remcos | 14ab9325728bdeb6e2a931564b689eedb09c9963f7fb1436e8313c628a9cfd33

General

Target

f9ee70030caa549f8d225466393aca3b_JaffaCakes118.exe
Size

892KB
MD5

f9ee70030caa549f8d225466393aca3b
SHA1

7ccfe01e796739dda4a96f05d4ff4debf8dafde0
SHA256

14ab9325728bdeb6e2a931564b689eedb09c9963f7fb1436e8313c628a9cfd33
SHA512

b10412772c680858704dab3f425104179ffc2343098ef5d78f8f0c8277f6d84ff47daacd4d680c6f7851778e011d286bbe9ff505913d6ed97547b2b73f0e94d7
SSDEEP

24576:SA/Py2lMiQGYEtj4GKR+bjnmpQk8EtwzPbDq:S0q2lLQGYEtj4xR+bjnmpQk8EtwzP6

Score

10^/10

remcos mmiri1 persistence rat upx

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

mmiri1

C2

mmiri1.ddns.net:7171

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-8CPBWM
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

test.exetest.exeWScript.exeremcos.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	test.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	test.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	remcos.exe

Executes dropped EXE 5 IoCs

Processes:

test.exetest.exetest.exeremcos.exeremcos.exe

pid process

5104 test.exe
1600 test.exe
5116 test.exe
2720 remcos.exe
764 remcos.exe

pid	process
5104	test.exe
1600	test.exe
5116	test.exe
2720	remcos.exe
764	remcos.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3700-0-0x0000000000400000-0x00000000005FE000-memory.dmp	upx
behavioral2/memory/3700-25-0x0000000000400000-0x00000000005FE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

test.exeremcos.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	test.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

test.exeremcos.exe

description pid process target process

PID 5104 set thread context of 5116 5104 test.exe test.exe
PID 2720 set thread context of 764 2720 remcos.exe remcos.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5016 schtasks.exe
1732 schtasks.exe
Modifies registry class 1 IoCs

Processes:

test.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings test.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

test.exeremcos.exe

pid process

5104 test.exe
5104 test.exe
5104 test.exe
2720 remcos.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

test.exeremcos.exe

description pid process

Token: SeDebugPrivilege 5104 test.exe
Token: SeDebugPrivilege 2720 remcos.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

remcos.exe

pid process

764 remcos.exe

description	pid	process	target process
PID 5104 set thread context of 5116	5104	test.exe	test.exe
PID 2720 set thread context of 764	2720	remcos.exe	remcos.exe

pid	process
5016	schtasks.exe
1732	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings	test.exe

pid	process
5104	test.exe
5104	test.exe
5104	test.exe
2720	remcos.exe

description	pid	process
Token: SeDebugPrivilege	5104	test.exe
Token: SeDebugPrivilege	2720	remcos.exe

pid	process
764	remcos.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

f9ee70030caa549f8d225466393aca3b_JaffaCakes118.execmd.exetest.exetest.exeWScript.execmd.exeremcos.exe

description	pid	process	target process
PID 3700 wrote to memory of 4292	3700	f9ee70030caa549f8d225466393aca3b_JaffaCakes118.exe	cmd.exe
PID 3700 wrote to memory of 4292	3700	f9ee70030caa549f8d225466393aca3b_JaffaCakes118.exe	cmd.exe
PID 3700 wrote to memory of 4292	3700	f9ee70030caa549f8d225466393aca3b_JaffaCakes118.exe	cmd.exe
PID 4292 wrote to memory of 5104	4292	cmd.exe	test.exe
PID 4292 wrote to memory of 5104	4292	cmd.exe	test.exe
PID 4292 wrote to memory of 5104	4292	cmd.exe	test.exe
PID 5104 wrote to memory of 5016	5104	test.exe	schtasks.exe
PID 5104 wrote to memory of 5016	5104	test.exe	schtasks.exe
PID 5104 wrote to memory of 5016	5104	test.exe	schtasks.exe
PID 5104 wrote to memory of 1600	5104	test.exe	test.exe
PID 5104 wrote to memory of 1600	5104	test.exe	test.exe
PID 5104 wrote to memory of 1600	5104	test.exe	test.exe
PID 5104 wrote to memory of 5116	5104	test.exe	test.exe
PID 5104 wrote to memory of 5116	5104	test.exe	test.exe
PID 5104 wrote to memory of 5116	5104	test.exe	test.exe
PID 5104 wrote to memory of 5116	5104	test.exe	test.exe
PID 5104 wrote to memory of 5116	5104	test.exe	test.exe
PID 5104 wrote to memory of 5116	5104	test.exe	test.exe
PID 5104 wrote to memory of 5116	5104	test.exe	test.exe
PID 5104 wrote to memory of 5116	5104	test.exe	test.exe
PID 5104 wrote to memory of 5116	5104	test.exe	test.exe
PID 5104 wrote to memory of 5116	5104	test.exe	test.exe
PID 5116 wrote to memory of 3656	5116	test.exe	WScript.exe
PID 5116 wrote to memory of 3656	5116	test.exe	WScript.exe
PID 5116 wrote to memory of 3656	5116	test.exe	WScript.exe
PID 3656 wrote to memory of 5056	3656	WScript.exe	cmd.exe
PID 3656 wrote to memory of 5056	3656	WScript.exe	cmd.exe
PID 3656 wrote to memory of 5056	3656	WScript.exe	cmd.exe
PID 5056 wrote to memory of 2720	5056	cmd.exe	remcos.exe
PID 5056 wrote to memory of 2720	5056	cmd.exe	remcos.exe
PID 5056 wrote to memory of 2720	5056	cmd.exe	remcos.exe
PID 2720 wrote to memory of 1732	2720	remcos.exe	schtasks.exe
PID 2720 wrote to memory of 1732	2720	remcos.exe	schtasks.exe
PID 2720 wrote to memory of 1732	2720	remcos.exe	schtasks.exe
PID 2720 wrote to memory of 764	2720	remcos.exe	remcos.exe
PID 2720 wrote to memory of 764	2720	remcos.exe	remcos.exe
PID 2720 wrote to memory of 764	2720	remcos.exe	remcos.exe
PID 2720 wrote to memory of 764	2720	remcos.exe	remcos.exe
PID 2720 wrote to memory of 764	2720	remcos.exe	remcos.exe
PID 2720 wrote to memory of 764	2720	remcos.exe	remcos.exe
PID 2720 wrote to memory of 764	2720	remcos.exe	remcos.exe
PID 2720 wrote to memory of 764	2720	remcos.exe	remcos.exe
PID 2720 wrote to memory of 764	2720	remcos.exe	remcos.exe
PID 2720 wrote to memory of 764	2720	remcos.exe	remcos.exe

C:\Users\Admin\AppData\Local\Temp\f9ee70030caa549f8d225466393aca3b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f9ee70030caa549f8d225466393aca3b_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c test.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4292

C:\Users\Admin\AppData\Local\Temp\test.exe
test.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5104

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EUfYRs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp539E.tmp"
4⤵
- Creates scheduled task(s)
PID:5016

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
4⤵
- Executes dropped EXE
PID:1600

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5116

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:5056

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EUfYRs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8388.tmp"
8⤵
- Creates scheduled task(s)
PID:1732

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
"C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:764

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
Filesize
418B

MD5
ff449f6f7bc5e2d800eb30e2d2c56611

SHA1
93419ea805b9ce35a766e5c56db50d54c2d3f94b

SHA256
655787cf79040ee701963986320556a834d6345e850e03653e4852d94eb09416

SHA512
02a17064c837d36ba241fb8edf9266e33479a10eb8652b974158a3227878a801da29db1108413bb2c298a105b3c19bd20c3a3100f19444189f434706825766a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe
Filesize
208KB

MD5
0d732290c1655a83d38311451fd94151

SHA1
23f5eefaa04e17bd419473a3625507604dba21a5

SHA256
8da62cdcfac8986a05875661dd4e4606eee2cea5284f8729dbb9afff34935810

SHA512
aae0a34c01bed35166a88c9bdc1cdca1496937246f40293ea9c96cc704bfe14bd0b6f82c2e33ba3bd9993f5eceb6add6eef796a475cbdb9e7d4cc2e377f7d5f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp539E.tmp
Filesize
1KB

MD5
684010cc2f0f0793c880a1d6dc5a9e0c

SHA1
ce3c08d73eab8107dfc11c17688cfbbc289cc5f5

SHA256
34c5aa817fb4e24b10cbe560534cccbcc0bcded310e121707211e24538fbf73d

SHA512
cb4eefefd81e1d1ef76aea0e4bed9b55cd07988807c7e7880c2b6da9f1f052e99ae1fce6dae723ae54fd4c79ab6ad18ae648f3fb82c73aefb8929eeec18c81f1

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\logs.dat
Filesize
74B

MD5
9043161bbadd01c54f71a95df4ef9f28

SHA1
79934dd43bc2b26ffc661680d172c1ff925bbb57

SHA256
91b2c83a65bd63075965bf2695a24327ff2262e54a36f1b6603b6ce10bdc89a0

SHA512
8aac0cec8ce63ce689dba12450cc0c1514940e791cb928bd5c4935bc7163bb51856b9097e13b1413e5a84ef471fdfe1daa9afe3222638b070f27f037c41bfe35

Download Submit
memory/764-71-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/764-43-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/764-74-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/764-62-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/764-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/764-55-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/764-54-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/764-52-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/764-84-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/764-47-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/764-46-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/764-45-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/764-41-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2720-34-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/2720-42-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/2720-33-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/3700-0-0x0000000000400000-0x00000000005FE000-memory.dmp

Filesize
2.0MB

Download
memory/3700-25-0x0000000000400000-0x00000000005FE000-memory.dmp

Filesize
2.0MB

Download
memory/5104-20-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/5104-7-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/5104-6-0x0000000000C60000-0x0000000000C70000-memory.dmp

Filesize
64KB

Download
memory/5104-5-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/5116-28-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5116-24-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5116-19-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5116-15-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads