remcos | 098fd9d5eb438af073651243c07bedcf9e1a1363f682bdefc124588d0cbf356a

General

Target

384aaa214d78f738940194fb363e1898_JaffaCakes118.exe
Size

120KB
MD5

384aaa214d78f738940194fb363e1898
SHA1

5106b7555c4340eda60742654f403ac73e36cd01
SHA256

098fd9d5eb438af073651243c07bedcf9e1a1363f682bdefc124588d0cbf356a
SHA512

4d4c505d6401a9f2a9f1c79dffa83c352911c0ca0d71e08799063ae91daed54bc48babc352532709fff9035de747f3b78f8232fad18d2a414ba64e1c8364e27a
SSDEEP

3072:tWekZYhHkjCVS1Mfg7EzCkM/Am1jhGjkFguLWzI+z4c4hr0ZE7N:tWezhHkj6S1Mfg7YCknE1GjkFguLWk+G

Score

10^/10

remcos remc1 persistence rat

Malware Config

Extracted

Family

remcos

Version

2.0.4 Pro

Botnet

Remc1

C2

civita2.no-ip.biz:2442

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
15
connect_interval
5
copy_file
Remc.exe
copy_folder
Remc
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Remc
keylog_path
%AppData%
mouse_option
false
mutex
ophjgkjfmv-8RQED1
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
startup_value
erwfguyhjnxcj
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 1 IoCs

pid	Process
2780	Remc.exe

Loads dropped DLL 2 IoCs

pid	Process
2776	cmd.exe
2776	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\erwfguyhjnxcj = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remc\\Remc.exe\""	384aaa214d78f738940194fb363e1898_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\erwfguyhjnxcj = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remc\\Remc.exe\""	Remc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2780	Remc.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2608	1740	384aaa214d78f738940194fb363e1898_JaffaCakes118.exe	28
PID 1740 wrote to memory of 2608	1740	384aaa214d78f738940194fb363e1898_JaffaCakes118.exe	28
PID 1740 wrote to memory of 2608	1740	384aaa214d78f738940194fb363e1898_JaffaCakes118.exe	28
PID 1740 wrote to memory of 2608	1740	384aaa214d78f738940194fb363e1898_JaffaCakes118.exe	28
PID 2608 wrote to memory of 2776	2608	WScript.exe	29
PID 2608 wrote to memory of 2776	2608	WScript.exe	29
PID 2608 wrote to memory of 2776	2608	WScript.exe	29
PID 2608 wrote to memory of 2776	2608	WScript.exe	29
PID 2776 wrote to memory of 2780	2776	cmd.exe	31
PID 2776 wrote to memory of 2780	2776	cmd.exe	31
PID 2776 wrote to memory of 2780	2776	cmd.exe	31
PID 2776 wrote to memory of 2780	2776	cmd.exe	31
PID 2780 wrote to memory of 2888	2780	Remc.exe	32
PID 2780 wrote to memory of 2888	2780	Remc.exe	32
PID 2780 wrote to memory of 2888	2780	Remc.exe	32
PID 2780 wrote to memory of 2888	2780	Remc.exe	32

C:\Users\Admin\AppData\Local\Temp\384aaa214d78f738940194fb363e1898_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\384aaa214d78f738940194fb363e1898_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remc\Remc.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Users\Admin\AppData\Roaming\Remc\Remc.exe
      C:\Users\Admin\AppData\Roaming\Remc\Remc.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        5⤵
        
        PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
410B

MD5
837b54af2c8d285fb69d719cc9061206

SHA1
b31b75216a46b744eb0d89dd9885431a8ecde820

SHA256
353bf067c7071e2b6904205a0f6755433a8711a4b2a9b48ac32ff538463f0e46

SHA512
6cc4e846538cf16de26004343a157a565fe9730ad5c253e3fb6c64098405849e732bd2216fbdecd52cc3cbcb84e24e4dca23b5fd4f68bcdc0e73d485479e2311

Download Submit
C:\Users\Admin\AppData\Roaming\Remc\Remc.exe

Filesize
120KB

MD5
384aaa214d78f738940194fb363e1898

SHA1
5106b7555c4340eda60742654f403ac73e36cd01

SHA256
098fd9d5eb438af073651243c07bedcf9e1a1363f682bdefc124588d0cbf356a

SHA512
4d4c505d6401a9f2a9f1c79dffa83c352911c0ca0d71e08799063ae91daed54bc48babc352532709fff9035de747f3b78f8232fad18d2a414ba64e1c8364e27a

Download Submit
C:\Users\Admin\AppData\Roaming\Remc\logs.dat

Filesize
79B

MD5
9a1c5fc1ce2d011a1149d12b118dcf3a

SHA1
b847e439e59e5fa467c40d78f28c3b3ffb4da3e4

SHA256
a7f4fe9b473e2bd14e5f29672d81c6879e64119afef02110f1fa25c91090f166

SHA512
60f35efee796de02f8e7fd4dbe56a6421a8af7ad2f0768c8faa58f18a7399474a43c6e4627fc39b9b38acbd4ebf07f69134b47c898f5db30e35b51ffcae2ae89

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads