Analysis

  • max time kernel
    145s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    19-05-2024 20:31

General

  • Target

    5b51fcb93e6d3718bba97e531ba8ad2d_JaffaCakes118.exe

  • Size

    1.0MB

  • MD5

    5b51fcb93e6d3718bba97e531ba8ad2d

  • SHA1

    3ea027b5382e84f2936fc688781de0a2fc167db1

  • SHA256

    b2d23e455eb56451966097d786f7b7e3a056e693f7811b179147da1603850aef

  • SHA512

    76242227fc5b7d07973c45ae541eb050e212e9136cd5b1b8abbf9c963d1493f5333bdcffcf6029c04ba81dd7e5d9f9330f67038d82ff80ab7d1b677e69e679d8

  • SSDEEP

    12288:EQbgTLDAmuSRNHNwmFUMJW48HGO+hfuQ/c0TQyZKpL9GQ5Qw:EQkTLMmuSRNHNwmFUEZ4GOIft/1Qp9GA

Score
10/10

Malware Config

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5b51fcb93e6d3718bba97e531ba8ad2d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5b51fcb93e6d3718bba97e531ba8ad2d_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:340
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2580
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2708
        • C:\Windows\system32\mstsc.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          4⤵
          • Enumerates connected drives
          • Suspicious behavior: GetForegroundWindowSpam
          PID:2592

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/340-16-0x0000000000400000-0x0000000000538000-memory.dmp

    Filesize

    1.2MB

  • memory/340-2-0x0000000000535000-0x0000000000536000-memory.dmp

    Filesize

    4KB

  • memory/340-1-0x0000000000400000-0x0000000000538000-memory.dmp

    Filesize

    1.2MB

  • memory/340-3-0x0000000000400000-0x0000000000538000-memory.dmp

    Filesize

    1.2MB

  • memory/340-4-0x0000000000400000-0x0000000000538000-memory.dmp

    Filesize

    1.2MB

  • memory/340-5-0x0000000000400000-0x0000000000538000-memory.dmp

    Filesize

    1.2MB

  • memory/340-6-0x0000000000400000-0x0000000000538000-memory.dmp

    Filesize

    1.2MB

  • memory/340-7-0x0000000000535000-0x0000000000536000-memory.dmp

    Filesize

    4KB

  • memory/340-0-0x0000000000400000-0x0000000000538000-memory.dmp

    Filesize

    1.2MB

  • memory/2580-12-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/2580-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2580-8-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/2580-17-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/2580-19-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/2592-20-0x0000000001E50000-0x0000000001E51000-memory.dmp

    Filesize

    4KB

  • memory/2708-18-0x0000000001000000-0x0000000001104000-memory.dmp

    Filesize

    1.0MB