remcos | ceacd96438f933acfbf6b01a34f37c36db4db79362f66d660fb6b33541581204

General

Target

4eb4210e0c2ae6f9eddd871ccc194d2e_JaffaCakes118.exe
Size

120KB
MD5

4eb4210e0c2ae6f9eddd871ccc194d2e
SHA1

25df32e67a1f0581d1ee60fb0deda607343743ea
SHA256

ceacd96438f933acfbf6b01a34f37c36db4db79362f66d660fb6b33541581204
SHA512

8bb8e8949821e3fe746f2b494fc0902c8148baa8c852b45ad37dd8cc5d9221f1d8633a822815bd7abb8e394fb5a61943bb0f119e663d5c271485d03e14d54ccc
SSDEEP

3072:1FNUcekHxRkuHxSWMDUajQJf/p/itxBCBpEzImXnr+vHI+zIcdpr72u1p:1HUcLxRkuRSWMDUaGf/p/sxWpEzImXqV

Score

10^/10

remcos new evasion persistence rat

Malware Config

Extracted

Family

remcos

Version

2.0.5 Pro

Botnet

NEW

C2

195.154.242.51:2404

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
syscmd.exe
copy_folder
Syscmd
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Syscmd
keylog_path
%AppData%
mouse_option
true
mutex
Syscmd-TEC6F3
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
syscmd
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

4eb4210e0c2ae6f9eddd871ccc194d2e_JaffaCakes118.exesyscmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4eb4210e0c2ae6f9eddd871ccc194d2e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	syscmd.exe

Executes dropped EXE 1 IoCs

Processes:

syscmd.exe

pid process

2648 syscmd.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2588 cmd.exe
2588 cmd.exe

pid	process
2648	syscmd.exe

pid	process
2588	cmd.exe
2588	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4eb4210e0c2ae6f9eddd871ccc194d2e_JaffaCakes118.exesyscmd.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\syscmd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Syscmd\\syscmd.exe\""	4eb4210e0c2ae6f9eddd871ccc194d2e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\syscmd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Syscmd\\syscmd.exe\""	syscmd.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

syscmd.exe

description pid process target process

PID 2648 set thread context of 2556 2648 syscmd.exe iexplore.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2648 set thread context of 2556	2648	syscmd.exe	iexplore.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

4eb4210e0c2ae6f9eddd871ccc194d2e_JaffaCakes118.exeWScript.execmd.exesyscmd.exe

description	pid	process	target process
PID 2072 wrote to memory of 3048	2072	4eb4210e0c2ae6f9eddd871ccc194d2e_JaffaCakes118.exe	WScript.exe
PID 2072 wrote to memory of 3048	2072	4eb4210e0c2ae6f9eddd871ccc194d2e_JaffaCakes118.exe	WScript.exe
PID 2072 wrote to memory of 3048	2072	4eb4210e0c2ae6f9eddd871ccc194d2e_JaffaCakes118.exe	WScript.exe
PID 2072 wrote to memory of 3048	2072	4eb4210e0c2ae6f9eddd871ccc194d2e_JaffaCakes118.exe	WScript.exe
PID 3048 wrote to memory of 2588	3048	WScript.exe	cmd.exe
PID 3048 wrote to memory of 2588	3048	WScript.exe	cmd.exe
PID 3048 wrote to memory of 2588	3048	WScript.exe	cmd.exe
PID 3048 wrote to memory of 2588	3048	WScript.exe	cmd.exe
PID 2588 wrote to memory of 2648	2588	cmd.exe	syscmd.exe
PID 2588 wrote to memory of 2648	2588	cmd.exe	syscmd.exe
PID 2588 wrote to memory of 2648	2588	cmd.exe	syscmd.exe
PID 2588 wrote to memory of 2648	2588	cmd.exe	syscmd.exe
PID 2648 wrote to memory of 2556	2648	syscmd.exe	iexplore.exe
PID 2648 wrote to memory of 2556	2648	syscmd.exe	iexplore.exe
PID 2648 wrote to memory of 2556	2648	syscmd.exe	iexplore.exe
PID 2648 wrote to memory of 2556	2648	syscmd.exe	iexplore.exe
PID 2648 wrote to memory of 2556	2648	syscmd.exe	iexplore.exe
PID 2648 wrote to memory of 2556	2648	syscmd.exe	iexplore.exe
PID 2648 wrote to memory of 2556	2648	syscmd.exe	iexplore.exe
PID 2648 wrote to memory of 2556	2648	syscmd.exe	iexplore.exe
PID 2648 wrote to memory of 2556	2648	syscmd.exe	iexplore.exe
PID 2648 wrote to memory of 2556	2648	syscmd.exe	iexplore.exe
PID 2648 wrote to memory of 2556	2648	syscmd.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\4eb4210e0c2ae6f9eddd871ccc194d2e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4eb4210e0c2ae6f9eddd871ccc194d2e_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Syscmd\syscmd.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Users\Admin\AppData\Roaming\Syscmd\syscmd.exe
      C:\Users\Admin\AppData\Roaming\Syscmd\syscmd.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
418B

MD5
a188db36cc78c3a687fefe769400911f

SHA1
c76a6749da9941cabadbf26399ee950aa4dc2782

SHA256
66ba60e9d8ecda66fcee8ce0a80855a67e14704f823d5c058751746208e7d4d3

SHA512
9587847ede7ad801c22eb2d1c3ffdc09aec9fd249b5835ba40b75b150ae87982b13e7828cd9e11290db8a8e28dec02a1b3a712de9694a24349c75b190857f929

Download Submit
\Users\Admin\AppData\Roaming\Syscmd\syscmd.exe

Filesize
120KB

MD5
4eb4210e0c2ae6f9eddd871ccc194d2e

SHA1
25df32e67a1f0581d1ee60fb0deda607343743ea

SHA256
ceacd96438f933acfbf6b01a34f37c36db4db79362f66d660fb6b33541581204

SHA512
8bb8e8949821e3fe746f2b494fc0902c8148baa8c852b45ad37dd8cc5d9221f1d8633a822815bd7abb8e394fb5a61943bb0f119e663d5c271485d03e14d54ccc

Download Submit
memory/2556-10-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads