Overview

overview

10

Static

static

3

7457f8093e...18.exe

windows7-x64

10

7457f8093e...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-05-2024 04:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7457f8093e70201177324a864177c0a0_JaffaCakes118.exe

  • Size

    556KB

  • MD5

    7457f8093e70201177324a864177c0a0

  • SHA1

    6a2f85277ef38212be308b7ccf76903dff624984

  • SHA256

    a6d3232aeb2e3c6005036fb2777a3ce55cabf39ab8af66c09676852eae567193

  • SHA512

    73c387564059f6190c83283ba6ed7b662f337bb4bcd32046a72f8f0e77ca07281f6b25c404e1dafb38ce6cfa40aa009cae6f284aa0b1712b7b10e7b102fae17a

  • SSDEEP

    6144:iiUDqX0CehPi+joO/zHWR8Hnk4sJL7JW35ZZu/qQj7/KX9327RALTVeuKnK6Zh:iA1e0m5U8Hn+uiqQj7/KX9GNQEuKnz

Score
10/10
remcospersistencerat

Malware Config

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7457f8093e70201177324a864177c0a0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7457f8093e70201177324a864177c0a0_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4704
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1576
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\RemD\RemD.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2624
        • C:\Users\Admin\AppData\Roaming\RemD\RemD.exe
          C:\Users\Admin\AppData\Roaming\RemD\RemD.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1596
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\SysWOW64\svchost.exe
            5⤵
              PID:4872

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\install.vbs
      Filesize

      410B

      MD5

      991cad69a8a5ac8e22281a335b88e2b3

      SHA1

      58568a006ade6e2ca7fa25673b036bcefa303a7d

      SHA256

      95d975c5b36f23f9121390f8f4a1373b1cbb8045765e1c9fa68e114e2f592d60

      SHA512

      298dc73384bf23e913f9a92e83040d84171ef86630652f82f73367fec9e6c61eb8a6055afe03d997870e529e4e88c0f9571b6da8ca934311afdbb67aca3132ba

      Download Submit

    • C:\Users\Admin\AppData\Roaming\RemD\RemD.exe
      Filesize

      556KB

      MD5

      7457f8093e70201177324a864177c0a0

      SHA1

      6a2f85277ef38212be308b7ccf76903dff624984

      SHA256

      a6d3232aeb2e3c6005036fb2777a3ce55cabf39ab8af66c09676852eae567193

      SHA512

      73c387564059f6190c83283ba6ed7b662f337bb4bcd32046a72f8f0e77ca07281f6b25c404e1dafb38ce6cfa40aa009cae6f284aa0b1712b7b10e7b102fae17a

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Remc\logs.dat
      Filesize

      79B

      MD5

      4fb26fdaadb0e163fc5c4536383147f2

      SHA1

      2715cb32b125e8a8accb93ed0873cf6a6a93cbb8

      SHA256

      f41845028f9226a641cf8cf864e170246990db2450b551a5fa585d120acb7eb3

      SHA512

      491faf5564fa21ceaf715097919d5c44bbaf6975d41888f49d119f2380b2287cc7fe9f0629ca18782616aef2def63301fdecc1c5e67f0d0b705d153e8c94a44a

      Download Submit

    • memory/1596-18-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1596-21-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4704-2-0x0000000077321000-0x0000000077441000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/4704-6-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4704-7-0x0000000000400000-0x000000000048B000-memory.dmp

      Filesize

      556KB

      Download

    • memory/4704-10-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4872-23-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download