Analysis
max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-07-2024 04:41
Static task: static1
Behavioral task: behavioral1
  Sample: 662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe
Size: 983KB
MD5: 662d5ab8f03c44205c00e9f12e99105a
SHA1: df86b024cd1d3135a0056c32c5e682420b4301ad
SHA256: c684c19f26ab739c326667fc6c0ad1d6288846b22da744940e7865bbde25dd00
SHA512: abcec11083f1895767d4a880cef5c03be189f29246062eb45c54bb020e7d51cda84c192bfb285f3e751a2249e731d087eec29cf7db8acf1a485ade93fc040a9f
SSDEEP: 24576:Emy2FtwvxuN4HtOOpmF4zH5YOMGk6pbKneG9tK:TXFQINIOOpJzH515gQ
Malware Config
Extracted: remcos 3.0.2 Pro, FEB, C2 194.5.98.202:2404
audio_folder: audio
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 5
copy_file: remcos.exe
copy_folder: remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: true
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: Remcos-8W5M5B
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 1
startup_value: remcos
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe, WScript.exe
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | 662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | WScript.exe

Executes dropped EXE (2 IoCs)
Processes: remcos.exe, remcos.exe
  pid | Process
  3788 | remcos.exe
  4268 | remcos.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe, remcos.exe
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" | 662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" | remcos.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes: 662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe, remcos.exe
  description | pid | Process | procid_target
  PID 2752 set thread context of 3384 | 2752 | 662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe | 97
  PID 3788 set thread context of 4268 | 3788 | remcos.exe | 103

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoCs)
Processes: 662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings | 662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: remcos.exe
  pid | Process
  4268 | remcos.exe

Suspicious use of WriteProcessMemory (36 IoCs)
Processes: 662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe, 662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe, WScript.exe, cmd.exe, remcos.exe, remcos.exe
  description | pid | Process | procid_target | repeated entries
  PID 2752 wrote to memory of 3384 | 2752 | 662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe | 97 | 12
  PID 3384 wrote to memory of 3284 | 3384 | 662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe | 98 | 3
  PID 3284 wrote to memory of 1752 | 3284 | WScript.exe | 99 | 3
  PID 1752 wrote to memory of 3788 | 1752 | cmd.exe | 101 | 3
  PID 3788 wrote to memory of 4268 | 3788 | remcos.exe | 103 | 12
  PID 4268 wrote to memory of 3604 | 4268 | remcos.exe | 104 | 3
Processes

1. C:\Users\Admin\AppData\Local\Temp\662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe"
   PID: 2752
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

  2. C:\Users\Admin\AppData\Local\Temp\662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe
     Command line: "{path}"
     PID: 3384
     - Checks computer location settings
     - Adds Run key to start application
     - Modifies registry class
     - Suspicious use of WriteProcessMemory

    3. C:\Windows\SysWOW64\WScript.exe
       Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
       PID: 3284
       - Checks computer location settings
       - Suspicious use of WriteProcessMemory

      4. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
         PID: 1752
         - Suspicious use of WriteProcessMemory

        5. C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
           Command line: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
           PID: 3788
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - Suspicious use of WriteProcessMemory

          6. C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
             Command line: "{path}"
             PID: 4268
             - Executes dropped EXE
             - Adds Run key to start application
             - Suspicious use of SetWindowsHookEx
             - Suspicious use of WriteProcessMemory

            7. C:\Windows\SysWOW64\svchost.exe
               Command line: C:\Windows\SysWOW64\svchost.exe
               PID: 3604
Downloads

Filesize: 418B
MD5: ff449f6f7bc5e2d800eb30e2d2c56611
SHA1: 93419ea805b9ce35a766e5c56db50d54c2d3f94b
SHA256: 655787cf79040ee701963986320556a834d6345e850e03653e4852d94eb09416
SHA512: 02a17064c837d36ba241fb8edf9266e33479a10eb8652b974158a3227878a801da29db1108413bb2c298a105b3c19bd20c3a3100f19444189f434706825766a6

Filesize: 74B
MD5: e17c3d0d2a74f37e7059fe9ec92828eb
SHA1: 117755fe80bdd12a1b30404cabd9d2a53697fa65
SHA256: ca6b7f1592aa05fd670629f4e18c0cdb7cc3e09f06b4abef918f917e3267928a
SHA512: 2c9fc2b51f425bf58862a2be389b999992c2f7f3e3c9740d3adf0f74f199af27d0f22d297eed6e70b7b9694e6b883d615ff781ccd82a2421cbe20b0f8c0fe0dc

Filesize: 983KB
MD5: 662d5ab8f03c44205c00e9f12e99105a
SHA1: df86b024cd1d3135a0056c32c5e682420b4301ad
SHA256: c684c19f26ab739c326667fc6c0ad1d6288846b22da744940e7865bbde25dd00
SHA512: abcec11083f1895767d4a880cef5c03be189f29246062eb45c54bb020e7d51cda84c192bfb285f3e751a2249e731d087eec29cf7db8acf1a485ade93fc040a9f