Analysis
-
max time kernel
147s -
max time network
129s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
-
submitted
22-06-2024 00:01
General
-
Target
00542b9d21af209948ad923d035e53fe_JaffaCakes118.exe
-
Size
2.3MB
-
MD5
00542b9d21af209948ad923d035e53fe
-
SHA1
eeb88fcc92a58309dd26019052a7ae5bcfc02110
-
SHA256
d7841d55e43d7bc435dadaae9997d975ed0001ab18fa4f7e4f2fce6a36105093
-
SHA512
8a01d01f7bd7df1a7371cda7158c1e69dcc98d078af626eb47ac4f1cc7e78aa67008210ad850f4a1bfbcd4e1f2b39e3c669eb4425e8acb85ef97585d6169b69e
-
SSDEEP
49152:tglKw04wX6NOzrqYFxZoZ3H0sm9NnlKGDMeXOIpaQqGcKX:tOK7lzOYF4JH03JKvuOqn
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Modifies Windows Firewall 2 TTPs 8 IoCs
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 11 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 31 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 24 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Kills process with taskkill 2 IoCs
-
Modifies registry key 1 TTPs 2 IoCs
-
Runs .reg file with regedit 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\00542b9d21af209948ad923d035e53fe_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\00542b9d21af209948ad923d035e53fe_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\6E8B.tmp\msi.bat" "2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im RManServer.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rutserv.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\SYSTEM\Remote Manipulator System" /f3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Windows\System32\catroot7"3⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\sc.exesc config tlntsvr start= disabled3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\net.exenet stop "Service Host Controller"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Service Host Controller"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /tn security /f3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name="RealIP"3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name="Microsoft Outlook Express"3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name="Service Host Controller"3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name="ò«ßΓ-»α«µÑßß ñ½∩ ß½πªí Windows"3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name="ò«ßΓ-»α«µÑßß ñ½∩ ºáñáτ Windows"3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete portopening tcp 570093⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name="cam_server"3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete portopening tcp 57011 all3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\SysWOW64\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v "Ä»Ñαᵿ«¡¡á∩ ß¿ßΓѼá Microsoft Windows" /f3⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v "Service Host Controller" /f3⤵
- Modifies registry key
-
C:\Windows\SysWOW64\catroot7\rutserv.exe"rutserv.exe" /silentinstall3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\catroot7\rutserv.exe"rutserv.exe" /firewall3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\regedit.exeregedit /s set.reg3⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\catroot7\rutserv.exe"rutserv.exe" /start3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\catroot7\rutserv.exeC:\Windows\SysWOW64\catroot7\rutserv.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\catroot7\rfusclient.exeC:\Windows\SysWOW64\catroot7\rfusclient.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\catroot7\rfusclient.exeC:\Windows\SysWOW64\catroot7\rfusclient.exe /tray3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\catroot7\rfusclient.exeC:\Windows\SysWOW64\catroot7\rfusclient.exe /tray2⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\6E8B.tmp\HookDrv.dllFilesize
144KB
MD5513066a38057079e232f5f99baef2b94
SHA1a6da9e87415b8918447ec361ba98703d12b4ee76
SHA25602dbea75e8dbcdfc12c6b92a6c08efad83d4ca742ed7aee393ab26cab0c58f9e
SHA51283a074bef57f78ede2488dd586b963b92837e17eea77ebd1464f3da06954ae8ca07f040089af0c257e2836611ae39424574bd365aea4a6318a2707e031cd31a5
-
C:\Users\Admin\AppData\Local\Temp\6E8B.tmp\Microsoft.VC80.CRT.manifestFilesize
1KB
MD5d34b3da03c59f38a510eaa8ccc151ec7
SHA141b978588a9902f5e14b2b693973cb210ed900b2
SHA256a50941352cb9d8f7ba6fbf7db5c8af95fb5ab76fc5d60cfd0984e558678908cc
SHA512231a97761d652a0fc133b930abba07d456ba6cd70703a632fd7292f6ee00e50ef28562159e54acc3fc6cc118f766ea3f2f8392579ae31cc9c0c1c0dd761d36f7
-
C:\Users\Admin\AppData\Local\Temp\6E8B.tmp\PushSource.axFilesize
448KB
MD5d7eb741be9c97a6d1063102f0e4ca44d
SHA1bf8bdca7f56ed39fb96141ae9593dec497f4e2c8
SHA2560914ab04bfd258008fec4605c3fa0e23c0d5111b9cfc374cfa4eaa1b4208dff7
SHA512cbcaedf5aca641313ba2708e4be3ea0d18dd63e4543f2c2fdcbd31964a2c01ff42724ec666da24bf7bf7b8faaa5eceae761edf82c71919753d42695c9588e65e
-
C:\Users\Admin\AppData\Local\Temp\6E8B.tmp\RIPCServer.dllFilesize
96KB
MD5329354f10504d225384e19c8c1c575db
SHA19ef0b6256f3c5bbeb444cb00ee4b278847e8aa66
SHA25624735b40df2cdac4da4e3201fc597eed5566c5c662aa312fa491b7a24e244844
SHA512876585dd23f799f1b7cef365d3030213338b3c88bc2b20174e7c109248319bb5a3feaef43c0b962f459b2f4d90ff252c4704d6f1a0908b087e24b4f03eba9c0e
-
C:\Users\Admin\AppData\Local\Temp\6E8B.tmp\RWLN.dllFilesize
325KB
MD5cf6ce6b13673dd11f0cd4b597ac56edb
SHA12017888be6edbea723b9b888ac548db5115df09e
SHA2567bda291b7f50049088ea418b5695929b9be11cc014f6ec0f43f495285d1d6f74
SHA512e5b69b4ee2ff8d9682913a2f846dc2eca8223d3100d626aea9763653fe7b8b35b8e6dc918f4c32e8ae2fc1761611dcd0b16d623ede954f173db33216b33f49dc
-
C:\Users\Admin\AppData\Local\Temp\6E8B.tmp\dsfOggMux.dllFilesize
84KB
MD565889701199e41ae2abee652a232af6e
SHA13f76c39fde130b550013a4f13bfea2862b5628cf
SHA256ef12a65d861a14aed28480946bc56fce479a21e9beac2983239eac6551d4f32e
SHA512edbb1a1541a546d69e3fd64047a20613b47b3c08f2b639a53160b825c4a1462c4cc08a7bf417aa2db814f412fb16619c6c0d9364e21cc1c6d753ecf81f1d30f5
-
C:\Users\Admin\AppData\Local\Temp\6E8B.tmp\dsfTheoraEncoder.dllFilesize
240KB
MD55f2fc8a0d96a1e796a4daae9465f5dd6
SHA1224f13f3cbaa441c0cb6d6300715fda7136408ea
SHA256f8686d8752801bb21c3d94ebe743758d79b9b59f33589ec8620e75a949d1871f
SHA512da866275159b434205f259176c3937b7c77b14ed95d052152b05b984909e094bbd3b2702d3e874a4a1e1bc02fc5a8476ea43df8aee43542d56e832eacc8f54ad
-
C:\Users\Admin\AppData\Local\Temp\6E8B.tmp\dsfVorbisEncoder.dllFilesize
1.6MB
MD5086a9fd9179aad7911561eeff08cf7e2
SHA1d390c28376e08769a06a4a8b46609b3a668f728b
SHA2562cede6701b73a4ddd6422fde157ea54644a3a9598b3ba217cf2b30b595cf6282
SHA512a98f593a306208da49e57e265daf37d6b1bd9f190fba45d65dd6cfa08801b760f540ea5cc443f9a1512eb5ddc01b1e4e28fc8ddecb9c0f1d42c884c4efaa7193
-
C:\Users\Admin\AppData\Local\Temp\6E8B.tmp\msi.batFilesize
2KB
MD57f53f668d5c3e572ceb2e3e5275e2aac
SHA1da92bbc00f55a01d150d5db15813fc3386276937
SHA256aabbc17791d5c10e5caad0a616616177896c179461d4002600fa82c50cdcae0b
SHA5122f81416e7a393cef6879e7a95acfd3d21ec06cad5f132202ef0a72ad51e6f774924fe4d7bcaf9ef2bfdfc507d01a5afb9c54af66a00780ede1b0fcb0f914f283
-
C:\Users\Admin\AppData\Local\Temp\6E8B.tmp\msvcp80.dllFilesize
541KB
MD58c53ccd787c381cd535d8dcca12584d8
SHA1bc7ce60270a58450596aa3e3e5d0a99f731333d9
SHA256384aaee2a103f7ed5c3ba59d4fb2ba22313aaa1fbc5d232c29dbc14d38e0b528
SHA512e86c1426f1ad62d8f9bb1196dee647477f71b9aacafabb181f35e639c105779f95f1576b72c0a9216e876430383b8d44f27748b13c25e0548c254a0f641e4755
-
C:\Users\Admin\AppData\Local\Temp\6E8B.tmp\msvcr80.dllFilesize
617KB
MD51169436ee42f860c7db37a4692b38f0e
SHA14ccd15bf2c1b1d541ac883b0f42497e8ced6a5a3
SHA2569382aaed2db19cd75a70e38964f06c63f19f63c9dfb5a33b0c2d445bb41b6e46
SHA512e06064eb95a2ab9c3343672072f5b3f5983fc8ea9e5c92f79e50ba2e259d6d5fa8ed97170dea6d0d032ea6c01e074eefaab850d28965c7522fb7e03d9c65eae0
-
C:\Users\Admin\AppData\Local\Temp\6E8B.tmp\rfusclient.exeFilesize
2.8MB
MD5a90c6e72a9e2602560c521a1647664ad
SHA122f7f0ddb0af04df7109c3ddbb7027909041fa73
SHA256579e5984ad5eb6e5e4b004acd01c95f609a1330f3900cd9851562eb4ac879197
SHA512fbba623cab28c0648e8bdd03c99df9e2a84180d72ea8e63367e943f8b432ebc36a7e10a8bfce11ad1803e54a8514f1ded4fec72e680ee04386965b5eb6a5d6c2
-
C:\Users\Admin\AppData\Local\Temp\6E8B.tmp\rutserv.exeFilesize
3.2MB
MD562dbd11dc36780e35af1aafaa6a8f0f1
SHA1dc6aaac7171b351be3397c3e0e1769dffa848723
SHA256b06604ee55206b081a8378f771f3501f48df1c0023b1d6edcbc5f781aa521f57
SHA512b7f311286387ab39a0a54ac3dbcb74d9db3de4e2657dd6f0e182e38e9ed5400e87f1000c7b978fd4bb34fc373dd99bcb18271296f03248366a9cb52afdaa695d
-
C:\Users\Admin\AppData\Local\Temp\6E8B.tmp\rversionlib.dllFilesize
310KB
MD53f95a06f40eaf51b86cef2bf036ebd7a
SHA164009c5f79661eb2f82c9a76a843c0d3a856695d
SHA2561eb88258b18b215b44620326e35c90a8589f384710e7b2d61abf4f59203bd82d
SHA5126f28b5de28026319bed198f06b5461f688ca401129f1125e9e9d3b58956cc0d546234c2d202827bd74b99afd2ead958a863a520a1f4b7e599d385a8a67062897
-
C:\Users\Admin\AppData\Local\Temp\6E8B.tmp\set.regFilesize
14KB
MD54928e175849e8ac5f514f8c48aa08399
SHA1fe027601360301e4e589bf696b5dc8776dc05a2b
SHA256b12a1147baa23039f5f713e5e84038e475628ad729126a298f845911b4f82332
SHA5124b4231cde4bbea08c332bf52aaa9ab8dfb7f8abaad0734d965800ddf9680b021ef96e94494f841e0d544104114f29c11f0801a76ecb3b24f8a18578083d576b6
-
memory/1148-154-0x0000000000400000-0x000000000075E000-memory.dmpFilesize
3.4MB
-
memory/1148-149-0x0000000000230000-0x0000000000288000-memory.dmpFilesize
352KB
-
memory/1148-148-0x0000000000400000-0x000000000075E000-memory.dmpFilesize
3.4MB
-
memory/1428-146-0x0000000000400000-0x000000000075E000-memory.dmpFilesize
3.4MB
-
memory/1428-165-0x00000000007D0000-0x0000000000828000-memory.dmpFilesize
352KB
-
memory/1428-147-0x00000000007D0000-0x0000000000828000-memory.dmpFilesize
352KB
-
memory/1616-97-0x0000000000400000-0x00000000007C6000-memory.dmpFilesize
3.8MB
-
memory/1616-98-0x00000000007D0000-0x0000000000828000-memory.dmpFilesize
352KB
-
memory/1616-94-0x00000000007D0000-0x0000000000828000-memory.dmpFilesize
352KB
-
memory/1948-143-0x0000000000230000-0x0000000000288000-memory.dmpFilesize
352KB
-
memory/1948-142-0x0000000000400000-0x000000000075E000-memory.dmpFilesize
3.4MB
-
memory/2072-144-0x0000000000400000-0x00000000007C6000-memory.dmpFilesize
3.8MB
-
memory/2072-145-0x0000000000840000-0x0000000000898000-memory.dmpFilesize
352KB
-
memory/2072-117-0x0000000000840000-0x0000000000898000-memory.dmpFilesize
352KB
-
memory/2072-156-0x0000000000400000-0x00000000007C6000-memory.dmpFilesize
3.8MB
-
memory/2072-151-0x0000000000840000-0x0000000000898000-memory.dmpFilesize
352KB
-
memory/2072-150-0x0000000000400000-0x00000000007C6000-memory.dmpFilesize
3.8MB
-
memory/2148-106-0x0000000000230000-0x0000000000288000-memory.dmpFilesize
352KB
-
memory/2148-104-0x0000000000230000-0x0000000000288000-memory.dmpFilesize
352KB
-
memory/2148-105-0x0000000000400000-0x00000000007C6000-memory.dmpFilesize
3.8MB
-
memory/2400-134-0x0000000000230000-0x0000000000288000-memory.dmpFilesize
352KB
-
memory/2400-133-0x0000000000400000-0x00000000007C6000-memory.dmpFilesize
3.8MB
-
memory/3048-0-0x0000000000400000-0x0000000000E8A000-memory.dmpFilesize
10.5MB
-
memory/3048-110-0x0000000000400000-0x0000000000E8A000-memory.dmpFilesize
10.5MB
-
memory/3048-136-0x0000000000400000-0x0000000000E8A000-memory.dmpFilesize
10.5MB