Malware Analysis Report

2024-12-07 22:31

Sample ID 240407-c5p1bsbd97
Target e3ded559a419a2ffadc6d56fa4884a6f_JaffaCakes118
SHA256 5d94b24f251b4fd9b9a59a3d60b86512528add9c95a880d8e32e76b1f54b8eea
Tags remcos remotehost rat
Score 10/10

Analysis Overview

score
10/10

SHA256

5d94b24f251b4fd9b9a59a3d60b86512528add9c95a880d8e32e76b1f54b8eea

Threat Level: Known bad

The file e3ded559a419a2ffadc6d56fa4884a6f_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

remcos remotehost rat

Remcos

Checks computer location settings

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 02:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 02:39

Reported

2024-04-07 02:42

Platform

win10v2004-20240226-en

Max time kernel

152s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e3ded559a419a2ffadc6d56fa4884a6f_JaffaCakes118.exe"

Signatures

Remcos

rat remcos

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e3ded559a419a2ffadc6d56fa4884a6f_JaffaCakes118.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5056 set thread context of 4792 N/A C:\Users\Admin\AppData\Local\Temp\e3ded559a419a2ffadc6d56fa4884a6f_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3ded559a419a2ffadc6d56fa4884a6f_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e3ded559a419a2ffadc6d56fa4884a6f_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5056 wrote to memory of 4652 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\e3ded559a419a2ffadc6d56fa4884a6f_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 5056 wrote to memory of 4792 (12 events) N/A C:\Users\Admin\AppData\Local\Temp\e3ded559a419a2ffadc6d56fa4884a6f_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e3ded559a419a2ffadc6d56fa4884a6f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e3ded559a419a2ffadc6d56fa4884a6f_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XeTozECCRX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4C94.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"{path}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
HK 172.111.234.10:8088 N/A tcp (2 connections)
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
HK 172.111.234.10:8088 N/A tcp (3 connections)
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tmp4C94.tmp

MD5 3e084bf3421c235b89ac83bfbe0c147d
SHA1 e50858c01350b1e9e415f64818cb654f879faae1
SHA256 3d6cd6a52551b0baeb8d885a267c31425ebbf816c8c37149b51161f4ec92959f
SHA512 9f2110ae6b612caef382c70ff40f3bd2cf1496d56d36af82fcac3751f274e511e5cec7aae90d1a1174860f032281ca72316120bd5df49ad600a982352e670158

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 02:39

Reported

2024-04-07 02:42

Platform

win7-20240221-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e3ded559a419a2ffadc6d56fa4884a6f_JaffaCakes118.exe"

Signatures

Remcos

rat remcos

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1984 set thread context of 2604 N/A C:\Users\Admin\AppData\Local\Temp\e3ded559a419a2ffadc6d56fa4884a6f_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e3ded559a419a2ffadc6d56fa4884a6f_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1984 wrote to memory of 2636 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\e3ded559a419a2ffadc6d56fa4884a6f_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 1984 wrote to memory of 2604 (16 events) N/A C:\Users\Admin\AppData\Local\Temp\e3ded559a419a2ffadc6d56fa4884a6f_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e3ded559a419a2ffadc6d56fa4884a6f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e3ded559a419a2ffadc6d56fa4884a6f_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XeTozECCRX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp98E5.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"{path}"

Network

Country Destination Domain Proto
HK 172.111.234.10:8088 N/A tcp (6 connections)

Files

C:\Users\Admin\AppData\Local\Temp\tmp98E5.tmp

MD5 e65c566553729bc6f398e62bb8c7267d
SHA1 2b10d77726aa58a7f88eb55bb48af1b5b50ae898
SHA256 be7b32c1d7a9caae5ccef4cd54318acb3427143662b4b78c0c090c47fad59b59
SHA512 c627941baf1c689858ed197033e6a51fdacc35b6a1a1db095aff552291fbb37f9ad40540af787b7b90039e5e6ce572d11a9d31f65159ad80c0299b102b4567ed
