Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-05-2024 08:26

General

  • Target

    2e38119954558630507e341fe03f2022_JaffaCakes118.exe

  • Size

    338KB

  • MD5

    2e38119954558630507e341fe03f2022

  • SHA1

    20cb37e9d62a093333d6e678b8763ad4e2197907

  • SHA256

    4e6c3f32c4ef36e69182e054a01645694a113c1c039d2a33e3059801de002ad6

  • SHA512

    008a6cff3046ece3326b9e41fcb34cce5efa56ba300e47e048bc7bab15acac1ac519e418c3c483dbc2b21e409d30df7371006e31832388d3a67682d66af9c5bd

  • SSDEEP

    6144:VseEVxpKTp7HAIlbzeDoqPoBzKy0DtplL/T3zlcmRsC5JLOvzObPQaHNs33m:qeRTpTAIcoqEOFP1olaHmH

Score
10/10

Malware Config

Extracted

Family

remcos

Version

2.2.0 Pro

Botnet

Surge

C2

shellgang.gleeze.com:2112

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-CEXU81

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3952
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      2⤵
      • NTFS ADS
      • Suspicious use of WriteProcessMemory
      PID:4204
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
        3⤵
          PID:2528
      • C:\Users\Admin\AppData\Local\Temp\svhost.exe
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2052

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

      Filesize

      338KB

      MD5

      2e38119954558630507e341fe03f2022

      SHA1

      20cb37e9d62a093333d6e678b8763ad4e2197907

      SHA256

      4e6c3f32c4ef36e69182e054a01645694a113c1c039d2a33e3059801de002ad6

      SHA512

      008a6cff3046ece3326b9e41fcb34cce5efa56ba300e47e048bc7bab15acac1ac519e418c3c483dbc2b21e409d30df7371006e31832388d3a67682d66af9c5bd

    • C:\Users\Admin\AppData\Local\Temp\svhost.exe

      Filesize

      1.6MB

      MD5

      1c9ff7df71493896054a91bee0322ebf

      SHA1

      38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

      SHA256

      e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

      SHA512

      aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

    • C:\Users\Admin\AppData\Roaming\remcos\logs.dat

      Filesize

      79B

      MD5

      ae4793814eeca9d4b687853da817ceb6

      SHA1

      076ca6af8346e8a98df19176aa064d87a76edc89

      SHA256

      e8a0fa5dd56b030c4597e4cf9f628d6e4e3f114339e4fd65a8f30e7b223428f0

      SHA512

      f07d03c98b565b3005f3c943a7153f9c2dcc111d64a1e4a6dd4f05ed10f960ac1f117000b200881e77b7f29af8aca1122d7bd9b1311aa49e61020bd3ddd06518

    • memory/2052-12-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

    • memory/2052-16-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

    • memory/2052-18-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

    • memory/2052-19-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

    • memory/2052-22-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

    • memory/3952-0-0x0000000075572000-0x0000000075573000-memory.dmp

      Filesize

      4KB

    • memory/3952-1-0x0000000075570000-0x0000000075B21000-memory.dmp

      Filesize

      5.7MB

    • memory/3952-2-0x0000000075570000-0x0000000075B21000-memory.dmp

      Filesize

      5.7MB

    • memory/3952-24-0x0000000075570000-0x0000000075B21000-memory.dmp

      Filesize

      5.7MB