Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-05-2024 17:42

General

  • Target

    5aa3e5eafe9fe3da717d5996a830cd14_JaffaCakes118.exe

  • Size

    879KB

  • MD5

    5aa3e5eafe9fe3da717d5996a830cd14

  • SHA1

    5c6bb95199209778cb31a710cdcb4a48aeeb3e6e

  • SHA256

    668bfc84804f44313ed60e9a4f06eeeedbc009f779f620673025f54cf1d7ac02

  • SHA512

    ccd855646dad4b561556818592c863079f55aa8b82935c75b6d7fbc3358e9107cdef6e39802988fc897410b499073014e09a608fc36b2923ed05019096851f7d

  • SSDEEP

    12288:68XrFMOLZBoEL2R0SSDGootOCA/OR2AyBf7xXsXdV+Tf/6SHNGSsf9g2Q0jC+/f1:68Xr+EJL2RkDGOHOEZfN8Sj/9dmx2+V

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5aa3e5eafe9fe3da717d5996a830cd14_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa3e5eafe9fe3da717d5996a830cd14_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4332
    • C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:60
      • C:\Users\Admin\AppData\Local\Temp\FB_FB96.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\FB_FB96.tmp.exe"
        3⤵
        • Executes dropped EXE
        PID:1624
      • C:\Users\Admin\AppData\Local\Temp\FB_FCB0.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\FB_FCB0.tmp.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Adds policy Run key to start application
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • Modifies WinLogon
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2436
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:2784
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\20mcos\20mcos.exe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3740
            • C:\Users\Admin\AppData\Roaming\20mcos\20mcos.exe
              C:\Users\Admin\AppData\Roaming\20mcos\20mcos.exe
              6⤵
              • Modifies WinLogon for persistence
              • Adds policy Run key to start application
              • Executes dropped EXE
              • Adds Run key to start application
              • Modifies WinLogon
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:4532
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                7⤵
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of SetWindowsHookEx
                PID:1628

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\FB_FB96.tmp.exe

    Filesize

    3KB

    MD5

    74bafb3e707c7b0c63938ac200f99c7f

    SHA1

    10c5506337845ed9bf25c73d2506f9c15ab8e608

    SHA256

    129450ba06ad589cf6846a455a5b6b5f55e164ee4906e409eb692ab465269689

    SHA512

    5b24dc5acd14f812658e832b587b60695fb16954fca006c2c3a7382ef0ec65c3bd1aaf699425c49ff3cceef16869e75dd6f00ec189b9f673f08f7e1b80cf7781

  • C:\Users\Admin\AppData\Local\Temp\FB_FCB0.tmp.exe

    Filesize

    124KB

    MD5

    663817126bcbfb5363e1ccf899d7e25c

    SHA1

    a4ddb193cc750325dc01817966a29b77fbde88c4

    SHA256

    f08db58c7ae0bf65ecf99e1bb5c1576692172ee59ba2c8f6bfda8580ca443a06

    SHA512

    b28f7b6b09694e621baac7d02a873fb6775e90b6d1a04acf36d8b94aa49d3b042114c396ef5aff95af4e40c777399a2999a023373d2011fbfaf8c59b91751b7e

  • C:\Users\Admin\AppData\Local\Temp\install.vbs

    Filesize

    552B

    MD5

    beb6898a23e3ec9bf013bac14f601daf

    SHA1

    3137d43d5f5add5517dc9db02482a6fe965b8e0d

    SHA256

    875ef0f499ebce8f9381c8fcdc6140c9daa10efff86076682a8e8f9f05b6e63c

    SHA512

    3abc30353f8baf847b226aebb48b11d0e34930a11c40a0a22513a6d6176fbf7ca84a884fd6e2d93af0d9010515c1ade51e5f6aea12cf1ed70ec56c4a7aacda32

  • C:\Users\Admin\AppData\Roaming\20mcoslogs\logs.dat

    Filesize

    117B

    MD5

    4d10ff778c0db3c328f4d554105ad447

    SHA1

    3e967f220d0d7eb8ff31169dc63cbee3184b972e

    SHA256

    c7d1fcad547fa014b9f486bc72c01a5fe40ff68f0238da7f76df8f9944bd0029

    SHA512

    705a563d1d09ae2fb059027fe48ef2e25c7240304acbc21e61bf36720b501509f2b0065c62b525e9d8edbc524986253856f77d8be0758be220da41397bf12761

  • memory/60-6-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/60-10-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/60-12-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1628-38-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/4332-0-0x0000000002160000-0x0000000002161000-memory.dmp

    Filesize

    4KB

  • memory/4332-1-0x0000000000400000-0x00000000004E1000-memory.dmp

    Filesize

    900KB

  • memory/4332-3-0x0000000002160000-0x0000000002161000-memory.dmp

    Filesize

    4KB

  • memory/4332-13-0x0000000000400000-0x00000000004E1000-memory.dmp

    Filesize

    900KB