Analysis
- max time kernel: 146s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 23-05-2024 04:37
- Static task: static1
- Behavioral task: behavioral1
- Sample: 69bda55cf1a5f060d8d583646f986943_JaffaCakes118.exe
- Resource: win7-20240508-en
General
- Target: 69bda55cf1a5f060d8d583646f986943_JaffaCakes118.exe
- Size: 435KB
- MD5: 69bda55cf1a5f060d8d583646f986943
- SHA1: 6c46cc4216bf9e2ab963ced691b0e9bce6a359d6
- SHA256: 02dfbee0b56dd31315f9661286364a5575589577de2077423e59c7bed46bc4d7
- SHA512: 2db813ba399bb7068dc132404fb08d8dd48bae6045dbb7db7222044598b85133227c3269b35112c56692e998d1ff7b1b00ac9e697039b79a241cabbd555d94a4
- SSDEEP: 6144:6zYRHXOH+jso2yGB0bU0R+ZO6EzmzFlblw2:6zYRD4Izmzbb+
Malware Config
Extracted family: remcos
- Version: 1.9.9 Pro
- Botnet: Gold Farm
- C2: fzsification.bounceme.net:9009 (a No-IP dynamic DNS hostname)
- audio_folder: audio
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 5
- copy_file: remcos.exe
- copy_folder: remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: true
- install_flag: false
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: log8498.bat
- keylog_flag: false
- keylog_folder: Windows Command Module
- keylog_path: %AppData%
- mouse_option: false
- mutex: Null-8WJKBY
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: remcos
- take_screenshot_option: true
- take_screenshot_time: 5
- take_screenshot_title: coin;bitcoin;crypto;ethereum;litecoin;bitfinex;bittrex;coinbase;paypal;

Reading the config: install_flag, keylog_flag and screenshot_flag are all false, so the built-in installer, keylogger and periodic screenshot capture are switched off. What is enabled is take_screenshot_option, which captures the screen when the foreground window title contains one of the listed keywords (cryptocurrency exchanges, wallets and PayPal); this is consistent with the GetForegroundWindowSpam signature on svhost.exe below. The persistence seen in this run (the Startup folder .lnk and the legacy Load value) is set up by the dropper itself, not by the copy_file/startup_value settings of the RAT, which never installs because install_flag is false.
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bird.exe.lnk, by 69bda55cf1a5f060d8d583646f986943_JaffaCakes118.exe
- Executes dropped EXE (1 IoC)
  PID 2756 svhost.exe
- Loads dropped DLL (1 IoC)
  PID 3048 69bda55cf1a5f060d8d583646f986943_JaffaCakes118.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 3048 (69bda55cf1a5f060d8d583646f986943_JaffaCakes118.exe) set thread context of PID 2756 (svhost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
  PID 2568 timeout.exe
- NTFS ADS (1 IoC)
  File created: C:\Users\Admin\AppData\Local\Temp\Pidgin\bird.exe:Zone.Identifier, by cmd.exe
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  PID 3048 69bda55cf1a5f060d8d583646f986943_JaffaCakes118.exe (15 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2756 svhost.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 3048 69bda55cf1a5f060d8d583646f986943_JaffaCakes118.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2756 svhost.exe
- Suspicious use of WriteProcessMemory (27 IoCs)
  PID 3048 (69bda55cf1a5f060d8d583646f986943_JaffaCakes118.exe) wrote to memory of PID 3032 (cmd.exe): 4 entries
  PID 3032 (cmd.exe) wrote to memory of PID 2152 (reg.exe): 4 entries
  PID 3048 (69bda55cf1a5f060d8d583646f986943_JaffaCakes118.exe) wrote to memory of PID 2756 (svhost.exe): 11 entries
  PID 3048 (69bda55cf1a5f060d8d583646f986943_JaffaCakes118.exe) wrote to memory of PID 2524 (cmd.exe): 4 entries
  PID 2524 (cmd.exe) wrote to memory of PID 2568 (timeout.exe): 4 entries

The handful of writes into each cmd.exe, reg.exe and timeout.exe child are what a parent performs when it creates a child process and can be ignored. The eleven writes into svhost.exe, combined with the SetThreadContext call from the same parent, the SeDebugPrivilege request and the repeated 120KB dumps of the 0x400000 region of PID 2756 in the Downloads section, are the process-hollowing pattern: write a payload into a freshly created child, then redirect its main thread into it. The reg.exe command stores the Startup .lnk path in the legacy HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load value, a second persistence location that is far less commonly monitored than the Run keys.
Processes
1. C:\Users\Admin\AppData\Local\Temp\69bda55cf1a5f060d8d583646f986943_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\69bda55cf1a5f060d8d583646f986943_JaffaCakes118.exe"
   - Drops startup file
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe"
      - NTFS ADS
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\reg.exe
         Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Pidgin\bird.exe.lnk" /f
   2. C:\Users\Admin\AppData\Local\Temp\svhost.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      - Executes dropped EXE
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Pidgin\bird.exe.bat
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\timeout.exe
         Command line: timeout /t 300
         - Delays execution with timeout.exe
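The tree above is the whole chain in three moves: a dropper running from %TEMP% registers a Startup .lnk and the legacy Load value through cmd.exe/reg.exe, hollows the dropped svhost.exe (a name one character away from svchost.exe), and runs bird.exe.bat, which sleeps for 300 seconds via timeout. The following Python is an added example, not part of this report or of any sandbox's code, that turns those three observations into hunting rules over constructed process-creation records modelled on the tree. The record fields pid, ppid, image and cmdline are assumptions; map them onto your Sysmon or EDR schema.

```python
"""
Hunting checks for the chain in the process tree above, run over constructed
process-creation records (added example, not sandbox output). The record
fields pid/ppid/image/cmdline are assumed; map them to your Sysmon/EDR schema.
"""
import re

# Constructed records modelled on the report's process tree, plus one benign
# reg.exe control so the Load-value rule has a negative case to ignore.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\69bda55cf1a5f060d8d583646f986943_JaffaCakes118.exe"
EVENTS = [
    {"pid": 3048, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 3032, "ppid": 3048, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": '"cmd.exe"'},
    {"pid": 2152, "ppid": 3032, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r'reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ '
                r'/d "C:\Users\Admin\AppData\Local\Temp\Pidgin\bird.exe.lnk" /f'},
    {"pid": 2756, "ppid": 3048, "image": r"C:\Users\Admin\AppData\Local\Temp\svhost.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\svhost.exe"'},
    {"pid": 2524, "ppid": 3048, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd /c C:\Users\Admin\AppData\Local\Temp\Pidgin\bird.exe.bat"},
    {"pid": 2568, "ppid": 2524, "image": r"C:\Windows\SysWOW64\timeout.exe", "cmdline": "timeout /t 300"},
    {"pid": 4000, "ppid": 1000, "image": r"C:\Windows\System32\reg.exe",   # benign control (constructed)
     "cmdline": r'reg add "HKCU\Software\Contoso\App" /v Theme /t REG_SZ /d dark /f'},
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.I)
LOAD_KEY = re.compile(r"Windows NT\\CurrentVersion\\Windows\b", re.I)
SYSTEM_NAMES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "explorer.exe")


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def load_value_persistence(events):
    """reg.exe writing the legacy HKCU\\...\\Windows NT\\CurrentVersion\\Windows\\Load value."""
    hits = []
    for e in events:
        if _basename(e["image"]) != "reg.exe" or not LOAD_KEY.search(e["cmdline"]):
            continue
        if not re.search(r"/v\s+Load\b", e["cmdline"], re.I):
            continue
        m = re.search(r'/d\s+(?:"([^"]*)"|(\S+))', e["cmdline"], re.I)  # quoted or bare data
        target = (m.group(1) or m.group(2)) if m else None
        hits.append({"pid": e["pid"], "parent": e["ppid"], "target": target})
    return hits


def _ancestors(events, pid):
    by_pid = {e["pid"]: e for e in events}
    seen = set()
    while pid in by_pid and pid not in seen:  # guard against pid reuse loops
        seen.add(pid)
        yield by_pid[pid]
        pid = by_pid[pid]["ppid"]


def delayed_execution_from_user_path(events):
    """timeout.exe whose ancestry leads back to an executable in a user-writable folder."""
    hits = []
    for e in events:
        if _basename(e["image"]) != "timeout.exe":
            continue
        m = re.search(r"/t\s+(\d+)", e["cmdline"], re.I)
        origin = next((a for a in _ancestors(events, e["ppid"]) if USER_WRITABLE.search(a["image"])), None)
        if origin is not None:
            hits.append({"pid": e["pid"], "seconds": int(m.group(1)) if m else None,
                         "origin_pid": origin["pid"], "origin": origin["image"]})
    return hits


def _edit_distance(a, b):
    """Levenshtein distance; small enough that O(len(a)*len(b)) is fine for file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_binaries(events):
    """Executables in user-writable paths named like, or one edit away from, core Windows binaries."""
    hits = []
    for e in events:
        if not USER_WRITABLE.search(e["image"]):
            continue
        name = _basename(e["image"])
        best = min(SYSTEM_NAMES, key=lambda s: _edit_distance(name, s))
        dist = _edit_distance(name, best)
        if dist <= 1:  # 0 = exact masquerade in a user path, 1 = typo-squat such as svhost.exe
            hits.append({"pid": e["pid"], "image": e["image"], "mimics": best, "distance": dist})
    return hits


def hunt(events):
    return {
        "load_value_persistence": load_value_persistence(events),
        "delayed_execution": delayed_execution_from_user_path(events),
        "lookalike_binaries": lookalike_binaries(events),
    }


if __name__ == "__main__":
    for rule, findings in hunt(EVENTS).items():
        print(rule, findings)
```

Against the constructed records the Load rule fires once (PID 2152, data pointing at bird.exe.lnk) and ignores the control reg.exe call, the delay rule walks from timeout.exe back through cmd.exe to the %TEMP% dropper, and the lookalike rule flags svhost.exe as one edit from svchost.exe. The ancestry walk matters in production: a real host will have many timeout.exe and reg.exe invocations, and it is the user-writable origin that makes these ones worth a look.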
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Temp\Pidgin\bird.exe
  Filesize: 435KB
  MD5: 69bda55cf1a5f060d8d583646f986943
  SHA1: 6c46cc4216bf9e2ab963ced691b0e9bce6a359d6
  SHA256: 02dfbee0b56dd31315f9661286364a5575589577de2077423e59c7bed46bc4d7
  SHA512: 2db813ba399bb7068dc132404fb08d8dd48bae6045dbb7db7222044598b85133227c3269b35112c56692e998d1ff7b1b00ac9e697039b79a241cabbd555d94a4
  (identical hashes to the submitted sample: the dropper copies itself to this path, and this copy is what the Startup .lnk and the Load value point to)
- C:\Users\Admin\AppData\Local\Temp\Pidgin\bird.exe.bat
  Filesize: 203B
  MD5: 8924a4be6613e42b6f8065e9acfbe2e3
  SHA1: ef1d5dedce26eb50f32ca3ebf5550f397aa5732f
  SHA256: f6c2c759ec4c3a3ead6a4fae5f9da83f9581939180447dc3ad78b5bc7ecf94ec
  SHA512: 8f4f278852f7d50fa8ea9022997994d8f1971be1657f4a9c9c1163e7a61c0910e9b6224c0a27eea87500e6a91ae048d84b46141c0872d97649865fe984ee667c
- \Users\Admin\AppData\Local\Temp\svhost.exe
  Filesize: 1.6MB
  MD5: 32827e69b293b99013bbbe37d029245d
  SHA1: bc9f80a38f09354d71467a05b0c5a82c3f7dac53
  SHA256: 9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f
  SHA512: 58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5
- Memory dumps, PID 2756 (svhost.exe):
  memory/2756-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp, 4KB
  memory/2756-{13,15,17,19,21,23,48,27,35,31,30}-0x0000000000400000-0x000000000041E000-memory.dmp, 120KB each (11 dumps of the same region)
- Memory dumps, PID 3048 (69bda55cf1a5f060d8d583646f986943_JaffaCakes118.exe):
  memory/3048-{2,1,44,47}-0x0000000074030000-0x00000000745DB000-memory.dmp, 5.7MB each (4 dumps of the same region)
  memory/3048-0-0x0000000074031000-0x0000000074032000-memory.dmp, 4KB
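The dump list is easier to read once the names are grouped by process and address range: the eleven captures of 0x400000-0x41E000 inside PID 2756, the SetThreadContext target, are the region to pull and unpack first, while the 5.7MB region in PID 3048 is a mapped module rather than a payload. The Python below is an added example, not part of the report or of the sandbox's tooling; it parses the memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp naming scheme used above, counts dumps per region and applies a small heuristic (region in a thread-context target, dumped at least twice, at most 1 MiB, at a low address) to rank candidates. The dump names are copied from this report; the heuristic thresholds are mine.

```python
"""
Group sandbox memory dumps by (pid, region) and rank candidate hollowed
payload regions. Added example: the dump names are copied from the report
above, the heuristic thresholds are assumptions.
"""
import re
from collections import Counter

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

DUMPS = [  # names taken from the report's Downloads list
    "memory/2756-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp",
    *[f"memory/2756-{n}-0x0000000000400000-0x000000000041E000-memory.dmp"
      for n in (13, 15, 17, 19, 21, 23, 48, 27, 35, 31, 30)],
    *[f"memory/3048-{n}-0x0000000074030000-0x00000000745DB000-memory.dmp" for n in (2, 1, 44, 47)],
    "memory/3048-0-0x0000000074031000-0x0000000074032000-memory.dmp",
]


def parse_dump_name(name):
    """Split a dump file name into pid, sequence number and address range."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def regions(names):
    """Count how many times each (pid, start, end) region was dumped."""
    counts = Counter()
    for name in names:
        d = parse_dump_name(name)
        counts[(d["pid"], d["start"], d["end"])] += 1
    return counts


def hollowing_candidates(names, thread_context_targets, min_dumps=2, max_size=1 << 20):
    """
    Rank regions in SetThreadContext target processes that were dumped
    repeatedly, are small (an unpacked payload rather than a mapped DLL) and
    sit at a low address (the usual image base of a 32-bit executable; here
    0x400000). A heuristic for triage, not proof of hollowing on its own.
    """
    out = []
    for (pid, start, end), count in regions(names).items():
        if pid not in thread_context_targets:
            continue
        if count >= min_dumps and end - start <= max_size and start < 0x10000000:
            out.append({"pid": pid, "start": start, "end": end, "size": end - start, "dumps": count})
    return sorted(out, key=lambda r: -r["dumps"])


if __name__ == "__main__":
    for (pid, start, end), n in sorted(regions(DUMPS).items()):
        print(f"pid {pid} 0x{start:08X}-0x{end:08X} {(end - start) // 1024} KiB x{n}")
    # 2756 is the SetThreadContext target named in the Signatures section
    print(hollowing_candidates(DUMPS, {2756}))
```

Run as-is it prints four distinct regions and a single candidate, PID 2756 at 0x400000 with eleven dumps. Picking the dump with the highest sequence number for that region gives the latest state of the injected image, which is normally the one to carve a PE from and feed to the Remcos config extractor.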