Malware Analysis Report

2024-11-13 18:51

Sample ID 240519-wr9blaah8x
Target 5ab7ab87a1164876f8515a82ec11a51d_JaffaCakes118
SHA256 bca0f84530687df0192d79ce7bc1f1359c5ffccbbba864006d525697a964bfca
Tags
remcos remcos20 persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bca0f84530687df0192d79ce7bc1f1359c5ffccbbba864006d525697a964bfca

Threat Level: Known bad

The file 5ab7ab87a1164876f8515a82ec11a51d_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

remcos remcos20 persistence rat

Remcos

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-19 18:10

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 18:10

Reported

2024-05-19 18:13

Platform

win7-20240508-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5ab7ab87a1164876f8515a82ec11a51d_JaffaCakes118.exe"

Signatures

Remcos

rat remcos

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Applicationtinjtbertsnrimrjtbrdyth = "C:\\Users\\Admin\\AppData\\Roaming\\appert8u5e5e7yhg45e.exe -boot" | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1528 set thread context of 1916 | N/A | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new | C:\Users\Admin\AppData\Local\Temp\5ab7ab87a1164876f8515a82ec11a51d_JaffaCakes118.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new | C:\Users\Admin\AppData\Local\Temp\5ab7ab87a1164876f8515a82ec11a51d_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5ab7ab87a1164876f8515a82ec11a51d_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2236 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\5ab7ab87a1164876f8515a82ec11a51d_JaffaCakes118.exe | C:\Windows\SysWOW64\explorer.exe
PID 2236 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\5ab7ab87a1164876f8515a82ec11a51d_JaffaCakes118.exe | C:\Windows\SysWOW64\explorer.exe
PID 2236 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\5ab7ab87a1164876f8515a82ec11a51d_JaffaCakes118.exe | C:\Windows\SysWOW64\explorer.exe
PID 2236 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\5ab7ab87a1164876f8515a82ec11a51d_JaffaCakes118.exe | C:\Windows\SysWOW64\explorer.exe
PID 2216 wrote to memory of 1528 | N/A | C:\Windows\explorer.exe | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe
PID 2216 wrote to memory of 1528 | N/A | C:\Windows\explorer.exe | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe
PID 2216 wrote to memory of 1528 | N/A | C:\Windows\explorer.exe | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe
PID 2216 wrote to memory of 1528 | N/A | C:\Windows\explorer.exe | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe
PID 1528 wrote to memory of 2468 | N/A | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe
PID 1528 wrote to memory of 2468 | N/A | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe
PID 1528 wrote to memory of 2468 | N/A | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe
PID 1528 wrote to memory of 2468 | N/A | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe
PID 1528 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe
PID 1528 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe
PID 1528 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe
PID 1528 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe
PID 1528 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe
PID 1528 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe
PID 1528 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe
PID 1528 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe
PID 1528 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe
PID 1528 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5ab7ab87a1164876f8515a82ec11a51d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5ab7ab87a1164876f8515a82ec11a51d_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\System32\explorer.exe" /c select, C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe

"C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe"

C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe

"C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe"

C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe

"C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | casillas.hicam.net | udp
US | 8.8.8.8:53 | casillasmx.chickenkiller.com | udp
US | 8.8.8.8:53 | casillas45.hopto.org | udp
US | 8.8.8.8:53 | casillas.libfoobar.so | udp
US | 8.8.8.8:53 | du4alr0ute.sendsmtp.com | udp
MX | 187.155.77.154:2404 | du4alr0ute.sendsmtp.com | tcp
US | 8.8.8.8:53 | settings.wifizone.org | udp
MX | 187.155.77.154:2404 | du4alr0ute.sendsmtp.com | tcp

Files

memory/2236-0-0x00000000748D1000-0x00000000748D2000-memory.dmp

memory/2236-1-0x00000000748D0000-0x0000000074E7B000-memory.dmp

memory/2236-2-0x00000000748D0000-0x0000000074E7B000-memory.dmp

memory/2236-3-0x00000000748D0000-0x0000000074E7B000-memory.dmp

memory/2236-4-0x00000000748D0000-0x0000000074E7B000-memory.dmp

memory/2236-10-0x00000000748D0000-0x0000000074E7B000-memory.dmp

C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe

MD5 5ab7ab87a1164876f8515a82ec11a51d
SHA1 4268a9c421a1c37695acc67435334269ac8622ec
SHA256 bca0f84530687df0192d79ce7bc1f1359c5ffccbbba864006d525697a964bfca
SHA512 686348f82ecac03181776e153c9f8b6219ce3e5e057f1e6ba42182e0fa075832f5284a36a05d5e90a96dfef7fd8b6f7b905d69ce97d68a6e8553fbb2bc55a8b8

C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch

MD5 1df068aad0bc9ecfccea3c9623c08328
SHA1 701a011c59d5ac1efd342d1b8016b77572ca44f0
SHA256 16672dca18dce9f63b769332d8e00d3adc4c12993852089d41d28e0c5c7d4018
SHA512 4f715c700e140b75726d65898a666eac9671675066b0673621756ae1f81308f453131d7104b6773b35b0d887a71bf1ce1269fc907ae94af2fe3e7da6cfcffc6d

memory/1916-16-0x0000000000400000-0x000000000041C000-memory.dmp

memory/1916-18-0x0000000000400000-0x000000000041C000-memory.dmp

memory/1916-19-0x0000000000400000-0x000000000041C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 18:10

Reported

2024-05-19 18:13

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5ab7ab87a1164876f8515a82ec11a51d_JaffaCakes118.exe"

Signatures

Remcos

rat remcos

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5ab7ab87a1164876f8515a82ec11a51d_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Applicationtinjtbertsnrimrjtbrdyth = "C:\\Users\\Admin\\AppData\\Roaming\\appert8u5e5e7yhg45e.exe -boot" | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 336 set thread context of 3008 | N/A | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new | C:\Users\Admin\AppData\Local\Temp\5ab7ab87a1164876f8515a82ec11a51d_JaffaCakes118.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new | C:\Users\Admin\AppData\Local\Temp\5ab7ab87a1164876f8515a82ec11a51d_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5ab7ab87a1164876f8515a82ec11a51d_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2720 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\5ab7ab87a1164876f8515a82ec11a51d_JaffaCakes118.exe | C:\Windows\SysWOW64\explorer.exe
PID 2720 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\5ab7ab87a1164876f8515a82ec11a51d_JaffaCakes118.exe | C:\Windows\SysWOW64\explorer.exe
PID 2720 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\5ab7ab87a1164876f8515a82ec11a51d_JaffaCakes118.exe | C:\Windows\SysWOW64\explorer.exe
PID 4632 wrote to memory of 336 | N/A | C:\Windows\explorer.exe | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe
PID 4632 wrote to memory of 336 | N/A | C:\Windows\explorer.exe | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe
PID 4632 wrote to memory of 336 | N/A | C:\Windows\explorer.exe | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe
PID 336 wrote to memory of 4512 | N/A | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe
PID 336 wrote to memory of 4512 | N/A | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe
PID 336 wrote to memory of 4512 | N/A | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe
PID 336 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe
PID 336 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe
PID 336 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe
PID 336 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe
PID 336 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe
PID 336 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe
PID 336 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe
PID 336 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe
PID 336 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe | C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5ab7ab87a1164876f8515a82ec11a51d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5ab7ab87a1164876f8515a82ec11a51d_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\System32\explorer.exe" /c select, C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe

"C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe"

C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe

"C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe"

C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe

"C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 204.79.197.237:443 | g.bing.com | tcp
BE | 88.221.83.185:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 185.83.221.88.in-addr.arpa | udp
BE | 88.221.83.185:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | casillas.hicam.net | udp
US | 8.8.8.8:53 | casillasmx.chickenkiller.com | udp
US | 8.8.8.8:53 | casillas45.hopto.org | udp
US | 8.8.8.8:53 | casillas.libfoobar.so | udp
US | 8.8.8.8:53 | du4alr0ute.sendsmtp.com | udp
MX | 187.155.77.154:2404 | du4alr0ute.sendsmtp.com | tcp
US | 8.8.8.8:53 | settings.wifizone.org | udp

Files

memory/2720-0-0x0000000074E42000-0x0000000074E43000-memory.dmp

memory/2720-1-0x0000000074E40000-0x00000000753F1000-memory.dmp

memory/2720-2-0x0000000074E40000-0x00000000753F1000-memory.dmp

memory/2720-3-0x0000000074E40000-0x00000000753F1000-memory.dmp

memory/2720-4-0x0000000074E40000-0x00000000753F1000-memory.dmp

memory/2720-5-0x0000000074E42000-0x0000000074E43000-memory.dmp

memory/2720-12-0x0000000074E40000-0x00000000753F1000-memory.dmp

C:\Users\Admin\AppData\Roaming\appert8u5e5e7yhg45e.exe

MD5 5ab7ab87a1164876f8515a82ec11a51d
SHA1 4268a9c421a1c37695acc67435334269ac8622ec
SHA256 bca0f84530687df0192d79ce7bc1f1359c5ffccbbba864006d525697a964bfca
SHA512 686348f82ecac03181776e153c9f8b6219ce3e5e057f1e6ba42182e0fa075832f5284a36a05d5e90a96dfef7fd8b6f7b905d69ce97d68a6e8553fbb2bc55a8b8

C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch

MD5 459aaa4ef6cb96ca6c2d826a2ee7517f
SHA1 b371e0e5d621816f87f1b027813289e45085681d
SHA256 5df0a1c86b2edefe26537322eea9a8807d0468fa54464c2eba1f3c10fab5919e
SHA512 b31ccdfb6ef8299abfbfddb8f20450f08ef1187e9f138845df2f619325f436fa30152b3e96e3bef6b47ed6fa9595bec7584e96cf8b1708038f0027bbd0179b27

memory/3008-18-0x0000000000400000-0x000000000041C000-memory.dmp

memory/3008-23-0x0000000000400000-0x000000000041C000-memory.dmp

memory/3008-22-0x0000000000400000-0x000000000041C000-memory.dmp

memory/3008-20-0x0000000000400000-0x000000000041C000-memory.dmp