General

  • Target

    3b324a37f139d7d4ef82cee02bfb7ab9_JaffaCakes118

  • Size

    1.3MB

  • Sample

    240512-vntlasae63

  • MD5

    3b324a37f139d7d4ef82cee02bfb7ab9

  • SHA1

    ed92348bc52b3235909935d6d5a72b005c81ae7c

  • SHA256

    b22aa813b223ea1300d79472b45d28bec5eef803fd86598c3f9d2ce2aae30a74

  • SHA512

    1787616b44b57118b51844bb1a8e31d5aeee5a4a84df1e9436c5acce055406e046ce82ae1f9aa38ee89da79a7ec59538d4ecf9aa78cda3ada37b9a9cff3fb1a3

  • SSDEEP

    24576:JcDqWP/5QY9AvMLFbC7oYVkzTRv2RqroAO+7IelB4Zx/AO9SXiFwGae:JgZQYeMo/GzVKqrDO+F4vlSXi

Malware Config

Extracted

Family

remcos

Botnet

3404

C2

194.40.242.22:3404

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    2

  • connect_interval

    15

  • copy_file

    msos.exe

  • copy_folder

    Msos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    MSOS

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    support-9DOJNT

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    msos

  • take_screenshot_option

    false

  • take_screenshot_time

    5
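The attributes above are enough to derive host and network indicators before the sample is ever run in your own environment. The following is an added example (not part of the sandbox report) that composes the expected install path, keylog path, Run value, mutex and C2 endpoint from the extracted config and matches them against a few constructed telemetry lines. It assumes the usual Remcos layout of <install_path>\<copy_folder>\<copy_file> for the dropped binary and <keylog_path>\<keylog_folder>\<keylog_file> for the keylog; the telemetry format is invented for illustration.

```python
"""Derive IOCs from an extracted Remcos configuration and match host telemetry.

Added example, not code from the sandbox report. Path composition
(<install_path>\\<copy_folder>\\<copy_file>) is an assumption about how
Remcos lays out its install; the telemetry lines below are constructed.
"""

# Values copied from the extracted configuration above.
CONFIG = {
    "c2": "194.40.242.22:3404",
    "botnet": "3404",
    "install_path": "%AppData%",
    "copy_folder": "Msos",
    "copy_file": "msos.exe",
    "startup_value": "msos",
    "keylog_path": "%AppData%",
    "keylog_folder": "MSOS",
    "keylog_file": "logs.dat",
    "mutex": "support-9DOJNT",
    "keylog_flag": False,
}


def derive_iocs(cfg):
    """Return a dict of indicators composed from the config fields."""
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "c2_host": host,
        "c2_port": int(port),
        # Dropped binary: %AppData%\Msos\msos.exe (assumed layout).
        "install_exe": "\\".join([cfg["install_path"], cfg["copy_folder"], cfg["copy_file"]]),
        # Name of the value written under HKCU\...\CurrentVersion\Run.
        "run_value": cfg["startup_value"],
        # %AppData%\MSOS\logs.dat; on NTFS this is the same directory as
        # "Msos" above, so the keylog lands next to the implant.
        "keylog_file": "\\".join([cfg["keylog_path"], cfg["keylog_folder"], cfg["keylog_file"]]),
        "mutex": cfg["mutex"],
    }


# Constructed telemetry lines (registry, network, object and file events).
SAMPLE_TELEMETRY = [
    r"REG HKCU\Software\Microsoft\Windows\CurrentVersion\Run\msos = C:\Users\alice\AppData\Roaming\Msos\msos.exe",
    r"NET tcp 10.0.0.5:51022 -> 194.40.242.22:3404 ESTABLISHED pid=4120",
    r"MUTEX \Sessions\1\BaseNamedObjects\support-9DOJNT pid=4120",
    r"FILE C:\Users\alice\AppData\Roaming\MSOS\logs.dat created pid=4120",
    r"NET tcp 10.0.0.5:51023 -> 52.96.0.1:443 ESTABLISHED pid=900",
]


def _suffix(path):
    """Drop the %AppData% placeholder so the tail matches any user profile."""
    return path.replace("%AppData%", "").lower()


def match_events(events, iocs):
    """Return (indicator_name, event) pairs for lines that hit a derived IOC."""
    hits = []
    install_tail = _suffix(iocs["install_exe"])   # "\msos\msos.exe"
    keylog_tail = _suffix(iocs["keylog_file"])    # "\msos\logs.dat"
    c2 = f'{iocs["c2_host"]}:{iocs["c2_port"]}'
    run_key = "\\currentversion\\run\\" + iocs["run_value"].lower()
    for ev in events:
        low = ev.lower()
        if c2 in low:
            hits.append(("c2", ev))
        if install_tail in low and run_key in low:
            hits.append(("run_key", ev))       # persistence pointing at the implant
        elif install_tail in low:
            hits.append(("install_exe", ev))   # implant path seen elsewhere
        if keylog_tail in low:
            hits.append(("keylog_file", ev))
        if iocs["mutex"].lower() in low:
            hits.append(("mutex", ev))
    return hits


if __name__ == "__main__":
    for name, ev in match_events(SAMPLE_TELEMETRY, derive_iocs(CONFIG)):
        print(f"{name:12s} {ev}")
```

Two caveats when hunting with these: keylog_flag is false in this config, so logs.dat is only expected if the operator turns keylogging on remotely, and the mutex name and C2 port are per-build values, so they identify this build rather than Remcos in general.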

Targets

    • Target

      3b324a37f139d7d4ef82cee02bfb7ab9_JaffaCakes118

    • Size

      1.3MB

    • MD5

      3b324a37f139d7d4ef82cee02bfb7ab9

    • SHA1

      ed92348bc52b3235909935d6d5a72b005c81ae7c

    • SHA256

      b22aa813b223ea1300d79472b45d28bec5eef803fd86598c3f9d2ce2aae30a74

    • SHA512

      1787616b44b57118b51844bb1a8e31d5aeee5a4a84df1e9436c5acce055406e046ce82ae1f9aa38ee89da79a7ec59538d4ecf9aa78cda3ada37b9a9cff3fb1a3

    • SSDEEP

      24576:JcDqWP/5QY9AvMLFbC7oYVkzTRv2RqroAO+7IelB4Zx/AO9SXiFwGae:JgZQYeMo/GzVKqrDO+F4vlSXi

    • Remcos

      Remcos is a closed-source remote control and surveillance tool.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger
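Most of the signatures above are registry reads (anti-VM, BIOS, geofence, Wine) plus one registry write (the Run key). The following added example, not part of the report or of any sandbox vendor's rule set, classifies constructed registry events into those signatures and counts how many distinct anti-analysis checks one process performs. The key paths are the ones these checks commonly touch and are assumptions, not values the report states; the event format (operation|path|pid) is invented for the example. The NtSetInformationThreadHideFromDebugger signature is an API call, not a registry event, so it is out of scope here.

```python
"""Classify registry events into the report's sandbox-evasion and persistence signatures.

Added example, not part of the sandbox report. Registry paths are assumed
(common targets of each check), and the event lines are constructed.
"""
import re
from collections import defaultdict

READS = {"RegOpenKey", "RegQueryValue"}
WRITES = {"RegSetValue"}

# (signature name as listed in the report, operations that count, path regex)
SIGNATURES = [
    ("Identifies VirtualBox via ACPI registry values", READS,
     r"\\hardware\\acpi\\(dsdt|fadt|rsdt)\\vbox__"),
    ("Checks BIOS information in registry", READS,
     r"\\hardware\\description\\system\\(system|video)biosversion"),
    ("Checks computer location settings", READS,
     r"\\control panel\\international\\geo\\nation"),
    ("Identifies Wine through registry keys", READS,
     r"\\software\\wine(\\|$)"),
    ("Adds Run key to start application", WRITES,
     r"\\software\\microsoft\\windows\\currentversion\\run\\"),
]
PERSISTENCE = "Adds Run key to start application"

# Constructed events: pid 4120 is the sample, pid 900 is a benign process
# that merely reads the Run key (a read must not count as persistence).
SAMPLE_REG_EVENTS = [
    r"RegOpenKey|HKLM\HARDWARE\ACPI\DSDT\VBOX__|4120",
    r"RegQueryValue|HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion|4120",
    r"RegQueryValue|HKCU\Control Panel\International\Geo\Nation|4120",
    r"RegOpenKey|HKCU\Software\Wine|4120",
    r"RegSetValue|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\msos|4120",
    r"RegQueryValue|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName|900",
    r"RegQueryValue|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive|900",
]


def parse_event(line):
    """Split one constructed 'op|path|pid' line."""
    op, path, pid = line.split("|")
    return op, path, int(pid)


def classify(events):
    """Map each signature name to the (pid, path) tuples that triggered it."""
    hits = defaultdict(list)
    for line in events:
        op, path, pid = parse_event(line)
        for name, ops, pattern in SIGNATURES:
            if op in ops and re.search(pattern, path, re.IGNORECASE):
                hits[name].append((pid, path))
    return dict(hits)


def evasion_score(hits):
    """Number of distinct anti-analysis checks observed (persistence excluded)."""
    evasion = {name for name, _, _ in SIGNATURES if name != PERSISTENCE}
    return len(evasion.intersection(hits))


if __name__ == "__main__":
    hits = classify(SAMPLE_REG_EVENTS)
    for name, where in hits.items():
        print(f"{name}: {where}")
    print("evasion checks:", evasion_score(hits))
```

A single BIOS or locale lookup is common in legitimate software; the signal is the combination, which is why the score counts distinct checks rather than raw event volume. Correlate by pid with the Run value name from the extracted config (msos) to tie the persistence write back to this build.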
