Analysis
max time kernel: 153s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-05-2024 04:53
Static task: static1
Behavioral task: behavioral1
  Sample: 28615260996f2ee3bf717734f6714014_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 28615260996f2ee3bf717734f6714014_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: 28615260996f2ee3bf717734f6714014_JaffaCakes118.exe
Size: 344KB
MD5: 28615260996f2ee3bf717734f6714014
SHA1: 4d974c30ad0b91bbb81a3f4684d4c8216b602608
SHA256: b312190adff333d7172e87d01dbb298ad7dbac987a6ad489fca561366161ee98
SHA512: af93cc53e0b2299c63247e44c9ad25d065f23a7409657d40e2326f578c10022f58bc2344574c85caad1bfdf3fce65ac18742726b1ed0983a91898a2d30ee75af
SSDEEP: 3072:9iyYjwU1EjxKqX3Q+V1r851fKI9kG5yl+9nyiPPkD2Io9McfOOgPSCzHi8eklllL:jYrqXn1r8fK+/k+9nvki1Bj4
Malware Config
Extracted
Family: remcos
Version: 2.1.0 Pro
Botnet: Rem5
C2: camglass.sytes.net:2445, camvips.ddns.net:2445
Attributes:
  audio_folder: audio
  audio_path: %AppData%
  audio_record_time: 5
  connect_delay: 15
  connect_interval: 5
  copy_file: Rem5.exe
  copy_folder: Rem5
  delete_file: false
  hide_file: false
  hide_keylog_file: false
  install_flag: true
  install_path: %AppData%
  keylog_crypt: true
  keylog_file: logs.dat
  keylog_flag: false
  keylog_folder: Rem5
  keylog_path: %AppData%
  mouse_option: false
  mutex: WpouHTy-7HE1NU
  screenshot_crypt: false
  screenshot_flag: false
  screenshot_folder: Screenshots
  screenshot_path: %AppData%
  screenshot_time: 1
  startup_value: LKJhgtYGS
  take_screenshot_option: false
  take_screenshot_time: 5
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (process: 28615260996f2ee3bf717734f6714014_JaffaCakes118.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (process: WScript.exe)
- Executes dropped EXE (1 IoC)
  PID 4308: Rem5.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LKJhgtYGS = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rem5\\Rem5.exe\"" (process: 28615260996f2ee3bf717734f6714014_JaffaCakes118.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LKJhgtYGS = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rem5\\Rem5.exe\"" (process: Rem5.exe)
- Suspicious use of SetThreadContext (1 IoC)
  PID 4308 (Rem5.exe) set thread context of PID 540 (procid_target 105)
- Drops file in Windows directory (3 IoCs)
  File opened for modification: C:\Windows\win.ini (process: 28615260996f2ee3bf717734f6714014_JaffaCakes118.exe)
  File opened for modification: C:\Windows\win.ini (process: Rem5.exe)
  File opened for modification: C:\Windows\win.ini (process: svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings (process: 28615260996f2ee3bf717734f6714014_JaffaCakes118.exe)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 4452: 28615260996f2ee3bf717734f6714014_JaffaCakes118.exe
  PID 4308: Rem5.exe
  PID 4308: Rem5.exe
  PID 540: svchost.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  PID 4452 (28615260996f2ee3bf717734f6714014_JaffaCakes118.exe) wrote to memory of PID 3104 (procid_target 98), 3 times
  PID 3104 (WScript.exe) wrote to memory of PID 4940 (procid_target 102), 3 times
  PID 4940 (cmd.exe) wrote to memory of PID 4308 (procid_target 104), 3 times
  PID 4308 (Rem5.exe) wrote to memory of PID 540 (procid_target 105), 8 times
Processes
C:\Users\Admin\AppData\Local\Temp\28615260996f2ee3bf717734f6714014_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\28615260996f2ee3bf717734f6714014_JaffaCakes118.exe"
  PID: 4452
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    PID: 3104
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Rem5\Rem5.exe"
      PID: 4940
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\Rem5\Rem5.exe
        Command line: C:\Users\Admin\AppData\Roaming\Rem5\Rem5.exe
        PID: 4308
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\svchost.exe
          Command line: C:\Windows\SysWOW64\svchost.exe
          PID: 540
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4160 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
  PID: 2400
Network
MITRE ATT&CK Enterprise v15
Downloads