Overview

overview

10

Static

static

3

7457f8093e...18.exe

windows7-x64

10

7457f8093e...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    26-05-2024 04:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7457f8093e70201177324a864177c0a0_JaffaCakes118.exe

  • Size

    556KB

  • MD5

    7457f8093e70201177324a864177c0a0

  • SHA1

    6a2f85277ef38212be308b7ccf76903dff624984

  • SHA256

    a6d3232aeb2e3c6005036fb2777a3ce55cabf39ab8af66c09676852eae567193

  • SHA512

    73c387564059f6190c83283ba6ed7b662f337bb4bcd32046a72f8f0e77ca07281f6b25c404e1dafb38ce6cfa40aa009cae6f284aa0b1712b7b10e7b102fae17a

  • SSDEEP

    6144:iiUDqX0CehPi+joO/zHWR8Hnk4sJL7JW35ZZu/qQj7/KX9327RALTVeuKnK6Zh:iA1e0m5U8Hn+uiqQj7/KX9GNQEuKnz

Score
10/10
remcospersistencerat

Malware Config

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7457f8093e70201177324a864177c0a0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7457f8093e70201177324a864177c0a0_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1400
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2104
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\RemD\RemD.exe"
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2536
        • C:\Users\Admin\AppData\Roaming\RemD\RemD.exe
          C:\Users\Admin\AppData\Roaming\RemD\RemD.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:2716
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\SysWOW64\svchost.exe
            5⤵
              PID:2500

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\install.vbs
      Filesize

      410B

      MD5

      991cad69a8a5ac8e22281a335b88e2b3

      SHA1

      58568a006ade6e2ca7fa25673b036bcefa303a7d

      SHA256

      95d975c5b36f23f9121390f8f4a1373b1cbb8045765e1c9fa68e114e2f592d60

      SHA512

      298dc73384bf23e913f9a92e83040d84171ef86630652f82f73367fec9e6c61eb8a6055afe03d997870e529e4e88c0f9571b6da8ca934311afdbb67aca3132ba

      Download Submit

    • C:\Users\Admin\AppData\Roaming\RemD\RemD.exe
      Filesize

      556KB

      MD5

      7457f8093e70201177324a864177c0a0

      SHA1

      6a2f85277ef38212be308b7ccf76903dff624984

      SHA256

      a6d3232aeb2e3c6005036fb2777a3ce55cabf39ab8af66c09676852eae567193

      SHA512

      73c387564059f6190c83283ba6ed7b662f337bb4bcd32046a72f8f0e77ca07281f6b25c404e1dafb38ce6cfa40aa009cae6f284aa0b1712b7b10e7b102fae17a

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Remc\logs.dat
      Filesize

      79B

      MD5

      1ad4c722ea40342a7b08934c3e147255

      SHA1

      a93eb053b356939a0bf3ac7931e129d29f945bfc

      SHA256

      fa7edf519296e5473d73e80d0c9e564ee7b50f689230936b8fc28f5942a60ece

      SHA512

      d42ccae2efbcbcac8a576f80eaf5eeff2ce39c0d967b9eb38cbd95bf539fc7c2cea89a65e63e36d223b4412172f92650518ced8f3fe1623c835c5ea7b1e12cd2

      Download Submit

    • memory/1400-2-0x0000000077590000-0x0000000077666000-memory.dmp

      Filesize

      856KB

      Download

    • memory/1400-3-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1400-4-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1400-7-0x0000000072940000-0x0000000072A60000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1400-10-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1400-11-0x0000000072940000-0x0000000072A60000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2500-34-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2500-37-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2500-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2500-32-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2500-30-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2500-28-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2500-26-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2500-24-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2716-22-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2716-19-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download