Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/08/2024, 14:28

General

  • Target

    ccf9fd46a69a406c6a58f5159b329965_JaffaCakes118.exe

  • Size

    556KB

  • MD5

    ccf9fd46a69a406c6a58f5159b329965

  • SHA1

    3dac39eac3061e2e83d1a07bcdc7bd2a6c025662

  • SHA256

    eb49b4f516251a86ef5d49ab634e25e7a1f88a1855cb46799081183048a844ee

  • SHA512

    6a9a0dffee79a6435281203f6ebf1e657242dc8a26116d3b21c26f8e58a9d7c967f4fc9d728ef1e72ce5c890a4d1b52d11e379cc8d8389cf4b502c59cd63dbd0

  • SSDEEP

    6144:dXGR7onTiRtFc4EhQfIytKzSzLjCUBkNG7NgY1MW2wiWQD9+Wjc:dg7oItFNfIyt3BuMNgY1M0iW/W

Malware Config

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ccf9fd46a69a406c6a58f5159b329965_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ccf9fd46a69a406c6a58f5159b329965_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3788
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4200
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remc\Remc.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:968
        • C:\Users\Admin\AppData\Roaming\Remc\Remc.exe
          C:\Users\Admin\AppData\Roaming\Remc\Remc.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3500
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\SysWOW64\svchost.exe
            5⤵
              PID:1208

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\install.vbs

      Filesize

      410B

      MD5

      837b54af2c8d285fb69d719cc9061206

      SHA1

      b31b75216a46b744eb0d89dd9885431a8ecde820

      SHA256

      353bf067c7071e2b6904205a0f6755433a8711a4b2a9b48ac32ff538463f0e46

      SHA512

      6cc4e846538cf16de26004343a157a565fe9730ad5c253e3fb6c64098405849e732bd2216fbdecd52cc3cbcb84e24e4dca23b5fd4f68bcdc0e73d485479e2311

    • C:\Users\Admin\AppData\Roaming\Remc\Remc.exe

      Filesize

      556KB

      MD5

      ccf9fd46a69a406c6a58f5159b329965

      SHA1

      3dac39eac3061e2e83d1a07bcdc7bd2a6c025662

      SHA256

      eb49b4f516251a86ef5d49ab634e25e7a1f88a1855cb46799081183048a844ee

      SHA512

      6a9a0dffee79a6435281203f6ebf1e657242dc8a26116d3b21c26f8e58a9d7c967f4fc9d728ef1e72ce5c890a4d1b52d11e379cc8d8389cf4b502c59cd63dbd0

    • C:\Users\Admin\AppData\Roaming\Remc\logs.dat

      Filesize

      79B

      MD5

      4e843c2e9ec957b9d5f46ff88dc9b4d4

      SHA1

      afe160aca491da8f6ecc1ea201ad59fc15ad3a03

      SHA256

      5a434dee1be9471b0a5282ed1112edbbebdb801c7a6cd95da36988639d7fb99d

      SHA512

      e9de0b423f2deb87c33630d03411fa28dfa868cd353b908677f41c140b35c42de7010355febce0f0c64d54a3902815a290285446238971ea03892439dabb21e6

    • memory/1208-23-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

    • memory/3500-18-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

    • memory/3500-21-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

    • memory/3788-2-0x0000000076EC1000-0x0000000076FE1000-memory.dmp

      Filesize

      1.1MB

    • memory/3788-4-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

    • memory/3788-7-0x0000000000400000-0x000000000048B000-memory.dmp

      Filesize

      556KB

    • memory/3788-10-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB