Analysis

max time kernel: 149s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 23:26

Static task: static1
Behavioral task: behavioral1
Sample: 7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe
Resource: win7-20240221-en
General

Target: 7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe
Size: 242KB
MD5: 7024cd28d4a7ea90cfcdbdf1a8d7287e
SHA1: f435f44873b3a58c3a0d4dd49796f41c17d4db08
SHA256: 5744db104260134735390f73f8db18a3283957d0d25971163ea45ae7654ffe53
SHA512: 9973079b5aab5d9b8479c822a1198a3327d6e006f4768916813f630e46279f619dbcd35527c628184f791415bb9cea1bb008abfc07dcb3d3f28af13980315600
SSDEEP: 6144:uRonVqN4M2SoVWI8IScNKtw7zjPzeOvJnYsgIY:uKg4/SoVWI8IScNKtieOvB7gIY
Malware Config

Extracted: remcos
Version: 1.7 Pro
Host: pmanz.sytes.net:444

audio_folder: audio
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 5
copy_file: remcos.exe
copy_folder: remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: remcos_jyjlpacrfdsoono
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screens
screenshot_path: %AppData%
screenshot_time: 1
startup_value: remcos
take_screenshot_option: false
take_screenshot_time: 5
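The extracted configuration is most useful once it is turned into things a responder can search for. The script below is an added example, not part of the sandbox report or of Remcos itself: it parses the key/value pairs shown above (constructed into CONFIG_TEXT from this page) and derives the C2 endpoint, the mutex, and the on-disk and Run-key artifacts. The derivation rules are assumptions about how Remcos 1.x uses these fields: copy_folder/copy_file live under install_path and startup_value names the Run-key entry only when install_flag is set, and the keylog_* and screenshot_* paths exist only when their flags are set.

```python
"""Derive hunt artifacts from the Remcos config shown above (added example).

CONFIG_TEXT is constructed from the key/value pairs on this page. The gating
rules (install_flag, keylog_flag, screenshot_flag) are this example's
assumptions about how Remcos 1.x uses the fields.
"""

CONFIG_TEXT = """\
Host: pmanz.sytes.net:444
connect_interval: 5
copy_file: remcos.exe
copy_folder: remcos
install_flag: false
install_path: %AppData%
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mutex: remcos_jyjlpacrfdsoono
screenshot_flag: false
screenshot_folder: Screens
screenshot_path: %AppData%
startup_value: remcos
"""


def parse_config(text):
    """Parse 'key: value' lines; true/false become bools, digit strings become ints."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # split on the first ':' only, so host:port survives
        if not sep:
            continue
        value = value.strip()
        if value.lower() in ("true", "false"):
            cfg[key.strip()] = value.lower() == "true"
        elif value.isdigit():
            cfg[key.strip()] = int(value)
        else:
            cfg[key.strip()] = value
    return cfg


def expected_artifacts(cfg):
    """Return the C2 endpoint, mutex and the file/registry artifacts gated on the config flags."""
    host, _, port = cfg["Host"].rpartition(":")
    arts = {"c2": (host, int(port)), "mutex": cfg["mutex"], "files": [], "run_key_value": None}
    if cfg.get("install_flag"):
        # Installed copy and its Run-key value name (HKCU\...\CurrentVersion\Run; assumption)
        arts["files"].append(f'{cfg["install_path"]}\\{cfg["copy_folder"]}\\{cfg["copy_file"]}')
        arts["run_key_value"] = cfg["startup_value"]
    if cfg.get("keylog_flag"):
        arts["files"].append(f'{cfg["keylog_path"]}\\{cfg["keylog_folder"]}\\{cfg["keylog_file"]}')
    if cfg.get("screenshot_flag"):
        arts["files"].append(f'{cfg["screenshot_path"]}\\{cfg["screenshot_folder"]}')
    return arts


if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    arts = expected_artifacts(cfg)
    print("C2:", "%s:%d" % arts["c2"])
    print("mutex:", arts["mutex"])
    print("files:", arts["files"] or "none (install/keylog/screenshot flags are all false)")
    print("Run value:", arts["run_key_value"])
```

For this sample install_flag, keylog_flag and screenshot_flag are all false, so under these rules the Remcos payload itself drops no copy under %AppData%\remcos and writes no Run value; the only persistence in this report is the scheduled task that the outer loader registers (see the process tree), which is why the mutex and the C2 host:port are the durable indicators here.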
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation
  process: 7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description: PID 2284 set thread context of 3080
  process: 7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe (PID 2284)
  target process: 7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe (PID 3080)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  pid: 2284
  process: 7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description: Token: SeDebugPrivilege
  pid: 2284
  process: 7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  PID 2284 (7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe) wrote to memory of PID 5100 (schtasks.exe): 3 entries
  PID 2284 (7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe) wrote to memory of PID 3080 (7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe): 9 entries

Taken together, the SetThreadContext and WriteProcessMemory entries show PID 2284 writing into a child started from its own image (PID 3080) and then resetting that child's thread context, the sequence process hollowing (RunPE) uses to run an unpacked payload inside a fresh copy of the same executable.
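The signature rows above can be correlated mechanically. The script below is an added example, not the sandbox's own logic: EVENTS is constructed from the IoC lines on this page (event name, acting PID, acting image, target PID, target image or privilege), and the rule is this example's assumption that a parent which writes into a child's memory and then calls SetThreadContext on that child has most likely replaced the child's mapped image. The same image path on both sides and SeDebugPrivilege on the parent raise confidence; the three writes toward schtasks.exe, which never receives a SetThreadContext, are not flagged on their own.

```python
"""Correlate WriteProcessMemory + SetThreadContext into a process-hollowing finding (added example).

EVENTS mirrors the IoC lines of this report; the correlation rule is an assumption
of this example, not the sandbox's signature logic.
"""
from collections import defaultdict

EXE = r"C:\Users\Admin\AppData\Local\Temp\7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"

# (event, pid, image, target_pid, target_image_or_privilege), constructed from the page
EVENTS = [
    ("AdjustPrivilegeToken", 2284, EXE, None, "SeDebugPrivilege"),
    *[("WriteProcessMemory", 2284, EXE, 5100, SCHTASKS)] * 3,
    *[("WriteProcessMemory", 2284, EXE, 3080, EXE)] * 9,
    ("SetThreadContext", 2284, EXE, 3080, EXE),
]


def detect_hollowing(events):
    """Return one finding per (parent, child) pair that has both memory writes and SetThreadContext."""
    writes = defaultdict(int)   # (parent, child) -> number of WriteProcessMemory calls
    ctx_pairs = set()           # (parent, child) pairs with a SetThreadContext call
    images = {}                 # pid -> image path
    debug_priv = set()          # pids that enabled SeDebugPrivilege
    for name, pid, image, tpid, tinfo in events:
        images[pid] = image
        if name == "WriteProcessMemory":
            images[tpid] = tinfo
            writes[(pid, tpid)] += 1
        elif name == "SetThreadContext":
            images[tpid] = tinfo
            ctx_pairs.add((pid, tpid))
        elif name == "AdjustPrivilegeToken" and tinfo == "SeDebugPrivilege":
            debug_priv.add(pid)

    findings = []
    for (parent, child), n in writes.items():
        if (parent, child) not in ctx_pairs:
            continue   # writes alone (e.g. toward schtasks.exe here) are not enough
        findings.append({
            "parent": parent,
            "child": child,
            "writes": n,
            "same_image": images[parent].lower() == images[child].lower(),
            "parent_has_SeDebugPrivilege": parent in debug_priv,
            "child_image": images[child],
        })
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(EVENTS):
        print(f"hollowing suspected: {f['parent']} -> {f['child']} "
              f"({f['writes']} writes, same image={f['same_image']}, "
              f"SeDebugPrivilege={f['parent_has_SeDebugPrivilege']})")
```

On the page's events this yields a single finding, 2284 -> 3080 with nine writes into a child of the same image; in an EDR pipeline the same pairing (WriteProcessMemory or NtWriteVirtualMemory toward a suspended child followed by SetThreadContext/NtSetContextThread) is the detection to build, with the target image as a confidence modifier rather than a requirement, since hollowing into svchost.exe or other system binaries is equally common.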
Processes

C:\Users\Admin\AppData\Local\Temp\7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UgEZFDCCx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2B80.tmp"
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\7024cd28d4a7ea90cfcdbdf1a8d7287e_JaffaCakes118.exe
    Command line: "{path}"

The parent asks for C:\Windows\System32\schtasks.exe but the image that runs is C:\Windows\SysWOW64\schtasks.exe: WoW64 file-system redirection, which tells you the sample is a 32-bit process on this x64 image. The second child is a new copy of the sample's own executable started with the literal command line "{path}", consistent with the PID 3080 target of the SetThreadContext and WriteProcessMemory signatures above.
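The schtasks.exe invocation is the one durable persistence artifact in this report, and its shape is recognisable from the command line alone. The script below is an added example, not from the report: it tokenizes a Windows command line (a simple quoted/unquoted split, an approximation of CommandLineToArgvW rules), extracts the /TN and /XML arguments, and flags the pattern seen here, a task registered from a .tmp file in the user's Temp directory. The command line is the one shown in the process tree; the benign comparison line is constructed.

```python
"""Triage schtasks.exe /Create command lines (added example, not the report's own logic).

Tokenizer: double-quoted runs or whitespace-separated tokens, an approximation of
Windows argv parsing that is sufficient for schtasks command lines.
"""
import ntpath
import re

# Command line from the process tree on this page
CMDLINE = (r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UgEZFDCCx" '
           r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp2B80.tmp"')

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
VERBS = ("/CREATE", "/DELETE", "/RUN", "/CHANGE", "/QUERY", "/END")
VALUE_OPTS = ("/TN", "/XML", "/TR", "/SC", "/RL", "/RU", "/RP", "/MO", "/ST")
# User-writable staging locations (assumption: the usual ones for droppers)
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def split_cmdline(cmd):
    """Split on whitespace, keeping double-quoted runs together and dropping the quotes."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmd)]


def parse_schtasks(cmd):
    """Return the verb and the option/value pairs of a schtasks command line."""
    args = split_cmdline(cmd)
    opts = {}
    i = 1   # args[0] is the schtasks image path
    while i < len(args):
        a = args[i].upper()
        if a in VERBS:
            opts["verb"] = a
            i += 1
        elif a in VALUE_OPTS and i + 1 < len(args):
            opts[a] = args[i + 1]
            i += 2
        elif a == "/F":
            opts["/F"] = True
            i += 1
        else:
            i += 1
    return opts


def triage(cmd):
    """Flag /Create calls whose task definition comes from a temp location or a .tmp file."""
    opts = parse_schtasks(cmd)
    reasons = []
    if opts.get("verb") == "/CREATE":
        xml = opts.get("/XML", "")
        if any(m in xml.lower() for m in TEMP_MARKERS):
            reasons.append("task definition loaded from a Temp directory: " + xml)
        if ntpath.splitext(xml)[1].lower() == ".tmp":
            reasons.append("task definition file has a .tmp extension")
    return {"opts": opts, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    result = triage(CMDLINE)
    print("task:", result["opts"].get("/TN"), "suspicious:", result["suspicious"])
    for r in result["reasons"]:
        print("  -", r)
```

When this fires, the task definition file (here tmp2B80.tmp, listed under Downloads) is what to collect: it carries the action the task runs and the trigger, and it is typically deleted by the loader soon after registration, while the registered task survives under %SystemRoot%\System32\Tasks\Updates\.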
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2B80.tmp
  Filesize: 1KB
  MD5: 401e49f24b4d181f1119adb239834235
  SHA1: a24435cbc2582af0e3ede0b6a0f05106ab7814ff
  SHA256: 3ec8192c7b67fe77feb97f55c28fde006118f906b86bfc22840e01922acf2369
  SHA512: cc170da13ea8484bcb97ef739016542cfe4f7838c58a0e7c46de77f9dcc4ffed624fbd56695676798104df8b5f8af0b8d5bd18d8808474d531e14b25f4efc461

Memory dumps:
  memory/2284-0-0x0000000075102000-0x0000000075103000-memory.dmp   Filesize: 4KB
  memory/2284-1-0x0000000075100000-0x00000000756B1000-memory.dmp   Filesize: 5.7MB
  memory/2284-2-0x0000000075100000-0x00000000756B1000-memory.dmp   Filesize: 5.7MB
  memory/2284-3-0x0000000075102000-0x0000000075103000-memory.dmp   Filesize: 4KB
  memory/2284-4-0x0000000075100000-0x00000000756B1000-memory.dmp   Filesize: 5.7MB
  memory/2284-15-0x0000000075100000-0x00000000756B1000-memory.dmp  Filesize: 5.7MB
  memory/3080-10-0x0000000000400000-0x0000000000417000-memory.dmp  Filesize: 92KB
  memory/3080-13-0x0000000000400000-0x0000000000417000-memory.dmp  Filesize: 92KB
  memory/3080-14-0x0000000000400000-0x0000000000417000-memory.dmp  Filesize: 92KB
  memory/3080-16-0x0000000000400000-0x0000000000417000-memory.dmp  Filesize: 92KB

tmp2B80.tmp is the task definition XML passed to schtasks.exe /XML in the process tree. The four dumps of PID 3080 all cover 0x400000-0x417000, the default image base of a 32-bit PE, which is where a hollowed-in payload is mapped; that 92KB region is the first place to look for the Remcos payload whose configuration was extracted above.