Overview

overview

10

Static

static

10

Teklif-Formu.jar

windows7-x64

10

Teklif-Formu.jar

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 12:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Teklif-Formu.jar

  • Size

    64KB

  • MD5

    8f32b6ad5a4b0bf593c5e8cfe8afd04b

  • SHA1

    02623723f9a9af013df424336d45ada46abe9472

  • SHA256

    0fb1d11732acd516de3da578ac8d7a4a0f51684f588898bc0621fe5424cef0eb

  • SHA512

    185bb366786dc1a1a54dcb623341f7a727842685aa50d48dcc4bafe5135feaa1f6294a874faa55fdc91816a43bd60ab543c9284b7eec97d8cedf65dd62de282c

  • SSDEEP

    1536:sFVl2U0Gg0HxEjXu28Gut9+gnzqYgMYw0Sr8awyvI0cNFl:sFv2U0GXUu28P7HZY84awyv3cNFl

Score
10/10
remcosstrratmay daydiscoverypersistenceratstealertrojan

Malware Config

Extracted

Family

remcos

Botnet

May Day

C2

zekeriyasolek45.duckdns.org:3321

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    Windows Data Start.exe

  • copy_folder

    Windows Data Start-Up

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %WinDir%

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    Window Display

  • keylog_path

    %WinDir%

  • mouse_option

    false

  • mutex

    Windows Audio-EIQQ40

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • STRRAT

    STRRAT is a remote access tool than can steal credentials and log keystrokes.

    trojanstealerstrrat
  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\Teklif-Formu.jar
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Windows\system32\icacls.exe
      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      2⤵
      • Modifies file permissions
      PID:4736
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Teklif-Formu.jar"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Windows\system32\schtasks.exe
        schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Teklif-Formu.jar"
        3⤵
        • Creates scheduled task(s)
        PID:4628
    • C:\Program Files\Java\jre-1.8\bin\java.exe
      "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Teklif-Formu.jar"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3228
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1528
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2856
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3484
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4800
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2204
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
          4⤵
            PID:3408
        • C:\Windows\SYSTEM32\cmd.exe
          cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:908
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list
            4⤵
              PID:4352
          • C:\Windows\SYSTEM32\cmd.exe
            cmd.exe /c "C:\Users\Admin\AppData\Roaming\WindowsDataSystem.scr"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4500
            • C:\Users\Admin\AppData\Roaming\WindowsDataSystem.scr
              C:\Users\Admin\AppData\Roaming\WindowsDataSystem.scr
              4⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:1048
              • C:\Users\Admin\AppData\Roaming\WindowsDataSystem.scr
                "C:\Users\Admin\AppData\Roaming\WindowsDataSystem.scr"
                5⤵
                • Executes dropped EXE
                PID:3700
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 512
                  6⤵
                  • Program crash
                  PID:3280
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3700 -ip 3700
        1⤵
          PID:1764

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Teklif-Formu.jar
          Filesize

          64KB

          MD5

          8f32b6ad5a4b0bf593c5e8cfe8afd04b

          SHA1

          02623723f9a9af013df424336d45ada46abe9472

          SHA256

          0fb1d11732acd516de3da578ac8d7a4a0f51684f588898bc0621fe5424cef0eb

          SHA512

          185bb366786dc1a1a54dcb623341f7a727842685aa50d48dcc4bafe5135feaa1f6294a874faa55fdc91816a43bd60ab543c9284b7eec97d8cedf65dd62de282c

          Download Submit

        • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
          Filesize

          46B

          MD5

          8cdf0407571760592bdccfd6612232b7

          SHA1

          a2dfe6f7c2ef6798babc776b643a2b7d09e4be6b

          SHA256

          0034328191901ba3c625c7977bca187ec9560deaa1d81dfba6be9e4f874fc526

          SHA512

          8d4b228b87e398eb79d94fe6a5a238be483ca81a6c00acbcc121d3f93d268ac04e9dbf93ab7dffe0b8fde41c0eee349ca97b0abf2c13e8f014e8de877366df3e

          Download Submit

        • C:\Users\Admin\AppData\Roaming\WindowsDataSystem.scr
          Filesize

          1.3MB

          MD5

          20c84604de0080942e1d3b1d4d2afe12

          SHA1

          6f1777d49fdead6ef00b40826c95d5645748fb1b

          SHA256

          90f99f8659dd04260d1b30b7d139e832ba8e2f2bbbb393f07f7ebcbaef8093c8

          SHA512

          162ece022f63214e099c540c181c8230d26cbf062ddf768b3db654f1bed3821d8127664d365b2a9ac2d43edde700d21d7144a58e8916df09740b763d0d773acd

          Download Submit

        • memory/1048-137-0x0000000000400000-0x000000000055C000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1048-138-0x0000000004ED0000-0x0000000004F7E000-memory.dmp

          Filesize

          696KB

          Download

        • memory/1048-139-0x0000000005530000-0x0000000005AD4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/1048-140-0x0000000005040000-0x00000000050D2000-memory.dmp

          Filesize

          584KB

          Download

        • memory/1048-141-0x0000000005180000-0x000000000521C000-memory.dmp

          Filesize

          624KB

          Download

        • memory/1048-142-0x0000000005010000-0x0000000005018000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1680-33-0x000002D890870000-0x000002D890871000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1680-41-0x000002D890B60000-0x000002D890B70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1680-25-0x000002D890B60000-0x000002D890B70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1680-24-0x000002D890B50000-0x000002D890B60000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1680-27-0x000002D890B70000-0x000002D890B80000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1680-18-0x000002D890B20000-0x000002D890B30000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1680-34-0x000002D890890000-0x000002D890B00000-memory.dmp

          Filesize

          2.4MB

          Download

        • memory/1680-37-0x000002D890B20000-0x000002D890B30000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1680-42-0x000002D890B70000-0x000002D890B80000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1680-21-0x000002D890B40000-0x000002D890B50000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1680-40-0x000002D890B50000-0x000002D890B60000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1680-39-0x000002D890B40000-0x000002D890B50000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1680-38-0x000002D890B30000-0x000002D890B40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1680-36-0x000002D890B10000-0x000002D890B20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1680-35-0x000002D890B00000-0x000002D890B10000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1680-19-0x000002D890B30000-0x000002D890B40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1680-15-0x000002D890B10000-0x000002D890B20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1680-14-0x000002D890B00000-0x000002D890B10000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1680-2-0x000002D890890000-0x000002D890B00000-memory.dmp

          Filesize

          2.4MB

          Download

        • memory/3228-65-0x0000017EE8640000-0x0000017EE8650000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3228-84-0x0000017EE8670000-0x0000017EE8680000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3228-66-0x0000017EE8650000-0x0000017EE8660000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3228-69-0x0000017EE8660000-0x0000017EE8670000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3228-71-0x0000017EE8670000-0x0000017EE8680000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3228-72-0x0000017EE8680000-0x0000017EE8690000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3228-73-0x0000017EE6AD0000-0x0000017EE6AD1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3228-76-0x0000017EE8390000-0x0000017EE8600000-memory.dmp

          Filesize

          2.4MB

          Download

        • memory/3228-77-0x0000017EE8600000-0x0000017EE8610000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3228-78-0x0000017EE8610000-0x0000017EE8620000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3228-79-0x0000017EE8630000-0x0000017EE8640000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3228-80-0x0000017EE8620000-0x0000017EE8630000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3228-81-0x0000017EE8640000-0x0000017EE8650000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3228-82-0x0000017EE8650000-0x0000017EE8660000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3228-83-0x0000017EE8660000-0x0000017EE8670000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3228-64-0x0000017EE8630000-0x0000017EE8640000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3228-85-0x0000017EE8680000-0x0000017EE8690000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3228-90-0x0000017EE8690000-0x0000017EE86A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3228-118-0x0000017EE6AD0000-0x0000017EE6AD1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3228-61-0x0000017EE8620000-0x0000017EE8630000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3228-57-0x0000017EE8600000-0x0000017EE8610000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3228-58-0x0000017EE8610000-0x0000017EE8620000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3228-46-0x0000017EE8390000-0x0000017EE8600000-memory.dmp

          Filesize

          2.4MB

          Download

        • memory/3228-121-0x0000017EE6AD0000-0x0000017EE6AD1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3228-123-0x0000017EE6AD0000-0x0000017EE6AD1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3228-133-0x0000017EE6AD0000-0x0000017EE6AD1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3228-162-0x0000017EE8690000-0x0000017EE86A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3700-150-0x00000000009A0000-0x0000000000A22000-memory.dmp

          Filesize

          520KB

          Download

        • memory/3700-144-0x00000000009A0000-0x0000000000A22000-memory.dmp

          Filesize

          520KB

          Download