Analysis
-
max time kernel
141s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted
09-05-2024 10:57
Behavioral task
behavioral1
Sample
29a0d1bc5abfbbf0bdf15ffa762cac27_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
29a0d1bc5abfbbf0bdf15ffa762cac27_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
29a0d1bc5abfbbf0bdf15ffa762cac27_JaffaCakes118.exe
-
Size
120KB
-
MD5
29a0d1bc5abfbbf0bdf15ffa762cac27
-
SHA1
76d716d41e3387f6a8854cdbda653efe844e2262
-
SHA256
4e55885791569c17891d8620a28b7563f441e0c80e875df828b33a5a006d544a
-
SHA512
05dcf37e6425a932fe55099767aab0c4a6de6ee2b1fbf2abde61e442ef8dc4d71a3e3c88b75b54e3bc9c8864d65ff68c2ba3d4c718bf0b563f80ed9b7dfa3413
-
SSDEEP
3072:NFNUcekHxRkuHxSWMDUajQJf/p/itxBCBpEzImXnr+vHI+zIcdhrPx2u1p:NHUcLxRkuRSWMDUaGf/p/sxWpEzImXqn
Malware Config
Extracted
Family
remcos
Version
2.0.5 Pro
Botnet
NEW
C2
195.154.242.51:2404
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
syscmd.exe
-
copy_folder
Syscmd
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
true
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
Syscmd
-
keylog_path
%AppData%
-
mouse_option
true
-
mutex
Syscmd-1WBY6V
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
syscmd
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | syscmd.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 29a0d1bc5abfbbf0bdf15ffa762cac27_JaffaCakes118.exe
-
Executes dropped EXE 1 IoCs
pid | Process
2148 | syscmd.exe
-
Loads dropped DLL 2 IoCs
pid | Process
2848 | cmd.exe
2848 | cmd.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\syscmd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Syscmd\\syscmd.exe\"" | 29a0d1bc5abfbbf0bdf15ffa762cac27_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\syscmd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Syscmd\\syscmd.exe\"" | syscmd.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2148 | syscmd.exe
-
Suspicious use of WriteProcessMemory 16 IoCs
description | pid | Process | procid_target
PID 3056 wrote to memory of 1544 | 3056 | 29a0d1bc5abfbbf0bdf15ffa762cac27_JaffaCakes118.exe | 28 (4 identical entries)
PID 1544 wrote to memory of 2848 | 1544 | WScript.exe | 29 (4 identical entries)
PID 2848 wrote to memory of 2148 | 2848 | cmd.exe | 31 (4 identical entries)
PID 2148 wrote to memory of 2660 | 2148 | syscmd.exe | 32 (4 identical entries)
Processes
-
1. Image: C:\Users\Admin\AppData\Local\Temp\29a0d1bc5abfbbf0bdf15ffa762cac27_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\29a0d1bc5abfbbf0bdf15ffa762cac27_JaffaCakes118.exe"
   PID: 3056
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. Image: C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      PID: 1544
      - Suspicious use of WriteProcessMemory
      3. Image: C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Syscmd\syscmd.exe"
         PID: 2848
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. Image: C:\Users\Admin\AppData\Roaming\Syscmd\syscmd.exe
            Command line: C:\Users\Admin\AppData\Roaming\Syscmd\syscmd.exe
            PID: 2148
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. Image: C:\Program Files (x86)\Internet Explorer\iexplore.exe
               Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
               PID: 2660

Note: the command lines at depths 2 and 3 name C:\Windows\System32, but the images that actually ran are under C:\Windows\SysWOW64. That is WOW64 file-system redirection, which only applies to 32-bit callers, so the sample and its dropped copy are 32-bit processes on this x64 image. iexplore.exe (PID 2660) shows no signatures of its own; it is the last target in the WriteProcessMemory signature above (written to by syscmd.exe, PID 2148).
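The extracted configuration and the signatures above (Run key, dropped EXE, C2 address) can be turned into concrete host and network indicators for hunting. The following is an added example, not code from the sandbox report or from Remcos itself: it derives the install path, Run-key value, keylog file, mutex and C2 endpoint from the config values printed on this page, then checks Sysmon-style events against them. The event records are constructed for illustration (field names follow Sysmon Event ID 1, 3 and 13), the %AppData% expansion assumes the report's "Admin" user, the network event is what the C2 setting predicts rather than something the report records, and the keylog file is derived even though keylog_flag is false here, so it may never exist on disk.

```python
"""Derive Remcos indicators from the extracted config and match Sysmon-style events.

Added example; not part of the sandbox report or of Remcos. Events are constructed.
"""
from dataclasses import dataclass

# Values copied from the "Malware Config" section of the report.
REMCOS_CONFIG = {
    "c2": ["195.154.242.51:2404"],
    "install_flag": True,
    "install_path": "%AppData%",
    "copy_folder": "Syscmd",
    "copy_file": "syscmd.exe",
    "startup_value": "syscmd",
    "mutex": "Syscmd-1WBY6V",
    "keylog_flag": False,
    "keylog_path": "%AppData%",
    "keylog_folder": "Syscmd",
    "keylog_file": "logs.dat",
}

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


@dataclass(frozen=True)
class RemcosIndicators:
    install_exe: str      # full path of the dropped copy
    run_value_name: str   # value name under HKCU\...\Run
    run_value_data: str   # expected value data, unquoted
    keylog_file: str      # only materialises if keylog_flag is true
    mutex: str            # not observable through Sysmon; kept for memory/handle checks
    c2: tuple             # (ip, port) pairs


def expand_path(template: str, appdata: str) -> str:
    """Resolve the %AppData% placeholder Remcos uses in its path settings."""
    return template.replace("%AppData%", appdata)


def indicators_from_config(cfg: dict, appdata: str = r"C:\Users\Admin\AppData\Roaming") -> RemcosIndicators:
    """Derive the artifacts an install with this config leaves on the host.

    Assumption: %AppData% resolves to the 'Admin' Roaming profile, as in the report's Run-key IoC.
    """
    install_exe = expand_path(cfg["install_path"], appdata) + "\\" + cfg["copy_folder"] + "\\" + cfg["copy_file"]
    keylog_file = expand_path(cfg["keylog_path"], appdata) + "\\" + cfg["keylog_folder"] + "\\" + cfg["keylog_file"]
    c2 = tuple((host, int(port)) for host, _, port in (e.rpartition(":") for e in cfg["c2"]))
    return RemcosIndicators(install_exe, cfg["startup_value"], install_exe, keylog_file, cfg["mutex"], c2)


def _unquote(path: str) -> str:
    """Run values usually store the path wrapped in double quotes, as the report's IoC shows."""
    return path.strip().strip('"')


def match_events(ind: RemcosIndicators, events: list) -> list:
    """Return (rule, event_index) pairs for events that match the derived indicators."""
    hits = []
    run_suffix = (RUN_KEY + "\\" + ind.run_value_name).lower()
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        if eid == 13:  # registry value set
            if ev.get("TargetObject", "").lower().endswith(run_suffix) \
                    and _unquote(ev.get("Details", "")).lower() == ind.run_value_data.lower():
                hits.append(("remcos_run_key_persistence", i))
        elif eid == 1:  # process create
            if ev.get("Image", "").lower() == ind.install_exe.lower():
                hits.append(("remcos_installed_copy_executed", i))
        elif eid == 3:  # network connect
            if (ev.get("DestinationIp"), ev.get("DestinationPort")) in ind.c2:
                hits.append(("remcos_c2_connection", i))
    return hits


# Constructed events modelled on the process tree and Run-key IoC above; the
# two network events are invented to show a C2 match and a non-match.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\WScript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"'},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\syscmd",
     "Details": r'"C:\Users\Admin\AppData\Roaming\Syscmd\syscmd.exe"'},
    {"EventID": 1, "Image": r"C:\Users\Admin\AppData\Roaming\Syscmd\syscmd.exe",
     "CommandLine": r"C:\Users\Admin\AppData\Roaming\Syscmd\syscmd.exe"},
    {"EventID": 3, "DestinationIp": "195.154.242.51", "DestinationPort": 2404},
    {"EventID": 3, "DestinationIp": "195.154.242.51", "DestinationPort": 443},
]

if __name__ == "__main__":
    ind = indicators_from_config(REMCOS_CONFIG)
    print(ind)
    for rule, idx in match_events(ind, SAMPLE_EVENTS):
        print(f"{rule}: event {idx}")
```

The Run-key check compares the unquoted value data against the derived install path rather than matching on the value name alone, since "syscmd" is a plausible name for benign software; the mutex is derived for completeness but only usable with a handle or memory scan, which Sysmon does not provide.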
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
418B
MD5
a188db36cc78c3a687fefe769400911f
SHA1
c76a6749da9941cabadbf26399ee950aa4dc2782
SHA256
66ba60e9d8ecda66fcee8ce0a80855a67e14704f823d5c058751746208e7d4d3
SHA512
9587847ede7ad801c22eb2d1c3ffdc09aec9fd249b5835ba40b75b150ae87982b13e7828cd9e11290db8a8e28dec02a1b3a712de9694a24349c75b190857f929
-
Filesize
79B
MD5
97333fd24793cb730455176fb32be9e4
SHA1
48841d737f10581e514c5567afb1ac0f064f2794
SHA256
86ce735e2ed2d9d33247810caba22af46933cdfa10479b0e08547c4395ea96ed
SHA512
6437981379ae9e312fb9dff5849a385ba95b71cbad70972988f48ce0d650626b7f6790dd5b6a05bd5549ee8d38b683f81e3c497cbdc7678b85f7bbb52cf8a844
-
Filesize
120KB (hashes identical to the submitted sample)
MD5
29a0d1bc5abfbbf0bdf15ffa762cac27
SHA1
76d716d41e3387f6a8854cdbda653efe844e2262
SHA256
4e55885791569c17891d8620a28b7563f441e0c80e875df828b33a5a006d544a
SHA512
05dcf37e6425a932fe55099767aab0c4a6de6ee2b1fbf2abde61e442ef8dc4d71a3e3c88b75b54e3bc9c8864d65ff68c2ba3d4c718bf0b563f80ed9b7dfa3413