remcos | 3ff078acafa70ffbfcbc5331d14298b0e43a59b80769993de69aece376ac10e8

General

Target

fd207a395742b0ff3aafc447f1f362b5_JaffaCakes118.exe
Size

1.0MB
MD5

fd207a395742b0ff3aafc447f1f362b5
SHA1

fa87a70741d18f6ec194a380eba3d14f2147e40e
SHA256

3ff078acafa70ffbfcbc5331d14298b0e43a59b80769993de69aece376ac10e8
SHA512

d068df81bd697baa4953d58442097558f92b1faca790ae27d943b7fcfb4c8682e619288c53ed11218a2f994ffed479484ead216a7c5eefe534baee4dcceca767
SSDEEP

24576:y4lavt0LkLL9IMixoEFNYQV527Yd6FEgk:lkwkn9IMSNYQV07UMEg

Score

10^/10

remcos remotehostcomp persistence rat upx

Malware Config

Extracted

Family

remcos

Version

3.2.0 Pro

Botnet

RemoteHostComp

C2

edwardjamie.duckdns.org:3956

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcosx.exe
copy_folder
Remcosx
delete_file
true
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcosx-QQSGPF
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcosx
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Extracted

Family

remcos

Botnet

RemoteHostComp

C2

edwardjamie.duckdns.org:3956

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcosx.exe
copy_folder
Remcosx
delete_file
true
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcosx-QQSGPF
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcosx
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fd207a395742b0ff3aafc447f1f362b5_JaffaCakes118.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	fd207a395742b0ff3aafc447f1f362b5_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

Processes:

WScript.exe

pid process

2168 WScript.exe
Executes dropped EXE 2 IoCs

Processes:

remcosx.exeremcosx.exe

pid process

1732 remcosx.exe
2872 remcosx.exe

pid	process
2168	WScript.exe

pid	process
1732	remcosx.exe
2872	remcosx.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2968-10-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral2/memory/2968-11-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral2/memory/2968-12-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral2/memory/2968-13-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral2/memory/2968-14-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral2/memory/2968-20-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral2/memory/2872-38-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral2/memory/2872-39-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral2/memory/2872-40-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral2/memory/2872-41-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral2/memory/2872-43-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral2/memory/2872-44-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral2/memory/2872-47-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral2/memory/2872-53-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral2/memory/2872-59-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral2/memory/2872-65-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral2/memory/2872-71-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral2/memory/2872-80-0x0000000000400000-0x0000000000481000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fd207a395742b0ff3aafc447f1f362b5_JaffaCakes118.exeremcosx.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcosx = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcosx\\remcosx.exe\""	fd207a395742b0ff3aafc447f1f362b5_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcosx = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcosx\\remcosx.exe\""	remcosx.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/4484-0-0x0000000000400000-0x000000000050D000-memory.dmp	autoit_exe
C:\Users\Admin\AppData\Roaming\Remcosx\remcosx.exe	autoit_exe
behavioral2/memory/1732-26-0x0000000000400000-0x000000000050D000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

fd207a395742b0ff3aafc447f1f362b5_JaffaCakes118.exeremcosx.exe

description	pid	process	target process
PID 4484 set thread context of 2968	4484	fd207a395742b0ff3aafc447f1f362b5_JaffaCakes118.exe	fd207a395742b0ff3aafc447f1f362b5_JaffaCakes118.exe
PID 1732 set thread context of 2872	1732	remcosx.exe	remcosx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

fd207a395742b0ff3aafc447f1f362b5_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	fd207a395742b0ff3aafc447f1f362b5_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

fd207a395742b0ff3aafc447f1f362b5_JaffaCakes118.exeremcosx.exe

pid process

4484 fd207a395742b0ff3aafc447f1f362b5_JaffaCakes118.exe
1732 remcosx.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

remcosx.exe

pid process

2872 remcosx.exe

pid	process
4484	fd207a395742b0ff3aafc447f1f362b5_JaffaCakes118.exe
1732	remcosx.exe

pid	process
2872	remcosx.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

fd207a395742b0ff3aafc447f1f362b5_JaffaCakes118.exefd207a395742b0ff3aafc447f1f362b5_JaffaCakes118.exeWScript.execmd.exeremcosx.exe

