remcos | 98f031407df4d599b9027f8e672436f1b61876048529a1304bc3118c82d42bd6

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2024 09:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe
Size

552KB
MD5

cf2d4e1a5f04682abe68311c5ea02402
SHA1

d871ac3c14aee753e81796b29f3177ee23c585f7
SHA256

98f031407df4d599b9027f8e672436f1b61876048529a1304bc3118c82d42bd6
SHA512

aed48e62648970c7fb787eb81d5674080987a83b55e1b1fd9b348f02c64e95ba1aabb0598a8f07063f8a13cc7586e223840c9e654b6b104323417d5e1f83066a
SSDEEP

12288:swFPGxJDbawx1fVc+yjaUP6tplMw797fCbs66u6tfIxk:swNMJ6wBuTMlM8JYr6uYI2

Score

10^/10

remcos corona lockdown discovery evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Corona Lockdown

enmark81.duckdns.org:4045

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
Windows logoff sound.exe
copy_folder
Windows Sound
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Windows Sound
keylog_path
%WinDir%
mouse_option
false
mutex
Windows Audio
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
Windows Audio
take_screenshot_option
true
take_screenshot_time
5
take_screenshot_title
Username;password;proforma;invoice;notepad

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4344	Windows logoff sound.exe
2008	Windows logoff sound.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Audio = "\"C:\\Windows\\Windows Sound\\Windows logoff sound.exe\""	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Audio = "\"C:\\Windows\\Windows Sound\\Windows logoff sound.exe\""	Windows logoff sound.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1988	3412	WerFault.exe	99

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1100 set thread context of 4732	1100	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe	84
PID 4344 set thread context of 2008	4344	Windows logoff sound.exe	94
PID 2008 set thread context of 4932	2008	Windows logoff sound.exe	98
PID 4932 set thread context of 3412	4932	iexplore.exe	99

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Windows Sound\Windows logoff sound.exe	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe
File opened for modification	C:\Windows\Windows Sound\Windows logoff sound.exe	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe
File opened for modification	C:\Windows\Windows Sound	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows logoff sound.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows logoff sound.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4220	PING.EXE

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
4580	reg.exe
4960	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4220	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1100	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe
1100	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe
4344	Windows logoff sound.exe
4344	Windows logoff sound.exe
4932	iexplore.exe
4932	iexplore.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1100	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe
4344	Windows logoff sound.exe
4932	iexplore.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 4732	1100	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe	84
PID 1100 wrote to memory of 4732	1100	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe	84
PID 1100 wrote to memory of 4732	1100	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe	84
PID 4732 wrote to memory of 1080	4732	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe	85
PID 4732 wrote to memory of 1080	4732	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe	85
PID 4732 wrote to memory of 1080	4732	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe	85
PID 1080 wrote to memory of 4960	1080	cmd.exe	87
PID 1080 wrote to memory of 4960	1080	cmd.exe	87
PID 1080 wrote to memory of 4960	1080	cmd.exe	87
PID 4732 wrote to memory of 1492	4732	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe	89
PID 4732 wrote to memory of 1492	4732	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe	89
PID 4732 wrote to memory of 1492	4732	cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe	89
PID 1492 wrote to memory of 4220	1492	cmd.exe	91
PID 1492 wrote to memory of 4220	1492	cmd.exe	91
PID 1492 wrote to memory of 4220	1492	cmd.exe	91
PID 1492 wrote to memory of 4344	1492	cmd.exe	93
PID 1492 wrote to memory of 4344	1492	cmd.exe	93
PID 1492 wrote to memory of 4344	1492	cmd.exe	93
PID 4344 wrote to memory of 2008	4344	Windows logoff sound.exe	94
PID 4344 wrote to memory of 2008	4344	Windows logoff sound.exe	94
PID 4344 wrote to memory of 2008	4344	Windows logoff sound.exe	94
PID 2008 wrote to memory of 888	2008	Windows logoff sound.exe	96
PID 2008 wrote to memory of 888	2008	Windows logoff sound.exe	96
PID 2008 wrote to memory of 888	2008	Windows logoff sound.exe	96
PID 2008 wrote to memory of 4932	2008	Windows logoff sound.exe	98
PID 2008 wrote to memory of 4932	2008	Windows logoff sound.exe	98
PID 2008 wrote to memory of 4932	2008	Windows logoff sound.exe	98
PID 2008 wrote to memory of 4932	2008	Windows logoff sound.exe	98
PID 2008 wrote to memory of 4932	2008	Windows logoff sound.exe	98
PID 2008 wrote to memory of 4932	2008	Windows logoff sound.exe	98
PID 2008 wrote to memory of 4932	2008	Windows logoff sound.exe	98
PID 2008 wrote to memory of 4932	2008	Windows logoff sound.exe	98
PID 2008 wrote to memory of 4932	2008	Windows logoff sound.exe	98
PID 2008 wrote to memory of 4932	2008	Windows logoff sound.exe	98
PID 2008 wrote to memory of 4932	2008	Windows logoff sound.exe	98
PID 2008 wrote to memory of 4932	2008	Windows logoff sound.exe	98
PID 2008 wrote to memory of 4932	2008	Windows logoff sound.exe	98
PID 4932 wrote to memory of 3412	4932	iexplore.exe	99
PID 4932 wrote to memory of 3412	4932	iexplore.exe	99
PID 4932 wrote to memory of 3412	4932	iexplore.exe	99
PID 888 wrote to memory of 4580	888	cmd.exe	101
PID 888 wrote to memory of 4580	888	cmd.exe	101
PID 888 wrote to memory of 4580	888	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Users\Admin\AppData\Local\Temp\cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\cf2d4e1a5f04682abe68311c5ea02402_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4732
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1080
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Windows\SysWOW64\PING.EXE
      PING 127.0.0.1 -n 2
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4220
  - - C:\Windows\Windows Sound\Windows logoff sound.exe
      "C:\Windows\Windows Sound\Windows logoff sound.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:4344
    - - C:\Windows\Windows Sound\Windows logoff sound.exe
        
        "C:\Windows\Windows Sound\Windows logoff sound.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2008
      - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        7⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4580
      - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 404
        8⤵
        Program crash
        
        PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3412 -ip 3412
1⤵
PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
100B

MD5
cbf070456b22d7a9295c7fcca06da9b2

SHA1
05d0fdaa5744a79a3394222d173ab20dc8b6155e

SHA256
7cfab39660b0276287c2534cc3b3aa9d23eacccb3255fb0a5910be44ee55b50c

SHA512
10b89fa9f7c5fa261fbd3cd1e5df0a3e478067c595d2f39f20fe3ec77be2639215c84e2672846e3915db7e434a3e84c1f29b50e37b5ab3daacc48b46d981dd87

Download Submit
C:\Windows\Windows Sound\Windows logoff sound.exe

Filesize
552KB

MD5
cf2d4e1a5f04682abe68311c5ea02402

SHA1
d871ac3c14aee753e81796b29f3177ee23c585f7

SHA256
98f031407df4d599b9027f8e672436f1b61876048529a1304bc3118c82d42bd6

SHA512
aed48e62648970c7fb787eb81d5674080987a83b55e1b1fd9b348f02c64e95ba1aabb0598a8f07063f8a13cc7586e223840c9e654b6b104323417d5e1f83066a

Download Submit
memory/1100-1-0x0000000000453000-0x000000000045D000-memory.dmp

Filesize
40KB

Download
memory/1100-3-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1100-0-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2008-25-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2008-31-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2008-26-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4344-20-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4344-21-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4732-6-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4732-15-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4732-13-0x0000000000420000-0x00000000004E9000-memory.dmp

Filesize
804KB

Download
memory/4732-7-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4732-2-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4932-28-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download