General

  • Target: d4ac7bbda85aebcfdceb1989f81ac1c9_JaffaCakes118
  • Size: 233KB
  • Sample: 240908-swy5mstcmk
  • MD5: d4ac7bbda85aebcfdceb1989f81ac1c9
  • SHA1: 58104a1c576cd4bc6f3218589c6d8d927a852068
  • SHA256: 4ee463200a2e23f5f8cd27820da94a17de71dfbcdd4793524262d6ab2099b44c
  • SHA512: 39fa6e5ccab2521876d3ee55ebafdeefb79293223f194b401cb004a11fc9507a6772b4d6219149c172c2832f322c56cf2d8d80353386d95d2565f08de5017565
  • SSDEEP: 3072:yBkfJpRXATwMdFCcM6HbgkHL7CgLuGkH7zX+dFReLF/Bbnz+eE+2ErDBjCoit:yqjIGezCgLuGy+TkB/9z+Wj4t

Malware Config

Extracted

  • Family: remcos
  • Version: 2.7.2 Pro
  • Botnet: RemoteHost
  • C2: 103.89.88.238:4299

Attributes

  • audio_folder: MicRecords
  • audio_path: %AppData%
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: excel.exe
  • copy_folder: excel
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • install_path: %AppData%
  • keylog_crypt: false
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: excel
  • keylog_path: %AppData%
  • mouse_option: false
  • mutex: excel-8OHAVR
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • startup_value: excel
  • take_screenshot_option: false
  • take_screenshot_time: 5
  • take_screenshot_title: wikipedia;solitaire;

Targets

    • Target: d4ac7bbda85aebcfdceb1989f81ac1c9_JaffaCakes118


    • Remcos: Remcos is a closed-source remote control and surveillance tool.
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

    • Target: $PLUGINSDIR/System.dll
    • Size: 11KB
    • MD5: fccff8cb7a1067e23fd2e2b63971a8e1
    • SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
    • SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
    • SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
    • SSDEEP: 192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
    • Score: 3/10

    • Target: k84i936.dll
    • Size: 13KB
    • MD5: 7c0a51de29d404c903e2768e6d083ba6
    • SHA1: af1177ab91ca26ca84c096df4dc1f36363f21520
    • SHA256: f6c7ccbb1f2c879b7788e284301360e65d983ee000b1d69efbc9cdb60820b734
    • SHA512: 3091c385603723769adb29f484548b8c7da3610bb588fc37359043c897fc9d1e69740a117b4be6f0c95e278c2b72ade6efc81e86523f33e82d297ceb7d1c08a9
    • SSDEEP: 192:rONg35CxbUH3EvQgBsTmnVG3YDxxOFbCyBFngtEV:aeCS3cXYOOMKGt

MITRE ATT&CK Enterprise v15

Tasks