remcos | 0836bb223ab5657775962a4913387399291103cab772ad0156834f669575e3d3

General

Target

4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
Size

524KB
MD5

4ef5d993dfcfced0e8ca4529613c2d7f
SHA1

c9ef68198440a7baed2ff287956a22a2a6da282c
SHA256

0836bb223ab5657775962a4913387399291103cab772ad0156834f669575e3d3
SHA512

ea1422319ae1753bba25d77908c86688ea1f31545d62c147b4937c5e14f3f5b971e0c0b84dd3a6e7b9ab11fff5a0ef5b11a7efe052e66845172f6ec7e0b8b7e8
SSDEEP

3072:sdopXoLkYk+XgOVzM0IsYnNh+MddCbBLNN4WJ9pUwVc6dIIWkJCTnW917h:QohYkPO6znBdC7N4OuXiWkwWB

Score

10^/10

remcos rem95 rat

Malware Config

Extracted

Family

remcos

Version

1.9.5 Pro

Botnet

REM95

C2

casillas.hicam.net:2404

casillasmx.chickenkiller.com:2404

casillas45.hopto.org:2404

casillas.libfoobar.so:2404

du4alr0ute.sendsmtp.com:2404

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
REM95-DM1QMV
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of SetThreadContext 2 IoCs

Processes:

4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe

description	pid	process	target process
PID 4584 set thread context of 1600	4584	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
PID 4584 set thread context of 3052	4584	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	regasm.exe

Drops file in Windows directory 2 IoCs

Processes:

4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

regasm.exe

pid	process
3052	regasm.exe
3052	regasm.exe
3052	regasm.exe
3052	regasm.exe
3052	regasm.exe
3052	regasm.exe
3052	regasm.exe
3052	regasm.exe
3052	regasm.exe
3052	regasm.exe
3052	regasm.exe
3052	regasm.exe
3052	regasm.exe
3052	regasm.exe
3052	regasm.exe
3052	regasm.exe
3052	regasm.exe
3052	regasm.exe
3052	regasm.exe
3052	regasm.exe
3052	regasm.exe
3052	regasm.exe
3052	regasm.exe
3052	regasm.exe
3052	regasm.exe
3052	regasm.exe
3052	regasm.exe
3052	regasm.exe
3052	regasm.exe
3052	regasm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exeregasm.exe

description pid process

Token: SeDebugPrivilege 4584 4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
Token: SeDebugPrivilege 3052 regasm.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe

pid process

1600 4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	4584	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
Token: SeDebugPrivilege	3052	regasm.exe

pid	process
1600	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Users\Admin\AppData\Local\Temp\4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe"
  2⤵
  PID:4252
- C:\Users\Admin\AppData\Local\Temp\4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe"
  2⤵
  PID:2820
- C:\Users\Admin\AppData\Local\Temp\4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1600
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe" C:\Users\Admin\AppData\Local\Temp\4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe 1600 cd70ae03f3c24299abd87066babcaa52
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch

Filesize
908B

MD5
2d1532bdffdd41d4708b95da66bd8b01

SHA1
acaa04073f6e4d1a262dd0b896fd04134bf725b7

SHA256
0fb2798786896d702d773916c56c7f0117264384a3168c6660b8e7608333abe0

SHA512
214a73e4d46ae0cc8e684dfeb0eef73be33f8ff75b55281369d9e39fbc5347f5d991bf7c0f278fc324ad3256e513577a6176ed7efbcb0ddbc5579578338358f2

Download Submit
memory/1600-25-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1600-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1600-36-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1600-17-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1600-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3052-31-0x0000000074A10000-0x0000000074FC1000-memory.dmp

Filesize
5.7MB

Download
memory/3052-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3052-29-0x0000000074A12000-0x0000000074A13000-memory.dmp

Filesize
4KB

Download
memory/3052-33-0x0000000074A10000-0x0000000074FC1000-memory.dmp

Filesize
5.7MB

Download
memory/3052-37-0x0000000074A10000-0x0000000074FC1000-memory.dmp

Filesize
5.7MB

Download
memory/4584-2-0x0000000074A10000-0x0000000074FC1000-memory.dmp

Filesize
5.7MB

Download
memory/4584-1-0x0000000074A10000-0x0000000074FC1000-memory.dmp

Filesize
5.7MB

Download
memory/4584-0-0x0000000074A12000-0x0000000074A13000-memory.dmp

Filesize
4KB

Download
memory/4584-34-0x0000000074A10000-0x0000000074FC1000-memory.dmp

Filesize
5.7MB

Download
memory/4584-16-0x0000000074A10000-0x0000000074FC1000-memory.dmp

Filesize
5.7MB

Download

description	pid	process	target process
PID 4584 wrote to memory of 4252	4584	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
PID 4584 wrote to memory of 4252	4584	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
PID 4584 wrote to memory of 4252	4584	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
PID 4584 wrote to memory of 2820	4584	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
PID 4584 wrote to memory of 2820	4584	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
PID 4584 wrote to memory of 2820	4584	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
PID 4584 wrote to memory of 1600	4584	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
PID 4584 wrote to memory of 1600	4584	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
PID 4584 wrote to memory of 1600	4584	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
PID 4584 wrote to memory of 1600	4584	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
PID 4584 wrote to memory of 1600	4584	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
PID 4584 wrote to memory of 1600	4584	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
PID 4584 wrote to memory of 1600	4584	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
PID 4584 wrote to memory of 1600	4584	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
PID 4584 wrote to memory of 1600	4584	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe
PID 4584 wrote to memory of 3052	4584	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	regasm.exe
PID 4584 wrote to memory of 3052	4584	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	regasm.exe
PID 4584 wrote to memory of 3052	4584	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	regasm.exe
PID 4584 wrote to memory of 3052	4584	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	regasm.exe
PID 4584 wrote to memory of 3052	4584	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	regasm.exe
PID 4584 wrote to memory of 3052	4584	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	regasm.exe
PID 4584 wrote to memory of 3052	4584	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	regasm.exe
PID 4584 wrote to memory of 3052	4584	4ef5d993dfcfced0e8ca4529613c2d7f_JaffaCakes118.exe	regasm.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads