Analysis

  • max time kernel
    146s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    10-05-2024 22:03

General

  • Target

    314162b42775491f40e45f230a66a951_JaffaCakes118.exe

  • Size

    1.5MB

  • MD5

    314162b42775491f40e45f230a66a951

  • SHA1

    8b69e81360caa7c644ff9d646ce707614d57f14b

  • SHA256

    494e74c88fed50337a524e4e3c395fbf0cf1443691ef9ba11d22199c72add384

  • SHA512

    a33fe3f575c3d53f735a1ac30fdb2249d6ebb0df9828a495f34d28804a4932c3d4c75188ca478acb885d87137b2dbddb6b75b1fc66206d613f7fd7b5f91b6d71

  • SSDEEP

    24576:w8IX/6BvJQOsb7DW9d9597vmQnbWPRqprGYRfVP2XvZ:qXShJQOsHS9d9597vmQnKpqpr/3P2/

Score
10/10

Malware Config

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\314162b42775491f40e45f230a66a951_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\314162b42775491f40e45f230a66a951_JaffaCakes118.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1148
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN "AdobeReader" /TR "\"C:\ProgramData\AdobeReader.exe\""
      2⤵
      • Creates scheduled task(s)
      PID:1708
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /run /tn "AdobeReader"
      2⤵
        PID:1544
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {E1B534F9-C63A-47FE-A3F4-4FE4FBE5F329} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2644
      • C:\ProgramData\AdobeReader.exe
        C:\ProgramData\AdobeReader.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of UnmapMainImage
        PID:2724

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\AdobeReader.exe

      Filesize

      1.5MB

      MD5

      a943181e6d69c99c1428d7a4b2474b7d

      SHA1

      e47deac6de97b97aa7298e80d426fefd777ea5cd

      SHA256

      73f7a66e9f030f01b9171a8e0776320de453043ce0bd47bb9c53c79d5473849f

      SHA512

      5a1470e35295d2906e8b4e9f67ee754a3874375fa58c8ddf1a464758c2936dade45f56bac94d89037ee499554646d69c59924bf49e4d43af3fc14fad33326af0

    • C:\Users\Admin\AppData\Roaming\remcos\logs.dat

      Filesize

      79B

      MD5

      d5d1ecca3c017616b424cd03876ad92b

      SHA1

      b5ec611d43c6130ca457c93e4b2e0fdc12d4ad22

      SHA256

      f9f554cac5faddf711a4bda33f6a383ba78e840939b5af654fce6a77ac39f3d7

      SHA512

      f40e549d413d42e2de8afff22b9d1a79188b4575dd5ab00a83c43ec90feef6a22f4f6f5494ac1842bc0f40408083961c17d75913ed2c3e8ffe7949bb0a826e5c

    • memory/1148-2-0x0000000077D30000-0x0000000077E06000-memory.dmp

      Filesize

      856KB

    • memory/2724-8-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB