General
- Target: 97518d8ccc8e8279e10ff5028f3dc3de_JaffaCakes118
- Size: 373KB
- Sample: 240814-xvhtgstfpp
- MD5: 97518d8ccc8e8279e10ff5028f3dc3de
- SHA1: 756926f6f7c7eebd171033cfff769af163bb6862
- SHA256: e939b191df2c460705fb601c020be92e228cc6bba84336a3a3b878c39f235cc6
- SHA512: 1fc1b6612ba48d0343d25175e28c5830f68e9aa3778988f1d2812c0679d104b37812d90156e87dc4ada40ad6486ea9750cb774f8c18b537cecd2a29cb14443ad
- SSDEEP: 6144:yolMYuweyOoy4VoxhbdkpKOZIXmI6km8C1AaI0W520MxXYM7V5JkwqWoGZd61Wud:RKWPO93j+KRdmT1hmM7Jkw+W3pS
Static task: static1

Behavioral task: behavioral1
- Sample: HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe
- Resource: win7-20240729-en

Behavioral task: behavioral2
- Sample: HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe
- Resource: win10v2004-20240802-en
Malware Config
Extracted: remcos 3.0.1 Pro
- RemoteHost: capriteam.ddns.net:1010
- audio_folder: MicRecords
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: true
- hide_file: true
- hide_keylog_file: false
- install_flag: true
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- keylog_path: %AppData%
- mouse_option: false
- mutex: Remcos-VHHYND
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: Remcos
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title: wikipedia;solitaire;
Targets
- Target: HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe
- Size: 412KB
- MD5: 3932f812b26f3bff1d20070c58468f2e
- SHA1: cbbd717f6fc0efebb051ca6329b90d8473dc5366
- SHA256: 6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e
- SHA512: 9b3b414a5552635e111d97b4f3bb458ca778eeaed38b30d9236ff9cd095e9f2e5a28666756e5382adfcaf04b0692b00cec6ea42d984609f1d1f3b2e75377f104
- SSDEEP: 6144:5s8MYkOoyOoKkpoxJbJkpKOv0Xmq6Mm8C1AKI0W5w0MxXYc7VBJkSqWoGZd61OuT:YQZOz1/CKbrmT1bCc79kS+O3njF
Score: 10/10
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext