Analysis
- max time kernel: 146s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-05-2024 23:16
Static task: static1
Behavioral task: behavioral1
- Sample: 5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe
- Size: 624KB
- MD5: 5bfc4a0b0e7484ff63f2eb66b45186b7
- SHA1: 804f350c5034fc13fcc3d49e72de98799e301fb2
- SHA256: 9ab651c11036df65785bcd01fe6ecb68a9b0beb56579b76c350dbd3f6960f0ae
- SHA512: 084dcda591290c89d1fec84c7868d65522d193524cbbc15d61bec710f617535bf77386ea5a6c3c1b366cce216dd7310d84271847775497533648d04b8ae00620
- SSDEEP: 6144:Fp7rCb1Ekm7tzWFMLP1Coq4nFNDsFWhMh0Q/AISm9rY1NOC8IBfmbhscwovdC5OB:FJrCZW9WGLP1MWaym3C8qmbyo05OcEl
Malware Config
Extracted
- Family: remcos
- Version: 1.8.1 Pro
- Botnet: MicrosoftDll
- C2: 1.habladourf.top:24043
- audio_folder: audio
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 5
- copy_file: crrcs.exe
- copy_folder: Microsoft
- delete_file: false
- hide_file: true
- hide_keylog_file: true
- install_flag: true
- install_path: %WinDir%\System32
- keylog_crypt: true
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- keylog_path: %AppData%
- mouse_option: false
- mutex: ERDATYFVUASG_AGSJHDJDJG-GR2269
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 1
- startup_value: crrcs.exe
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - 5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe: Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (1 IoC)
  Processes:
  - crrcs.exe (PID 4164)
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes:
  - crrcs.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\crrcs.exe = "\"C:\\Windows\\SysWOW64\\Microsoft\\crrcs.exe\""
  - 5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crrcs.exe = "\"C:\\Windows\\SysWOW64\\Microsoft\\crrcs.exe\""
  - 5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\crrcs.exe = "\"C:\\Windows\\SysWOW64\\Microsoft\\crrcs.exe\""
  - crrcs.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crrcs.exe = "\"C:\\Windows\\SysWOW64\\Microsoft\\crrcs.exe\""
- Drops file in System32 directory (3 IoCs)
  Processes:
  - 5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe: File opened for modification C:\Windows\SysWOW64\Microsoft\crrcs.exe
  - 5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe: File opened for modification C:\Windows\SysWOW64\Microsoft
  - 5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe: File created C:\Windows\SysWOW64\Microsoft\crrcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (28 IoCs)
  Processes:
  - PID 5100 5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe (14 IoCs)
  - PID 4164 crrcs.exe (14 IoCs)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  - crrcs.exe (PID 4164)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  - PID 5100 5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe wrote to memory of PID 4948 cmd.exe (3 IoCs)
  - PID 4948 cmd.exe wrote to memory of PID 2244 PING.EXE (3 IoCs)
  - PID 4948 cmd.exe wrote to memory of PID 4164 crrcs.exe (3 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5bfc4a0b0e7484ff63f2eb66b45186b7_JaffaCakes118.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 5100
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 4948
    - C:\Windows\SysWOW64\PING.EXE
      Command line: PING 127.0.0.1 -n 2
      - Runs ping.exe
      PID: 2244
    - C:\Windows\SysWOW64\Microsoft\crrcs.exe
      Command line: "C:\Windows\SysWOW64\Microsoft\crrcs.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      PID: 4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4256,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=3924 /prefetch:8
  PID: 1596
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 90B
  MD5: 163f2af0d421cff56e30d04e89363fe7
  SHA1: 5116aa1cad828ecd3e0819c15523839901fa6eac
  SHA256: 2f9c8881dd083f02446f616ce3fbbcb008bb92b21cfd5dc85652a38d297eebf5
  SHA512: 303ca46c8319393f7257088328da0bcd4b5a66de64fb15fd0e306dccf4985d8179d73c346d44c574807436aedd7da8cabb0c24494876fb5c151dd62d174bc8fb
- Filesize: 624KB
  MD5: 5bfc4a0b0e7484ff63f2eb66b45186b7
  SHA1: 804f350c5034fc13fcc3d49e72de98799e301fb2
  SHA256: 9ab651c11036df65785bcd01fe6ecb68a9b0beb56579b76c350dbd3f6960f0ae
  SHA512: 084dcda591290c89d1fec84c7868d65522d193524cbbc15d61bec710f617535bf77386ea5a6c3c1b366cce216dd7310d84271847775497533648d04b8ae00620