Analysis

Max time kernel: 149s
Max time network: 154s
Platform: windows7_x64
Resource: win7-20240704-en
Resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
Submitted: 12-07-2024 10:38

Static task: static1
Behavioral task: behavioral1
Sample: 3d0807aa99589883f5dc7cb8fb6490d5_JaffaCakes118.exe
Resource: win7-20240704-en

General

Target: 3d0807aa99589883f5dc7cb8fb6490d5_JaffaCakes118.exe
Size: 1.2MB
MD5: 3d0807aa99589883f5dc7cb8fb6490d5
SHA1: 40e1d6397069aa7a02d04878df48a75ae0031c1f
SHA256: cda3c2f396a4e635e9b1021a9bce498172e893e38af0de9790b682d0ca925f63
SHA512: fb332eb89421a6925b04565bf22919b0fe73549314dc9855b4119bcf22d594bdd4e4918f4aebdf252c89fb48c3a5e6678d59852b49d3904af67d8557dc01440c
SSDEEP: 24576:lmGohjnimx7shSysvR0RhZPpFYDHvGABsTn57Rv1bVpf/GH0gIq:av4yCRMH+JJRJ1M
Malware Config

Extracted
Family: remcos
Version: 2.6.0 Pro
[one field garbled in extraction; not recoverable from this page]
C2: 37.252.11.23:7878

Connection
  connect_delay: 0
  connect_interval: 1
  mutex: 132123dsaasd-Q14G2Y

Install / persistence
  install_flag: false
  install_path: %AppData%
  copy_folder: Temp
  copy_file: Windows.exe
  delete_file: false
  hide_file: false
  startup_value: Defender

Keylogger
  keylog_flag: false
  keylog_path: %AppData%
  keylog_folder: remcos
  keylog_file: logs.dat
  keylog_crypt: false
  hide_keylog_file: false
  mouse_option: false

Screenshots
  screenshot_flag: false
  screenshot_path: %AppData%
  screenshot_folder: Screenshots
  screenshot_time: 10
  screenshot_crypt: false
  take_screenshot_option: false
  take_screenshot_time: 5
  take_screenshot_title: wikipedia;solitaire;

Audio
  audio_path: %AppData%
  audio_folder: MicRecords
  audio_record_time: 5

Reading the configuration: every *_flag and *_option is false, so this build ships with keylogging, screenshot capture, audio capture and self-installation switched off; the hard indicators the static config gives are the C2 endpoint 37.252.11.23:7878 and the mutex 132123dsaasd-Q14G2Y. Treat the false flags as build defaults rather than capability limits: Remcos takes operator commands over the C2 channel at runtime. With install_flag false, neither the startup entry named "Defender" nor the copy described by install_path / copy_folder / copy_file should be expected on disk; the persistence actually observed in this run is the C:\Windows\Tasks\ctmon.job file dropped by notepad.exe (see Signatures).
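To turn the configuration into something a responder can search for, the paths have to be assembled and the environment variables expanded on a Windows profile. The script below is an added example, not part of the tria.ge report or of Remcos. CONFIG copies the key/value pairs shown above; WIN_ENV is an assumed profile for the sandbox user "Admin" seen in the process tree; the rule that a location is <x_path>\<x_folder>\<x_file> follows the field names and is an assumption, as is the reading of startup_value as a startup entry name.

```python
"""Derive hunting artifacts from the extracted Remcos configuration.

Added example, not from the report or from Remcos. CONFIG is copied from the
Malware Config section; WIN_ENV is an assumed sandbox profile; path assembly
rules are assumptions based on the field names.
"""
import re
from typing import Dict, List, Tuple

CONFIG: Dict[str, str] = {
    "version": "2.6.0 Pro", "c2": "37.252.11.23:7878",
    "connect_delay": "0", "connect_interval": "1", "mutex": "132123dsaasd-Q14G2Y",
    "install_flag": "false", "install_path": "%AppData%", "copy_folder": "Temp",
    "copy_file": "Windows.exe", "delete_file": "false", "hide_file": "false",
    "startup_value": "Defender",
    "keylog_flag": "false", "keylog_path": "%AppData%", "keylog_folder": "remcos",
    "keylog_file": "logs.dat", "keylog_crypt": "false", "hide_keylog_file": "false",
    "mouse_option": "false",
    "screenshot_flag": "false", "screenshot_path": "%AppData%",
    "screenshot_folder": "Screenshots", "screenshot_time": "10", "screenshot_crypt": "false",
    "take_screenshot_option": "false", "take_screenshot_time": "5",
    "take_screenshot_title": "wikipedia;solitaire;",
    "audio_path": "%AppData%", "audio_folder": "MicRecords", "audio_record_time": "5",
}

# Assumed profile of the sandbox user "Admin" (from the process tree); adjust per host.
WIN_ENV: Dict[str, str] = {"appdata": r"C:\Users\Admin\AppData\Roaming"}

_VAR = re.compile(r"%([^%]+)%")


def expand(path: str, env: Dict[str, str]) -> str:
    """Expand %Name% tokens case-insensitively; unknown names are left untouched."""
    return _VAR.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def win_join(*parts: str) -> str:
    """Join path components with backslashes, tolerating stray separators."""
    return "\\".join(p.strip("\\") for p in parts if p)


def flag(cfg: Dict[str, str], key: str) -> bool:
    return cfg.get(key, "false").strip().lower() == "true"


def parse_c2(value: str) -> Tuple[str, int]:
    """Split host:port on the last colon so IPv6-style hosts are not mangled."""
    host, _, port = value.rpartition(":")
    return host, int(port)


def active_features(cfg: Dict[str, str]) -> List[str]:
    """Names of collection/persistence features enabled at build time (empty for this sample)."""
    switches = {
        "keylog_flag": "keylogger", "mouse_option": "mouse logging",
        "screenshot_flag": "timed screenshots", "take_screenshot_option": "title-triggered screenshots",
        "install_flag": "self-install", "hide_file": "hidden install copy", "delete_file": "self-delete",
        "keylog_crypt": "encrypted keylog", "screenshot_crypt": "encrypted screenshots",
    }
    return [name for key, name in switches.items() if flag(cfg, key)]


def artifacts(cfg: Dict[str, str], env: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(kind, value, note) triples a responder can search logs, disk and network for."""
    host, port = parse_c2(cfg["c2"])
    out = [
        ("net", f"{host}:{port}",
         f"C2 endpoint; connect_delay={cfg['connect_delay']}s, connect_interval={cfg['connect_interval']}s"),
        ("mutex", cfg["mutex"], "mutex name used by the running implant"),
        ("file", expand(win_join(cfg["keylog_path"], cfg["keylog_folder"], cfg["keylog_file"]), env),
         f"keylog (keylog_flag={cfg['keylog_flag']}, keylog_crypt={cfg['keylog_crypt']} so plaintext if enabled)"),
        ("dir", expand(win_join(cfg["screenshot_path"], cfg["screenshot_folder"]), env),
         f"screenshots (screenshot_flag={cfg['screenshot_flag']})"),
        ("dir", expand(win_join(cfg["audio_path"], cfg["audio_folder"]), env),
         f"microphone recordings (audio_record_time={cfg['audio_record_time']})"),
        ("file", expand(win_join(cfg["install_path"], cfg["copy_folder"], cfg["copy_file"]), env),
         f"install copy (install_flag={cfg['install_flag']}; assumed path assembly)"),
        ("startup", cfg["startup_value"], "startup entry name, expected only if install_flag is true (assumption)"),
    ]
    for title in filter(None, cfg["take_screenshot_title"].split(";")):
        out.append(("window", title, "window-title keyword that triggers a screenshot"))
    return out


if __name__ == "__main__":
    print("enabled at build time:", active_features(CONFIG) or "nothing")
    for kind, value, note in artifacts(CONFIG, WIN_ENV):
        print(f"{kind:8} {value:55} {note}")
```

The paths only become real once the corresponding feature is switched on, so their absence on a host proves nothing; the mutex and the C2 endpoint are the indicators to check first.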
Signatures

Drops file in Windows directory (1 IoC)
  File created: C:\Windows\Tasks\ctmon.job  by notepad.exe
  C:\Windows\Tasks\*.job is the legacy Task Scheduler job format. notepad.exe has no benign reason to write one; this is the persistence mechanism observed in this run.

Suspicious behavior: EnumeratesProcesses (7 IoCs)
  PID 2732 3d0807aa99589883f5dc7cb8fb6490d5_JaffaCakes118.exe (1)
  PID 2860 notepad.exe (6)

Suspicious behavior: MapViewOfSection (6 IoCs)
  PID 2860 notepad.exe (6)

Suspicious use of WriteProcessMemory (64 IoCs; the report lists at most 64 rows, and the table stops there)
  Rows collapsed into distinct source -> target pairs:
  PID 2732 3d0807aa99589883f5dc7cb8fb6490d5_JaffaCakes118.exe -> PID 2860 notepad.exe   (34 rows)
  PID 2860 notepad.exe -> PID 364 cmd.exe    (13 rows)
  PID 2860 notepad.exe -> PID 2568 cmd.exe   (13 rows)
  PID 2860 notepad.exe -> PID 2684 cmd.exe   (4 rows)

  Reading these together: the sample (2732) writes repeatedly into a freshly started notepad.exe (2860), which then shows MapViewOfSection activity and starts enumerating processes, i.e. notepad.exe is the injected host running the Remcos payload. The notepad.exe -> cmd.exe rows are weaker evidence on their own, since a parent writes into a child it has just created as part of process start-up; what makes them matter is that notepad.exe should not be spawning cmd.exe at all. The later cmd.exe children (PIDs 572 and 916) and the second notepad.exe (PID 1968) in the process tree do not appear above only because the row limit was reached.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\3d0807aa99589883f5dc7cb8fb6490d5_JaffaCakes118.exe  (PID 2732)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\3d0807aa99589883f5dc7cb8fb6490d5_JaffaCakes118.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\notepad.exe  (PID 2860)
      cmdline: "C:\Windows\system32\notepad.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe  (PID 364)   cmdline: "C:\Windows\system32\cmd.exe"
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 2568)  cmdline: "C:\Windows\system32\cmd.exe"
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 2684)  cmdline: "C:\Windows\system32\cmd.exe"
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 572)   cmdline: "C:\Windows\system32\cmd.exe"
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 916)   cmdline: "C:\Windows\system32\cmd.exe"
    [3] C:\Windows\SysWOW64\notepad.exe  (PID 1968)  cmdline: "C:\Windows\system32\notepad.exe"
        - Drops file in Windows directory

Two details of the tree are worth noting. The command lines name C:\Windows\system32, but the image paths are C:\Windows\SysWOW64: the sample is a 32-bit executable running on the x64 VM, so WOW64 file-system redirection applies and every descendant is also 32-bit. And the file written to C:\Windows\Tasks\ctmon.job comes from the second notepad.exe (PID 1968), itself a child of the injected notepad.exe (PID 2860), so the persistence artifact is two hops away from the original sample process.
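The signature table and the process tree only become a usable detection when the repeated rows are collapsed and correlated with the tree. The script below is an added example, not part of the tria.ge report: WRITE_ROWS is a short excerpt constructed in the same flattened form as the report's 64-row table, PROCESS_TREE and MAPVIEW_PIDS are copied from the sections above, and the flagging rule (cross-image writes, plus MapViewOfSection in the target, plus the target spawning children) is this example's own heuristic, not a tria.ge signature.

```python
"""Rebuild the injection chain from flattened sandbox signature rows.

Added example, not from the report. WRITE_ROWS is a constructed excerpt in the
report's row format; PROCESS_TREE and MAPVIEW_PIDS are copied from the report;
the flagging rule is this example's heuristic.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Set, Tuple

SAMPLE = "3d0807aa99589883f5dc7cb8fb6490d5_JaffaCakes118.exe"

# Row format as it appears in the report: "PID <src> wrote to memory of <dst> <src> <src image> <dst image>".
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")

# Constructed excerpt: two of the 34 sample -> notepad rows and one row per cmd.exe child.
WRITE_ROWS = (
    f"PID 2732 wrote to memory of 2860 2732 {SAMPLE} notepad.exe "
    f"PID 2732 wrote to memory of 2860 2732 {SAMPLE} notepad.exe "
    "PID 2860 wrote to memory of 364 2860 notepad.exe cmd.exe "
    "PID 2860 wrote to memory of 2568 2860 notepad.exe cmd.exe "
    "PID 2860 wrote to memory of 2684 2860 notepad.exe cmd.exe"
)

# (pid, parent pid, image path, command line) from the report's Processes section.
PROCESS_TREE: List[Tuple[int, Optional[int], str, str]] = [
    (2732, None, "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE,
     '"C:\\Users\\Admin\\AppData\\Local\\Temp\\' + SAMPLE + '"'),
    (2860, 2732, r"C:\Windows\SysWOW64\notepad.exe", r'"C:\Windows\system32\notepad.exe"'),
    (364, 2860, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    (2568, 2860, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    (2684, 2860, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    (572, 2860, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    (916, 2860, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    (1968, 2860, r"C:\Windows\SysWOW64\notepad.exe", r'"C:\Windows\system32\notepad.exe"'),
]

# PIDs listed under "Suspicious behavior: MapViewOfSection" in the report.
MAPVIEW_PIDS: Set[int] = {2860}

Edge = Tuple[int, str, int, str]  # (src pid, src image, dst pid, dst image)


def parse_write_rows(text: str) -> Counter:
    """Collapse the repeated rows into distinct edges with a row count each."""
    edges: Counter = Counter()
    for src, dst, src_img, dst_img in ROW_RE.findall(text):
        edges[(int(src), src_img, int(dst), dst_img)] += 1
    return edges


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def injected_hosts(edges: Counter, tree: List[Tuple[int, Optional[int], str, str]],
                   mapview_pids: Set[int]) -> List[Dict]:
    """Flag processes that look like injection hosts.

    A parent writing into a child it just created is normal process start-up,
    so the notepad.exe -> cmd.exe rows are not evidence by themselves. A target
    is flagged only if it (1) received writes from a process with a different
    image, (2) is in the MapViewOfSection list and (3) spawned children.
    """
    children = defaultdict(list)
    for pid, ppid, image, _ in tree:
        if ppid is not None:
            children[ppid].append(basename(image))
    image_of = {pid: basename(image) for pid, _, image, _ in tree}
    writes_into: Dict[int, Counter] = defaultdict(Counter)
    for (src_pid, src_img, dst_pid, dst_img), n in edges.items():
        if src_img.lower() != dst_img.lower():
            writes_into[dst_pid][src_img] += n
    return [
        {"pid": pid, "image": image_of.get(pid, "?"),
         "writes_from": dict(sources), "children": children[pid]}
        for pid, sources in writes_into.items()
        if pid in mapview_pids and children.get(pid)
    ]


def wow64_redirected(tree: List[Tuple[int, Optional[int], str, str]]) -> List[int]:
    """PIDs whose command line says system32 but whose image lives in SysWOW64 (32-bit under WOW64)."""
    return [pid for pid, _, image, cmdline in tree
            if image.lower().startswith("c:\\windows\\syswow64\\") and "system32" in cmdline.lower()]


if __name__ == "__main__":
    edges = parse_write_rows(WRITE_ROWS)
    for (src, src_img, dst, dst_img), n in edges.items():
        print(f"{src} {src_img} -> {dst} {dst_img}: {n} rows")
    for finding in injected_hosts(edges, PROCESS_TREE, MAPVIEW_PIDS):
        print("injected host:", finding)
    print("WOW64-redirected PIDs:", wow64_redirected(PROCESS_TREE))
```

Against the full report the same rule flags only PID 2860: it is the sole process that received cross-image writes, mapped sections and then spawned five cmd.exe instances and a further notepad.exe. The cmd.exe children receive writes too, but have no MapViewOfSection rows and no children, so they stay unflagged, which is the intended behaviour of the heuristic.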