Analysis

  • max time kernel
    149s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-08-2024 20:43

General

  • Target

    cba17390b59f3c9380e24455c440d3eb_JaffaCakes118.exe

  • Size

    584KB

  • MD5

    cba17390b59f3c9380e24455c440d3eb

  • SHA1

    f3544f292336cf0f6e3a6163ccfda6ae6ed442b6

  • SHA256

    3102123a62009a62e4a75da567d6b65abd2de23c739cba7486dff4337927fec4

  • SHA512

    b3a5084bc86b9640b68240e60b9328d3a4d09765720a44722e593c2b2763898dfa451e05854fe476b360e5889caaf58f42c941f78a1e9385b3e0b0d3752b8777

  • SSDEEP

    12288:2/XPRr7jlWuyfvHv4HOo9TfC/lIWrpcUx2gluSzTSqFQalf:2/5/U/fvgHOoNfCiWl7zuShQalf

Malware Config

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cba17390b59f3c9380e24455c440d3eb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\cba17390b59f3c9380e24455c440d3eb_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:720
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3928
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remc\Remc.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4680
        • C:\Users\Admin\AppData\Roaming\Remc\Remc.exe
          C:\Users\Admin\AppData\Roaming\Remc\Remc.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:448
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\SysWOW64\svchost.exe
            5⤵
              PID:4436
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4460,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=4512 /prefetch:8
      1⤵
        PID:2168

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\install.vbs

        Filesize

        410B

        MD5

        837b54af2c8d285fb69d719cc9061206

        SHA1

        b31b75216a46b744eb0d89dd9885431a8ecde820

        SHA256

        353bf067c7071e2b6904205a0f6755433a8711a4b2a9b48ac32ff538463f0e46

        SHA512

        6cc4e846538cf16de26004343a157a565fe9730ad5c253e3fb6c64098405849e732bd2216fbdecd52cc3cbcb84e24e4dca23b5fd4f68bcdc0e73d485479e2311

      • C:\Users\Admin\AppData\Roaming\Remc\Remc.exe

        Filesize

        584KB

        MD5

        cba17390b59f3c9380e24455c440d3eb

        SHA1

        f3544f292336cf0f6e3a6163ccfda6ae6ed442b6

        SHA256

        3102123a62009a62e4a75da567d6b65abd2de23c739cba7486dff4337927fec4

        SHA512

        b3a5084bc86b9640b68240e60b9328d3a4d09765720a44722e593c2b2763898dfa451e05854fe476b360e5889caaf58f42c941f78a1e9385b3e0b0d3752b8777

      • C:\Users\Admin\AppData\Roaming\Remc\logs.dat

        Filesize

        79B

        MD5

        10ce336af4bf7d9aa8858bcef42dc1b6

        SHA1

        5515ec65a267095029fa87ed89d0b30d25d1ac18

        SHA256

        3dab1f375f218843d3ac236fba50e58926ae1dccf394f29f537722d699e243da

        SHA512

        1a3001ef654e96727e6002ebb9012ab0c6fdb91765e63710d62f4763218d36efcd5acac867525130de9dbc31379f6d7fefb0f1a948bbb82ea297df618b90c175

      • memory/448-19-0x0000000000400000-0x000000000041E000-memory.dmp

        Filesize

        120KB

      • memory/448-22-0x0000000000400000-0x000000000041E000-memory.dmp

        Filesize

        120KB

      • memory/720-2-0x00000000774B1000-0x00000000775D1000-memory.dmp

        Filesize

        1.1MB

      • memory/720-4-0x0000000000400000-0x000000000041E000-memory.dmp

        Filesize

        120KB

      • memory/720-7-0x0000000000400000-0x0000000000494000-memory.dmp

        Filesize

        592KB

      • memory/720-12-0x0000000000400000-0x000000000041E000-memory.dmp

        Filesize

        120KB

      • memory/4436-25-0x0000000000400000-0x000000000041E000-memory.dmp

        Filesize

        120KB