Analysis Overview
SHA256
4e6c3f32c4ef36e69182e054a01645694a113c1c039d2a33e3059801de002ad6
Threat Level: Known bad
The file 2e38119954558630507e341fe03f2022_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Remcos
Executes dropped EXE
Loads dropped DLL
Drops desktop.ini file(s)
Suspicious use of SetThreadContext
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
NTFS ADS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-10 08:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 08:26
Reported
2024-05-10 08:28
Platform
win7-20240221-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Remcos
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2712 set thread context of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe |
Enumerates physical storage devices
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | shellgang.gleeze.com | udp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
| US | 8.8.8.8:53 | shellgang.gleeze.com | udp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
Files
memory/2712-0-0x0000000074C71000-0x0000000074C72000-memory.dmp
memory/2712-1-0x0000000074C70000-0x000000007521B000-memory.dmp
memory/2712-2-0x0000000074C70000-0x000000007521B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe
| MD5 | 2e38119954558630507e341fe03f2022 |
| SHA1 | 20cb37e9d62a093333d6e678b8763ad4e2197907 |
| SHA256 | 4e6c3f32c4ef36e69182e054a01645694a113c1c039d2a33e3059801de002ad6 |
| SHA512 | 008a6cff3046ece3326b9e41fcb34cce5efa56ba300e47e048bc7bab15acac1ac519e418c3c483dbc2b21e409d30df7371006e31832388d3a67682d66af9c5bd |
\Users\Admin\AppData\Local\Temp\svhost.exe
| MD5 | 32827e69b293b99013bbbe37d029245d |
| SHA1 | bc9f80a38f09354d71467a05b0c5a82c3f7dac53 |
| SHA256 | 9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f |
| SHA512 | 58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5 |
memory/2572-15-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/2572-14-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/2572-27-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/2572-23-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/2572-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2572-19-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/2572-18-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/2572-17-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/2572-16-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/2572-31-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/2572-32-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/2572-35-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/2712-37-0x0000000074C70000-0x000000007521B000-memory.dmp
C:\Users\Admin\AppData\Roaming\remcos\logs.dat
| MD5 | 8b78f6ef0a399c80c9d87f690549cfe8 |
| SHA1 | ca8bda54270fdb0ac874aaa406d3a2807b43cc5e |
| SHA256 | 3c6738caa4b90ee91e0888ce5f3f1f7d131c826d0a8e2f427345206c23f6ce6f |
| SHA512 | 35a30f7237ed8d9c27c1777df0ffcc943e483708ed942e61bc9a62f02df8388f66ac6bdc11b7b90c7934e39f0fa38e1c8bb9a2ac67f845afd83cb7dfb8a5f589 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 08:26
Reported
2024-05-10 08:28
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Remcos
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3952 set thread context of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | shellgang.gleeze.com | udp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.56:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| NL | 23.62.61.56:443 | www.bing.com | tcp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
| US | 8.8.8.8:53 | shellgang.gleeze.com | udp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
| GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp |
Files
memory/3952-0-0x0000000075572000-0x0000000075573000-memory.dmp
memory/3952-1-0x0000000075570000-0x0000000075B21000-memory.dmp
memory/3952-2-0x0000000075570000-0x0000000075B21000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe
| MD5 | 2e38119954558630507e341fe03f2022 |
| SHA1 | 20cb37e9d62a093333d6e678b8763ad4e2197907 |
| SHA256 | 4e6c3f32c4ef36e69182e054a01645694a113c1c039d2a33e3059801de002ad6 |
| SHA512 | 008a6cff3046ece3326b9e41fcb34cce5efa56ba300e47e048bc7bab15acac1ac519e418c3c483dbc2b21e409d30df7371006e31832388d3a67682d66af9c5bd |
memory/2052-12-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\svhost.exe
| MD5 | 1c9ff7df71493896054a91bee0322ebf |
| SHA1 | 38f1c85965d58b910d8e8381b6b1099d5dfcbfe4 |
| SHA256 | e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa |
| SHA512 | aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab |
memory/2052-16-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2052-18-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2052-19-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2052-22-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3952-24-0x0000000075570000-0x0000000075B21000-memory.dmp
C:\Users\Admin\AppData\Roaming\remcos\logs.dat
| MD5 | ae4793814eeca9d4b687853da817ceb6 |
| SHA1 | 076ca6af8346e8a98df19176aa064d87a76edc89 |
| SHA256 | e8a0fa5dd56b030c4597e4cf9f628d6e4e3f114339e4fd65a8f30e7b223428f0 |
| SHA512 | f07d03c98b565b3005f3c943a7153f9c2dcc111d64a1e4a6dd4f05ed10f960ac1f117000b200881e77b7f29af8aca1122d7bd9b1311aa49e61020bd3ddd06518 |