Malware Analysis Report

2025-01-02 03:15

Sample ID 240330-z6v93aeg7s
Target 447680709f1a10e68bd5d3c16a0d35b9_JaffaCakes118
SHA256 e2279f8c70121685d8895ceff6611e07ed19e2bdbd8869c02e3de3533f6a4fbd
Tags remotehost remcos
Score 10/10


Analysis Overview

Score

10/10

SHA256

e2279f8c70121685d8895ceff6611e07ed19e2bdbd8869c02e3de3533f6a4fbd

Threat Level: Known bad

The file 447680709f1a10e68bd5d3c16a0d35b9_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

remotehost remcos

Remcos family

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-03-30 21:20

Signatures

Remcos family

remcos

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-30 21:20

Reported

2024-03-30 21:22

Platform

win7-20240319-en

Max time kernel

148s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\447680709f1a10e68bd5d3c16a0d35b9_JaffaCakes118.exe"

Signatures

Suspicious use of FindShellTrayWindow

Description  Indicator  Process                                                                       Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\447680709f1a10e68bd5d3c16a0d35b9_JaffaCakes118.exe  N/A

Suspicious use of SendNotifyMessage

Description  Indicator  Process                                                                       Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\447680709f1a10e68bd5d3c16a0d35b9_JaffaCakes118.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\447680709f1a10e68bd5d3c16a0d35b9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\447680709f1a10e68bd5d3c16a0d35b9_JaffaCakes118.exe"

Network

Country  Destination        Domain  Proto
US       3.144.195.31:443   -       tcp
US       3.144.195.31:443   -       tcp
US       3.144.195.31:443   -       tcp
US       3.144.195.31:443   -       tcp
US       3.144.195.31:443   -       tcp
US       3.144.195.31:443   -       tcp
US       3.144.195.31:443   -       tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-30 21:20

Reported

2024-03-30 21:23

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\447680709f1a10e68bd5d3c16a0d35b9_JaffaCakes118.exe"

Signatures

Suspicious use of FindShellTrayWindow

Description  Indicator  Process                                                                       Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\447680709f1a10e68bd5d3c16a0d35b9_JaffaCakes118.exe  N/A

Suspicious use of SendNotifyMessage

Description  Indicator  Process                                                                       Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\447680709f1a10e68bd5d3c16a0d35b9_JaffaCakes118.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\447680709f1a10e68bd5d3c16a0d35b9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\447680709f1a10e68bd5d3c16a0d35b9_JaffaCakes118.exe"

Network

Country  Destination        Domain                        Proto
US       3.144.195.31:443   -                             tcp
US       8.8.8.8:53         228.249.119.40.in-addr.arpa   udp
US       8.8.8.8:53         218.110.86.104.in-addr.arpa   udp
US       8.8.8.8:53         73.31.126.40.in-addr.arpa     udp
US       3.144.195.31:443   -                             tcp
US       8.8.8.8:53         183.59.114.20.in-addr.arpa    udp
US       8.8.8.8:53         206.23.85.13.in-addr.arpa     udp
US       8.8.8.8:53         240.221.184.93.in-addr.arpa   udp
US       3.144.195.31:443   -                             tcp
US       8.8.8.8:53         99.58.20.217.in-addr.arpa     udp
US       3.144.195.31:443   -                             tcp
US       8.8.8.8:53         31.243.111.52.in-addr.arpa    udp
US       3.144.195.31:443   -                             tcp
US       8.8.8.8:53         40.134.221.88.in-addr.arpa    udp
US       3.144.195.31:443   -                             tcp
US       3.144.195.31:443   -                             tcp
US       8.8.8.8:53         6.173.189.20.in-addr.arpa     udp

Files

N/A