remcos | 98f031407df4d599b9027f8e672436f1b61876048529a1304bc3118c82d42bd6

Analysis

max time kernel
144s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-09-2024 09:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe
Size

552KB
MD5

cf2d4e1a5f04682abe68311c5ea02402
SHA1

d871ac3c14aee753e81796b29f3177ee23c585f7
SHA256

98f031407df4d599b9027f8e672436f1b61876048529a1304bc3118c82d42bd6
SHA512

aed48e62648970c7fb787eb81d5674080987a83b55e1b1fd9b348f02c64e95ba1aabb0598a8f07063f8a13cc7586e223840c9e654b6b104323417d5e1f83066a
SSDEEP

12288:swFPGxJDbawx1fVc+yjaUP6tplMw797fCbs66u6tfIxk:swNMJ6wBuTMlM8JYr6uYI2

Score

10^/10

remcos corona lockdown discovery evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Corona Lockdown

enmark81.duckdns.org:4045

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
Windows logoff sound.exe
copy_folder
Windows Sound
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Windows Sound
keylog_path
%WinDir%
mouse_option
false
mutex
Windows Audio
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
Windows Audio
take_screenshot_option
true
take_screenshot_time
5
take_screenshot_title
Username;password;proforma;invoice;notepad

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 2 IoCs

pid	Process
2868	Windows logoff sound.exe
1752	Windows logoff sound.exe

Loads dropped DLL 2 IoCs

pid	Process
2800	cmd.exe
2800	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Audio = "\"C:\\Windows\\Windows Sound\\Windows logoff sound.exe\""	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Audio = "\"C:\\Windows\\Windows Sound\\Windows logoff sound.exe\""	Windows logoff sound.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2276 set thread context of 2288	2276	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe	29
PID 2868 set thread context of 1752	2868	Windows logoff sound.exe	37

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Windows Sound\Windows logoff sound.exe	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe
File opened for modification	C:\Windows\Windows Sound\Windows logoff sound.exe	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe
File opened for modification	C:\Windows\Windows Sound	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe
File opened for modification	C:\Windows\Windows Sound\logs.dat	Windows logoff sound.exe
File created	C:\Windows\Windows Sound\logs.dat	Windows logoff sound.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows logoff sound.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows logoff sound.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2544	PING.EXE

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2684	reg.exe
2616	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2544	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2276	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe
2868	Windows logoff sound.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1752	Windows logoff sound.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2276	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe
2868	Windows logoff sound.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1752	Windows logoff sound.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2288	2276	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe	29
PID 2276 wrote to memory of 2288	2276	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe	29
PID 2276 wrote to memory of 2288	2276	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe	29
PID 2276 wrote to memory of 2288	2276	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe	29
PID 2288 wrote to memory of 2964	2288	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe	30
PID 2288 wrote to memory of 2964	2288	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe	30
PID 2288 wrote to memory of 2964	2288	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe	30
PID 2288 wrote to memory of 2964	2288	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe	30
PID 2964 wrote to memory of 2684	2964	cmd.exe	32
PID 2964 wrote to memory of 2684	2964	cmd.exe	32
PID 2964 wrote to memory of 2684	2964	cmd.exe	32
PID 2964 wrote to memory of 2684	2964	cmd.exe	32
PID 2288 wrote to memory of 2800	2288	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe	33
PID 2288 wrote to memory of 2800	2288	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe	33
PID 2288 wrote to memory of 2800	2288	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe	33
PID 2288 wrote to memory of 2800	2288	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe	33
PID 2288 wrote to memory of 2800	2288	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe	33
PID 2288 wrote to memory of 2800	2288	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe	33
PID 2288 wrote to memory of 2800	2288	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe	33
PID 2800 wrote to memory of 2544	2800	cmd.exe	35
PID 2800 wrote to memory of 2544	2800	cmd.exe	35
PID 2800 wrote to memory of 2544	2800	cmd.exe	35
PID 2800 wrote to memory of 2544	2800	cmd.exe	35
PID 2800 wrote to memory of 2868	2800	cmd.exe	36
PID 2800 wrote to memory of 2868	2800	cmd.exe	36
PID 2800 wrote to memory of 2868	2800	cmd.exe	36
PID 2800 wrote to memory of 2868	2800	cmd.exe	36
PID 2868 wrote to memory of 1752	2868	Windows logoff sound.exe	37
PID 2868 wrote to memory of 1752	2868	Windows logoff sound.exe	37
PID 2868 wrote to memory of 1752	2868	Windows logoff sound.exe	37
PID 2868 wrote to memory of 1752	2868	Windows logoff sound.exe	37
PID 1752 wrote to memory of 2484	1752	Windows logoff sound.exe	38
PID 1752 wrote to memory of 2484	1752	Windows logoff sound.exe	38
PID 1752 wrote to memory of 2484	1752	Windows logoff sound.exe	38
PID 1752 wrote to memory of 2484	1752	Windows logoff sound.exe	38
PID 1752 wrote to memory of 2796	1752	Windows logoff sound.exe	40
PID 1752 wrote to memory of 2796	1752	Windows logoff sound.exe	40
PID 1752 wrote to memory of 2796	1752	Windows logoff sound.exe	40
PID 1752 wrote to memory of 2796	1752	Windows logoff sound.exe	40
PID 2484 wrote to memory of 2616	2484	cmd.exe	41
PID 2484 wrote to memory of 2616	2484	cmd.exe	41
PID 2484 wrote to memory of 2616	2484	cmd.exe	41
PID 2484 wrote to memory of 2616	2484	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Local\Temp\cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\SysWOW64\PING.EXE
      PING 127.0.0.1 -n 2
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2544
  - - C:\Windows\Windows Sound\Windows logoff sound.exe
      "C:\Windows\Windows Sound\Windows logoff sound.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Windows\Windows Sound\Windows logoff sound.exe
        
        "C:\Windows\Windows Sound\Windows logoff sound.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1752
      - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        7⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2616
      - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
100B

MD5
cbf070456b22d7a9295c7fcca06da9b2

SHA1
05d0fdaa5744a79a3394222d173ab20dc8b6155e

SHA256
7cfab39660b0276287c2534cc3b3aa9d23eacccb3255fb0a5910be44ee55b50c

SHA512
10b89fa9f7c5fa261fbd3cd1e5df0a3e478067c595d2f39f20fe3ec77be2639215c84e2672846e3915db7e434a3e84c1f29b50e37b5ab3daacc48b46d981dd87

Download Submit
\Windows\Windows Sound\Windows logoff sound.exe

Filesize
552KB

MD5
cf2d4e1a5f04682abe68311c5ea02402

SHA1
d871ac3c14aee753e81796b29f3177ee23c585f7

SHA256
98f031407df4d599b9027f8e672436f1b61876048529a1304bc3118c82d42bd6

SHA512
aed48e62648970c7fb787eb81d5674080987a83b55e1b1fd9b348f02c64e95ba1aabb0598a8f07063f8a13cc7586e223840c9e654b6b104323417d5e1f83066a

Download Submit
memory/1752-30-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1752-41-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1752-36-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1752-46-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1752-45-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1752-44-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1752-43-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1752-42-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1752-40-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1752-37-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1752-39-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1752-49-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1752-29-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1752-38-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2276-1-0x0000000000453000-0x000000000045D000-memory.dmp

Filesize
40KB

Download
memory/2276-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2276-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2288-7-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2288-6-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2288-20-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2288-18-0x0000000000450000-0x0000000000480000-memory.dmp

Filesize
192KB

Download
memory/2288-3-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2868-28-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download