Analysis
  max time kernel: 146s
  max time network: 121s
  platform: windows7_x64
  resource: win7-20240220-en
  resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  submitted: 19-05-2024 23:16

Static task: static1

Behavioral task: behavioral1
  Sample: 5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe
  Resource: win7-20240220-en

Behavioral task: behavioral2
  Sample: 5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
  Target: 5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe
  Size: 624KB
  MD5: 5bfc4a0b0e7484ff63f2eb66b45186b7
  SHA1: 804f350c5034fc13fcc3d49e72de98799e301fb2
  SHA256: 9ab651c11036df65785bcd01fe6ecb68a9b0beb56579b76c350dbd3f6960f0ae
  SHA512: 084dcda591290c89d1fec84c7868d65522d193524cbbc15d61bec710f617535bf77386ea5a6c3c1b366cce216dd7310d84271847775497533648d04b8ae00620
  SSDEEP: 6144:Fp7rCb1Ekm7tzWFMLP1Coq4nFNDsFWhMh0Q/AISm9rY1NOC8IBfmbhscwovdC5OB:FJrCZW9WGLP1MWaym3C8qmbyo05OcEl
Malware Config
  Extracted family: remcos
  Version: 1.8.1 Pro
  Botnet: MicrosoftDll
  C2: 1.habladourf.top:24043

  audio_folder: audio
  audio_path: %AppData%
  audio_record_time: 5
  connect_delay: 0
  connect_interval: 5
  copy_file: crrcs.exe
  copy_folder: Microsoft
  delete_file: false
  hide_file: true
  hide_keylog_file: true
  install_flag: true
  install_path: %WinDir%\System32
  keylog_crypt: true
  keylog_file: logs.dat
  keylog_flag: false
  keylog_folder: remcos
  keylog_path: %AppData%
  mouse_option: false
  mutex: ERDATYFVUASG_AGSJHDJDJG-GR2269
  screenshot_crypt: false
  screenshot_flag: false
  screenshot_folder: Screenshots
  screenshot_path: %AppData%
  screenshot_time: 1
  startup_value: crrcs.exe
  take_screenshot_option: false
  take_screenshot_time: 5
Signatures

  Executes dropped EXE (1 IoCs)
    Processes: crrcs.exe
      pid  | process
      2608 | crrcs.exe

  Loads dropped DLL (2 IoCs)
    Processes: cmd.exe
      pid  | process
      2592 | cmd.exe
      2592 | cmd.exe

  Adds Run key to start application (2 TTPs, 4 IoCs)
    Processes: 5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe, crrcs.exe
      description     | ioc | process
      Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\crrcs.exe = "\"C:\\Windows\\SysWOW64\\Microsoft\\crrcs.exe\"" | 5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe
      Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\crrcs.exe = "\"C:\\Windows\\SysWOW64\\Microsoft\\crrcs.exe\"" | 5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe
      Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\crrcs.exe = "\"C:\\Windows\\SysWOW64\\Microsoft\\crrcs.exe\"" | crrcs.exe
      Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\crrcs.exe = "\"C:\\Windows\\SysWOW64\\Microsoft\\crrcs.exe\"" | crrcs.exe

  Drops file in System32 directory (3 IoCs)
    Processes: 5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe
      description                  | ioc | process
      File opened for modification | C:\Windows\SysWOW64\Microsoft\crrcs.exe | 5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe
      File opened for modification | C:\Windows\SysWOW64\Microsoft | 5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe
      File created                 | C:\Windows\SysWOW64\Microsoft\crrcs.exe | 5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe

  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).

  Runs ping.exe (1 TTPs, 1 IoCs)

  Suspicious behavior: EnumeratesProcesses (14 IoCs)
    Processes: 5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe, crrcs.exe
      pid  | process
      2784 | 5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe (7 entries)
      2608 | crrcs.exe (7 entries)

  Suspicious use of SetWindowsHookEx (1 IoCs)
    Processes: crrcs.exe
      pid  | process
      2608 | crrcs.exe

  Suspicious use of WriteProcessMemory (15 IoCs)
    Processes: 5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe, cmd.exe
      description                     | pid  | process | target process
      PID 2784 wrote to memory of 2592 | 2784 | 5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe | cmd.exe (7 entries)
      PID 2592 wrote to memory of 2712 | 2592 | cmd.exe | PING.EXE (4 entries)
      PID 2592 wrote to memory of 2608 | 2592 | cmd.exe | crrcs.exe (4 entries)
Processes

  C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe"
  PID: 2784
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    PID: 2592
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\PING.EXE
      Command line: PING 127.0.0.1 -n 2
      PID: 2712
        - Runs ping.exe

      C:\Windows\SysWOW64\Microsoft\crrcs.exe
      Command line: "C:\Windows\SysWOW64\Microsoft\crrcs.exe"
      PID: 2608
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 90B
  MD5: 163f2af0d421cff56e30d04e89363fe7
  SHA1: 5116aa1cad828ecd3e0819c15523839901fa6eac
  SHA256: 2f9c8881dd083f02446f616ce3fbbcb008bb92b21cfd5dc85652a38d297eebf5
  SHA512: 303ca46c8319393f7257088328da0bcd4b5a66de64fb15fd0e306dccf4985d8179d73c346d44c574807436aedd7da8cabb0c24494876fb5c151dd62d174bc8fb

  Filesize: 624KB
  MD5: 5bfc4a0b0e7484ff63f2eb66b45186b7
  SHA1: 804f350c5034fc13fcc3d49e72de98799e301fb2
  SHA256: 9ab651c11036df65785bcd01fe6ecb68a9b0beb56579b76c350dbd3f6960f0ae
  SHA512: 084dcda591290c89d1fec84c7868d65522d193524cbbc15d61bec710f617535bf77386ea5a6c3c1b366cce216dd7310d84271847775497533648d04b8ae00620