remcos | 5744db104260134735390f73f8db18a3283957d0d25971163ea45ae7654ffe53

General

Target

7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe
Size

242KB
MD5

7024cd28d4a7ea90cfcdbdf1a8d7287e
SHA1

f435f44873b3a58c3a0d4dd49796f41c17d4db08
SHA256

5744db104260134735390f73f8db18a3283957d0d25971163ea45ae7654ffe53
SHA512

9973079b5aab5d9b8479c822a1198a3327d6e006f4768916813f630e46279f619dbcd35527c628184f791415bb9cea1bb008abfc07dcb3d3f28af13980315600
SSDEEP

6144:uRonVqN4M2SoVWI8IScNKtw7zjPzeOvJnYsgIY:uKg4/SoVWI8IScNKtieOvB7gIY

Score

10^/10

remcos host rat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

pmanz.sytes.net:444

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
remcos_jyjlpacrfdsoono
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of SetThreadContext 1 IoCs

Processes:

7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe

description	pid	process	target process
PID 2440 set thread context of 2784	2440	7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe	7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2372 schtasks.exe

pid	process
2372	schtasks.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe

description	pid	process	target process
PID 2440 wrote to memory of 2372	2440	7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe	schtasks.exe
PID 2440 wrote to memory of 2372	2440	7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe	schtasks.exe
PID 2440 wrote to memory of 2372	2440	7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe	schtasks.exe
PID 2440 wrote to memory of 2372	2440	7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe	schtasks.exe
PID 2440 wrote to memory of 2784	2440	7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe	7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe
PID 2440 wrote to memory of 2784	2440	7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe	7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe
PID 2440 wrote to memory of 2784	2440	7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe	7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe
PID 2440 wrote to memory of 2784	2440	7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe	7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe
PID 2440 wrote to memory of 2784	2440	7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe	7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe
PID 2440 wrote to memory of 2784	2440	7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe	7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe
PID 2440 wrote to memory of 2784	2440	7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe	7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe
PID 2440 wrote to memory of 2784	2440	7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe	7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe
PID 2440 wrote to memory of 2784	2440	7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe	7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe
PID 2440 wrote to memory of 2784	2440	7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe	7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UgEZFDCCx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8B10.tmp"
2⤵
- Creates scheduled task(s)
PID:2372

C:\Users\Admin\AppData\Local\Temp\7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe
"{path}"
2⤵
PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8B10.tmp

Filesize
1KB

MD5
e280d011f8e3541777acdbfa6166dee1

SHA1
267c5e3c12203cbf552debf44d3110e6cff5d6cd

SHA256
a6927abd99a3d547b2e814c64856784a1debefda28f5fb1d68adb5c75aded91b

SHA512
c3dd387ab821601e4990b3895a37410f64e6a3e7416ed623160b6fe131caebf8ef645f541b05ae0f207478b4554cc78d0de35c9947eb04c59a53f73f44587ec9

Download Submit
memory/2440-0-0x0000000074751000-0x0000000074752000-memory.dmp

Filesize
4KB

Download
memory/2440-1-0x0000000074750000-0x0000000074CFB000-memory.dmp

Filesize
5.7MB

Download
memory/2440-2-0x0000000074750000-0x0000000074CFB000-memory.dmp

Filesize
5.7MB

Download
memory/2440-3-0x0000000074750000-0x0000000074CFB000-memory.dmp

Filesize
5.7MB

Download
memory/2440-4-0x0000000074750000-0x0000000074CFB000-memory.dmp

Filesize
5.7MB

Download
memory/2440-26-0x0000000074750000-0x0000000074CFB000-memory.dmp

Filesize
5.7MB

Download
memory/2784-22-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2784-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2784-24-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2784-18-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2784-16-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2784-14-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2784-12-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2784-25-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2784-10-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2784-27-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads