Malware Analysis Report

2024-12-07 22:20

Sample ID 240811-m4xnwswgml
Target 8a1c35a1197ef463e625f84cf4042c00_JaffaCakes118
SHA256 c3d5cfa19bb7af77abe161135bd85506171d67dca3f86fa6a68340d05e203f64
Tags
remcos remotehost persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c3d5cfa19bb7af77abe161135bd85506171d67dca3f86fa6a68340d05e203f64

Threat Level: Known bad

The file 8a1c35a1197ef463e625f84cf4042c00_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

remcos remotehost persistence rat

Remcos

Core1 .NET packer

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-11 11:01

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-11 11:01

Reported

2024-08-11 11:04

Platform

win7-20240704-en

Max time kernel

149s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8a1c35a1197ef463e625f84cf4042c00_JaffaCakes118.exe"

Signatures

Remcos

rat remcos

Core1 .NET packer

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\file.exe = "C:\\Users\\Admin\\AppData\\Roaming\\file\\file.exe" | C:\Users\Admin\AppData\Local\Temp\8a1c35a1197ef463e625f84cf4042c00_JaffaCakes118.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3004 set thread context of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\8a1c35a1197ef463e625f84cf4042c00_JaffaCakes118.exe | C:\Windows\SysWow64\svchost.exe

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWow64\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3004 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\8a1c35a1197ef463e625f84cf4042c00_JaffaCakes118.exe | C:\Windows\SysWow64\svchost.exe
PID 3004 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\8a1c35a1197ef463e625f84cf4042c00_JaffaCakes118.exe | C:\Windows\SysWow64\svchost.exe
PID 3004 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\8a1c35a1197ef463e625f84cf4042c00_JaffaCakes118.exe | C:\Windows\SysWow64\svchost.exe
PID 3004 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\8a1c35a1197ef463e625f84cf4042c00_JaffaCakes118.exe | C:\Windows\SysWow64\svchost.exe
PID 3004 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\8a1c35a1197ef463e625f84cf4042c00_JaffaCakes118.exe | C:\Windows\SysWow64\svchost.exe
PID 3004 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\8a1c35a1197ef463e625f84cf4042c00_JaffaCakes118.exe | C:\Windows\SysWow64\svchost.exe
PID 3004 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\8a1c35a1197ef463e625f84cf4042c00_JaffaCakes118.exe | C:\Windows\SysWow64\svchost.exe
PID 3004 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\8a1c35a1197ef463e625f84cf4042c00_JaffaCakes118.exe | C:\Windows\SysWow64\svchost.exe
PID 3004 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\8a1c35a1197ef463e625f84cf4042c00_JaffaCakes118.exe | C:\Windows\SysWow64\svchost.exe
PID 3004 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\8a1c35a1197ef463e625f84cf4042c00_JaffaCakes118.exe | C:\Windows\SysWow64\svchost.exe
PID 3004 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\8a1c35a1197ef463e625f84cf4042c00_JaffaCakes118.exe | C:\Windows\SysWow64\svchost.exe
PID 3004 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\8a1c35a1197ef463e625f84cf4042c00_JaffaCakes118.exe | C:\Windows\SysWow64\svchost.exe
PID 3004 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\8a1c35a1197ef463e625f84cf4042c00_JaffaCakes118.exe | C:\Windows\SysWow64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8a1c35a1197ef463e625f84cf4042c00_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8a1c35a1197ef463e625f84cf4042c00_JaffaCakes118.exe"

C:\Windows\SysWow64\svchost.exe

"C:\\Windows\\SysWow64\\svchost.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | talkmyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyyown.kozow.com | udp

Files

memory/3004-0-0x000007FEF6033000-0x000007FEF6034000-memory.dmp

memory/3004-1-0x000000013F690000-0x000000013F7E6000-memory.dmp

memory/3004-2-0x000000001C4E0000-0x000000001C5C6000-memory.dmp

memory/3004-3-0x000000001B750000-0x000000001B7C8000-memory.dmp

memory/3004-4-0x00000000020A0000-0x00000000020B6000-memory.dmp

memory/3004-5-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

memory/3004-6-0x00000000020C0000-0x00000000020C4000-memory.dmp

memory/3000-7-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3000-14-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3000-18-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3000-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3000-13-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3000-11-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3000-12-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3000-10-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3000-9-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3000-8-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3000-16-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3000-23-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3000-19-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3000-22-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3004-25-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

memory/3000-28-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\remcos\logs.dat

MD5 43e910c093f7380a398764b141a2299e
SHA1 33fc479f6930fbff47737f1b0984426e17064919
SHA256 08a8822ccb8ae24656bb39cd097748a89b1dd493a731aec609a85968a45b5a0c
SHA512 f0a766206f322ed29983de4f202ae1945a5e1408504cd1026b1c1805a375c00be97a2ecdb600fd8bed263a8561fd81d802a098fe047dfaae37df3933f7c234e2

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-11 11:01

Reported

2024-08-11 11:04

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8a1c35a1197ef463e625f84cf4042c00_JaffaCakes118.exe"

Signatures

Remcos

rat remcos

Core1 .NET packer

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\file.exe = "C:\\Users\\Admin\\AppData\\Roaming\\file\\file.exe" | C:\Users\Admin\AppData\Local\Temp\8a1c35a1197ef463e625f84cf4042c00_JaffaCakes118.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1204 set thread context of 4480 | N/A | C:\Users\Admin\AppData\Local\Temp\8a1c35a1197ef463e625f84cf4042c00_JaffaCakes118.exe | C:\Windows\SysWow64\svchost.exe

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWow64\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1204 wrote to memory of 4480 | N/A | C:\Users\Admin\AppData\Local\Temp\8a1c35a1197ef463e625f84cf4042c00_JaffaCakes118.exe | C:\Windows\SysWow64\svchost.exe
PID 1204 wrote to memory of 4480 | N/A | C:\Users\Admin\AppData\Local\Temp\8a1c35a1197ef463e625f84cf4042c00_JaffaCakes118.exe | C:\Windows\SysWow64\svchost.exe
PID 1204 wrote to memory of 4480 | N/A | C:\Users\Admin\AppData\Local\Temp\8a1c35a1197ef463e625f84cf4042c00_JaffaCakes118.exe | C:\Windows\SysWow64\svchost.exe
PID 1204 wrote to memory of 4480 | N/A | C:\Users\Admin\AppData\Local\Temp\8a1c35a1197ef463e625f84cf4042c00_JaffaCakes118.exe | C:\Windows\SysWow64\svchost.exe
PID 1204 wrote to memory of 4480 | N/A | C:\Users\Admin\AppData\Local\Temp\8a1c35a1197ef463e625f84cf4042c00_JaffaCakes118.exe | C:\Windows\SysWow64\svchost.exe
PID 1204 wrote to memory of 4480 | N/A | C:\Users\Admin\AppData\Local\Temp\8a1c35a1197ef463e625f84cf4042c00_JaffaCakes118.exe | C:\Windows\SysWow64\svchost.exe
PID 1204 wrote to memory of 4480 | N/A | C:\Users\Admin\AppData\Local\Temp\8a1c35a1197ef463e625f84cf4042c00_JaffaCakes118.exe | C:\Windows\SysWow64\svchost.exe
PID 1204 wrote to memory of 4480 | N/A | C:\Users\Admin\AppData\Local\Temp\8a1c35a1197ef463e625f84cf4042c00_JaffaCakes118.exe | C:\Windows\SysWow64\svchost.exe
PID 1204 wrote to memory of 4480 | N/A | C:\Users\Admin\AppData\Local\Temp\8a1c35a1197ef463e625f84cf4042c00_JaffaCakes118.exe | C:\Windows\SysWow64\svchost.exe
PID 1204 wrote to memory of 4480 | N/A | C:\Users\Admin\AppData\Local\Temp\8a1c35a1197ef463e625f84cf4042c00_JaffaCakes118.exe | C:\Windows\SysWow64\svchost.exe
PID 1204 wrote to memory of 4480 | N/A | C:\Users\Admin\AppData\Local\Temp\8a1c35a1197ef463e625f84cf4042c00_JaffaCakes118.exe | C:\Windows\SysWow64\svchost.exe
PID 1204 wrote to memory of 4480 | N/A | C:\Users\Admin\AppData\Local\Temp\8a1c35a1197ef463e625f84cf4042c00_JaffaCakes118.exe | C:\Windows\SysWow64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8a1c35a1197ef463e625f84cf4042c00_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8a1c35a1197ef463e625f84cf4042c00_JaffaCakes118.exe"

C:\Windows\SysWow64\svchost.exe

"C:\\Windows\\SysWow64\\svchost.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | talkmyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyyown.kozow.com | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 13.107.21.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | talkmyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyyown.kozow.com | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | talkmyown.kozow.com | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | talkmyyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyown.kozow.com | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | talkmyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyown.kozow.com | udp
US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | talkmyyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyown.kozow.com | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | talkmyyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyyown.kozow.com | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | talkmyown.kozow.com | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | talkmyyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyyown.kozow.com | udp
US | 8.8.8.8:53 | talkmyown.kozow.com | udp

Files

memory/1204-0-0x00007FF850B83000-0x00007FF850B85000-memory.dmp

memory/1204-1-0x0000000000EE0000-0x0000000001036000-memory.dmp

memory/1204-2-0x000000001E0D0000-0x000000001E1B6000-memory.dmp

memory/1204-3-0x0000000001B10000-0x0000000001B88000-memory.dmp

memory/1204-4-0x00000000018F0000-0x0000000001906000-memory.dmp

memory/1204-5-0x0000000001920000-0x0000000001924000-memory.dmp

memory/1204-6-0x00007FF850B80000-0x00007FF851641000-memory.dmp

memory/4480-7-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4480-10-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4480-11-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4480-12-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4480-15-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4480-16-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1204-17-0x00007FF850B80000-0x00007FF851641000-memory.dmp

memory/4480-20-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\remcos\logs.dat

MD5 43e910c093f7380a398764b141a2299e
SHA1 33fc479f6930fbff47737f1b0984426e17064919
SHA256 08a8822ccb8ae24656bb39cd097748a89b1dd493a731aec609a85968a45b5a0c
SHA512 f0a766206f322ed29983de4f202ae1945a5e1408504cd1026b1c1805a375c00be97a2ecdb600fd8bed263a8561fd81d802a098fe047dfaae37df3933f7c234e2