description	pid	process	target process
PID 4484 wrote to memory of 2968	4484	fd207a395742b0ff3aafc447f1f362b5_JaffaCakes118.exe	fd207a395742b0ff3aafc447f1f362b5_JaffaCakes118.exe
PID 4484 wrote to memory of 2968	4484	fd207a395742b0ff3aafc447f1f362b5_JaffaCakes118.exe	fd207a395742b0ff3aafc447f1f362b5_JaffaCakes118.exe
PID 4484 wrote to memory of 2968	4484	fd207a395742b0ff3aafc447f1f362b5_JaffaCakes118.exe	fd207a395742b0ff3aafc447f1f362b5_JaffaCakes118.exe
PID 4484 wrote to memory of 2968	4484	fd207a395742b0ff3aafc447f1f362b5_JaffaCakes118.exe	fd207a395742b0ff3aafc447f1f362b5_JaffaCakes118.exe
PID 2968 wrote to memory of 2168	2968	fd207a395742b0ff3aafc447f1f362b5_JaffaCakes118.exe	WScript.exe
PID 2968 wrote to memory of 2168	2968	fd207a395742b0ff3aafc447f1f362b5_JaffaCakes118.exe	WScript.exe
PID 2968 wrote to memory of 2168	2968	fd207a395742b0ff3aafc447f1f362b5_JaffaCakes118.exe	WScript.exe
PID 2168 wrote to memory of 4576	2168	WScript.exe	cmd.exe
PID 2168 wrote to memory of 4576	2168	WScript.exe	cmd.exe
PID 2168 wrote to memory of 4576	2168	WScript.exe	cmd.exe
PID 4576 wrote to memory of 1732	4576	cmd.exe	remcosx.exe
PID 4576 wrote to memory of 1732	4576	cmd.exe	remcosx.exe
PID 4576 wrote to memory of 1732	4576	cmd.exe	remcosx.exe
PID 1732 wrote to memory of 2872	1732	remcosx.exe	remcosx.exe
PID 1732 wrote to memory of 2872	1732	remcosx.exe	remcosx.exe
PID 1732 wrote to memory of 2872	1732	remcosx.exe	remcosx.exe
PID 1732 wrote to memory of 2872	1732	remcosx.exe	remcosx.exe

C:\Users\Admin\AppData\Local\Temp\fd207a395742b0ff3aafc447f1f362b5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd207a395742b0ff3aafc447f1f362b5_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4484

C:\Users\Admin\AppData\Local\Temp\fd207a395742b0ff3aafc447f1f362b5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd207a395742b0ff3aafc447f1f362b5_JaffaCakes118.exe"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Checks computer location settings
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcosx\remcosx.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:4576

C:\Users\Admin\AppData\Roaming\Remcosx\remcosx.exe
C:\Users\Admin\AppData\Roaming\Remcosx\remcosx.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Roaming\Remcosx\remcosx.exe
C:\Users\Admin\AppData\Roaming\Remcosx\remcosx.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:2872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3972 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:2532

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut1A1.tmp
Filesize
226KB

MD5
78195b3f07db2beb1f4c96049db81ee0

SHA1
531ad3ec157125b0f017f62e44d64b27b218be00

SHA256
bbe71852290a579a002af2191e2fd7e02798b28b1abf194184f68fe1fcc5cb47

SHA512
fd32aaf4c30047391fa7813bb4ea12371c7bfcca524c5f9b59c8560201cbe625cba1d1554a396a06eedec3929ed008d51bc42e52f8a29e72609cdf288dc4be32

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs
Filesize
626B

MD5
74c33ab48cf95a72049d5bb0778e48a2

SHA1
1cee2ed720d5ee3c2c964b81df277fadc2ef3288

SHA256
b6dfe87a1ce468cd0811fd3b169e0bb6b3613b16d21a06552a607cc2601aa62a

SHA512
1088f82dbb514a127acadf458bfa5c6d6f32f8081e8110a87960f79e88e980b1d9707e253094dd9392a557f2ff5d800f589b24a8ad14fa2780c83835279a78ae

Download Submit
C:\Users\Admin\AppData\Roaming\Remcosx\remcosx.exe
Filesize
1.0MB

MD5
fd207a395742b0ff3aafc447f1f362b5

SHA1
fa87a70741d18f6ec194a380eba3d14f2147e40e

SHA256
3ff078acafa70ffbfcbc5331d14298b0e43a59b80769993de69aece376ac10e8

SHA512
d068df81bd697baa4953d58442097558f92b1faca790ae27d943b7fcfb4c8682e619288c53ed11218a2f994ffed479484ead216a7c5eefe534baee4dcceca767

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\logs.dat
Filesize
148B

MD5
d1fbff9ba6a159d9d7f181e4425f9dcc

SHA1
c81e678ee6add10d5df4e70bb129ae3e99a03b50

SHA256
01a0ef5dc297285d926b1aa21b71d9d3a5fffa00ade044d6ee06cbd713901722

SHA512
fd115e296801253b6c804960fce2b68d382533d4fe3371163f732c8b612663fc8b3fbc8598a1b500eab0eb4150ec14f1a9ca5d26bea713276ddce7bc2afff052

Download Submit
memory/1732-26-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2872-44-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2872-53-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2872-80-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2872-71-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2872-65-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2872-59-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2872-47-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2872-43-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2872-38-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2872-39-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2872-40-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2872-41-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2968-10-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2968-12-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2968-11-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2968-20-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2968-14-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2968-13-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4484-9-0x0000000003FD0000-0x0000000003FD2000-memory.dmp

Filesize
8KB

Download
memory/4484-0-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4484-8-0x0000000003F80000-0x0000000003F81000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads