General

  • Target

    24e6decd318dbb52015ad9148bd91016_JaffaCakes118

  • Size

    416KB

  • Sample

    240508-p1cknaff99

  • MD5

    24e6decd318dbb52015ad9148bd91016

  • SHA1

    b806651869a30d3ff780b51b1946a8d625049dc7

  • SHA256

    b43036a0048cb92bf8d2741234b749d02fb0a4ef9f09740fe52858a037845877

  • SHA512

    962f3d3b67ffd2989292e7a1e7e09131022dddea6e9ab29c10ffb47f1498abae50cc49f473930aedad533a034e9e22e14bad6504fd7ee8407750d176fee312bf

  • SSDEEP

    3072:LA2psK6vCwnIE5egrp5pS8udOECzgn7qzYO+xCVulId7w/aSx/8JW+dQAfNW7R9p:kneg7fudiilg8l1vl8JW+dQdDk+yI4O

Malware Config

Extracted

Family

remcos

Version

2.2.0 Pro

Botnet

Scvhost

C2

success.publicvm.com:5060

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    3

  • copy_file

    DnasApp.exe

  • copy_folder

    DnasApp

  • delete_file

    true

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    DnasApp-GD3ZG4

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    DnasApp

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      24e6decd318dbb52015ad9148bd91016_JaffaCakes118

    • Size

      416KB

    • MD5

      24e6decd318dbb52015ad9148bd91016

    • SHA1

      b806651869a30d3ff780b51b1946a8d625049dc7

    • SHA256

      b43036a0048cb92bf8d2741234b749d02fb0a4ef9f09740fe52858a037845877

    • SHA512

      962f3d3b67ffd2989292e7a1e7e09131022dddea6e9ab29c10ffb47f1498abae50cc49f473930aedad533a034e9e22e14bad6504fd7ee8407750d176fee312bf

    • SSDEEP

      3072:LA2psK6vCwnIE5egrp5pS8udOECzgn7qzYO+xCVulId7w/aSx/8JW+dQAfNW7R9p:kneg7fudiilg8l1vl8JW+dQdDk+yI4O

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks