remcos | f053c60697e0af53615df9ef94f936ea9f571a2f697e19c7db8955d36fe12a4a

General

Target

7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
Size

330KB
MD5

7160c922014ca2e09814ea97e0892575
SHA1

4b89e8c0e55360eb92040feae26d80c73542846c
SHA256

f053c60697e0af53615df9ef94f936ea9f571a2f697e19c7db8955d36fe12a4a
SHA512

2adf6b0a5ad50c92152a2aa5a8d3c8c113c374a5a9e823f4ddf391de9beed3069597ad5fc7fde0571bd18c2c91a8042121bfb6fad4ffde768cfb69ee08ac7b22
SSDEEP

6144:2w6JMnBKjX33LRxKEV+KliE3IvHlouxcAG42uZ:D6MI7LRECFiHegnT

Score

10^/10

remcos 28-07-2019 persistence rat

Malware Config

Extracted

Family

remcos

Version

2.4.7 Pro

Botnet

28-07-2019

C2

muhoste.ddnsfree.com:2401

koustaeik.dynu.net:2424

houstus.gleeze.com:2525

foustraje.mywire.org:2626

housteko.mywire.org:2727

houstrik.gleeze.com:2828

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
3
copy_file
servicesT.exe
copy_folder
Windows10Update
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
SystemWindows7
keylog_path
%AppData%
mouse_option
false
mutex
le1boss2019-P7U0OY
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
sips3
screenshot_path
%AppData%
screenshot_time
10
startup_value
Defender-Update-System
take_screenshot_option
true
take_screenshot_time
1
take_screenshot_title
amazon;secure;checkout;payment;rakuten;order;sncf;secure2;pay;hipay;bricoprive;webpayment;payline;Alipay;hsbc;3d;secur5e;authentification;paybox;récapitilatif;systempay;worldpay;secure1;cic;sips;3dsecure;sogenactif;paiement;paypal;paylib;webpayment

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7160c922014ca2e09814ea97e0892575_JaffaCakes118.exeWScript.exeservicesT.exe7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	servicesT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

Processes:

7160c922014ca2e09814ea97e0892575_JaffaCakes118.exeservicesT.exeservicesT.exe

pid process

3840 7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
4728 servicesT.exe
2400 servicesT.exe

pid	process
3840	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
4728	servicesT.exe
2400	servicesT.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7160c922014ca2e09814ea97e0892575_JaffaCakes118.exeservicesT.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Defender-Update-System = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows10Update\\servicesT.exe\""	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Defender-Update-System = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows10Update\\servicesT.exe\""	servicesT.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

7160c922014ca2e09814ea97e0892575_JaffaCakes118.exeservicesT.exe

description	pid	process	target process
PID 3236 set thread context of 3840	3236	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
PID 4728 set thread context of 2400	4728	servicesT.exe	servicesT.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe

NTFS ADS 3 IoCs

Processes:

cmd.exe7160c922014ca2e09814ea97e0892575_JaffaCakes118.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Windows10Update\servicesT.exe\:Zone.Identifier:$DATA	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Windows10Update\servicesT.exe:Zone.Identifier	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

7160c922014ca2e09814ea97e0892575_JaffaCakes118.exeservicesT.exe

description pid process

Token: SeDebugPrivilege 3236 7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
Token: SeDebugPrivilege 4728 servicesT.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

servicesT.exe

pid process

2400 servicesT.exe

description	pid	process
Token: SeDebugPrivilege	3236	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
Token: SeDebugPrivilege	4728	servicesT.exe

pid	process
2400	servicesT.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe7160c922014ca2e09814ea97e0892575_JaffaCakes118.exeWScript.execmd.exeservicesT.exe

description	pid	process	target process
PID 3236 wrote to memory of 1372	3236	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe	cmd.exe
PID 3236 wrote to memory of 1372	3236	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe	cmd.exe
PID 3236 wrote to memory of 1372	3236	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe	cmd.exe
PID 3236 wrote to memory of 3840	3236	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
PID 3236 wrote to memory of 3840	3236	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
PID 3236 wrote to memory of 3840	3236	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
PID 3236 wrote to memory of 3840	3236	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
PID 3236 wrote to memory of 3840	3236	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
PID 3236 wrote to memory of 3840	3236	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
PID 3236 wrote to memory of 3840	3236	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
PID 3236 wrote to memory of 3840	3236	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
PID 3236 wrote to memory of 3840	3236	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
PID 3236 wrote to memory of 3840	3236	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
PID 3840 wrote to memory of 4864	3840	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe	WScript.exe
PID 3840 wrote to memory of 4864	3840	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe	WScript.exe
PID 3840 wrote to memory of 4864	3840	7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe	WScript.exe
PID 4864 wrote to memory of 1616	4864	WScript.exe	cmd.exe
PID 4864 wrote to memory of 1616	4864	WScript.exe	cmd.exe
PID 4864 wrote to memory of 1616	4864	WScript.exe	cmd.exe
PID 1616 wrote to memory of 4728	1616	cmd.exe	servicesT.exe
PID 1616 wrote to memory of 4728	1616	cmd.exe	servicesT.exe
PID 1616 wrote to memory of 4728	1616	cmd.exe	servicesT.exe
PID 4728 wrote to memory of 2840	4728	servicesT.exe	cmd.exe
PID 4728 wrote to memory of 2840	4728	servicesT.exe	cmd.exe
PID 4728 wrote to memory of 2840	4728	servicesT.exe	cmd.exe
PID 4728 wrote to memory of 2400	4728	servicesT.exe	servicesT.exe
PID 4728 wrote to memory of 2400	4728	servicesT.exe	servicesT.exe
PID 4728 wrote to memory of 2400	4728	servicesT.exe	servicesT.exe
PID 4728 wrote to memory of 2400	4728	servicesT.exe	servicesT.exe
PID 4728 wrote to memory of 2400	4728	servicesT.exe	servicesT.exe
PID 4728 wrote to memory of 2400	4728	servicesT.exe	servicesT.exe
PID 4728 wrote to memory of 2400	4728	servicesT.exe	servicesT.exe
PID 4728 wrote to memory of 2400	4728	servicesT.exe	servicesT.exe
PID 4728 wrote to memory of 2400	4728	servicesT.exe	servicesT.exe
PID 4728 wrote to memory of 2400	4728	servicesT.exe	servicesT.exe

C:\Users\Admin\AppData\Local\Temp\7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3236

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe:Zone.Identifier"
2⤵
- NTFS ADS
PID:1372

C:\Users\Admin\AppData\Local\Temp\7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:3840

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Windows10Update\servicesT.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1616

C:\Users\Admin\AppData\Roaming\Windows10Update\servicesT.exe
C:\Users\Admin\AppData\Roaming\Windows10Update\servicesT.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4728

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Roaming\Windows10Update\servicesT.exe:Zone.Identifier"
6⤵
- NTFS ADS
PID:2840

C:\Users\Admin\AppData\Roaming\Windows10Update\servicesT.exe
C:\Users\Admin\AppData\Roaming\Windows10Update\servicesT.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7160c922014ca2e09814ea97e0892575_JaffaCakes118.exe

Filesize
330KB

MD5
7160c922014ca2e09814ea97e0892575

SHA1
4b89e8c0e55360eb92040feae26d80c73542846c

SHA256
f053c60697e0af53615df9ef94f936ea9f571a2f697e19c7db8955d36fe12a4a

SHA512
2adf6b0a5ad50c92152a2aa5a8d3c8c113c374a5a9e823f4ddf391de9beed3069597ad5fc7fde0571bd18c2c91a8042121bfb6fad4ffde768cfb69ee08ac7b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
442B

MD5
ad6142dbff8f2dc512e4b02eb2d99235

SHA1
4fa753dadd6e969634e8fc9efea8fdd94a79a5f6

SHA256
f57cfb9871673dd7135346493efeba1b8de7a3a84d322e735e6f3b33885d4542

SHA512
2b772b10c413321e96d6ce4f0385ed022deff7e1ece68cff02c81f3395d2d842e1ea90042624919aa19d2243d002e32abe932e576d39ebe34922a8dae2c6575c

Download Submit
C:\Users\Admin\AppData\Roaming\SystemWindows7\logs.dat

Filesize
79B

MD5
640d4f458ba07c356848ef9ff43f0371

SHA1
51c00ae5b41a6c2db064380c277dca832ae68903

SHA256
d64f30d29dcd87a05f8499e36493d32158a293187c44f9356b7caf0a265a3bb1

SHA512
59a04f9a88966c37263b6e9a333a25208ce31214b40058a96582841613d89329f58050960d4e0742e986bd5fc9f89c2eaddc5fa12ae4b8b1c099676625c46996

Download Submit
memory/2400-35-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2400-39-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3236-12-0x00000000064F0000-0x000000000658C000-memory.dmp

Filesize
624KB

Download
memory/3236-5-0x0000000005490000-0x00000000054B2000-memory.dmp

Filesize
136KB

Download
memory/3236-7-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/3236-8-0x00000000065B0000-0x0000000006B54000-memory.dmp

Filesize
5.6MB

Download
memory/3236-9-0x0000000006B60000-0x0000000006D22000-memory.dmp

Filesize
1.8MB

Download
memory/3236-10-0x0000000074A1E000-0x0000000074A1F000-memory.dmp

Filesize
4KB

Download
memory/3236-11-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/3236-0-0x0000000074A1E000-0x0000000074A1F000-memory.dmp

Filesize
4KB

Download
memory/3236-1-0x0000000000AE0000-0x0000000000B38000-memory.dmp

Filesize
352KB

Download
memory/3236-6-0x0000000005620000-0x0000000005686000-memory.dmp

Filesize
408KB

Download
memory/3236-2-0x0000000002EC0000-0x0000000002EE2000-memory.dmp

Filesize
136KB

Download
memory/3236-3-0x0000000002DE0000-0x0000000002E04000-memory.dmp

Filesize
144KB

Download
memory/3236-22-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/3236-4-0x0000000005500000-0x0000000005592000-memory.dmp

Filesize
584KB

Download
memory/3840-25-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3840-18-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3840-17-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3840-13-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4728-30-0x0000000002900000-0x0000000002924000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads