Overview

overview

10

Static

static

3

cba17390b5...18.exe

windows7-x64

10

cba17390b5...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    30-08-2024 20:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cba17390b59f3c9380e24455c440d3eb_JaffaCakes118.exe

  • Size

    584KB

  • MD5

    cba17390b59f3c9380e24455c440d3eb

  • SHA1

    f3544f292336cf0f6e3a6163ccfda6ae6ed442b6

  • SHA256

    3102123a62009a62e4a75da567d6b65abd2de23c739cba7486dff4337927fec4

  • SHA512

    b3a5084bc86b9640b68240e60b9328d3a4d09765720a44722e593c2b2763898dfa451e05854fe476b360e5889caaf58f42c941f78a1e9385b3e0b0d3752b8777

  • SSDEEP

    12288:2/XPRr7jlWuyfvHv4HOo9TfC/lIWrpcUx2gluSzTSqFQalf:2/5/U/fvgHOoNfCiWl7zuShQalf

Score
10/10
remcosdiscoverypersistencerat

Malware Config

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cba17390b59f3c9380e24455c440d3eb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\cba17390b59f3c9380e24455c440d3eb_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2216
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remc\Remc.exe"
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2644
        • C:\Users\Admin\AppData\Roaming\Remc\Remc.exe
          C:\Users\Admin\AppData\Roaming\Remc\Remc.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:2740
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\SysWOW64\svchost.exe
            5⤵
              PID:2604

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\install.vbs
      Filesize

      410B

      MD5

      837b54af2c8d285fb69d719cc9061206

      SHA1

      b31b75216a46b744eb0d89dd9885431a8ecde820

      SHA256

      353bf067c7071e2b6904205a0f6755433a8711a4b2a9b48ac32ff538463f0e46

      SHA512

      6cc4e846538cf16de26004343a157a565fe9730ad5c253e3fb6c64098405849e732bd2216fbdecd52cc3cbcb84e24e4dca23b5fd4f68bcdc0e73d485479e2311

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Remc\logs.dat
      Filesize

      79B

      MD5

      4372f575d82a254d62aefc7b3ab960fe

      SHA1

      570977d9b42e1a07614db7d9416307469fc15964

      SHA256

      912ef5e98d7f6009f5d7e6c0f6e8869906aa431447cbe1a6601b91137519d082

      SHA512

      2d8702ed505a89333d486b79e1b96fe6bd539efe3cb22c26c90b635432e5f0c15e33427c6ffcbdc3e4133f938e7f7fd4deaf1f0f9d5032ced7335dfe287502a0

      Download Submit

    • \Users\Admin\AppData\Roaming\Remc\Remc.exe
      Filesize

      584KB

      MD5

      cba17390b59f3c9380e24455c440d3eb

      SHA1

      f3544f292336cf0f6e3a6163ccfda6ae6ed442b6

      SHA256

      3102123a62009a62e4a75da567d6b65abd2de23c739cba7486dff4337927fec4

      SHA512

      b3a5084bc86b9640b68240e60b9328d3a4d09765720a44722e593c2b2763898dfa451e05854fe476b360e5889caaf58f42c941f78a1e9385b3e0b0d3752b8777

      Download Submit

    • memory/2216-2-0x0000000077200000-0x00000000772D6000-memory.dmp

      Filesize

      856KB

      Download

    • memory/2216-3-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2216-4-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2216-7-0x0000000072940000-0x0000000072A60000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2216-12-0x0000000072940000-0x0000000072A60000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2216-11-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2604-35-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2604-38-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2604-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2604-33-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2604-31-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2604-29-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2604-27-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2604-25-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2740-23-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2740-20-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download