Analysis
-
max time kernel
93s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted
09-05-2024 10:57
Behavioral task
behavioral1
Sample
29a0d1bc5abfbbf0bdf15ffa762cac27_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
29a0d1bc5abfbbf0bdf15ffa762cac27_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
29a0d1bc5abfbbf0bdf15ffa762cac27_JaffaCakes118.exe
-
Size
120KB
-
MD5
29a0d1bc5abfbbf0bdf15ffa762cac27
-
SHA1
76d716d41e3387f6a8854cdbda653efe844e2262
-
SHA256
4e55885791569c17891d8620a28b7563f441e0c80e875df828b33a5a006d544a
-
SHA512
05dcf37e6425a932fe55099767aab0c4a6de6ee2b1fbf2abde61e442ef8dc4d71a3e3c88b75b54e3bc9c8864d65ff68c2ba3d4c718bf0b563f80ed9b7dfa3413
-
SSDEEP
3072:NFNUcekHxRkuHxSWMDUajQJf/p/itxBCBpEzImXnr+vHI+zIcdhrPx2u1p:NHUcLxRkuRSWMDUaGf/p/sxWpEzImXqn
Malware Config
Extracted
remcos
2.0.5 Pro
NEW
195.154.242.51:2404
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
syscmd.exe
-
copy_folder
Syscmd
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
true
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
Syscmd
-
keylog_path
%AppData%
-
mouse_option
true
-
mutex
Syscmd-1WBY6V
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
syscmd
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 29a0d1bc5abfbbf0bdf15ffa762cac27_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | syscmd.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | 29a0d1bc5abfbbf0bdf15ffa762cac27_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | WScript.exe
-
Executes dropped EXE 1 IoCs
pid | Process
1996 | syscmd.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\syscmd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Syscmd\\syscmd.exe\"" | 29a0d1bc5abfbbf0bdf15ffa762cac27_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\syscmd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Syscmd\\syscmd.exe\"" | syscmd.exe
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
3644 | 1948 | WerFault.exe | 88
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 1996 set thread context of 1948 | 1996 | syscmd.exe | 88
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | 29a0d1bc5abfbbf0bdf15ffa762cac27_JaffaCakes118.exe
-
Suspicious use of WriteProcessMemory 19 IoCs
description | pid | Process | procid_target
PID 4204 wrote to memory of 4272 | 4204 | 29a0d1bc5abfbbf0bdf15ffa762cac27_JaffaCakes118.exe | 82
PID 4204 wrote to memory of 4272 | 4204 | 29a0d1bc5abfbbf0bdf15ffa762cac27_JaffaCakes118.exe | 82
PID 4204 wrote to memory of 4272 | 4204 | 29a0d1bc5abfbbf0bdf15ffa762cac27_JaffaCakes118.exe | 82
PID 4272 wrote to memory of 4580 | 4272 | WScript.exe | 85
PID 4272 wrote to memory of 4580 | 4272 | WScript.exe | 85
PID 4272 wrote to memory of 4580 | 4272 | WScript.exe | 85
PID 4580 wrote to memory of 1996 | 4580 | cmd.exe | 87
PID 4580 wrote to memory of 1996 | 4580 | cmd.exe | 87
PID 4580 wrote to memory of 1996 | 4580 | cmd.exe | 87
PID 1996 wrote to memory of 1948 | 1996 | syscmd.exe | 88
PID 1996 wrote to memory of 1948 | 1996 | syscmd.exe | 88
PID 1996 wrote to memory of 1948 | 1996 | syscmd.exe | 88
PID 1996 wrote to memory of 1948 | 1996 | syscmd.exe | 88
PID 1996 wrote to memory of 1948 | 1996 | syscmd.exe | 88
PID 1996 wrote to memory of 1948 | 1996 | syscmd.exe | 88
PID 1996 wrote to memory of 1948 | 1996 | syscmd.exe | 88
PID 1996 wrote to memory of 1948 | 1996 | syscmd.exe | 88
PID 1996 wrote to memory of 1948 | 1996 | syscmd.exe | 88
PID 1996 wrote to memory of 1948 | 1996 | syscmd.exe | 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\29a0d1bc5abfbbf0bdf15ffa762cac27_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\29a0d1bc5abfbbf0bdf15ffa762cac27_JaffaCakes118.exe"
Depth: 1
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4204
-
C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
Depth: 2
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID: 4272
-
C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Syscmd\syscmd.exe"
Depth: 3
- Suspicious use of WriteProcessMemory
PID: 4580
-
C:\Users\Admin\AppData\Roaming\Syscmd\syscmd.exe
Command line: C:\Users\Admin\AppData\Roaming\Syscmd\syscmd.exe
Depth: 4
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 1996
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe
Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Depth: 5
PID: 1948
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 536
Depth: 6
- Program crash
PID: 3644
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1948 -ip 1948
Depth: 1
PID: 1080
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
418B
MD5 a188db36cc78c3a687fefe769400911f
SHA1 c76a6749da9941cabadbf26399ee950aa4dc2782
SHA256 66ba60e9d8ecda66fcee8ce0a80855a67e14704f823d5c058751746208e7d4d3
SHA512 9587847ede7ad801c22eb2d1c3ffdc09aec9fd249b5835ba40b75b150ae87982b13e7828cd9e11290db8a8e28dec02a1b3a712de9694a24349c75b190857f929
-
Filesize
120KB
MD5 29a0d1bc5abfbbf0bdf15ffa762cac27
SHA1 76d716d41e3387f6a8854cdbda653efe844e2262
SHA256 4e55885791569c17891d8620a28b7563f441e0c80e875df828b33a5a006d544a
SHA512 05dcf37e6425a932fe55099767aab0c4a6de6ee2b1fbf2abde61e442ef8dc4d71a3e3c88b75b54e3bc9c8864d65ff68c2ba3d4c718bf0b563f80ed9b7dfa3413