General

Target: 17aabf6d007520c94f8df8196c8066b6_JaffaCakes118
Size: 288KB
Sample: 240505-pnejgsdc34
MD5: 17aabf6d007520c94f8df8196c8066b6
SHA1: 941456ee84371a09d11e4b15f3887f660e260d34
SHA256: f57baf38587fe0245e396c9b57664994be9a6f92e96d959fb251a6b7f00ddad5
SHA512: b78e80fe53080cfee4e75ac481f199243f68a6c662ff691604247fc06ae306ce65680b4f7d31e5f2d65795752508e6c1b63a1150a49a073d3adea57e72fb5cd9
SSDEEP: 6144:AuBQ3fWB3qOyuBGrl3/8xhKqwX7oAGdb+bDt6GbkLgHp7Lm:AuielqAB0P5qMGmDtzALcp7
Tasks

Static task: static1
Behavioral task: behavioral1
  Sample: 17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe
  Resource: win10v2004-20240419-en
Malware Config

Extracted: remcos 2.0.5 Pro

RemoteHost: 185.84.181.89:3363
RemoteHost: 185.84.181.89:3362
audio_folder: audio
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 5
copy_file: remcos.exe
copy_folder: remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: Remcos-MRGC3E
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: remcos
take_screenshot_option: false
take_screenshot_time: 5
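The extracted configuration is only useful once it is turned into something a defender can hunt with. The following is an added example, not code from the sandbox report or from Remcos itself: it parses the key/value pairs above, derives host and network indicators (the two C2 endpoints on 185.84.181.89, the mutex Remcos-MRGC3E, the configured copy and keylog paths under %AppData%, and the startup value), and runs them over a handful of constructed endpoint events. It assumes, as an interpretation not stated on the page, that the C2 contact and the mutex are unconditional while the on-disk copy, the keylog file and the Run value appear only when the matching flag is true; since install_flag and keylog_flag are false here, those path indicators are reported at low confidence. The event records, the process names in them and the 203.0.113.10 (TEST-NET) benign destination are constructed.

```python
"""Turn the Remcos configuration above into indicators and hunt with them."""
from typing import Dict, List, Tuple

# Key/value pairs copied from the extracted config on this page (indicator-bearing keys only).
REMCOS_CONFIG_TEXT = """\
RemoteHost 185.84.181.89:3363
RemoteHost 185.84.181.89:3362
mutex Remcos-MRGC3E
install_flag false
install_path %AppData%
copy_folder remcos
copy_file remcos.exe
startup_value remcos
keylog_flag false
keylog_path %AppData%
keylog_folder remcos
keylog_file logs.dat
"""

# Constructed endpoint telemetry, not from the report; the benign destination is a TEST-NET address.
SAMPLE_EVENTS = [
    {"type": "network", "dst_ip": "185.84.181.89", "dst_port": 3363},
    {"type": "network", "dst_ip": "203.0.113.10", "dst_port": 443},
    {"type": "mutex", "name": "Remcos-MRGC3E"},
    {"type": "file_create", "path": r"C:\Users\u\AppData\Roaming\remcos\logs.dat"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "OneDrive"},
]


def parse_config(text: str) -> Dict[str, List[str]]:
    """Parse 'key value' lines; a repeated key (RemoteHost) accumulates a list."""
    cfg: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        cfg.setdefault(key, []).append(value.strip())
    return cfg


def derive_iocs(cfg: Dict[str, List[str]]) -> dict:
    """Build indicators; each on-disk artifact carries whether its feature flag is on.

    Assumption (an interpretation, not stated on the page): C2 contact and the mutex
    are unconditional, while the copied binary, keylog file and Run value only
    appear when the matching *_flag is true.
    """
    def path(path_key, folder_key, file_key=None):
        parts = [cfg[path_key][0], cfg[folder_key][0]]
        if file_key:
            parts.append(cfg[file_key][0])
        return "\\".join(parts)

    def enabled(flag_key):
        return cfg.get(flag_key, ["false"])[0].lower() == "true"

    c2: List[Tuple[str, int]] = []
    for host in cfg.get("RemoteHost", []):
        ip, _, port = host.rpartition(":")
        c2.append((ip, int(port)))

    return {
        "c2": c2,
        "mutex": cfg["mutex"][0],
        "paths": {
            "dropped_binary": (path("install_path", "copy_folder", "copy_file"),
                               enabled("install_flag")),
            "keylog_file": (path("keylog_path", "keylog_folder", "keylog_file"),
                            enabled("keylog_flag")),
        },
        "run_value": (cfg["startup_value"][0], enabled("install_flag")),
    }


def match_events(iocs: dict, events: List[dict]) -> List[Tuple[int, str, str]]:
    """Return (event index, indicator name, confidence) for each matching event."""
    hits: List[Tuple[int, str, str]] = []
    c2 = set(iocs["c2"])
    for i, ev in enumerate(events):
        if ev["type"] == "network" and (ev["dst_ip"], ev["dst_port"]) in c2:
            hits.append((i, "c2", "high"))
        elif ev["type"] == "mutex" and ev["name"] == iocs["mutex"]:
            hits.append((i, "mutex", "high"))
        elif ev["type"] == "file_create":
            for name, (cfg_path, on) in iocs["paths"].items():
                # %AppData% expands to a per-user directory, so compare the tail only.
                tail = cfg_path.split("%AppData%", 1)[1].lower()
                if ev["path"].lower().endswith(tail):
                    hits.append((i, name, "medium" if on else "low"))
        elif ev["type"] == "registry_set":
            value_name, on = iocs["run_value"]
            if ev["key"].upper().endswith("\\RUN") and ev["value_name"] == value_name:
                hits.append((i, "run_value", "medium" if on else "low"))
    return hits


def hunt() -> List[Tuple[int, str, str]]:
    """Parse the page's config, derive indicators, and scan the constructed events."""
    return match_events(derive_iocs(parse_config(REMCOS_CONFIG_TEXT)), SAMPLE_EVENTS)


if __name__ == "__main__":
    iocs = derive_iocs(parse_config(REMCOS_CONFIG_TEXT))
    print("C2:", iocs["c2"], "mutex:", iocs["mutex"])
    for idx, name, conf in hunt():
        print(f"event {idx}: {name} ({conf})")
```

Run it with python3; the two network and mutex indicators are the ones worth blocking and alerting on for this build, while the %AppData%\remcos paths and the "remcos" Run value are worth a low-priority hunt only, because the flags that would create them are off in this configuration.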
Targets

Target: 17aabf6d007520c94f8df8196c8066b6_JaffaCakes118 (288KB; same file and hashes as listed under General)
Score: 10/10

Signatures:
- Detect ZGRat V1
- Obfuscated with Agile.Net obfuscator: detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Suspicious use of SetThreadContext: SetThreadContext rewrites another thread's register state, including its instruction pointer, which is how process hollowing and thread hijacking redirect execution into injected code; outside debuggers, legitimate software rarely calls it.