remcos | eb8ddb4030665a4bee35306bb1a44d2faeb6e44c451d6ab4c7a39d105e396679

General

Target

dcdd1f5ef6db6fce55ddef5949eca403_JaffaCakes118.exe
Size

124KB
MD5

dcdd1f5ef6db6fce55ddef5949eca403
SHA1

7ec48483ac912b1b58923d7412ed53985962c301
SHA256

eb8ddb4030665a4bee35306bb1a44d2faeb6e44c451d6ab4c7a39d105e396679
SHA512

e53ef1a7711fda1945a6d59036fa52454722fa68bde9c6ae0f79ca341e715b3adc1fada67d352f1c8c7ce6c553d2e613fd9f32e4c4584a0254b9a5c45adb3c37
SSDEEP

3072:lFNUcekHxRkuHxSWMDUajQJf/p/itxBCBpEzImXnr+vHI+zIcdQr12u1p:lHUcLxRkuRSWMDUaGf/p/sxWpEzImXqI

Score

10^/10

remcos persomacro discovery evasion persistence rat

Malware Config

Extracted

Family

remcos

Version

2.0.5 Pro

Botnet

persomacro

C2

lenovoscanner.duckdns.org:2607

lenovoscannerone.duckdns.org:2607

lenovoscannertwo.duckdns.org:2607

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
UjgRsaW.exe
copy_folder
jFhktyE
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%Temp%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
poger
keylog_path
%AppData%
mouse_option
false
mutex
col12345-M4OQGH
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
InstallDiret
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	UjgRsaW.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dcdd1f5ef6db6fce55ddef5949eca403_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2104	UjgRsaW.exe

Loads dropped DLL 2 IoCs

pid	Process
2924	cmd.exe
2924	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\InstallDiret = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\jFhktyE\\UjgRsaW.exe\""	UjgRsaW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\InstallDiret = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\jFhktyE\\UjgRsaW.exe\""	UjgRsaW.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\InstallDiret = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\jFhktyE\\UjgRsaW.exe\""	dcdd1f5ef6db6fce55ddef5949eca403_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\InstallDiret = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\jFhktyE\\UjgRsaW.exe\""	dcdd1f5ef6db6fce55ddef5949eca403_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dcdd1f5ef6db6fce55ddef5949eca403_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UjgRsaW.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2104	UjgRsaW.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 2612	2992	dcdd1f5ef6db6fce55ddef5949eca403_JaffaCakes118.exe	30
PID 2992 wrote to memory of 2612	2992	dcdd1f5ef6db6fce55ddef5949eca403_JaffaCakes118.exe	30
PID 2992 wrote to memory of 2612	2992	dcdd1f5ef6db6fce55ddef5949eca403_JaffaCakes118.exe	30
PID 2992 wrote to memory of 2612	2992	dcdd1f5ef6db6fce55ddef5949eca403_JaffaCakes118.exe	30
PID 2612 wrote to memory of 2924	2612	WScript.exe	31
PID 2612 wrote to memory of 2924	2612	WScript.exe	31
PID 2612 wrote to memory of 2924	2612	WScript.exe	31
PID 2612 wrote to memory of 2924	2612	WScript.exe	31
PID 2924 wrote to memory of 2104	2924	cmd.exe	33
PID 2924 wrote to memory of 2104	2924	cmd.exe	33
PID 2924 wrote to memory of 2104	2924	cmd.exe	33
PID 2924 wrote to memory of 2104	2924	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\dcdd1f5ef6db6fce55ddef5949eca403_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dcdd1f5ef6db6fce55ddef5949eca403_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\jFhktyE\UjgRsaW.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Users\Admin\AppData\Local\Temp\jFhktyE\UjgRsaW.exe
      C:\Users\Admin\AppData\Local\Temp\jFhktyE\UjgRsaW.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
428B

MD5
a1ee86fa851b7335c433024f2943b9c2

SHA1
b6c60141b61e3cb1466a7740b5209a809fe1d785

SHA256
3523293ab79009cf895b6549e1414c2d4f64c46eb3629c454c63e3e97e50eca0

SHA512
7972ea2a5293e681c75b23d6e2f17fe76ce01ca5d113b234c2f1aa654975f54d2ac1a78ec9a38876fecef7a5293261c556bbfd2e5e6135fa06eccad7ecae9822

Download Submit
C:\Users\Admin\AppData\Roaming\poger\logs.dat

Filesize
79B

MD5
4593c17c126c5394ac6a6ac0b3f9bb5c

SHA1
6ec8766e7da2b4d9a6deff465e5b54f6d16ecea2

SHA256
e164ac1088301f74105ba102f533b03657b83c7c2cd1a96b01cd277f9965af20

SHA512
9a7a402ba8286f5c6aafaad607638e49ec85003dcff9e7ddb59a2280863a8251d226fb052996f14b7aa73769e4a52b21b2b1f9d0756d83a6e42db77725a0b163

Download Submit
\Users\Admin\AppData\Local\Temp\jFhktyE\UjgRsaW.exe

Filesize
124KB

MD5
dcdd1f5ef6db6fce55ddef5949eca403

SHA1
7ec48483ac912b1b58923d7412ed53985962c301

SHA256
eb8ddb4030665a4bee35306bb1a44d2faeb6e44c451d6ab4c7a39d105e396679

SHA512
e53ef1a7711fda1945a6d59036fa52454722fa68bde9c6ae0f79ca341e715b3adc1fada67d352f1c8c7ce6c553d2e613fd9f32e4c4584a0254b9a5c45adb3c37

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads