Analysis

max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-05-2024 08:26

Static task: static1
Behavioral task: behavioral1
Sample: 2e38119954558630507e341fe03f2022_JaffaCakes118.exe
Resource: win7-20240221-en
General

Target: 2e38119954558630507e341fe03f2022_JaffaCakes118.exe
Size: 338KB
MD5: 2e38119954558630507e341fe03f2022
SHA1: 20cb37e9d62a093333d6e678b8763ad4e2197907
SHA256: 4e6c3f32c4ef36e69182e054a01645694a113c1c039d2a33e3059801de002ad6
SHA512: 008a6cff3046ece3326b9e41fcb34cce5efa56ba300e47e048bc7bab15acac1ac519e418c3c483dbc2b21e409d30df7371006e31832388d3a67682d66af9c5bd
SSDEEP: 6144:VseEVxpKTp7HAIlbzeDoqPoBzKy0DtplL/T3zlcmRsC5JLOvzObPQaHNs33m:qeRTpTAIcoqEOFP1olaHmH
Malware Config

Extracted
Family: remcos
Version: 2.2.0 Pro
Botnet: Surge
C2: shellgang.gleeze.com:2112

audio_folder: audio
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 5
copy_file: remcos.exe
copy_folder: remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: Remcos-CEXU81
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: remcos
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Executes dropped EXE (1 IoC)
- PID 2052, svhost.exe

Drops desktop.ini file(s) (2 IoCs)
- File created: C:\Windows\assembly\Desktop.ini (2e38119954558630507e341fe03f2022_JaffaCakes118.exe)
- File opened for modification: C:\Windows\assembly\Desktop.ini (2e38119954558630507e341fe03f2022_JaffaCakes118.exe)

Suspicious use of SetThreadContext (1 IoC)
- PID 3952 (2e38119954558630507e341fe03f2022_JaffaCakes118.exe) set thread context of PID 2052 (procid_target 88)

Drops file in Windows directory (3 IoCs)
- File opened for modification: C:\Windows\assembly (2e38119954558630507e341fe03f2022_JaffaCakes118.exe)
- File created: C:\Windows\assembly\Desktop.ini (2e38119954558630507e341fe03f2022_JaffaCakes118.exe)
- File opened for modification: C:\Windows\assembly\Desktop.ini (2e38119954558630507e341fe03f2022_JaffaCakes118.exe)

Enumerates physical storage devices (1 TTP)
- Attempts to interact with connected storage/optical drive(s).

NTFS ADS (1 IoC)
- File created: C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier (cmd.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 3952, 2e38119954558630507e341fe03f2022_JaffaCakes118.exe (x2)

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 3952 (2e38119954558630507e341fe03f2022_JaffaCakes118.exe)

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 2052, svhost.exe

Suspicious use of WriteProcessMemory (16 IoCs)
- PID 3952 (2e38119954558630507e341fe03f2022_JaffaCakes118.exe) wrote to memory of PID 4204, x3 (procid_target 84)
- PID 4204 (cmd.exe) wrote to memory of PID 2528, x3 (procid_target 86)
- PID 3952 (2e38119954558630507e341fe03f2022_JaffaCakes118.exe) wrote to memory of PID 2052, x10 (procid_target 88)
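The SetThreadContext and WriteProcessMemory rows above only become a finding when they are read together: ten writes from PID 3952 into PID 2052 followed by a thread-context change, where 2052 is the dropped binary svhost.exe (a lookalike name for the legitimate svchost.exe), is the process-hollowing pattern Remcos loaders use, while the three writes each into cmd.exe and reg.exe are what a parent shows when it merely spawns a child. The following is an added example, not part of the sandbox report, that parses the report's own signature rows (copied above, one event per line) and correlates them per source/target pair; the pid-to-image map is taken from the process tree below, and the "spawn-only" / "hollowing" verdict labels are this example's own naming.

```python
import re
from collections import defaultdict

# Signature rows copied from the report above, one event per list entry
# (the report lists the repeated WriteProcessMemory rows individually).
SIGNATURE_LINES = (
    ["PID 3952 set thread context of 2052 3952 2e38119954558630507e341fe03f2022_JaffaCakes118.exe 88"]
    + ["PID 3952 wrote to memory of 4204 3952 2e38119954558630507e341fe03f2022_JaffaCakes118.exe 84"] * 3
    + ["PID 4204 wrote to memory of 2528 4204 cmd.exe 86"] * 3
    + ["PID 3952 wrote to memory of 2052 3952 2e38119954558630507e341fe03f2022_JaffaCakes118.exe 88"] * 10
)

# pid -> image name, taken from the Processes tree in the report.
PROCESS_IMAGES = {
    3952: "2e38119954558630507e341fe03f2022_JaffaCakes118.exe",
    4204: "cmd.exe",
    2528: "reg.exe",
    2052: "svhost.exe",
}
# PIDs flagged by the "Executes dropped EXE" signature.
DROPPED_EXE_PIDS = {2052}

# Row layout: "PID <src> <action> <dst> <src again> <src image> <procid_target>"
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<image>\S+) (?P<target_idx>\d+)"
)


def parse_signatures(lines):
    """Turn flattened signature rows into (src_pid, action, dst_pid) tuples."""
    events = []
    for line in lines:
        m = EVENT_RE.search(line)
        if m:
            events.append((int(m["src"]), m["action"], int(m["dst"])))
    return events


def find_injections(events, images, dropped):
    """Correlate per (src, dst) pair.

    Many WriteProcessMemory calls plus a SetThreadContext on the same target is
    the hollowing pattern; a parent that only spawns a child shows a few writes
    and no context change.  Verdict labels are this example's own.
    """
    writes = defaultdict(int)
    ctx = set()
    for src, action, dst in events:
        if action == "wrote to memory of":
            writes[(src, dst)] += 1
        else:
            ctx.add((src, dst))
    findings = []
    for (src, dst), n in sorted(writes.items()):
        verdict = "spawn-only"
        if (src, dst) in ctx:
            verdict = "hollowing-into-dropped-exe" if dst in dropped else "hollowing-candidate"
        findings.append({
            "src": src,
            "dst": dst,
            "dst_image": images.get(dst, "?"),
            "writes": n,
            "set_thread_context": (src, dst) in ctx,
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in find_injections(parse_signatures(SIGNATURE_LINES), PROCESS_IMAGES, DROPPED_EXE_PIDS):
        print(f)
```

Run stand-alone it prints one row per source/target pair; only the 3952 -> 2052 pair carries both the writes and the context change, which is the row to pivot on when looking for the in-memory Remcos payload.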
Processes

C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe"
  PID: 3952
  - Drops desktop.ini file(s)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe"
    PID: 4204
    - NTFS ADS
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
      PID: 2528

  C:\Users\Admin\AppData\Local\Temp\svhost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    PID: 2052
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
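The reg.exe line in the tree is the persistence step: the Load value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows is a legacy autostart location (the registry equivalent of the win.ini load= entry) that is executed at user logon, and here it points at a .lnk under the user's Temp directory rather than at the executable itself, so a hunt that only matches paths ending in .exe misses it. The example below is added here and is not part of the report; it parses `reg add` command lines as they appear in process-creation telemetry, normalises the hive, and flags writes to the common autostart keys. The first sample command line is the one from this report; the other three are constructed (including the Contoso and Updater names) to show a Run-key write, a benign write, and a non-autostart value in the same Windows NT\CurrentVersion\Windows key.

```python
import re

# Autostart locations keyed by normalised key path (hive stripped, lower-case).
# None means every value name under the key is an autostart entry; otherwise
# only the listed value names are.
AUTOSTART_KEYS = {
    r"software\microsoft\windows\currentversion\run": None,
    r"software\microsoft\windows\currentversion\runonce": None,
    r"software\microsoft\windows nt\currentversion\windows": {"load", "run"},
    r"software\microsoft\windows nt\currentversion\winlogon": {"shell", "userinit"},
}
HIVE_ALIASES = {
    "hkcu": "hkey_current_user", "hklm": "hkey_local_machine",
    "hku": "hkey_users", "hkcr": "hkey_classes_root",
}

# Constructed sample telemetry; the first entry is the reg.exe line from this report.
SAMPLE_CMDLINES = [
    r'reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ '
    r'/d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f',
    # constructed: Run-key write using the full hive name and no /t
    r'C:\Windows\System32\reg.exe add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run '
    r'/v Updater /d "C:\Users\Admin\AppData\Roaming\updater.exe" /f',
    # constructed: ordinary application setting, must not be flagged
    r'reg add HKCU\Software\Contoso\Editor /v Theme /t REG_SZ /d dark /f',
    # constructed: same key as the Remcos write, but a value that is not an autostart
    r'reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v DeviceNotSelectedTimeout /t REG_SZ /d 15 /f',
]


def tokenize(cmdline):
    """Split a Windows command line, honouring double quotes and keeping backslashes literal."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_reg_add(cmdline):
    """Return {'hive', 'key', 'value', 'data'} for a `reg add` command line, else None."""
    toks = tokenize(cmdline)
    if len(toks) < 3 or toks[0].lower().rsplit("\\", 1)[-1] not in ("reg", "reg.exe"):
        return None
    if toks[1].lower() != "add":
        return None
    hive, _, key = toks[2].strip("\\").partition("\\")
    hive = HIVE_ALIASES.get(hive.lower(), hive.lower())
    if hive == "hkey_users" and "\\" in key:
        key = key.split("\\", 1)[1]  # drop the SID so HKU\<sid>\... compares like HKCU\...
    entry = {"hive": hive, "key": key.lower(), "value": "", "data": ""}
    i = 3
    while i < len(toks):
        flag = toks[i].lower()
        if flag in ("/v", "/d", "/t") and i + 1 < len(toks):
            if flag == "/v":
                entry["value"] = toks[i + 1]
            elif flag == "/d":
                entry["data"] = toks[i + 1]
            i += 2
        else:
            i += 1  # /f, /ve, /reg:32 and similar switches carry no argument we need
    return entry


def detect_autostart(cmdline):
    """Flag a `reg add` that writes an autostart location; returns a finding dict or None."""
    e = parse_reg_add(cmdline)
    if e is None or e["key"] not in AUTOSTART_KEYS:
        return None
    allowed = AUTOSTART_KEYS[e["key"]]
    if allowed is not None and e["value"].lower() not in allowed:
        return None
    data = e["data"].lower()
    notes = []
    if data.endswith(".lnk"):
        notes.append("payload is a .lnk; resolve the shortcut target before acting on the path")
    if "\\appdata\\" in data or "\\temp\\" in data:
        notes.append("payload lives in a user-writable directory")
    return {"key": e["hive"] + "\\" + e["key"], "value": e["value"], "data": e["data"], "notes": notes}


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(detect_autostart(line))
```

The Load/Run pair and the Winlogon Shell/Userinit values are matched by value name on purpose: those keys hold plenty of legitimate settings, so keying on the path alone would flag every write to them.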
Downloads

Filesize: 338KB
MD5: 2e38119954558630507e341fe03f2022
SHA1: 20cb37e9d62a093333d6e678b8763ad4e2197907
SHA256: 4e6c3f32c4ef36e69182e054a01645694a113c1c039d2a33e3059801de002ad6
SHA512: 008a6cff3046ece3326b9e41fcb34cce5efa56ba300e47e048bc7bab15acac1ac519e418c3c483dbc2b21e409d30df7371006e31832388d3a67682d66af9c5bd

Filesize: 1.6MB
MD5: 1c9ff7df71493896054a91bee0322ebf
SHA1: 38f1c85965d58b910d8e8381b6b1099d5dfcbfe4
SHA256: e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa
SHA512: aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

Filesize: 79B
MD5: ae4793814eeca9d4b687853da817ceb6
SHA1: 076ca6af8346e8a98df19176aa064d87a76edc89
SHA256: e8a0fa5dd56b030c4597e4cf9f628d6e4e3f114339e4fd65a8f30e7b223428f0
SHA512: f07d03c98b565b3005f3c943a7153f9c2dcc111d64a1e4a6dd4f05ed10f960ac1f117000b200881e77b7f29af8aca1122d7bd9b1311aa49e61020bd3ddd06518