General

  • Target

    39fcda73563dc640ff3f8f5b1d3df6e5_JaffaCakes118

  • Size

    842KB

  • Sample

    240512-n5eedadh6w

  • MD5

    39fcda73563dc640ff3f8f5b1d3df6e5

  • SHA1

    e86d0d1648ce08109abca5718ce9525b299b7479

  • SHA256

    c78739f397f2a982726394db0557ba011c6a8724fdf0c11f22b25fe9788933dc

  • SHA512

    a5cd30daba613586e8d383592adeb6cfca8aa730a4c6c29fe2a0e372e2662730bf1c31e996f9a5a3ba04d92628ccfb81e1bfba58d8b21ce480b9f86f71f0f6d3

  • SSDEEP

    24576:z2O/GlNr7nUl/IwPXJm6RmuL1s8LwmxhKbH3rUO46GVYjq:QraAw/JmZ8LwmxUT3i9gq

Malware Config

Extracted

  • Family

    remcos

  • Version

    2.1.0 Pro

  • Botnet

    10DIC

  • C2

    casillas.hicam.net:2404
    casillasmx.chickenkiller.com:2404
    casillas45.hopto.org:2404
    casillas.libfoobar.so:2404
    du4alr0ute.sendsmtp.com:2404
    settings.wifizone.org:2404
    wifi.con-ip.com:2404
    rsaupdatr.jumpingcrab.com:2404

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    REM20

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    dfrgJLK

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    10DIC-WRGB17

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      39fcda73563dc640ff3f8f5b1d3df6e5_JaffaCakes118

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15