General
Target: 399ae180ff34a4ae3beafdea619326ae_JaffaCakes118
Size: 1.2MB
Sample: 240512-mch2eseb69
MD5: 399ae180ff34a4ae3beafdea619326ae
SHA1: c62c2f96b8599a6b924933cb00cc3843a8369a5f
SHA256: d2bf2e9f869fda26610181516e5d34c988112624600e9b977b6912a1b0432e0b
SHA512: 72b771e7b6e9dacd7144ff54a114725386d5e4a2fe272b7b8cba06384dfaf62d6c35178cfc248cc16fb5ea8b5060686b9f664f5258b297334e51b6fb936946a5
SSDEEP: 24576:BCdxte/80jYLT3U1jfsWaF1bEQrcdZHQ0j:gw80cTsjkWaFbFA
Static task: static1
Behavioral task: behavioral1
Sample: 399ae180ff34a4ae3beafdea619326ae_JaffaCakes118.exe
Resource: win7-20240220-en
Malware Config
Extracted
remcos
2.2.0 Pro
ppnet
DEDETSARDFKJH.RU:1530
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 3
copy_file: remcos.exe
copy_folder: remcos
delete_file: false
hide_file: false
hide_keylog_file: true
install_flag: false
install_path: %AppData%
keylog_crypt: true
keylog_file: update.dat
keylog_flag: false
keylog_folder: Winrar
keylog_path: %AppData%
mouse_option: false
mutex: ggnet-1A5CYF
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: remcos
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: 399ae180ff34a4ae3beafdea619326ae_JaffaCakes118
Size: 1.2MB
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- AutoIT Executable: AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext