General

- Target: fa5da3d28e0cef76033130da3b8eef63_JaffaCakes118
- Size: 108KB
- Sample: 240419-qe17kadc32
- MD5: fa5da3d28e0cef76033130da3b8eef63
- SHA1: 6dc00e91c4ce1a264ab281e0990644e7fadeb58b
- SHA256: ed7f89f0ac458f6347a838703dde8fad21227620b836970cb83e3030244e22a7
- SHA512: d3a5a4aba0666c2c14aae54d9ae1657bada6a770502f3baa1bff5c027453f51eb0649369a3453ba6b63311e73ab1aef01baffab72528a13914707db949718996
- SSDEEP: 1536:LTSpG2bEOFPX53rseoINqmxnWh9W78a1JYAbxaL5FwYc7BTx:6pXEuf53X9N7WhsAYNcFGj

Static task: static1
Behavioral task: behavioral1
- Sample: fa5da3d28e0cef76033130da3b8eef63_JaffaCakes118.exe
- Resource: win7-20240221-en
Malware Config

Extracted: remcos
3.1.4 Pro
Support8
5.61.52.60:8008

- audio_folder: MicRecords
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: 1.bin
- keylog_flag: false
- keylog_folder: TeamViewer
- keylog_path: %Temp%
- mouse_option: false
- mutex: -0P6NO9
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: remcos
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title: wikipedia;solitaire;
Targets

- Target: fa5da3d28e0cef76033130da3b8eef63_JaffaCakes118
- Size: 108KB
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Suspicious use of SetThreadContext