General
Target: fd207a395742b0ff3aafc447f1f362b5_JaffaCakes118
Size: 1.0MB
Sample: 240420-tfp3gacc29
MD5: fd207a395742b0ff3aafc447f1f362b5
SHA1: fa87a70741d18f6ec194a380eba3d14f2147e40e
SHA256: 3ff078acafa70ffbfcbc5331d14298b0e43a59b80769993de69aece376ac10e8
SHA512: d068df81bd697baa4953d58442097558f92b1faca790ae27d943b7fcfb4c8682e619288c53ed11218a2f994ffed479484ead216a7c5eefe534baee4dcceca767
SSDEEP: 24576:y4lavt0LkLL9IMixoEFNYQV527Yd6FEgk:lkwkn9IMSNYQV07UMEg
Static task: static1
Behavioral task: behavioral1
  Sample: fd207a395742b0ff3aafc447f1f362b5_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: fd207a395742b0ff3aafc447f1f362b5_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
Malware Config
Extracted: remcos 3.2.0 Pro
RemoteHostComp: edwardjamie.duckdns.org:3956
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcosx.exe
copy_folder: Remcosx
delete_file: true
hide_file: true
hide_keylog_file: false
install_flag: true
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: Remcosx-QQSGPF
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcosx
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: notepad;solitaire;
Targets
Target: fd207a395742b0ff3aafc447f1f362b5_JaffaCakes118
Size: 1.0MB
MD5: fd207a395742b0ff3aafc447f1f362b5
SHA1: fa87a70741d18f6ec194a380eba3d14f2147e40e
SHA256: 3ff078acafa70ffbfcbc5331d14298b0e43a59b80769993de69aece376ac10e8
SHA512: d068df81bd697baa4953d58442097558f92b1faca790ae27d943b7fcfb4c8682e619288c53ed11218a2f994ffed479484ead216a7c5eefe534baee4dcceca767
SSDEEP: 24576:y4lavt0LkLL9IMixoEFNYQV527Yd6FEgk:lkwkn9IMSNYQV07UMEg
Score: 10/10
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- AutoIT Executable: AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext