remcos | af546dfa96da5ae43eac5a07a6639c3a420348d7029d279d20ec233b0003f470

General

Target

01ae33c89615b8823ed30a3d9647b4b8_JaffaCakes118.exe
Size

132KB
MD5

01ae33c89615b8823ed30a3d9647b4b8
SHA1

23f589b6c81552cf693b0a5367f244085a169b5b
SHA256

af546dfa96da5ae43eac5a07a6639c3a420348d7029d279d20ec233b0003f470
SHA512

895723248fd83af42590924033024ba5c5f7866f5a60160f4d7592fde6bdc8cf0f95cd279d5de4d8a252fbc3dba23524aa7396dd396f1c9cf940678c2b207519
SSDEEP

1536:ITHiPBX4nDzMyRXGHrc9YRHqbTypgpmb5Q+ZReSdhk/J+YLgD3mrxb53cSuYQjKe:xPd4n/M+WLcilrpgGH/GwY87mVmIXxI

Score

10^/10

remcos host persistence rat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

systemcontrol.ddns.net:45000

systemcontrol2.ddns.net:45000

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
OfficeUpgrade.exe
copy_folder
OfficeUpgrade
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
Upgrader.dat
keylog_flag
false
keylog_folder
Upgrader
keylog_path
%AppData%
mouse_option
false
mutex
req_khauflaoyr
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
OfficeUpgrade
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

wn2ra4ohzdr.exewn2ra4ohzdr.exe

pid process

2836 wn2ra4ohzdr.exe
2584 wn2ra4ohzdr.exe
Loads dropped DLL 1 IoCs

Processes:

01ae33c89615b8823ed30a3d9647b4b8_JaffaCakes118.exe

pid process

2964 01ae33c89615b8823ed30a3d9647b4b8_JaffaCakes118.exe

pid	process
2836	wn2ra4ohzdr.exe
2584	wn2ra4ohzdr.exe

pid	process
2964	01ae33c89615b8823ed30a3d9647b4b8_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

01ae33c89615b8823ed30a3d9647b4b8_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raj4dkhhiap = "C:\\Users\\Admin\\AppData\\Roaming\\raj4dkhhiap\\wn2ra4ohzdr.exe"	01ae33c89615b8823ed30a3d9647b4b8_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

wn2ra4ohzdr.exe

description pid process target process

PID 2836 set thread context of 2584 2836 wn2ra4ohzdr.exe wn2ra4ohzdr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wn2ra4ohzdr.exe

pid process

2584 wn2ra4ohzdr.exe

description	pid	process	target process
PID 2836 set thread context of 2584	2836	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe

pid	process
2584	wn2ra4ohzdr.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

01ae33c89615b8823ed30a3d9647b4b8_JaffaCakes118.exewn2ra4ohzdr.exe

description	pid	process	target process
PID 2964 wrote to memory of 2836	2964	01ae33c89615b8823ed30a3d9647b4b8_JaffaCakes118.exe	wn2ra4ohzdr.exe
PID 2964 wrote to memory of 2836	2964	01ae33c89615b8823ed30a3d9647b4b8_JaffaCakes118.exe	wn2ra4ohzdr.exe
PID 2964 wrote to memory of 2836	2964	01ae33c89615b8823ed30a3d9647b4b8_JaffaCakes118.exe	wn2ra4ohzdr.exe
PID 2964 wrote to memory of 2836	2964	01ae33c89615b8823ed30a3d9647b4b8_JaffaCakes118.exe	wn2ra4ohzdr.exe
PID 2836 wrote to memory of 2584	2836	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2836 wrote to memory of 2584	2836	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2836 wrote to memory of 2584	2836	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2836 wrote to memory of 2584	2836	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2836 wrote to memory of 2584	2836	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2836 wrote to memory of 2584	2836	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2836 wrote to memory of 2584	2836	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2836 wrote to memory of 2584	2836	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2836 wrote to memory of 2584	2836	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2836 wrote to memory of 2584	2836	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe

C:\Users\Admin\AppData\Local\Temp\01ae33c89615b8823ed30a3d9647b4b8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01ae33c89615b8823ed30a3d9647b4b8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2964

C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe
"C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2836

C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe
"C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2584

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe
Filesize
132KB

MD5
5ba9ff6e3d613d37905033ea6d540854

SHA1
a3098b763e754b43e1d23f5f8d36e711280bfc3d

SHA256
5b1676609ad04157b14f4cba0e8cff36dee6379a4a66b177e78cb7c31219dbf2

SHA512
3d3e73e4e907de976b5564b1115646639538d3e12277840f97c1ef59d49db337e2015007c97f8afef5f2d9ba3eb755a82ca10de8acb7603f8f8655ef0c6e5060

Download Submit
memory/2584-28-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2584-17-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2584-23-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2584-21-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2584-31-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2584-29-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2584-15-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2584-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2584-16-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2584-19-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2836-12-0x0000000000C80000-0x0000000000CA8000-memory.dmp

Filesize
160KB

Download
memory/2836-33-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download
memory/2836-14-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

Filesize
256KB

Download
memory/2836-13-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download
memory/2964-3-0x0000000000620000-0x0000000000640000-memory.dmp

Filesize
128KB

Download
memory/2964-0-0x00000000010B0000-0x00000000010D8000-memory.dmp

Filesize
160KB

Download
memory/2964-2-0x0000000001010000-0x0000000001050000-memory.dmp

Filesize
256KB

Download
memory/2964-32-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download
memory/2964-1-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads