Analysis

  • max time kernel
    93s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240508-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    09-05-2024 10:57

General

  • Target

    29a0d1bc5abfbbf0bdf15ffa762cac27_JaffaCakes118.exe

  • Size

    120KB

  • MD5

    29a0d1bc5abfbbf0bdf15ffa762cac27

  • SHA1

    76d716d41e3387f6a8854cdbda653efe844e2262

  • SHA256

    4e55885791569c17891d8620a28b7563f441e0c80e875df828b33a5a006d544a

  • SHA512

    05dcf37e6425a932fe55099767aab0c4a6de6ee2b1fbf2abde61e442ef8dc4d71a3e3c88b75b54e3bc9c8864d65ff68c2ba3d4c718bf0b563f80ed9b7dfa3413

  • SSDEEP

    3072:NFNUcekHxRkuHxSWMDUajQJf/p/itxBCBpEzImXnr+vHI+zIcdhrPx2u1p:NHUcLxRkuRSWMDUaGf/p/sxWpEzImXqn

Malware Config

Extracted

Family

remcos

Version

2.0.5 Pro

Botnet

NEW

C2

195.154.242.51:2404

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    syscmd.exe

  • copy_folder

    Syscmd

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    Syscmd

  • keylog_path

    %AppData%

  • mouse_option

    true

  • mutex

    Syscmd-1WBY6V

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    syscmd

  • take_screenshot_option

    false

  • take_screenshot_time

    5
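
The attributes above are enough to derive concrete hunt indicators without running the sample: install_path, copy_folder and copy_file give the dropped binary's location, startup_value the name of the Run-key value, and mutex and C2 the runtime and network indicators. The script below is an added example written for this report, not sandbox output or Remcos code. The profile path used to expand %AppData% (C:\Users\Admin\AppData\Roaming, which is where the process tree shows syscmd.exe landing) and the Sysmon-style telemetry it is matched against are constructed. Because keylog_flag and screenshot_flag are both false in this build, the logs.dat path is reported as inactive rather than as an expected artifact.

```python
"""Derive hunt indicators from the extracted Remcos configuration above.

Added example for this report, not part of the sandbox output or of Remcos.
Config values are copied from the 'Malware Config' section; the user profile
used to expand %AppData% and the telemetry events are constructed.
"""
import ntpath
import re

REMCOS_CONFIG = {
    "c2": "195.154.242.51:2404",
    "install_flag": "true",
    "install_path": "%AppData%",
    "copy_folder": "Syscmd",
    "copy_file": "syscmd.exe",
    "startup_value": "syscmd",
    "mutex": "Syscmd-1WBY6V",
    "keylog_flag": "false",
    "keylog_path": "%AppData%",
    "keylog_folder": "Syscmd",
    "keylog_file": "logs.dat",
    "screenshot_flag": "false",
}

# Assumed profile for the sandbox user 'Admin' (matches the process tree above).
SAMPLE_ENV = {"appdata": r"C:\Users\Admin\AppData\Roaming"}


def expand_path(template: str, env: dict) -> str:
    """Expand %Var% placeholders (case-insensitive) from an environment map;
    unknown placeholders are left untouched."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), template)


def derive_indicators(cfg: dict, env: dict) -> dict:
    """Turn config attributes into concrete, matchable host and network indicators."""
    host, port = cfg["c2"].rsplit(":", 1)
    ind = {"c2_host": host, "c2_port": int(port), "mutex": cfg["mutex"]}
    if cfg.get("install_flag") == "true":
        base = expand_path(cfg["install_path"], env)
        ind["install_exe"] = ntpath.join(base, cfg["copy_folder"], cfg["copy_file"])
        ind["run_value_name"] = cfg["startup_value"]
    # Keylogging is off in this build, so logs.dat is not an expected artifact;
    # the path is only reported when the flag is set.
    keylog = ntpath.join(expand_path(cfg["keylog_path"], env),
                         cfg["keylog_folder"], cfg["keylog_file"])
    ind["keylog_file"] = keylog if cfg.get("keylog_flag") == "true" else None
    return ind


# Constructed telemetry in a Sysmon-like shape (not taken from the report).
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Users\Admin\AppData\Roaming\Syscmd\syscmd.exe"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "syscmd"},
    {"type": "registry_set", "key": r"HKCU\Software\Classes\Local Settings\MuiCache",
     "value": "LangID"},
    {"type": "mutex_create", "name": "Syscmd-1WBY6V"},
    {"type": "net_connect", "dst": "195.154.242.51", "port": 2404},
    {"type": "net_connect", "dst": "13.107.4.50", "port": 80},
]


def match_events(events: list, ind: dict) -> list:
    """Return (indicator_name, event) pairs for telemetry matching the indicators.
    The Run-key match accepts either hive, since the report only says 'Run key'."""
    hits = []
    for ev in events:
        t = ev["type"]
        if t == "file_create" and ev["path"].lower() == ind.get("install_exe", "").lower():
            hits.append(("install_exe", ev))
        elif (t == "registry_set" and ev["key"].lower().endswith(r"\currentversion\run")
              and ev["value"].lower() == ind.get("run_value_name", "").lower()):
            hits.append(("run_value_name", ev))
        elif t == "mutex_create" and ev["name"] == ind["mutex"]:
            hits.append(("mutex", ev))
        elif t == "net_connect" and (ev["dst"], ev["port"]) == (ind["c2_host"], ind["c2_port"]):
            hits.append(("c2", ev))
    return hits


if __name__ == "__main__":
    indicators = derive_indicators(REMCOS_CONFIG, SAMPLE_ENV)
    for name, ev in match_events(SAMPLE_EVENTS, indicators):
        print(f"{name:<15} {ev}")
```

The derived install path equals the dropped-file path listed under Downloads, which is a useful sanity check that the config parser and the sandbox agree on where the copy lands.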

Signatures

  • Remcos

    Remcos is a closed-source remote-control and surveillance tool.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Program crash 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\29a0d1bc5abfbbf0bdf15ffa762cac27_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\29a0d1bc5abfbbf0bdf15ffa762cac27_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks computer location settings
    • Adds Run key to start application
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4204
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4272
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Syscmd\syscmd.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4580
        • C:\Users\Admin\AppData\Roaming\Syscmd\syscmd.exe
          C:\Users\Admin\AppData\Roaming\Syscmd\syscmd.exe
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1996
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            5⤵
              PID:1948
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 536
                6⤵
                • Program crash
                PID:3644
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1948 -ip 1948
      1⤵
        PID:1080
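
The tree above shows the dropper writing install.vbs, WScript.exe running it, cmd.exe /c launching the copy in %AppData%\Roaming\Syscmd, and that copy starting iexplore.exe with nothing but its image path on the command line. Taken together with the SetThreadContext and WriteProcessMemory signatures on syscmd.exe, the crash of iexplore.exe (PID 1948) and the 120KB memory region dumped from it, the same size as the sample itself, this is consistent with iexplore.exe being used as an injection host, although the report does not name the technique. The detection below is an added example for this report, not sandbox output: the event list mirrors the process tree in a Sysmon-like shape, the unknown parent of the first process is recorded as None, and the user-writable path heuristic and rule names are my assumptions.

```python
"""Flag the script-host / cmd.exe / AppData-binary / bare-child chain from the tree above.

Added example for this report, not sandbox output. PROCESS_EVENTS mirrors the
process tree in a Sysmon-like shape; the parent of the first process is not in
the report, so it is recorded as None. The user-writable path heuristic and the
rule names are assumptions.
"""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # interpreters that run the installer script

PROCESS_EVENTS = [
    {"pid": 4204, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\29a0d1bc5abfbbf0bdf15ffa762cac27_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\29a0d1bc5abfbbf0bdf15ffa762cac27_JaffaCakes118.exe"'},
    {"pid": 4272, "ppid": 4204, "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"'},
    {"pid": 4580, "ppid": 4272, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Syscmd\syscmd.exe"'},
    {"pid": 1996, "ppid": 4580, "image": r"C:\Users\Admin\AppData\Roaming\Syscmd\syscmd.exe",
     "cmdline": r"C:\Users\Admin\AppData\Roaming\Syscmd\syscmd.exe"},
    {"pid": 1948, "ppid": 1996, "image": r"C:\Program Files (x86)\Internet Explorer\iexplore.exe",
     "cmdline": r'"C:\Program Files (x86)\Internet Explorer\iexplore.exe"'},
    {"pid": 3644, "ppid": 1948, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 536"},
    {"pid": 1080, "ppid": None, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1948 -ip 1948"},
]


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def is_user_writable(path: str) -> bool:
    """Assumed heuristic: binaries under a user profile or ProgramData are untrusted."""
    p = path.lower()
    return "\\appdata\\" in p or "\\users\\public\\" in p or "\\programdata\\" in p


def cmdline_is_bare(cmdline: str, image: str) -> bool:
    """True when the command line is only the (optionally quoted) image path.
    A child started with no arguments is the usual shape of an injection host;
    WScript.exe above fails this test because it carries the .vbs argument."""
    return cmdline.strip().strip('"').lower() == image.lower()


def crashed_pids(events: list) -> set:
    """PIDs handed to WerFault.exe via '-p <pid>'."""
    pids = set()
    for e in events:
        if image_name(e["image"]) == "werfault.exe":
            m = re.search(r"-p\s+(\d+)", e["cmdline"])
            if m:
                pids.add(int(m.group(1)))
    return pids


def detect(events: list) -> list:
    """Apply two chain rules to process-creation events and return the findings."""
    by_pid = {e["pid"]: e for e in events}
    crashed = crashed_pids(events)
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        grand = by_pid.get(parent["ppid"]) if parent else None
        # Rule 1: script host -> cmd.exe -> executable in a user-writable directory.
        if (parent and grand and is_user_writable(e["image"])
                and image_name(parent["image"]) == "cmd.exe"
                and image_name(grand["image"]) in SCRIPT_HOSTS):
            findings.append({"rule": "script_host_launches_user_writable_exe",
                             "pid": e["pid"], "image": e["image"]})
        # Rule 2: user-writable parent spawns a system/program binary with no arguments;
        # a later WerFault for that child strengthens the hollowing reading.
        if (parent and is_user_writable(parent["image"]) and not is_user_writable(e["image"])
                and cmdline_is_bare(e["cmdline"], e["image"])):
            findings.append({"rule": "hollowing_candidate", "pid": e["pid"],
                             "image": e["image"], "crashed": e["pid"] in crashed})
    return findings


if __name__ == "__main__":
    for finding in detect(PROCESS_EVENTS):
        print(finding)
```

Run against the tree above, rule 1 fires on syscmd.exe (PID 1996) and rule 2 on iexplore.exe (PID 1948) with the crash flag set; WScript.exe, cmd.exe and the WerFault instances are not flagged.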

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\install.vbs

    Filesize

    418B

    MD5

    a188db36cc78c3a687fefe769400911f

    SHA1

    c76a6749da9941cabadbf26399ee950aa4dc2782

    SHA256

    66ba60e9d8ecda66fcee8ce0a80855a67e14704f823d5c058751746208e7d4d3

    SHA512

    9587847ede7ad801c22eb2d1c3ffdc09aec9fd249b5835ba40b75b150ae87982b13e7828cd9e11290db8a8e28dec02a1b3a712de9694a24349c75b190857f929

  • C:\Users\Admin\AppData\Roaming\Syscmd\syscmd.exe

    Filesize

    120KB

    MD5

    29a0d1bc5abfbbf0bdf15ffa762cac27

    SHA1

    76d716d41e3387f6a8854cdbda653efe844e2262

    SHA256

    4e55885791569c17891d8620a28b7563f441e0c80e875df828b33a5a006d544a

    SHA512

    05dcf37e6425a932fe55099767aab0c4a6de6ee2b1fbf2abde61e442ef8dc4d71a3e3c88b75b54e3bc9c8864d65ff68c2ba3d4c718bf0b563f80ed9b7dfa3413

  • memory/1948-9-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB