General

  • Target

    6c73ccccd8582202a4f1152b69850b72_JaffaCakes118

  • Size

    447KB

  • Sample

    240724-xrtrksvglg

  • MD5

    6c73ccccd8582202a4f1152b69850b72

  • SHA1

    3974317a9fe77ec2cf202547cc8f7c5ff1df3573

  • SHA256

    8936445f70094fbb59a2a29e1503838ad372674f2f50731137e6f5690aab5848

  • SHA512

    324d32547423c6cb3424ddc945d72c92ffa6ea613a4f64f100b74ef64e2346ac902c69035a5ecebd048caa4592739a477b93debffd11c2987b5d14f214308bee

  • SSDEEP

    12288:n1zsVTyFFhoPn9Rx5CmrwNWw+4b19WfTtcLSTUkKCCJRNX9zo:n1zsVTyFa2ogWz61MfTuYxvuv5

Malware Config

Extracted

Family

remcos

Version

3.0.2 Pro

Botnet

RemoteHost

C2

91.241.19.107:1313

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-J2M0Y6

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;

Targets

    • Target

      6c73ccccd8582202a4f1152b69850b72_JaffaCakes118

    • Size

      447KB

    • MD5

      6c73ccccd8582202a4f1152b69850b72

    • SHA1

      3974317a9fe77ec2cf202547cc8f7c5ff1df3573

    • SHA256

      8936445f70094fbb59a2a29e1503838ad372674f2f50731137e6f5690aab5848

    • SHA512

      324d32547423c6cb3424ddc945d72c92ffa6ea613a4f64f100b74ef64e2346ac902c69035a5ecebd048caa4592739a477b93debffd11c2987b5d14f214308bee

    • SSDEEP

      12288:n1zsVTyFFhoPn9Rx5CmrwNWw+4b19WfTtcLSTUkKCCJRNX9zo:n1zsVTyFa2ogWz61MfTuYxvuv5

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks