Analysis
-
max time kernel
149s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
27/01/2025, 17:21
General
-
Target
JaffaCakes118_42009d9ac7ef4a0211165c2c2ffedf39.exe
-
Size
3.5MB
-
MD5
42009d9ac7ef4a0211165c2c2ffedf39
-
SHA1
ad2fe7fdc29bca8e545bd9433b359707a04a1459
-
SHA256
817221fcb088aba938a3aa441fd4128f4e7a158845e37249286e3624416ab503
-
SHA512
772125c698ba3cba416f82262fa924533d5ed088f0819ed807c20617d6642b19ddfe8a19181218da895aca65a126794c25e17ef4c14132860b51c58a1f9f7570
-
SSDEEP
98304:6Ew1tFnCCfh01zPcm2mXklKyUdzFvJBG90XWAykhY5W0:SoSIzPOOUOFvi9WpG5
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Rms family
-
Indicator Removal: Network Share Connection Removal 1 TTPs 2 IoCs
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
-
Modifies Windows Firewall 2 TTPs 8 IoCs
-
Sets file to hidden 1 TTPs 3 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 5 IoCs
-
Drops file in System32 directory 28 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 24 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 49 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Kills process with taskkill 5 IoCs
-
Modifies registry key 1 TTPs 2 IoCs
-
Runs net.exe
-
Runs regedit.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 10 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42009d9ac7ef4a0211165c2c2ffedf39.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42009d9ac7ef4a0211165c2c2ffedf39.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\9DA6.tmp\microsoft.bat" "2⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im RManServer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rutserv.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\SYSTEM\Remote Manipulator System" /f3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Windows\System32\catroot9"3⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\microsoft.bat"3⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r "C:\Windows\System32\miki913\de.exe"3⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\net.exenet stop rserver33⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop rserver34⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rserver3.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im r_server.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im cam_server.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r "C:\Windows\system32\cam_server.exe"3⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r "C:\Windows\SysWOW64\cam_server.exe"3⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\Windows\system32\rserver30"3⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\Windows\SysWOW64\rserver30"3⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r "C:\Windows\system32\r_server.exe"3⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r "C:\Windows\SysWOW64\r_server.exe"3⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\net.exenet stop Telnet3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Telnet4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\sc.exesc config tlntsvr start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\net.exenet stop "Service Host Controller"3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Service Host Controller"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet user HelpAssistant /delete3⤵
- Indicator Removal: Network Share Connection Removal
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user HelpAssistant /delete4⤵
- Indicator Removal: Network Share Connection Removal
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /tn security /f3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name="RealIP"3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name="Microsoft Outlook Express"3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name="Service Host Controller"3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name="ò«ßΓ-»α«µÑßß ñ½∩ ß½πªí Windows"3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name="ò«ßΓ-»α«µÑßß ñ½∩ ºáñáτ Windows"3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete portopening tcp 570093⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name="cam_server"3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete portopening tcp 57011 all3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v "Ä»Ñαᵿ«¡¡á∩ ß¿ßΓѼá Microsoft Windows" /f3⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v "Service Host Controller" /f3⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v HelpAssistant /f3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "cam_server.exe" /f3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\System\CurrentControlSet\Services\RServer3" /f3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\catroot9\rutserv.exe"rutserv.exe" /silentinstall3⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\catroot9\rutserv.exe"rutserv.exe" /firewall3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s settings.bat3⤵
- System Location Discovery: System Language Discovery
- Runs regedit.exe
-
-
C:\Windows\SysWOW64\catroot9\rutserv.exe"rutserv.exe" /start3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r "C:\Users\Admin\AppData\Local\Temp\microsoft.bat"3⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\catroot9\rutserv.exeC:\Windows\SysWOW64\catroot9\rutserv.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\catroot9\rfusclient.exeC:\Windows\SysWOW64\catroot9\rfusclient.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\catroot9\rfusclient.exeC:\Windows\SysWOW64\catroot9\rfusclient.exe /tray3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: SetClipboardViewer
-
-
-
C:\Windows\SysWOW64\catroot9\rfusclient.exeC:\Windows\SysWOW64\catroot9\rfusclient.exe /tray2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify System Firewall
1Indicator Removal
1Network Share Connection Removal
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD553213fc8c2cb0d6f77ca6cbd40fff22c
SHA1d8ba81ed6586825835b76e9d566077466ee41a85
SHA25603d0776812368478ce60e8160ec3c6938782db1832f5cb53b7842e5840f9dbc5
SHA512e3ced32a2eabfd0028ec16e62687573d86c0112b2b1d965f1f9d0bb5557cef5fdf5233e87fe73be621a52affe4ce53bedf958558aa899646fa390f4541cf11eb
-
Filesize
144KB
MD530e269f850baf6ca25187815912e21c5
SHA1eb160de97d12b4e96f350dd0d0126d41d658afb3
SHA256379191bfd34d41e96760c7a539e2056a22be3d44bf0e8712b53e443f55aead90
SHA5129b86a4eefdcae46e605f85e752ef61e39fd0212a19b7fd4c35eb3ab99851a0b906d048d12d1e1e985a340a67a64d405b8cf803555865137278f0c19d686df5e7
-
Filesize
357KB
MD5bb1f3e716d12734d1d2d9219a3979a62
SHA10ef66eed2f2ae45ec2d478902833b830334109cb
SHA256d7e9c9043ed7df2af800d9b2a33e3efddf68b70f043e9717afc4b7dd4e13e077
SHA512bbc90747dd45a01b05f5c0b6fa58ffe18af894b05363267ac1cc9fe3262f5e65c8ae4e08dfd82d89b9112e86e42d24a12784b79f5ea30b6443015c19b6792c9c
-
Filesize
234KB
MD58e3f59b8c9dfc933fca30edefeb76186
SHA137a78089d5936d1bc3b60915971604c611a94dbd
SHA256528c0656751b336c10cb4c49b703eae9c3863f7f416d0e09b198b082cc54aeb8
SHA5123224c20c30556774fd4bed78909f451b9a5a46aa59271b5e88b1e0e60145d217802a8f1fda3d3fabcd8546ca7783e0c70f0c419a28efe6c5160a102553a3c91d
-
Filesize
1.6MB
MD5871c903a90c45ca08a9d42803916c3f7
SHA1d962a12bc15bfb4c505bb63f603ca211588958db
SHA256f1da32183b3da19f75fa4ef0974a64895266b16d119bbb1da9fe63867dba0645
SHA512985b0b8b5e3d96acfd0514676d9f0c5d2d8f11e31f01acfa0f7da9af3568e12343ca77f541f55edda6a0e5c14fe733bda5dc1c10bb170d40d15b7a60ad000145
-
Filesize
4KB
MD5b158481e20280844437ee65c96c823ae
SHA198a975e14e3e8088dc3a2531620b56f224220abd
SHA25692a36d2792837f9c48b7dabef46608cbf64f63753c9d403d63f65dea78e20d05
SHA512697aff838853be80f4f2bd5e5966e1f6f3b357c2c42b611da1b320df5f0ff36758e8ce23b86e7992303e05d43a80194cedb05afebf7ba61cf874df4b7894986a
-
Filesize
556KB
MD5b2eee3dee31f50e082e9c720a6d7757d
SHA13322840fef43c92fb55dc31e682d19970daf159d
SHA2564608beedd8cf9c3fc5ab03716b4ab6f01c7b7d65a7c072af04f514ffb0e02d01
SHA5128b1854e80045001e7ab3a978fb4aa1de19a3c9fc206013d7bc43aec919f45e46bb7555f667d9f7d7833ab8baa55c9098af8872006ff277fc364a5e6f99ee25d3
-
Filesize
637KB
MD57538050656fe5d63cb4b80349dd1cfe3
SHA1f825c40fee87cc9952a61c8c34e9f6eee8da742d
SHA256e16bc9b66642151de612ee045c2810ca6146975015bd9679a354567f56da2099
SHA512843e22630254d222dfd12166c701f6cd1dca4a8dc216c7a8c9c0ab1afc90189cfa8b6499bbc46408008a1d985394eb8a660b1fa1991059a65c09e8d6481a3af8
-
Filesize
3.8MB
MD5ebdfd6c8e430a012004a1366816bd18e
SHA148234645e99c9a8c3a714a0e1892ec2cb1a9503b
SHA256211ae4639da26766e25d1b09466a3c0ae786930d24551ad5e3a9c29cb44e1cdb
SHA512b58e7e35281935a581c3b51ba070c17b6deadd5514bc9b39dbdb35130ebc60d7bdeb8607fe868d5099c83a97be8f28ac4d4fea1cc3df643eda9cf7874545e2e0
-
Filesize
4.5MB
MD57751c37d01685b0d7b99a48b72b6e4a1
SHA1d4e07b40dcdb3d2d2430466bb010b3aaa92f3e0c
SHA2561470278fbc092ceb5f820fa964546f24fa87d58f13ba6838e4e31bfcb65a16ee
SHA512dca0e7b5106b7376282dc65cae71673e64f0e7c227fb103caae9c30e67c70060371a7984a42c4589696142a1cd95d7ae733fd71a730af45a5bdfa49deeba6286
-
Filesize
5KB
MD5e889ea342e2fb9cc3299f8e210bc0f93
SHA17420d4e0e0d71218e980da5cc1a46b6b263734ad
SHA2564c601d3a79faff5015de6f6912560a1384028688c0fa630d7609182e2f0579f5
SHA512d73cf0250d0f87a68e69dfd6205173b6a01e244cceceeb2f2fd438a7ef7cdcb97f56199f2df1a26788ffc0ab41cd538dd079e362329a89f7723c80523c8a5eec
-
Filesize
403KB
MD56f6bfe02e84a595a56b456f72debd4ee
SHA190bad3ae1746c7a45df2dbf44cd536eb1bf3c8e2
SHA2565e59b566eda7bb36f3f5d6dd39858bc9d6cf2c8d81deca4ea3c409804247da51
SHA512ed2a7402699a6d00d1eac52b0f2dea4475173be3320dfbad5ca58877f06638769533229bc12bce6650726d3166c0e5ebac2dad7171b77b29186d4d5e65818c50
-
Filesize
685KB
MD5c638bca1a67911af7f9ed67e7b501154
SHA10fd74d2f1bd78f678b897a776d8bce36742c39b7
SHA256519078219f7f6db542f747702422f902a21bfc3aef8c6e6c3580e1c5e88162b8
SHA512ca8133399f61a1f339a14e3fad3bfafc6fe3657801fd66df761c88c18b2dc23ceb02ba6faa536690986972933bec2808254ef143c2c22f881285facb4364659f
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
4.4MB
-
Filesize
5.1MB
-
Filesize
4.4MB
-
Filesize
5.1MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
14.6MB
-
Filesize
14.6MB