Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 18-05-2024 21:39
Static task
- static1
Behavioral task
- behavioral1: Sample 56ed7755596cbebf5045b5ae092bd53e_JaffaCakes118.exe, Resource win7-20240508-en
Behavioral task
- behavioral2: Sample 56ed7755596cbebf5045b5ae092bd53e_JaffaCakes118.exe, Resource win10v2004-20240508-en
General
- Target: 56ed7755596cbebf5045b5ae092bd53e_JaffaCakes118.exe
- Size: 568KB
- MD5: 56ed7755596cbebf5045b5ae092bd53e
- SHA1: 1ab7c4db5124049dafea240b89cfa26e58356e1b
- SHA256: d4882f9891573b8583ce81aaf4658b8163c0731d7800a41f5146f4ce34f4c2cc
- SHA512: 8f00e4f8345aa6a5ec06cab00eca49ec980c46a3c19a7fba86a757a7c09d47f3d6f0d611ce8e801260aaa29ece17815a7204aa5247dc0ea0b57f2bca4abe037d
- SSDEEP: 12288:eVuOp7v1NAGhtLylx7uyslnjwKpj/05AXjVYyuOk3y+:FecGhtLix7uycbh4p
Malware Config
Extracted
- remcos 2.5.0 Pro
- notfnaf
- ddns.rbs.pw:24092
- audio_folder: MicRecords
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: data.dat
- keylog_flag: false
- keylog_folder: winsock
- keylog_path: %AppData%
- mouse_option: false
- mutex: clowndown-I5YG6M
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: remcos
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title: wikipedia;solitaire;
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: 56ed7755596cbebf5045b5ae092bd53e_JaffaCakes118.exe
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\winsock\\fuhMeWYHV1Cz.exe\",explorer.exe"
- Uses the VBS compiler for execution (1 TTP)
- Suspicious use of SetThreadContext (1 IoC)
  PID 2128 (56ed7755596cbebf5045b5ae092bd53e_JaffaCakes118.exe) set thread context of PID 2264 (vbc.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 2128 (56ed7755596cbebf5045b5ae092bd53e_JaffaCakes118.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 2128 (56ed7755596cbebf5045b5ae092bd53e_JaffaCakes118.exe): Token: SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2264 (vbc.exe)
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 2128 (56ed7755596cbebf5045b5ae092bd53e_JaffaCakes118.exe) wrote to memory of PID 2264 (vbc.exe), recorded 11 times
Processes
- C:\Users\Admin\AppData\Local\Temp\56ed7755596cbebf5045b5ae092bd53e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\56ed7755596cbebf5045b5ae092bd53e_JaffaCakes118.exe"
  Depth: 1
  PID: 2128
  - Modifies WinLogon for persistence
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    Depth: 2
    PID: 2264
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 74B
  MD5: 2bebfbfe95c2ff4053fc8f98d169d71a
  SHA1: b842ec1dbf450f496d14cfef71d66da0e541317e
  SHA256: 0593ccc3fded5ff5edf1c1623402f012387f52d8427a0eb177b1e8bd329a484d
  SHA512: 2e8f2f0e399dcc43b2cd95f35295b6bb1a4554f8ba8e8bbaaa27ccf69656179fcdfd74db84eb87803782d375ac6990f1e8f087049dd0fbbdf3af2b462bf951a4