General

  • Target

    97518d8ccc8e8279e10ff5028f3dc3de_JaffaCakes118

  • Size

    373KB

  • Sample

    240814-xvhtgstfpp

  • MD5

    97518d8ccc8e8279e10ff5028f3dc3de

  • SHA1

    756926f6f7c7eebd171033cfff769af163bb6862

  • SHA256

    e939b191df2c460705fb601c020be92e228cc6bba84336a3a3b878c39f235cc6

  • SHA512

    1fc1b6612ba48d0343d25175e28c5830f68e9aa3778988f1d2812c0679d104b37812d90156e87dc4ada40ad6486ea9750cb774f8c18b537cecd2a29cb14443ad

  • SSDEEP

    6144:yolMYuweyOoy4VoxhbdkpKOZIXmI6km8C1AaI0W520MxXYM7V5JkwqWoGZd61Wud:RKWPO93j+KRdmT1hmM7Jkw+W3pS

Malware Config

Extracted

  • Family

    remcos

  • Version

    3.0.1 Pro

  • Botnet

    RemoteHost

  • C2

    capriteam.ddns.net:1010

Attributes

  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    true

  • hide_file

    true

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-VHHYND

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;

Targets

    • Target

      HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe

    • Size

      412KB

    • MD5

      3932f812b26f3bff1d20070c58468f2e

    • SHA1

      cbbd717f6fc0efebb051ca6329b90d8473dc5366

    • SHA256

      6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e

    • SHA512

      9b3b414a5552635e111d97b4f3bb458ca778eeaed38b30d9236ff9cd095e9f2e5a28666756e5382adfcaf04b0692b00cec6ea42d984609f1d1f3b2e75377f104

    • SSDEEP

      6144:5s8MYkOoyOoKkpoxJbJkpKOv0Xmq6Mm8C1AKI0W5w0MxXYc7VBJkSqWoGZd61OuT:YQZOz1/CKbrmT1bCc79kS+O3njF

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks