Malware Analysis Report

2024-12-07 22:47

Sample ID: 240512-vntlasae63
Target: 3b324a37f139d7d4ef82cee02bfb7ab9_JaffaCakes118
SHA256: b22aa813b223ea1300d79472b45d28bec5eef803fd86598c3f9d2ce2aae30a74
Tags: remcos, 3404, evasion, persistence, rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: b22aa813b223ea1300d79472b45d28bec5eef803fd86598c3f9d2ce2aae30a74

Threat Level: Known bad

The file 3b324a37f139d7d4ef82cee02bfb7ab9_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: remcos, 3404, evasion, persistence, rat

Remcos

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Loads dropped DLL

Checks BIOS information in registry

Identifies Wine through registry keys

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-12 17:08

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-12 17:08
Reported: 2024-05-12 17:11
Platform: win7-20240508-en
Max time kernel: 142s
Max time network: 140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3b324a37f139d7d4ef82cee02bfb7ab9_JaffaCakes118.exe"

Signatures

Remcos

rat remcos

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Tags: evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\3b324a37f139d7d4ef82cee02bfb7ab9_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\Msos\msos.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\3b324a37f139d7d4ef82cee02bfb7ab9_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\3b324a37f139d7d4ef82cee02bfb7ab9_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\Msos\msos.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\Msos\msos.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Msos\msos.exe | N/A

Identifies Wine through registry keys

Tags: evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\3b324a37f139d7d4ef82cee02bfb7ab9_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\Msos\msos.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\msos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Msos\\msos.exe\"" | C:\Users\Admin\AppData\Local\Temp\3b324a37f139d7d4ef82cee02bfb7ab9_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\msos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Msos\\msos.exe\"" | C:\Users\Admin\AppData\Roaming\Msos\msos.exe | N/A
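The registry signatures above (VirtualBox ACPI table, BIOS version strings, Wine hive, Run key, and the Geo\Nation check from the behavioral2 run) are all plain key-path matches, so they are easy to reproduce outside the sandbox. The following Python is an added example, not part of this report and not a rule set the sandbox ships: SAMPLE_EVENTS is constructed from the indicators listed in this report (plus one harmless key for contrast), and RULES is the editor's own generalisation of those indicators (it also covers RunOnce and the FADT/RSDT ACPI tables, which this sample did not touch).

```python
"""Map sandbox registry events to the behaviours tagged in this report.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed from
the registry indicators in the report (both runs), plus one benign key so the
rules are seen not to fire on everything; RULES is the editor's generalisation
of those indicators, not a rule set the sandbox ships.
"""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3b324a37f139d7d4ef82cee02bfb7ab9_JaffaCakes118.exe"
COPY = r"C:\Users\Admin\AppData\Roaming\Msos\msos.exe"
HKCU = r"\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000"

# (operation, key path, value written or None, process image)
SAMPLE_EVENTS = [
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", None, SAMPLE),
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", None, COPY),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", None, SAMPLE),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", None, SAMPLE),
    ("Key opened", HKCU + r"\Software\Wine", None, SAMPLE),
    ("Set value (str)", HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Run\msos", '"' + COPY + '"', SAMPLE),
    ("Key value queried", HKCU + r"\Control Panel\International\Geo\Nation", None, SAMPLE),
    # constructed benign access, to show the rules do not fire on everything
    ("Key opened", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion", None, SAMPLE),
]

# (category, rule name, pattern on the key path). Patterns are anchored at the end
# of the path so that Run\<name> matches but unrelated deeper subkeys do not.
RULES = [
    ("anti-vm", "VirtualBox ACPI table", re.compile(r"\\HARDWARE\\ACPI\\(?:DSDT|FADT|RSDT)\\VBOX__$", re.I)),
    ("anti-vm", "BIOS version strings", re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(?:System|Video)BiosVersion$", re.I)),
    ("anti-emulation", "Wine registry hive", re.compile(r"\\Software\\Wine$", re.I)),
    ("persistence", "Run key", re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\[^\\]+$", re.I)),
    ("recon", "Geo/Nation locale check", re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
]


@dataclass
class Finding:
    category: str
    rule: str
    process: str
    key: str
    autorun_target: Optional[str] = None


def autorun_target(value):
    """Executable path from a Run-key value: the quoted token if the value is
    quoted, otherwise everything up to the first space (arguments dropped)."""
    if value is None:
        return None
    v = value.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        return v[1:end] if end > 0 else v[1:]
    return v.split(" ", 1)[0]


def classify(events):
    """One Finding per event that matches a rule; the first matching rule wins."""
    findings = []
    for _op, key, value, proc in events:
        for category, rule, pat in RULES:
            if pat.search(key):
                target = autorun_target(value) if category == "persistence" else None
                findings.append(Finding(category, rule, proc, key, target))
                break
    return findings


def summarize(findings):
    """category -> sorted list of distinct processes that triggered it"""
    out = {}
    for f in findings:
        out.setdefault(f.category, set()).add(f.process)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for f in classify(SAMPLE_EVENTS):
        name = f.process.split("\\")[-1]
        print(f"{f.category:14} {f.rule:24} {name}")
```

Both the original executable and the dropped copy trip the anti-VM rules, which is what the report shows: the copy is the same binary, so it repeats the environment checks after the relaunch. The persistence finding carries the unquoted autorun path, which is the value to hunt for on other hosts.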

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3b324a37f139d7d4ef82cee02bfb7ab9_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Msos\msos.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3b324a37f139d7d4ef82cee02bfb7ab9_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Msos\msos.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Msos\msos.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events (identical rows collapsed)
PID 3016 wrote to memory of 2092 | N/A | C:\Users\Admin\AppData\Local\Temp\3b324a37f139d7d4ef82cee02bfb7ab9_JaffaCakes118.exe | C:\Windows\SysWOW64\WScript.exe | 4
PID 2092 wrote to memory of 2724 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2724 wrote to memory of 2748 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Msos\msos.exe | 4
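The WriteProcessMemory rows are the only place this report records which process started which: each parent writes into its child right after creation, and the sandbox logs every write, so the same edge repeats. The Python below is an added example, not part of the report: ROWS is constructed from the table above, and the SCRIPT_HOSTS and USER_WRITABLE lists are the editor's assumptions used to flag the drop-and-relaunch shape (user-writable binary, then a script host or shell, then another user-writable binary) rather than anything the sandbox outputs.

```python
"""Rebuild the launch chain from sandbox WriteProcessMemory events.

Added example, not part of the report. ROWS is constructed from the
"Suspicious use of WriteProcessMemory" table; the sandbox logs one row per
write call, so each parent/child edge appears several times and is collapsed
into one edge with a write count. SCRIPT_HOSTS and USER_WRITABLE are the
editor's own lists, not values taken from the report.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3b324a37f139d7d4ef82cee02bfb7ab9_JaffaCakes118.exe"
WSCRIPT = r"C:\Windows\SysWOW64\WScript.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
COPY = r"C:\Users\Admin\AppData\Roaming\Msos\msos.exe"

# (description, process, target): four identical rows per edge, as in the report
ROWS = (
    [("PID 3016 wrote to memory of 2092", SAMPLE, WSCRIPT)] * 4
    + [("PID 2092 wrote to memory of 2724", WSCRIPT, CMD)] * 4
    + [("PID 2724 wrote to memory of 2748", CMD, COPY)] * 4
)

EDGE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")


def parse_edges(rows):
    """children[parent][child] = number of writes; image[pid] = image path.
    Rows whose description is not a PID-to-PID write (e.g. 'N/A') are skipped."""
    children = defaultdict(dict)
    image = {}
    for desc, src, dst in rows:
        m = EDGE_RE.fullmatch(desc)
        if not m:
            continue
        parent, child = int(m.group(1)), int(m.group(2))
        children[parent][child] = children[parent].get(child, 0) + 1
        image.setdefault(parent, src)
        image.setdefault(child, dst)
    return children, image


def roots(children):
    """PIDs that write to others but were never written to: where the chain starts."""
    written = {c for kids in children.values() for c in kids}
    return sorted(p for p in children if p not in written)


def chain_from(children, image, pid):
    """Parent-first flattening of the tree under pid as (pid, image) pairs."""
    out = [(pid, image[pid])]
    for child in sorted(children.get(pid, {})):
        out.extend(chain_from(children, image, child))
    return out


def render(children, image, pid, depth=0, writes=None):
    """Indented tree, one line per process, with the write count from its parent."""
    tail = f"  ({writes} writes from parent)" if writes is not None else ""
    lines = [f"{'  ' * depth}{pid}  {image[pid]}{tail}"]
    for child, n in sorted(children.get(pid, {}).items()):
        lines.extend(render(children, image, child, depth + 1, n))
    return lines


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path):
    low = path.lower()
    return any(seg in low for seg in USER_WRITABLE)


def staged_via_script_host(chain):
    """True for the drop-and-relaunch shape in this report: a binary in a
    user-writable directory starts a script host or shell, which later starts
    another binary in a user-writable directory. A three-state walk down the
    chain, so intervening processes (cmd.exe here) are tolerated."""
    state = 0
    for _pid, img in chain:
        if state == 0 and in_user_writable(img):
            state = 1
        elif state == 1 and basename(img) in SCRIPT_HOSTS:
            state = 2
        elif state == 2 and in_user_writable(img):
            return True
    return False


if __name__ == "__main__":
    children, image = parse_edges(ROWS)
    for root in roots(children):
        print("\n".join(render(children, image, root)))
        print("staged via script host:", staged_via_script_host(chain_from(children, image, root)))
```

On an EDR, the same walk applies to Sysmon event 1 or any parent/child process telemetry; the sandbox rows are just a convenient stand-in here.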

Processes

Launch chain (parent -> child; PIDs taken from the WriteProcessMemory events above). The two system binaries show a SysWOW64 image path although their command lines name System32: the sample is a 32-bit process, so WoW64 file system redirection resolves System32 to SysWOW64 for the processes it starts.

PID 3016  C:\Users\Admin\AppData\Local\Temp\3b324a37f139d7d4ef82cee02bfb7ab9_JaffaCakes118.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\3b324a37f139d7d4ef82cee02bfb7ab9_JaffaCakes118.exe"
  PID 2092  C:\Windows\SysWOW64\WScript.exe
            cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    PID 2724  C:\Windows\SysWOW64\cmd.exe
              cmdline: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Msos\msos.exe"
      PID 2748  C:\Users\Admin\AppData\Roaming\Msos\msos.exe
                cmdline: C:\Users\Admin\AppData\Roaming\Msos\msos.exe

Network

Country | Destination | Domain | Proto | Connections (identical rows collapsed)
GB | 194.40.242.22:3404 | (none) | tcp | 8

Eight TCP connections to 194.40.242.22:3404 are the only network activity in this run. No domain is associated with them and no DNS query precedes them, so the address and port are contacted directly; 3404 is the port carried in the report's tags.

Files

memory/3016-0-0x0000000000400000-0x000000000070C000-memory.dmp

memory/3016-1-0x0000000077180000-0x0000000077182000-memory.dmp

memory/3016-4-0x0000000000401000-0x000000000040A000-memory.dmp

memory/3016-5-0x0000000000400000-0x000000000070C000-memory.dmp

memory/3016-9-0x0000000000400000-0x000000000070C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5 ffc5481bf624ad66edb74a4c5beaf486
SHA1 d0a108d67daca4147752bb8a383a3d046a8ec9c2
SHA256 a461e3a4eb06fb7a885e2e9f6e0faee3692018365a1645cda2d2209cb6a5bddf
SHA512 c5c17dde61dfc80eb0e7a31fd30d143b7e8bc8b42d1c2848e27e7a5861c8c98d5441e7ebc1b8b90779ebf59f09b4f76e8b81da0a802b2d206a7b961e39f61b02

C:\Users\Admin\AppData\Roaming\Msos\msos.exe (same MD5, SHA1, SHA256 and SHA512 as the submitted sample: the persistent copy is a byte-for-byte self-copy, so the sample's hashes also identify the dropped file)

MD5 3b324a37f139d7d4ef82cee02bfb7ab9
SHA1 ed92348bc52b3235909935d6d5a72b005c81ae7c
SHA256 b22aa813b223ea1300d79472b45d28bec5eef803fd86598c3f9d2ce2aae30a74
SHA512 1787616b44b57118b51844bb1a8e31d5aeee5a4a84df1e9436c5acce055406e046ce82ae1f9aa38ee89da79a7ec59538d4ecf9aa78cda3ada37b9a9cff3fb1a3

memory/2748-14-0x0000000000400000-0x000000000070C000-memory.dmp

memory/2748-17-0x0000000000400000-0x000000000070C000-memory.dmp

memory/2748-20-0x0000000000400000-0x000000000070C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Msos\logs.dat

MD5 622bb19f6f05dcd070f0d3acd4bf7c80
SHA1 c27eab67689919053885076b69868c645e1bb964
SHA256 66740b36b460b815b865fb147b8a0c407aab47fe6dc9b5f7f7ec66389add1c6d
SHA512 37c685e943da27c447f4c2b57ab4482d4a0dd9b274c4f89b1de45aee4faaa3992f18e5ec712100a8bec2ab073a91e95e0a0366a3fbfbf163215718a514862267

memory/2748-25-0x0000000000400000-0x000000000070C000-memory.dmp

memory/2748-27-0x0000000000400000-0x000000000070C000-memory.dmp

memory/2748-31-0x0000000000400000-0x000000000070C000-memory.dmp

memory/2748-34-0x0000000000400000-0x000000000070C000-memory.dmp

memory/2748-39-0x0000000000400000-0x000000000070C000-memory.dmp

memory/2748-42-0x0000000000400000-0x000000000070C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-12 17:08
Reported: 2024-05-12 17:11
Platform: win10v2004-20240426-en
Max time kernel: 144s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3b324a37f139d7d4ef82cee02bfb7ab9_JaffaCakes118.exe"

Signatures

Remcos

rat remcos

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Tags: evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\3b324a37f139d7d4ef82cee02bfb7ab9_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\Msos\msos.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\3b324a37f139d7d4ef82cee02bfb7ab9_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\3b324a37f139d7d4ef82cee02bfb7ab9_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\Msos\msos.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\Msos\msos.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3b324a37f139d7d4ef82cee02bfb7ab9_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Msos\msos.exe | N/A

Identifies Wine through registry keys

Tags: evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\3b324a37f139d7d4ef82cee02bfb7ab9_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\Msos\msos.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Msos\\msos.exe\"" | C:\Users\Admin\AppData\Local\Temp\3b324a37f139d7d4ef82cee02bfb7ab9_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Msos\\msos.exe\"" | C:\Users\Admin\AppData\Roaming\Msos\msos.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3b324a37f139d7d4ef82cee02bfb7ab9_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Msos\msos.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\3b324a37f139d7d4ef82cee02bfb7ab9_JaffaCakes118.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Msos\msos.exe | N/A

Processes

The same four processes with the same command lines as in behavioral1 (sample -> WScript.exe running install.vbs -> cmd.exe -> dropped msos.exe); this run records no WriteProcessMemory events, so no PIDs are attached. As in behavioral1, the SysWOW64 image paths against System32 command lines are WoW64 file system redirection for the 32-bit sample's children.

C:\Users\Admin\AppData\Local\Temp\3b324a37f139d7d4ef82cee02bfb7ab9_JaffaCakes118.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\3b324a37f139d7d4ef82cee02bfb7ab9_JaffaCakes118.exe"
  C:\Windows\SysWOW64\WScript.exe
      cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Msos\msos.exe"
      C:\Users\Admin\AppData\Roaming\Msos\msos.exe
          cmdline: C:\Users\Admin\AppData\Roaming\Msos\msos.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
NL | 23.62.61.88:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.61.62.23.in-addr.arpa | udp
NL | 23.62.61.88:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
GB | 194.40.242.22:3404 | (none) | tcp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
GB | 194.40.242.22:3404 | (none) | tcp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp
GB | 194.40.242.22:3404 | (none) | tcp
US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp
GB | 194.40.242.22:3404 | (none) | tcp
US | 52.111.227.11:443 | (none) | tcp
GB | 194.40.242.22:3404 | (none) | tcp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
GB | 194.40.242.22:3404 | (none) | tcp
GB | 194.40.242.22:3404 | (none) | tcp
GB | 194.40.242.22:3404 | (none) | tcp

The DNS, reverse-lookup and Bing rows did not appear in the Windows 7 run and belong to the Windows 10 image's own background activity. The eight direct-to-IP connections to 194.40.242.22:3404 are the same endpoint and the same count as in behavioral1 and are the only rows attributable to the sample.
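Picking the one attacker-controlled endpoint out of a table like this is a matter of stripping resolver traffic and the image's own background connections and then looking at what is left: connections with no resolved name on a non-web port. The Python below is an added example, not part of the report, and serves both Network sections: ROWS is a constructed subset of the behavioral2 table above (behavioral1 contains only the 194.40.242.22:3404 rows), RESOLVER is the 8.8.8.8 resolver visible in the table, and BACKGROUND_SUFFIXES is an assumption about what this particular Windows 10 image contacts on its own, to be tuned per sandbox image.

```python
"""Separate sandbox background traffic from the C2 candidate in a Network table.

Added example, not part of the report. ROWS is a constructed subset of the
behavioral2 Network table; BACKGROUND_SUFFIXES is an assumption about this
Windows 10 image's own traffic; RESOLVER is the resolver seen in the table.
"""
from collections import Counter

# (country, "ip:port", resolved domain or "" for a direct-to-IP connection, proto)
ROWS = [
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "204.79.197.237:443", "g.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "97.17.167.52.in-addr.arpa", "udp"),
    ("NL", "23.62.61.88:443", "www.bing.com", "tcp"),
    ("GB", "194.40.242.22:3404", "", "tcp"),
    ("US", "8.8.8.8:53", "13.86.106.20.in-addr.arpa", "udp"),
    ("GB", "194.40.242.22:3404", "", "tcp"),
    ("US", "52.111.227.11:443", "", "tcp"),
    ("GB", "194.40.242.22:3404", "", "tcp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("GB", "194.40.242.22:3404", "", "tcp"),
]

RESOLVER = "8.8.8.8"
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net")  # assumption: this image's own noise
WEB_PORTS = {80, 443}


def split_endpoint(endpoint):
    ip, port = endpoint.rsplit(":", 1)
    return ip, int(port)


def classify_row(row):
    """dns | background | direct-ip | c2-candidate | other"""
    _country, endpoint, domain, proto = row
    ip, port = split_endpoint(endpoint)
    if proto == "udp" and port == 53 and ip == RESOLVER:
        return "dns"
    if domain.endswith(BACKGROUND_SUFFIXES):
        return "background"
    if not domain:
        # No name was resolved for this connection, so the address is hard-coded.
        # Hard-coded IP plus a non-web port is the classic RAT beacon shape; a
        # hard-coded IP on 80/443 still deserves a look but is often OS telemetry.
        return "c2-candidate" if port not in WEB_PORTS else "direct-ip"
    return "other"


def c2_candidates(rows):
    """(ip, port, proto) -> connection count. The count is the number of
    connects/reconnects during the run, itself a useful signal."""
    out = Counter()
    for row in rows:
        if classify_row(row) == "c2-candidate":
            ip, port = split_endpoint(row[1])
            out[(ip, port, row[3])] += 1
    return out


def iocs(rows):
    """Blocklist-ready 'ip:port/proto' strings, most-contacted first."""
    return [f"{ip}:{port}/{proto}" for (ip, port, proto), _n in c2_candidates(rows).most_common()]


def triage(rows):
    """category -> row count, the one-glance view of a noisy table"""
    return dict(Counter(classify_row(r) for r in rows))


if __name__ == "__main__":
    print(triage(ROWS))
    print(iocs(ROWS))
```

The one row that lands in direct-ip (52.111.227.11:443) is exactly the case the port test is for: a hard-coded address, but on 443, so it is queued for review rather than declared C2 on shape alone.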

Files

memory/4988-0-0x0000000000400000-0x000000000070C000-memory.dmp

memory/4988-1-0x0000000077B84000-0x0000000077B86000-memory.dmp

memory/4988-4-0x0000000000401000-0x000000000040A000-memory.dmp

memory/4988-5-0x0000000000400000-0x000000000070C000-memory.dmp

memory/4988-9-0x0000000000400000-0x000000000070C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5 ffc5481bf624ad66edb74a4c5beaf486
SHA1 d0a108d67daca4147752bb8a383a3d046a8ec9c2
SHA256 a461e3a4eb06fb7a885e2e9f6e0faee3692018365a1645cda2d2209cb6a5bddf
SHA512 c5c17dde61dfc80eb0e7a31fd30d143b7e8bc8b42d1c2848e27e7a5861c8c98d5441e7ebc1b8b90779ebf59f09b4f76e8b81da0a802b2d206a7b961e39f61b02

memory/4580-13-0x0000000000400000-0x000000000070C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Msos\msos.exe

MD5 3b324a37f139d7d4ef82cee02bfb7ab9
SHA1 ed92348bc52b3235909935d6d5a72b005c81ae7c
SHA256 b22aa813b223ea1300d79472b45d28bec5eef803fd86598c3f9d2ce2aae30a74
SHA512 1787616b44b57118b51844bb1a8e31d5aeee5a4a84df1e9436c5acce055406e046ce82ae1f9aa38ee89da79a7ec59538d4ecf9aa78cda3ada37b9a9cff3fb1a3

memory/4580-15-0x0000000000400000-0x000000000070C000-memory.dmp

memory/4580-16-0x0000000000400000-0x000000000070C000-memory.dmp

memory/4580-17-0x0000000000400000-0x000000000070C000-memory.dmp

memory/4580-18-0x0000000000400000-0x000000000070C000-memory.dmp

memory/4580-21-0x0000000000400000-0x000000000070C000-memory.dmp

memory/4580-25-0x0000000000400000-0x000000000070C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Msos\logs.dat

MD5 a476edc0b121846e54554e6a27f82e90
SHA1 cb86562a9dda84706a58ba38245eb6419c161116
SHA256 f0deb144ecbb7ae090690b3fe5183aa24b39c1f596ea5758a5ae0eda4d180cfe
SHA512 efad89d495e80cf0ff0b6602033a2998c17a1db08d8ed47f1d12eaeb45e831892bf5aac463062d98fa1e95689ccb186ceaf1d9155fb59f1864a337df14233ae4

memory/4580-27-0x0000000000400000-0x000000000070C000-memory.dmp

memory/4580-33-0x0000000000400000-0x000000000070C000-memory.dmp

memory/4580-35-0x0000000000400000-0x000000000070C000-memory.dmp

memory/4580-38-0x0000000000400000-0x000000000070C000-memory.dmp

memory/4580-43-0x0000000000400000-0x000000000070C000-memory.dmp

memory/4580-47-0x0000000000400000-0x000000000070C000-memory.dmp
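Reading the two Files sections side by side answers three questions the report leaves implicit: which dropped file is a copy of the sample (msos.exe carries the sample's own hashes in both runs), which drops are static across runs (install.vbs has the same hashes in both) and which are generated at run time (logs.dat differs between the two runs, so its hash will never recur elsewhere). The Python below is an added example, not part of the report, covering both Files sections: FILES is constructed from the hashes given above, with the drive letter normalised to C:\ for the behavioral1 msos.exe entry.

```python
"""Correlate dropped files across the two detonations in this report.

Added example, not part of the report. FILES is constructed from the two Files
sections (hashes as given there; drive letter normalised for behavioral1).
"""
SAMPLE_SHA256 = "b22aa813b223ea1300d79472b45d28bec5eef803fd86598c3f9d2ce2aae30a74"

# (run, path, md5, sha256)
FILES = [
    ("behavioral1", r"C:\Users\Admin\AppData\Local\Temp\install.vbs", "ffc5481bf624ad66edb74a4c5beaf486", "a461e3a4eb06fb7a885e2e9f6e0faee3692018365a1645cda2d2209cb6a5bddf"),
    ("behavioral1", r"C:\Users\Admin\AppData\Roaming\Msos\msos.exe", "3b324a37f139d7d4ef82cee02bfb7ab9", SAMPLE_SHA256),
    ("behavioral1", r"C:\Users\Admin\AppData\Roaming\Msos\logs.dat", "622bb19f6f05dcd070f0d3acd4bf7c80", "66740b36b460b815b865fb147b8a0c407aab47fe6dc9b5f7f7ec66389add1c6d"),
    ("behavioral2", r"C:\Users\Admin\AppData\Local\Temp\install.vbs", "ffc5481bf624ad66edb74a4c5beaf486", "a461e3a4eb06fb7a885e2e9f6e0faee3692018365a1645cda2d2209cb6a5bddf"),
    ("behavioral2", r"C:\Users\Admin\AppData\Roaming\Msos\msos.exe", "3b324a37f139d7d4ef82cee02bfb7ab9", SAMPLE_SHA256),
    ("behavioral2", r"C:\Users\Admin\AppData\Roaming\Msos\logs.dat", "a476edc0b121846e54554e6a27f82e90", "f0deb144ecbb7ae090690b3fe5183aa24b39c1f596ea5758a5ae0eda4d180cfe"),
]


def self_copies(files, sample_sha256):
    """Paths whose SHA256 equals the submitted sample: the malware re-dropped itself."""
    return sorted({path for _run, path, _md5, sha in files if sha == sample_sha256})


def stability(files):
    """path -> 'static' if every run produced the same hash, else 'run-specific'."""
    by_path = {}
    for _run, path, _md5, sha in files:
        by_path.setdefault(path, set()).add(sha)
    return {p: ("static" if len(s) == 1 else "run-specific") for p, s in by_path.items()}


def hunt_hashes(files, sample_sha256):
    """SHA256 values worth adding to a hash blocklist: static drops other than
    the sample itself (already known-bad). Run-specific files are excluded
    because their hash will not recur on another host."""
    stable = stability(files)
    return sorted({sha for _r, p, _m, sha in files if stable[p] == "static" and sha != sample_sha256})


def hunt_paths(files):
    """Paths to look for on hosts regardless of hash: every dropped file,
    including the run-specific ones, since the path is what stays constant."""
    return sorted({p for _r, p, _m, _s in files})


if __name__ == "__main__":
    print("self-copies:", self_copies(FILES, SAMPLE_SHA256))
    print("stability:", stability(FILES))
    print("hunt hashes:", hunt_hashes(FILES, SAMPLE_SHA256))
    print("hunt paths:", hunt_paths(FILES))
```

The split matters for hunting: install.vbs and the sample hash are good hash indicators, while logs.dat is only ever a path indicator.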