Malware Analysis Report

2025-01-02 03:32

Sample ID: 240510-kbvmqaga63
Target: 2e38119954558630507e341fe03f2022_JaffaCakes118
SHA256: 4e6c3f32c4ef36e69182e054a01645694a113c1c039d2a33e3059801de002ad6
Tags: remcos, surge, rat
Score: 10/10

Table of Contents

Analysis Overview
    MITRE ATT&CK
        Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 4e6c3f32c4ef36e69182e054a01645694a113c1c039d2a33e3059801de002ad6
Threat Level: Known bad

The file 2e38119954558630507e341fe03f2022_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: remcos, surge, rat

Remcos

Executes dropped EXE

Loads dropped DLL

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

NTFS ADS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-10 08:26

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-10 08:26
Reported: 2024-05-10 08:28
Platform: win7-20240221-en
Max time kernel: 148s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe"

Signatures

Remcos (tags: rat, remcos)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2712 set thread context of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe

Enumerates physical storage devices

NTFS ADS

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 2712 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2376 wrote to memory of 2116 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe | 4
PID 2712 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe | 11

Processes

C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe
    "cmd.exe"

C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f

C:\Users\Admin\AppData\Local\Temp\svhost.exe
    "C:\Users\Admin\AppData\Local\Temp\svhost.exe"

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | shellgang.gleeze.com | udp | 1
GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp | 16
US | 8.8.8.8:53 | shellgang.gleeze.com | udp | 1
GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp | 4

Files

memory/2712-0-0x0000000074C71000-0x0000000074C72000-memory.dmp

memory/2712-1-0x0000000074C70000-0x000000007521B000-memory.dmp

memory/2712-2-0x0000000074C70000-0x000000007521B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

MD5 2e38119954558630507e341fe03f2022
SHA1 20cb37e9d62a093333d6e678b8763ad4e2197907
SHA256 4e6c3f32c4ef36e69182e054a01645694a113c1c039d2a33e3059801de002ad6
SHA512 008a6cff3046ece3326b9e41fcb34cce5efa56ba300e47e048bc7bab15acac1ac519e418c3c483dbc2b21e409d30df7371006e31832388d3a67682d66af9c5bd

\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 32827e69b293b99013bbbe37d029245d
SHA1 bc9f80a38f09354d71467a05b0c5a82c3f7dac53
SHA256 9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f
SHA512 58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

memory/2572-15-0x0000000000080000-0x00000000000A0000-memory.dmp

memory/2572-14-0x0000000000080000-0x00000000000A0000-memory.dmp

memory/2572-27-0x0000000000080000-0x00000000000A0000-memory.dmp

memory/2572-23-0x0000000000080000-0x00000000000A0000-memory.dmp

memory/2572-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2572-19-0x0000000000080000-0x00000000000A0000-memory.dmp

memory/2572-18-0x0000000000080000-0x00000000000A0000-memory.dmp

memory/2572-17-0x0000000000080000-0x00000000000A0000-memory.dmp

memory/2572-16-0x0000000000080000-0x00000000000A0000-memory.dmp

memory/2572-31-0x0000000000080000-0x00000000000A0000-memory.dmp

memory/2572-32-0x0000000000080000-0x00000000000A0000-memory.dmp

memory/2572-35-0x0000000000080000-0x00000000000A0000-memory.dmp

memory/2712-37-0x0000000074C70000-0x000000007521B000-memory.dmp

C:\Users\Admin\AppData\Roaming\remcos\logs.dat

MD5 8b78f6ef0a399c80c9d87f690549cfe8
SHA1 ca8bda54270fdb0ac874aaa406d3a2807b43cc5e
SHA256 3c6738caa4b90ee91e0888ce5f3f1f7d131c826d0a8e2f427345206c23f6ce6f
SHA512 35a30f7237ed8d9c27c1777df0ffcc943e483708ed942e61bc9a62f02df8388f66ac6bdc11b7b90c7934e39f0fa38e1c8bb9a2ac67f845afd83cb7dfb8a5f589

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-10 08:26
Reported: 2024-05-10 08:28
Platform: win10v2004-20240426-en
Max time kernel: 149s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe"

Signatures

Remcos (tags: rat, remcos)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3952 set thread context of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe | N/A
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe | N/A

Enumerates physical storage devices

NTFS ADS

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 3952 wrote to memory of 4204 | N/A | C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 4204 wrote to memory of 2528 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe | 3
PID 3952 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe | 10

Processes

C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2e38119954558630507e341fe03f2022_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe
    "cmd.exe"

C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f

C:\Users\Admin\AppData\Local\Temp\svhost.exe
    "C:\Users\Admin\AppData\Local\Temp\svhost.exe"

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | shellgang.gleeze.com | udp | 1
GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp | 1
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | g.bing.com | udp | 1
US | 204.79.197.237:443 | g.bing.com | tcp | 1
NL | 23.62.61.56:443 | www.bing.com | tcp | 1
US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 56.61.62.23.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp | 1
NL | 23.62.61.56:443 | www.bing.com | tcp | 1
GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp | 1
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp | 1
GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp | 3
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp | 1
GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp | 9
US | 8.8.8.8:53 | tse1.mm.bing.net | udp | 1
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp | 4
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp | 1
GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp | 3
US | 8.8.8.8:53 | shellgang.gleeze.com | udp | 1
GB | 185.125.205.79:2112 | shellgang.gleeze.com | tcp | 3

Files

memory/3952-0-0x0000000075572000-0x0000000075573000-memory.dmp

memory/3952-1-0x0000000075570000-0x0000000075B21000-memory.dmp

memory/3952-2-0x0000000075570000-0x0000000075B21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

MD5 2e38119954558630507e341fe03f2022
SHA1 20cb37e9d62a093333d6e678b8763ad4e2197907
SHA256 4e6c3f32c4ef36e69182e054a01645694a113c1c039d2a33e3059801de002ad6
SHA512 008a6cff3046ece3326b9e41fcb34cce5efa56ba300e47e048bc7bab15acac1ac519e418c3c483dbc2b21e409d30df7371006e31832388d3a67682d66af9c5bd

memory/2052-12-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 1c9ff7df71493896054a91bee0322ebf
SHA1 38f1c85965d58b910d8e8381b6b1099d5dfcbfe4
SHA256 e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa
SHA512 aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

memory/2052-16-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2052-18-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2052-19-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2052-22-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3952-24-0x0000000075570000-0x0000000075B21000-memory.dmp

C:\Users\Admin\AppData\Roaming\remcos\logs.dat

MD5 ae4793814eeca9d4b687853da817ceb6
SHA1 076ca6af8346e8a98df19176aa064d87a76edc89
SHA256 e8a0fa5dd56b030c4597e4cf9f628d6e4e3f114339e4fd65a8f30e7b223428f0
SHA512 f07d03c98b565b3005f3c943a7153f9c2dcc111d64a1e4a6dd4f05ed10f960ac1f117000b200881e77b7f29af8aca1122d7bd9b1311aa49e61020bd3ddd06518