remcos | f053c60697e0af53615df9ef94f936ea9f571a2f697e19c7db8955d36fe12a4a

General

Target

7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
Size

330KB
MD5

7160c922014ca2e09814ea97e0892575
SHA1

4b89e8c0e55360eb92040feae26d80c73542846c
SHA256

f053c60697e0af53615df9ef94f936ea9f571a2f697e19c7db8955d36fe12a4a
SHA512

2adf6b0a5ad50c92152a2aa5a8d3c8c113c374a5a9e823f4ddf391de9beed3069597ad5fc7fde0571bd18c2c91a8042121bfb6fad4ffde768cfb69ee08ac7b22
SSDEEP

6144:2w6JMnBKjX33LRxKEV+KliE3IvHlouxcAG42uZ:D6MI7LRECFiHegnT

Score

10^/10

remcos 28-07-2019 persistence rat

Malware Config

Extracted

Family

remcos

Version

2.4.7 Pro

Botnet

28-07-2019

C2

muhoste.ddnsfree.com:2401

koustaeik.dynu.net:2424

houstus.gleeze.com:2525

foustraje.mywire.org:2626

housteko.mywire.org:2727

houstrik.gleeze.com:2828

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
3
copy_file
servicesT.exe
copy_folder
Windows10Update
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
SystemWindows7
keylog_path
%AppData%
mouse_option
false
mutex
le1boss2019-P7U0OY
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
sips3
screenshot_path
%AppData%
screenshot_time
10
startup_value
Defender-Update-System
take_screenshot_option
true
take_screenshot_time
1
take_screenshot_title
amazon;secure;checkout;payment;rakuten;order;sncf;secure2;pay;hipay;bricoprive;webpayment;payline;Alipay;hsbc;3d;secur5e;authentification;paybox;récapitilatif;systempay;worldpay;secure1;cic;sips;3dsecure;sogenactif;paiement;paypal;paylib;webpayment

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 3 IoCs

Processes:

7160c922014ca2e09814ea97e0892575_JaffaCakes118.exeservicesT.exeservicesT.exe

pid process

2800 7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
1840 servicesT.exe
2504 servicesT.exe
Loads dropped DLL 3 IoCs

Processes:

7160c922014ca2e09814ea97e0892575_JaffaCakes118.execmd.exeservicesT.exe

pid process

2424 7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
2340 cmd.exe
1840 servicesT.exe

pid	process
2800	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
1840	servicesT.exe
2504	servicesT.exe

pid	process
2424	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
2340	cmd.exe
1840	servicesT.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7160c922014ca2e09814ea97e0892575_JaffaCakes118.exeservicesT.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Defender-Update-System = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows10Update\\servicesT.exe\""	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Defender-Update-System = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows10Update\\servicesT.exe\""	servicesT.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

7160c922014ca2e09814ea97e0892575_JaffaCakes118.exeservicesT.exe

description	pid	process	target process
PID 2424 set thread context of 2800	2424	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
PID 1840 set thread context of 2504	1840	servicesT.exe	servicesT.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NTFS ADS 3 IoCs

Processes:

cmd.exe7160c922014ca2e09814ea97e0892575_JaffaCakes118.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Windows10Update\servicesT.exe\:Zone.Identifier:$DATA	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Windows10Update\servicesT.exe:Zone.Identifier	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

7160c922014ca2e09814ea97e0892575_JaffaCakes118.exeservicesT.exe

description pid process

Token: SeDebugPrivilege 2424 7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
Token: SeDebugPrivilege 1840 servicesT.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

servicesT.exe

pid process

2504 servicesT.exe

description	pid	process
Token: SeDebugPrivilege	2424	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
Token: SeDebugPrivilege	1840	servicesT.exe

pid	process
2504	servicesT.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe7160c922014ca2e09814ea97e0892575_JaffaCakes118.exeWScript.execmd.exeservicesT.exe

description	pid	process	target process
PID 2424 wrote to memory of 2612	2424	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe	cmd.exe
PID 2424 wrote to memory of 2612	2424	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe	cmd.exe
PID 2424 wrote to memory of 2612	2424	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe	cmd.exe
PID 2424 wrote to memory of 2612	2424	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe	cmd.exe
PID 2424 wrote to memory of 2800	2424	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
PID 2424 wrote to memory of 2800	2424	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
PID 2424 wrote to memory of 2800	2424	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
PID 2424 wrote to memory of 2800	2424	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
PID 2424 wrote to memory of 2800	2424	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
PID 2424 wrote to memory of 2800	2424	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
PID 2424 wrote to memory of 2800	2424	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
PID 2424 wrote to memory of 2800	2424	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
PID 2424 wrote to memory of 2800	2424	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
PID 2424 wrote to memory of 2800	2424	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
PID 2424 wrote to memory of 2800	2424	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
PID 2800 wrote to memory of 2592	2800	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe	WScript.exe
PID 2800 wrote to memory of 2592	2800	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe	WScript.exe
PID 2800 wrote to memory of 2592	2800	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe	WScript.exe
PID 2800 wrote to memory of 2592	2800	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe	WScript.exe
PID 2592 wrote to memory of 2340	2592	WScript.exe	cmd.exe
PID 2592 wrote to memory of 2340	2592	WScript.exe	cmd.exe
PID 2592 wrote to memory of 2340	2592	WScript.exe	cmd.exe
PID 2592 wrote to memory of 2340	2592	WScript.exe	cmd.exe
PID 2340 wrote to memory of 1840	2340	cmd.exe	servicesT.exe
PID 2340 wrote to memory of 1840	2340	cmd.exe	servicesT.exe
PID 2340 wrote to memory of 1840	2340	cmd.exe	servicesT.exe
PID 2340 wrote to memory of 1840	2340	cmd.exe	servicesT.exe
PID 1840 wrote to memory of 1808	1840	servicesT.exe	cmd.exe
PID 1840 wrote to memory of 1808	1840	servicesT.exe	cmd.exe
PID 1840 wrote to memory of 1808	1840	servicesT.exe	cmd.exe
PID 1840 wrote to memory of 1808	1840	servicesT.exe	cmd.exe
PID 1840 wrote to memory of 2504	1840	servicesT.exe	servicesT.exe
PID 1840 wrote to memory of 2504	1840	servicesT.exe	servicesT.exe
PID 1840 wrote to memory of 2504	1840	servicesT.exe	servicesT.exe
PID 1840 wrote to memory of 2504	1840	servicesT.exe	servicesT.exe
PID 1840 wrote to memory of 2504	1840	servicesT.exe	servicesT.exe
PID 1840 wrote to memory of 2504	1840	servicesT.exe	servicesT.exe
PID 1840 wrote to memory of 2504	1840	servicesT.exe	servicesT.exe
PID 1840 wrote to memory of 2504	1840	servicesT.exe	servicesT.exe
PID 1840 wrote to memory of 2504	1840	servicesT.exe	servicesT.exe
PID 1840 wrote to memory of 2504	1840	servicesT.exe	servicesT.exe
PID 1840 wrote to memory of 2504	1840	servicesT.exe	servicesT.exe

C:\Users\Admin\AppData\Local\Temp\7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe:Zone.Identifier"
2⤵
- NTFS ADS
PID:2612

C:\Users\Admin\AppData\Local\Temp\7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2800

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Windows10Update\servicesT.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340

C:\Users\Admin\AppData\Roaming\Windows10Update\servicesT.exe
C:\Users\Admin\AppData\Roaming\Windows10Update\servicesT.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Roaming\Windows10Update\servicesT.exe:Zone.Identifier"
6⤵
- NTFS ADS
PID:1808

C:\Users\Admin\AppData\Roaming\Windows10Update\servicesT.exe
C:\Users\Admin\AppData\Roaming\Windows10Update\servicesT.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
442B

MD5
ad6142dbff8f2dc512e4b02eb2d99235

SHA1
4fa753dadd6e969634e8fc9efea8fdd94a79a5f6

SHA256
f57cfb9871673dd7135346493efeba1b8de7a3a84d322e735e6f3b33885d4542

SHA512
2b772b10c413321e96d6ce4f0385ed022deff7e1ece68cff02c81f3395d2d842e1ea90042624919aa19d2243d002e32abe932e576d39ebe34922a8dae2c6575c

Download Submit
C:\Users\Admin\AppData\Roaming\SystemWindows7\logs.dat

Filesize
79B

MD5
a40831a2e2c35b1fbe48b5a6e25e396b

SHA1
17484bc9ab0f8be1ab8956991119c340ea2aa19c

SHA256
8dc815a43dba6ee347b917d439b16a4481ee3cb9388b6b4c0f3a7ba86b25da78

SHA512
30ebf5ce500bd42218fbb37f90ce0c18e2ac786f71c45fff780365f298c3603a1d8e1650533e99739a00ae0924ad30ae4c278d6d122d14a8421c45364ac0056e

Download Submit
\Users\Admin\AppData\Local\Temp\7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe

Filesize
330KB

MD5
7160c922014ca2e09814ea97e0892575

SHA1
4b89e8c0e55360eb92040feae26d80c73542846c

SHA256
f053c60697e0af53615df9ef94f936ea9f571a2f697e19c7db8955d36fe12a4a

SHA512
2adf6b0a5ad50c92152a2aa5a8d3c8c113c374a5a9e823f4ddf391de9beed3069597ad5fc7fde0571bd18c2c91a8042121bfb6fad4ffde768cfb69ee08ac7b22

Download Submit
memory/1840-34-0x0000000001050000-0x00000000010A8000-memory.dmp

Filesize
352KB

Download
memory/2424-26-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/2424-0-0x00000000741BE000-0x00000000741BF000-memory.dmp

Filesize
4KB

Download
memory/2424-6-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/2424-4-0x00000000741BE000-0x00000000741BF000-memory.dmp

Filesize
4KB

Download
memory/2424-1-0x0000000000CF0000-0x0000000000D48000-memory.dmp

Filesize
352KB

Download
memory/2424-5-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/2424-2-0x0000000000380000-0x00000000003A4000-memory.dmp

Filesize
144KB

Download
memory/2424-3-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/2504-56-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2504-52-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2504-51-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2504-48-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2800-18-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2800-25-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2800-21-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2800-29-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2800-15-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2800-10-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2800-12-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2800-14-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2800-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2800-13-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2800-8-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads