Malware Analysis Report

2024-12-07 22:51

Sample ID 240510-1yn2fsfb33
Target 314162b42775491f40e45f230a66a951_JaffaCakes118
SHA256 494e74c88fed50337a524e4e3c395fbf0cf1443691ef9ba11d22199c72add384
Tags
remcos rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK
  Enterprise Matrix V15

Analysis: static1
  Detonation Overview
  Signatures

Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

494e74c88fed50337a524e4e3c395fbf0cf1443691ef9ba11d22199c72add384

Threat Level: Known bad

The file 314162b42775491f40e45f230a66a951_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

remcos rat

Remcos

Checks computer location settings

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 22:03

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 22:03

Reported

2024-05-10 22:06

Platform

win7-20240419-en

Max time kernel

146s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\314162b42775491f40e45f230a66a951_JaffaCakes118.exe"

Signatures

Remcos

rat remcos

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\AdobeReader.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\314162b42775491f40e45f230a66a951_JaffaCakes118.exe | N/A
N/A | N/A | C:\ProgramData\AdobeReader.exe | N/A
N/A | N/A | C:\ProgramData\AdobeReader.exe | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\AdobeReader.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1148 wrote to memory of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\314162b42775491f40e45f230a66a951_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1148 wrote to memory of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\314162b42775491f40e45f230a66a951_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1148 wrote to memory of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\314162b42775491f40e45f230a66a951_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1148 wrote to memory of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\314162b42775491f40e45f230a66a951_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1148 wrote to memory of 1544 | N/A | C:\Users\Admin\AppData\Local\Temp\314162b42775491f40e45f230a66a951_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1148 wrote to memory of 1544 | N/A | C:\Users\Admin\AppData\Local\Temp\314162b42775491f40e45f230a66a951_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1148 wrote to memory of 1544 | N/A | C:\Users\Admin\AppData\Local\Temp\314162b42775491f40e45f230a66a951_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1148 wrote to memory of 1544 | N/A | C:\Users\Admin\AppData\Local\Temp\314162b42775491f40e45f230a66a951_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2644 wrote to memory of 2724 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\AdobeReader.exe
PID 2644 wrote to memory of 2724 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\AdobeReader.exe
PID 2644 wrote to memory of 2724 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\AdobeReader.exe
PID 2644 wrote to memory of 2724 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\AdobeReader.exe

Processes

C:\Users\Admin\AppData\Local\Temp\314162b42775491f40e45f230a66a951_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\314162b42775491f40e45f230a66a951_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN "AdobeReader" /TR "\"C:\ProgramData\AdobeReader.exe\""

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /run /tn "AdobeReader"

C:\Windows\system32\taskeng.exe

taskeng.exe {E1B534F9-C63A-47FE-A3F4-4FE4FBE5F329} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]

C:\ProgramData\AdobeReader.exe

C:\ProgramData\AdobeReader.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | popupcalls.ddns.net | udp

Files

memory/1148-2-0x0000000077D30000-0x0000000077E06000-memory.dmp

C:\ProgramData\AdobeReader.exe

MD5 a943181e6d69c99c1428d7a4b2474b7d
SHA1 e47deac6de97b97aa7298e80d426fefd777ea5cd
SHA256 73f7a66e9f030f01b9171a8e0776320de453043ce0bd47bb9c53c79d5473849f
SHA512 5a1470e35295d2906e8b4e9f67ee754a3874375fa58c8ddf1a464758c2936dade45f56bac94d89037ee499554646d69c59924bf49e4d43af3fc14fad33326af0

memory/2724-8-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Roaming\remcos\logs.dat

MD5 d5d1ecca3c017616b424cd03876ad92b
SHA1 b5ec611d43c6130ca457c93e4b2e0fdc12d4ad22
SHA256 f9f554cac5faddf711a4bda33f6a383ba78e840939b5af654fce6a77ac39f3d7
SHA512 f40e549d413d42e2de8afff22b9d1a79188b4575dd5ab00a83c43ec90feef6a22f4f6f5494ac1842bc0f40408083961c17d75913ed2c3e8ffe7949bb0a826e5c

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 22:03

Reported

2024-05-10 22:06

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\314162b42775491f40e45f230a66a951_JaffaCakes118.exe"

Signatures

Remcos

rat remcos

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\314162b42775491f40e45f230a66a951_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\AdobeReader.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\314162b42775491f40e45f230a66a951_JaffaCakes118.exe | N/A
N/A | N/A | C:\ProgramData\AdobeReader.exe | N/A
N/A | N/A | C:\ProgramData\AdobeReader.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\314162b42775491f40e45f230a66a951_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\314162b42775491f40e45f230a66a951_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN "AdobeReader" /TR "\"C:\ProgramData\AdobeReader.exe\""

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /run /tn "AdobeReader"

C:\ProgramData\AdobeReader.exe

C:\ProgramData\AdobeReader.exe

Network


Files

memory/4992-2-0x0000000076EB1000-0x0000000076FD1000-memory.dmp

C:\ProgramData\AdobeReader.exe

MD5 a943181e6d69c99c1428d7a4b2474b7d
SHA1 e47deac6de97b97aa7298e80d426fefd777ea5cd
SHA256 73f7a66e9f030f01b9171a8e0776320de453043ce0bd47bb9c53c79d5473849f
SHA512 5a1470e35295d2906e8b4e9f67ee754a3874375fa58c8ddf1a464758c2936dade45f56bac94d89037ee499554646d69c59924bf49e4d43af3fc14fad33326af0

memory/3492-9-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3492-12-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3492-13-0x0000000000400000-0x0000000000575000-memory.dmp

memory/3492-18-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3492-19-0x0000000000400000-0x0000000000575000-memory.dmp

C:\Users\Admin\AppData\Roaming\remcos\logs.dat

MD5 83b97265e21f56d5bd10048724ff6dae
SHA1 b94b9d9cc60b564568f90c84a1a50307150ca03e
SHA256 96ba7f3c99208dcc85e8336c459b1562caa5b270064442686ee59576084d905c
SHA512 77e309fe0e561e69b4ae82eb5ded158ea26a36afce800063cbd8ae1c4cf857eeac87568168a6a61d78aca514c6aed1ba26d8f1efd93e80fd3564361faac9cb5f