHA256: 817221fcb088aba938a3aa441fd4128f4e7a158845e37249286e3624416ab503
SHA512: 772125c698ba3cba416f82262fa924533d5ed088f0819ed807c20617d6642b19ddfe8a19181218da895aca65a126794c25e17ef4c14132860b51c58a1f9f7570
SSDEEP: 98304:6Ew1tFnCCfh01zPcm2mXklKyUdzFvJBG90XWAykhY5W0:SoSIzPOOUOFvi9WpG5
Malware Config
Signatures
-
Disables service(s) 3 TTPs
The Telnet service is stopped and set to disabled (net stop Telnet; sc config tlntsvr start= disabled), see the process tree.
-
Rms family
The dropped rutserv.exe / rfusclient.exe pair, RWLN.dll, the rms_log_2025-01.html log and the HKLM\SYSTEM\Remote Manipulator System key all belong to Remote Manipulator System (RMS, the host component of Remote Utilities), a commercial remote administration tool. No vulnerability is exploited: the sample is a dropper that installs a legitimate tool silently, strips the firewall rules and autostart entries of other remote-access tools already on the host, and hides its own install directory.
-
Indicator Removal: Network Share Connection Removal 1 TTPs 2 IoCs
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
pid Process: 1904 net.exe, 2460 net1.exe
Caveat: the signature keys on net.exe/net1.exe, but the command that triggered it is "net user HelpAssistant /delete", which removes a local account rather than a share connection. Read it together with the reg delete of the Winlogon SpecialAccounts\UserList\HelpAssistant value: the batch file is tearing down a hidden HelpAssistant account along with the other remote-access remnants it removes (Radmin's rserver3/r_server, cam_server, RManServer), not cleaning up traces of its own activity.
Modifies Windows Firewall 2 TTPs 8 IoCs
pid Process: 2076 netsh.exe, 1760 netsh.exe, 2500 netsh.exe, 1900 netsh.exe, 2984 netsh.exe, 1324 netsh.exe, 1884 netsh.exe, 2212 netsh.exe (all eight are rule or port-opening deletions; the rule names are in the process tree)
Sets file to hidden 1 TTPs 3 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process: 2728 attrib.exe, 268 attrib.exe, 1420 attrib.exe
-
Executes dropped EXE 7 IoCs
pid Process: 1336 rutserv.exe, 1716 rutserv.exe, 864 rutserv.exe, 356 rutserv.exe, 2092 rfusclient.exe, 1264 rfusclient.exe, 1664 rfusclient.exe
-
Loads dropped DLL 5 IoCs
pid Process: 2936 cmd.exe (3 loads), 356 rutserv.exe (2 loads)
Drops file in System32 directory 28 IoCs
Staging directory: C:\Windows\SysWOW64\catroot9. The name mimics the legitimate System32\catroot and catroot2 directories. The batch file addresses it as C:\Windows\System32\catroot9, but cmd.exe and attrib.exe are 32-bit here, so WOW64 file-system redirection lands everything in SysWOW64; that is the path to hunt for on 64-bit hosts.
description ioc Process:
File opened for modification C:\Windows\SysWOW64\catroot9 by attrib.exe (1 event, the +s +h call)
File created and then opened for modification by cmd.exe (PID 2936) in C:\Windows\SysWOW64\catroot9\ (12 files, 24 events): Microsoft.VC90.CRT.manifest, msvcp90.dll, msvcr90.dll, RIPCServer.dll, RWLN.dll, gdiplus.dll, dsfVorbisDecoder.dll, vp8encoder.dll, vp8decoder.dll, rutserv.exe, rfusclient.exe, settings.bat
File created and opened for modification by rutserv.exe: C:\Windows\SysWOW64\RWLN.dll (2 events)
File created by rutserv.exe: C:\Windows\SysWOW64\catroot9\Logs\rms_log_2025-01.html (1 event)
YARA match on memory dumps (rule: upx) 2 IoCs
resource yara_rule: behavioral1/memory/2464-0-0x0000000000400000-0x000000000128D000-memory.dmp upx; behavioral1/memory/2464-110-0x0000000000400000-0x000000000128D000-memory.dmp upx (the sample's own image, PID 2464, matches the UPX rule both at start and at the end of the run)
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid Process: 1000 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 24 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process: 24 operations on \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh by netsh.exe: Key opened (8), Key queried (8), Key value enumerated (8), i.e. one open/query/enumerate triple per netsh.exe instance.
Caveat: these are all reads. netsh.exe enumerates this key at start-up to load its registered helper DLLs, so every netsh invocation produces this pattern. The technique (T1546.007) requires a value to be written under that key, and no write is recorded here; the eight netsh runs only delete firewall rules.
System Location Discovery: System Language Discovery 1 TTPs 49 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, once per process: attrib.exe (10), netsh.exe (8), reg.exe (6), taskkill.exe (5), rutserv.exe (4), net.exe (4), net1.exe (4), rfusclient.exe (3), JaffaCakes118_42009d9ac7ef4a0211165c2c2ffedf39.exe, cmd.exe, regedit.exe, sc.exe, schtasks.exe (1 each)
This fires for every process in the tree, built-in Windows utilities included, so on its own it carries no signal.
Kills process with taskkill 5 IoCs
pid Process: 2800 taskkill.exe, 2716 taskkill.exe, 2012 taskkill.exe, 1808 taskkill.exe, 1744 taskkill.exe
-
Modifies registry key 1 TTPs 2 IoCs
pid Process: 2872 reg.exe, 2668 reg.exe
-
Runs net.exe
-
Runs regedit.exe 1 IoCs
pid Process: 1756 regedit.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process: 356 rutserv.exe, 356 rutserv.exe, 1264 rfusclient.exe
-
Suspicious behavior: SetClipboardViewer 1 IoCs
pid Process: 1664 rfusclient.exe
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
description pid Process: SeDebugPrivilege 2800 taskkill.exe; SeDebugPrivilege 2716 taskkill.exe; SeDebugPrivilege 2012 taskkill.exe; SeDebugPrivilege 1808 taskkill.exe; SeDebugPrivilege 1744 taskkill.exe; SeDebugPrivilege 1336 rutserv.exe; SeDebugPrivilege 864 rutserv.exe; SeTakeOwnershipPrivilege 356 rutserv.exe; SeTcbPrivilege 356 rutserv.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process: 2092 rfusclient.exe, 2092 rfusclient.exe
-
Suspicious use of SendNotifyMessage 2 IoCs
pid Process: 2092 rfusclient.exe, 2092 rfusclient.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target: 16 distinct parent/child pairs, each recorded four times (procid_target is the child's index in the process list):
2464 JaffaCakes118_42009d9ac7ef4a0211165c2c2ffedf39.exe wrote to 2936 cmd.exe (30)
2936 cmd.exe wrote to 2800 taskkill.exe (32), 2716 taskkill.exe (34), 2944 reg.exe (35), 2728 attrib.exe (36), 268 attrib.exe (37), 1420 attrib.exe (38), 1340 net.exe (39), 2012 taskkill.exe (41), 1808 taskkill.exe (42), 1744 taskkill.exe (43), 320 attrib.exe (44), 580 attrib.exe (45), 332 attrib.exe (46), 2748 attrib.exe (47)
1340 net.exe wrote to 2028 net1.exe (40)
Caveat: every write goes from a parent into a child it has just created, which is the normal CreateProcess start-up sequence; no write into an unrelated process is recorded, so this is not evidence of injection. The list stops at 64 entries, which is why the later children (PID 1720 onward) do not appear.
Views/modifies file attributes 1 TTPs 10 IoCs
pid Process: 2748 attrib.exe, 2024 attrib.exe, 320 attrib.exe, 580 attrib.exe, 1420 attrib.exe, 332 attrib.exe, 1720 attrib.exe, 1372 attrib.exe, 2728 attrib.exe, 268 attrib.exe
Processes
Every process below also carries "System Location Discovery: System Language Discovery" (the NLS\Language key read); it is omitted from the per-process signature lists. The bracketed number is the sandbox's tree level; indentation follows it.

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42009d9ac7ef4a0211165c2c2ffedf39.exe  PID 2464
    cmd: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42009d9ac7ef4a0211165c2c2ffedf39.exe"
    sigs: Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe  PID 2936
      cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\9DA6.tmp\microsoft.bat" "
      sigs: Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\taskkill.exe  PID 2800
        cmd: taskkill /f /im RManServer.exe
        sigs: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\taskkill.exe  PID 2716
        cmd: taskkill /f /im rutserv.exe
        sigs: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\reg.exe  PID 2944
        cmd: reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
    [3] C:\Windows\SysWOW64\attrib.exe  PID 2728
        cmd: attrib +s +h "C:\Windows\System32\catroot9"
        sigs: Sets file to hidden; Drops file in System32 directory; Views/modifies file attributes
    [3] C:\Windows\SysWOW64\attrib.exe  PID 268
        cmd: attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\microsoft.bat"
        sigs: Sets file to hidden; Views/modifies file attributes
    [3] C:\Windows\SysWOW64\attrib.exe  PID 1420
        cmd: attrib +s +h +r "C:\Windows\System32\miki913\de.exe"
        sigs: Sets file to hidden; Views/modifies file attributes
    [3] C:\Windows\SysWOW64\net.exe  PID 1340
        cmd: net stop rserver3
        sigs: Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\net1.exe  PID 2028
          cmd: C:\Windows\system32\net1 stop rserver3
    [3] C:\Windows\SysWOW64\taskkill.exe  PID 2012
        cmd: taskkill /f /im rserver3.exe
        sigs: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\taskkill.exe  PID 1808
        cmd: taskkill /f /im r_server.exe
        sigs: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\taskkill.exe  PID 1744
        cmd: taskkill /f /im cam_server.exe
        sigs: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\attrib.exe  PID 320
        cmd: attrib -s -h -r "C:\Windows\system32\cam_server.exe"
        sigs: Views/modifies file attributes
    [3] C:\Windows\SysWOW64\attrib.exe  PID 580
        cmd: attrib -s -h -r "C:\Windows\SysWOW64\cam_server.exe"
        sigs: Views/modifies file attributes
    [3] C:\Windows\SysWOW64\attrib.exe  PID 332
        cmd: attrib -s -h "C:\Windows\system32\rserver30"
        sigs: Views/modifies file attributes
    [3] C:\Windows\SysWOW64\attrib.exe  PID 2748
        cmd: attrib -s -h "C:\Windows\SysWOW64\rserver30"
        sigs: Views/modifies file attributes
    [3] C:\Windows\SysWOW64\attrib.exe  PID 1720
        cmd: attrib -s -h -r "C:\Windows\system32\r_server.exe"
        sigs: Views/modifies file attributes
    [3] C:\Windows\SysWOW64\attrib.exe  PID 1372
        cmd: attrib -s -h -r "C:\Windows\SysWOW64\r_server.exe"
        sigs: Views/modifies file attributes
        (rserver30, r_server.exe, rserver3.exe and the RServer3 service are Radmin 3's default install directory, binary and service; the script unhides and kills a previous Radmin deployment before installing RMS)
    [3] C:\Windows\SysWOW64\net.exe  PID 2156
        cmd: net stop Telnet
      [4] C:\Windows\SysWOW64\net1.exe  PID 1740
          cmd: C:\Windows\system32\net1 stop Telnet
    [3] C:\Windows\SysWOW64\sc.exe  PID 1000
        cmd: sc config tlntsvr start= disabled
        sigs: Launches sc.exe
    [3] C:\Windows\SysWOW64\net.exe  PID 304
        cmd: net stop "Service Host Controller"
      [4] C:\Windows\SysWOW64\net1.exe  PID 1564
          cmd: C:\Windows\system32\net1 stop "Service Host Controller"
    [3] C:\Windows\SysWOW64\net.exe  PID 1904
        cmd: net user HelpAssistant /delete
        sigs: Indicator Removal: Network Share Connection Removal (misattributed: this deletes a local account)
      [4] C:\Windows\SysWOW64\net1.exe  PID 2460
          cmd: C:\Windows\system32\net1 user HelpAssistant /delete
          sigs: Indicator Removal: Network Share Connection Removal
    [3] C:\Windows\SysWOW64\schtasks.exe  PID 1824
        cmd: schtasks /delete /tn security /f
    [3] C:\Windows\SysWOW64\netsh.exe  PID 1900
        cmd: netsh advfirewall firewall delete rule name="RealIP"
        sigs: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL
    [3] C:\Windows\SysWOW64\netsh.exe  PID 2984
        cmd: netsh advfirewall firewall delete rule name="Microsoft Outlook Express"
        sigs: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL
    [3] C:\Windows\SysWOW64\netsh.exe  PID 1324
        cmd: netsh advfirewall firewall delete rule name="Service Host Controller"
        sigs: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL
    [3] C:\Windows\SysWOW64\netsh.exe  PID 1884
        cmd: netsh advfirewall firewall delete rule name="Хост-процесс для служб Windows"
        (Russian for "Host process for Windows services"; the raw report shows this name as CP437 mojibake of its CP866 bytes)
        sigs: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL
    [3] C:\Windows\SysWOW64\netsh.exe  PID 2212
        cmd: netsh advfirewall firewall delete rule name="Хост-процесс для задач Windows"
        (Russian for "Host process for Windows tasks"; same mojibake in the raw report)
        sigs: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL
    [3] C:\Windows\SysWOW64\netsh.exe  PID 2076
        cmd: netsh firewall delete portopening tcp 57009
        sigs: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL
    [3] C:\Windows\SysWOW64\netsh.exe  PID 1760
        cmd: netsh advfirewall firewall delete rule name="cam_server"
        sigs: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL
    [3] C:\Windows\SysWOW64\netsh.exe  PID 2500
        cmd: netsh advfirewall firewall delete portopening tcp 57011 all
        (mixes the legacy "netsh firewall delete portopening" verb with the advfirewall context, which has no such verb, so this line errors out)
        sigs: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL
    [3] C:\Windows\SysWOW64\reg.exe  PID 2872
        cmd: reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v "Операционная система Microsoft Windows" /f
        (Russian for "Microsoft Windows operating system"; same mojibake in the raw report)
        sigs: Modifies registry key
    [3] C:\Windows\SysWOW64\reg.exe  PID 2668
        cmd: reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v "Service Host Controller" /f
        sigs: Modifies registry key
    [3] C:\Windows\SysWOW64\reg.exe  PID 1960
        cmd: reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v HelpAssistant /f
    [3] C:\Windows\SysWOW64\reg.exe  PID 1488
        cmd: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "cam_server.exe" /f
    [3] C:\Windows\SysWOW64\reg.exe  PID 964
        cmd: reg delete "HKLM\System\CurrentControlSet\Services\RServer3" /f
    [3] C:\Windows\SysWOW64\catroot9\rutserv.exe  PID 1336
        cmd: "rutserv.exe" /silentinstall
        sigs: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\catroot9\rutserv.exe  PID 1716
        cmd: "rutserv.exe" /firewall
        sigs: Executes dropped EXE
    [3] C:\Windows\SysWOW64\regedit.exe  PID 1756
        cmd: regedit /s settings.bat
        (silent import of a .reg-format file despite the .bat extension; given that the script first deleted HKLM\SYSTEM\Remote Manipulator System, this presumably carries the RMS host configuration)
        sigs: Runs regedit.exe
    [3] C:\Windows\SysWOW64\catroot9\rutserv.exe  PID 864
        cmd: "rutserv.exe" /start
        sigs: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\attrib.exe  PID 2024
        cmd: attrib -s -h -r "C:\Users\Admin\AppData\Local\Temp\microsoft.bat"
        sigs: Views/modifies file attributes

[1] C:\Windows\SysWOW64\catroot9\rutserv.exe  PID 356 (the installed RMS service, started by the /start call above)
    cmd: C:\Windows\SysWOW64\catroot9\rutserv.exe
    sigs: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\catroot9\rfusclient.exe  PID 1264
      cmd: C:\Windows\SysWOW64\catroot9\rfusclient.exe
      sigs: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
    [3] C:\Windows\SysWOW64\catroot9\rfusclient.exe  PID 1664
        cmd: C:\Windows\SysWOW64\catroot9\rfusclient.exe /tray
        sigs: Executes dropped EXE; Suspicious behavior: SetClipboardViewer
  [2] C:\Windows\SysWOW64\catroot9\rfusclient.exe  PID 2092
      cmd: C:\Windows\SysWOW64\catroot9\rfusclient.exe /tray
      sigs: Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
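The tree above is, in effect, one batch file: kill and unhook whatever remote-access tool already owns the host, delete its firewall rules, autostart values, service and hidden account, then install RMS from a hidden directory under SysWOW64 and start it. rutserv.exe itself is ordinary commercial software, so a detection has to key on the chain (non-standard location, silent install, hiding, firewall tampering) rather than on the binary. The following Python is an added example, not part of the tria.ge report: it tags command lines transcribed from the tree (constructed events, PIDs omitted) the way an EDR rule over process-creation telemetry would, and derives a verdict. Tag names, the list of remote-admin images and the verdict thresholds are the author's assumptions.

```python
# Added example (not part of the tria.ge report): tag the steps of the RMS
# install chain from process-creation events and derive a verdict.
import re

# Remote-admin host images the batch file kills before installing its own RMS
# copy (taken from the taskkill lines in the tree). Assumed list; extend as needed.
REMOTE_ADMIN_IMAGES = {"rmanserver.exe", "rutserv.exe", "rserver3.exe",
                       "r_server.exe", "cam_server.exe"}
RMS_BINARIES = {"rutserv.exe", "rfusclient.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed events (image path, command line) transcribed from the tree; a
# subset is enough to exercise every rule below.
EVENTS = [
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\9DA6.tmp\microsoft.bat" "'),
    (r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im RManServer.exe"),
    (r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im r_server.exe"),
    (r"C:\Windows\SysWOW64\reg.exe",
     r'reg delete "HKLM\SYSTEM\Remote Manipulator System" /f'),
    (r"C:\Windows\SysWOW64\attrib.exe", r'attrib +s +h "C:\Windows\System32\catroot9"'),
    (r"C:\Windows\SysWOW64\net.exe", "net user HelpAssistant /delete"),
    (r"C:\Windows\SysWOW64\sc.exe", "sc config tlntsvr start= disabled"),
    (r"C:\Windows\SysWOW64\netsh.exe",
     'netsh advfirewall firewall delete rule name="cam_server"'),
    (r"C:\Windows\SysWOW64\netsh.exe", "netsh firewall delete portopening tcp 57009"),
    (r"C:\Windows\SysWOW64\reg.exe",
     r'reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "cam_server.exe" /f'),
    (r"C:\Windows\SysWOW64\catroot9\rutserv.exe", '"rutserv.exe" /silentinstall'),
    (r"C:\Windows\SysWOW64\catroot9\rutserv.exe", '"rutserv.exe" /firewall'),
    (r"C:\Windows\SysWOW64\regedit.exe", "regedit /s settings.bat"),
    (r"C:\Windows\SysWOW64\catroot9\rutserv.exe", '"rutserv.exe" /start'),
    (r"C:\Windows\SysWOW64\catroot9\rfusclient.exe",
     r"C:\Windows\SysWOW64\catroot9\rfusclient.exe /tray"),
]


def basename(path):
    """Lower-cased file name of a Windows path (either separator)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(image, cmdline):
    """Return the list of tags one process-creation event earns (empty if benign)."""
    tags = []
    img = basename(image)
    cl = cmdline.lower()
    if img in RMS_BINARIES:
        tags.append("rms_binary")
        if image.lower().startswith(SYSTEM_DIRS):
            tags.append("rms_in_system_dir")       # real installs live under Program Files
        for switch in ("/silentinstall", "/firewall", "/start"):
            if switch in cl:
                tags.append("rms_" + switch[1:])   # rms_silentinstall, rms_firewall, rms_start
    if img == "taskkill.exe":
        m = re.search(r"/im\s+(\S+)", cl)
        if m and m.group(1) in REMOTE_ADMIN_IMAGES:
            tags.append("kills_remote_admin_tool")
    if img == "attrib.exe" and "+h" in cl and any(d in cl for d in ("\\system32\\", "\\syswow64\\")):
        tags.append("hides_system_dir_entry")     # +h on a System32/SysWOW64 path
    if img == "netsh.exe" and re.search(r"\bdelete\s+(rule|portopening)\b", cl):
        tags.append("firewall_rule_removed")
    if img == "reg.exe" and "delete" in cl:
        if re.search(r"\\run\b", cl):
            tags.append("autostart_entry_removed")  # ...\Run or ...\Policies\Explorer\Run
        if "remote manipulator system" in cl:
            tags.append("rms_config_removed")
    if img in ("net.exe", "net1.exe") and re.search(r"\buser\s+\S+\s+/delete\b", cl):
        tags.append("local_account_deleted")      # what the sandbox labelled share removal
    if img == "sc.exe" and re.search(r"\bconfig\b.*start=\s*disabled", cl):
        tags.append("service_disabled")
    if img == "regedit.exe" and "/s" in cl.split():
        tags.append("silent_registry_import")
    return tags


def assess(events):
    """Aggregate tags over a process tree and derive a verdict string."""
    findings = {}
    for image, cmdline in events:
        for tag in classify(image, cmdline):
            findings.setdefault(tag, []).append(cmdline)
    if ("rms_silentinstall" in findings and "rms_in_system_dir" in findings
            and ("hides_system_dir_entry" in findings or "firewall_rule_removed" in findings)):
        verdict = "covert_rms_deployment"
    elif "rms_binary" in findings:
        verdict = "rms_present_review"   # RMS seen, but not the hidden-install chain
    else:
        verdict = "no_rms_indicators"
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    result = assess(EVENTS)
    print("verdict:", result["verdict"])
    for tag, cmds in sorted(result["findings"].items()):
        print(f"  {tag}: {len(cmds)} event(s)")
```

Two design points. First, a plain rutserv.exe /start from Program Files only earns "rms_present_review", because an administrator's own Remote Utilities host produces exactly that event; the verdict needs the silent install from a system directory plus either hiding or firewall tampering. Second, "net user X /delete" is tagged as account deletion, which is what it is; mapping it to share-connection removal, as the sandbox did, would send an analyst looking for the wrong artifact.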
Network
MITRE ATT&CK Enterprise v15
Persistence: Create or Modify System Process (2) > Windows Service (2); Event Triggered Execution (1) > Netsh Helper DLL (1)
Privilege Escalation: Create or Modify System Process (2) > Windows Service (2); Event Triggered Execution (1) > Netsh Helper DLL (1)
Defense Evasion: Hide Artifacts (2) > Hidden Files and Directories (2); Impair Defenses (1) > Disable or Modify System Firewall (1); Indicator Removal (1) > Network Share Connection Removal (1); Modify Registry (1)
Downloads
Thirteen dropped files, listed by the report without names:

1. 1KB
   MD5: 53213fc8c2cb0d6f77ca6cbd40fff22c
   SHA1: d8ba81ed6586825835b76e9d566077466ee41a85
   SHA256: 03d0776812368478ce60e8160ec3c6938782db1832f5cb53b7842e5840f9dbc5
   SHA512: e3ced32a2eabfd0028ec16e62687573d86c0112b2b1d965f1f9d0bb5557cef5fdf5233e87fe73be621a52affe4ce53bedf958558aa899646fa390f4541cf11eb
2. 144KB
   MD5: 30e269f850baf6ca25187815912e21c5
   SHA1: eb160de97d12b4e96f350dd0d0126d41d658afb3
   SHA256: 379191bfd34d41e96760c7a539e2056a22be3d44bf0e8712b53e443f55aead90
   SHA512: 9b86a4eefdcae46e605f85e752ef61e39fd0212a19b7fd4c35eb3ab99851a0b906d048d12d1e1e985a340a67a64d405b8cf803555865137278f0c19d686df5e7
3. 357KB
   MD5: bb1f3e716d12734d1d2d9219a3979a62
   SHA1: 0ef66eed2f2ae45ec2d478902833b830334109cb
   SHA256: d7e9c9043ed7df2af800d9b2a33e3efddf68b70f043e9717afc4b7dd4e13e077
   SHA512: bbc90747dd45a01b05f5c0b6fa58ffe18af894b05363267ac1cc9fe3262f5e65c8ae4e08dfd82d89b9112e86e42d24a12784b79f5ea30b6443015c19b6792c9c
4. 234KB
   MD5: 8e3f59b8c9dfc933fca30edefeb76186
   SHA1: 37a78089d5936d1bc3b60915971604c611a94dbd
   SHA256: 528c0656751b336c10cb4c49b703eae9c3863f7f416d0e09b198b082cc54aeb8
   SHA512: 3224c20c30556774fd4bed78909f451b9a5a46aa59271b5e88b1e0e60145d217802a8f1fda3d3fabcd8546ca7783e0c70f0c419a28efe6c5160a102553a3c91d
5. 1.6MB
   MD5: 871c903a90c45ca08a9d42803916c3f7
   SHA1: d962a12bc15bfb4c505bb63f603ca211588958db
   SHA256: f1da32183b3da19f75fa4ef0974a64895266b16d119bbb1da9fe63867dba0645
   SHA512: 985b0b8b5e3d96acfd0514676d9f0c5d2d8f11e31f01acfa0f7da9af3568e12343ca77f541f55edda6a0e5c14fe733bda5dc1c10bb170d40d15b7a60ad000145
6. 4KB
   MD5: b158481e20280844437ee65c96c823ae
   SHA1: 98a975e14e3e8088dc3a2531620b56f224220abd
   SHA256: 92a36d2792837f9c48b7dabef46608cbf64f63753c9d403d63f65dea78e20d05
   SHA512: 697aff838853be80f4f2bd5e5966e1f6f3b357c2c42b611da1b320df5f0ff36758e8ce23b86e7992303e05d43a80194cedb05afebf7ba61cf874df4b7894986a
7. 556KB
   MD5: b2eee3dee31f50e082e9c720a6d7757d
   SHA1: 3322840fef43c92fb55dc31e682d19970daf159d
   SHA256: 4608beedd8cf9c3fc5ab03716b4ab6f01c7b7d65a7c072af04f514ffb0e02d01
   SHA512: 8b1854e80045001e7ab3a978fb4aa1de19a3c9fc206013d7bc43aec919f45e46bb7555f667d9f7d7833ab8baa55c9098af8872006ff277fc364a5e6f99ee25d3
8. 637KB
   MD5: 7538050656fe5d63cb4b80349dd1cfe3
   SHA1: f825c40fee87cc9952a61c8c34e9f6eee8da742d
   SHA256: e16bc9b66642151de612ee045c2810ca6146975015bd9679a354567f56da2099
   SHA512: 843e22630254d222dfd12166c701f6cd1dca4a8dc216c7a8c9c0ab1afc90189cfa8b6499bbc46408008a1d985394eb8a660b1fa1991059a65c09e8d6481a3af8
9. 3.8MB
   MD5: ebdfd6c8e430a012004a1366816bd18e
   SHA1: 48234645e99c9a8c3a714a0e1892ec2cb1a9503b
   SHA256: 211ae4639da26766e25d1b09466a3c0ae786930d24551ad5e3a9c29cb44e1cdb
   SHA512: b58e7e35281935a581c3b51ba070c17b6deadd5514bc9b39dbdb35130ebc60d7bdeb8607fe868d5099c83a97be8f28ac4d4fea1cc3df643eda9cf7874545e2e0
10. 4.5MB
   MD5: 7751c37d01685b0d7b99a48b72b6e4a1
   SHA1: d4e07b40dcdb3d2d2430466bb010b3aaa92f3e0c
   SHA256: 1470278fbc092ceb5f820fa964546f24fa87d58f13ba6838e4e31bfcb65a16ee
   SHA512: dca0e7b5106b7376282dc65cae71673e64f0e7c227fb103caae9c30e67c70060371a7984a42c4589696142a1cd95d7ae733fd71a730af45a5bdfa49deeba6286
11. 5KB
   MD5: e889ea342e2fb9cc3299f8e210bc0f93
   SHA1: 7420d4e0e0d71218e980da5cc1a46b6b263734ad
   SHA256: 4c601d3a79faff5015de6f6912560a1384028688c0fa630d7609182e2f0579f5
   SHA512: d73cf0250d0f87a68e69dfd6205173b6a01e244cceceeb2f2fd438a7ef7cdcb97f56199f2df1a26788ffc0ab41cd538dd079e362329a89f7723c80523c8a5eec
12. 403KB
   MD5: 6f6bfe02e84a595a56b456f72debd4ee
   SHA1: 90bad3ae1746c7a45df2dbf44cd536eb1bf3c8e2
   SHA256: 5e59b566eda7bb36f3f5d6dd39858bc9d6cf2c8d81deca4ea3c409804247da51
   SHA512: ed2a7402699a6d00d1eac52b0f2dea4475173be3320dfbad5ca58877f06638769533229bc12bce6650726d3166c0e5ebac2dad7171b77b29186d4d5e65818c50
13. 685KB
   MD5: c638bca1a67911af7f9ed67e7b501154
   SHA1: 0fd74d2f1bd78f678b897a776d8bce36742c39b7
   SHA256: 519078219f7f6db542f747702422f902a21bfc3aef8c6e6c3580e1c5e88162b8
   SHA512: ca8133399f61a1f339a14e3fad3bfafc6fe3657801fd66df761c88c18b2dc23ceb02ba6faa536690986972933bec2808254ef143c2c22f881285facb4364659f