General
Target: 25a701c7ce27526a322bb753c8f2a39d_JaffaCakes118
Size: 249KB
Sample: 240508-tmn4racf9z
MD5: 25a701c7ce27526a322bb753c8f2a39d
SHA1: dd936294e0f8e57dc3c1921a96200222878baebc
SHA256: 7dc3d8f43dee81ce5f5480615b1a2cddfcef5983e1b766b2e1368c97a98233ac
SHA512: 71edc20a13d981a673e7bd9d72cefc61356dad465ad2723bf84aef5aa7e67f12be72dfcba796be1c28d4f762a38556197bbcca5ca0627031cbf66395b6c31bcf
SSDEEP: 6144:VpDc4ZVU8Ash5eNoJC5cuCtl9xdixOtAjEViReXuA7/:XA46yJ4cuWVmEVQeeu
Static task: static1
Behavioral task: behavioral1
  Sample: Fake_Companys_Names2.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: Fake_Companys_Names2.exe
  Resource: win10v2004-20240508-en
Malware Config
Extracted
remcos
2.5.1 Pro
4.0CASSANDRACRYPTER
www.envisiensintl.com:5200
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: CassCryp
keylog_path: %AppData%
mouse_option: false
mutex: CassCryp-K5ECIZ
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: wikipedia;solitaire;
Targets
Target: Fake_Companys_Names2.exe
Size: 324KB
MD5: 178f393ded898426b0375558d02ebb46
SHA1: 01565d709746879d6629bdd4cef811b2329f209f
SHA256: b110672f40e09bdc455d7e60ab947d33bf55dc428336b2bfebb66a676520f847
SHA512: baeb9ab11fa68b8336ffe3d4d6d96820e948ff6e947ab8ff07f970605effbe8719538f43ee2919d67737e6152ad856eae19e7268de7ec57978a1660994a16870
SSDEEP: 6144:ZZ7PS8IBAz3YdHwy8As57eNmJCfcuCtx97difitAjWVUReXyA7:ZZ7K8UHvEJccuMTmWVyeC
Score: 10/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext