General

  • Target: 25a701c7ce27526a322bb753c8f2a39d_JaffaCakes118
  • Size: 249KB
  • Sample: 240508-tmn4racf9z
  • MD5: 25a701c7ce27526a322bb753c8f2a39d
  • SHA1: dd936294e0f8e57dc3c1921a96200222878baebc
  • SHA256: 7dc3d8f43dee81ce5f5480615b1a2cddfcef5983e1b766b2e1368c97a98233ac
  • SHA512: 71edc20a13d981a673e7bd9d72cefc61356dad465ad2723bf84aef5aa7e67f12be72dfcba796be1c28d4f762a38556197bbcca5ca0627031cbf66395b6c31bcf
  • SSDEEP: 6144:VpDc4ZVU8Ash5eNoJC5cuCtl9xdixOtAjEViReXuA7/:XA46yJ4cuWVmEVQeeu

Malware Config

Extracted

  • Family: remcos
  • Version: 2.5.1 Pro
  • Botnet: 4.0CASSANDRACRYPTER
  • C2: www.envisiensintl.com:5200

Attributes

  • audio_folder: MicRecords
  • audio_path: %AppData%
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • install_path: %AppData%
  • keylog_crypt: false
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: CassCryp
  • keylog_path: %AppData%
  • mouse_option: false
  • mutex: CassCryp-K5ECIZ
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • startup_value: remcos
  • take_screenshot_option: false
  • take_screenshot_time: 5
  • take_screenshot_title: wikipedia;solitaire;

Targets

    • Target: Fake_Companys_Names2.exe
    • Size: 324KB
    • MD5: 178f393ded898426b0375558d02ebb46
    • SHA1: 01565d709746879d6629bdd4cef811b2329f209f
    • SHA256: b110672f40e09bdc455d7e60ab947d33bf55dc428336b2bfebb66a676520f847
    • SHA512: baeb9ab11fa68b8336ffe3d4d6d96820e948ff6e947ab8ff07f970605effbe8719538f43ee2919d67737e6152ad856eae19e7268de7ec57978a1660994a16870
    • SSDEEP: 6144:ZZ7PS8IBAz3YdHwy8As57eNmJCfcuCtx97difitAjWVUReXyA7:ZZ7K8UHvEJccuMTmWVyeC

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks