remcos | eb8ddb4030665a4bee35306bb1a44d2faeb6e44c451d6ab4c7a39d105e396679

General

Target

dcdd1f5ef6db6fce55ddef5949eca403_JaffaCakes118.exe
Size

124KB
MD5

dcdd1f5ef6db6fce55ddef5949eca403
SHA1

7ec48483ac912b1b58923d7412ed53985962c301
SHA256

eb8ddb4030665a4bee35306bb1a44d2faeb6e44c451d6ab4c7a39d105e396679
SHA512

e53ef1a7711fda1945a6d59036fa52454722fa68bde9c6ae0f79ca341e715b3adc1fada67d352f1c8c7ce6c553d2e613fd9f32e4c4584a0254b9a5c45adb3c37
SSDEEP

3072:lFNUcekHxRkuHxSWMDUajQJf/p/itxBCBpEzImXnr+vHI+zIcdQr12u1p:lHUcLxRkuRSWMDUaGf/p/sxWpEzImXqI

Score

10^/10

remcos persomacro discovery evasion persistence rat

Malware Config

Extracted

Family

remcos

Version

2.0.5 Pro

Botnet

persomacro

C2

lenovoscanner.duckdns.org:2607

lenovoscannerone.duckdns.org:2607

lenovoscannertwo.duckdns.org:2607

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
UjgRsaW.exe
copy_folder
jFhktyE
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%Temp%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
poger
keylog_path
%AppData%
mouse_option
false
mutex
col12345-M4OQGH
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
InstallDiret
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dcdd1f5ef6db6fce55ddef5949eca403_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	UjgRsaW.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	dcdd1f5ef6db6fce55ddef5949eca403_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2064	UjgRsaW.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\InstallDiret = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\jFhktyE\\UjgRsaW.exe\""	UjgRsaW.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\InstallDiret = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\jFhktyE\\UjgRsaW.exe\""	dcdd1f5ef6db6fce55ddef5949eca403_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\InstallDiret = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\jFhktyE\\UjgRsaW.exe\""	dcdd1f5ef6db6fce55ddef5949eca403_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\InstallDiret = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\jFhktyE\\UjgRsaW.exe\""	UjgRsaW.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dcdd1f5ef6db6fce55ddef5949eca403_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UjgRsaW.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	dcdd1f5ef6db6fce55ddef5949eca403_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2064	UjgRsaW.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 1488	4692	dcdd1f5ef6db6fce55ddef5949eca403_JaffaCakes118.exe	91
PID 4692 wrote to memory of 1488	4692	dcdd1f5ef6db6fce55ddef5949eca403_JaffaCakes118.exe	91
PID 4692 wrote to memory of 1488	4692	dcdd1f5ef6db6fce55ddef5949eca403_JaffaCakes118.exe	91
PID 1488 wrote to memory of 872	1488	WScript.exe	94
PID 1488 wrote to memory of 872	1488	WScript.exe	94
PID 1488 wrote to memory of 872	1488	WScript.exe	94
PID 872 wrote to memory of 2064	872	cmd.exe	96
PID 872 wrote to memory of 2064	872	cmd.exe	96
PID 872 wrote to memory of 2064	872	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\dcdd1f5ef6db6fce55ddef5949eca403_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dcdd1f5ef6db6fce55ddef5949eca403_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\jFhktyE\UjgRsaW.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:872
  - - C:\Users\Admin\AppData\Local\Temp\jFhktyE\UjgRsaW.exe
      C:\Users\Admin\AppData\Local\Temp\jFhktyE\UjgRsaW.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3000,i,2727319350781907497,7925939240893079607,262144 --variations-seed-version --mojo-platform-channel-handle=4260 /prefetch:8
1⤵
PID:3640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
428B

MD5
a1ee86fa851b7335c433024f2943b9c2

SHA1
b6c60141b61e3cb1466a7740b5209a809fe1d785

SHA256
3523293ab79009cf895b6549e1414c2d4f64c46eb3629c454c63e3e97e50eca0

SHA512
7972ea2a5293e681c75b23d6e2f17fe76ce01ca5d113b234c2f1aa654975f54d2ac1a78ec9a38876fecef7a5293261c556bbfd2e5e6135fa06eccad7ecae9822

Download Submit
C:\Users\Admin\AppData\Local\Temp\jFhktyE\UjgRsaW.exe

Filesize
124KB

MD5
dcdd1f5ef6db6fce55ddef5949eca403

SHA1
7ec48483ac912b1b58923d7412ed53985962c301

SHA256
eb8ddb4030665a4bee35306bb1a44d2faeb6e44c451d6ab4c7a39d105e396679

SHA512
e53ef1a7711fda1945a6d59036fa52454722fa68bde9c6ae0f79ca341e715b3adc1fada67d352f1c8c7ce6c553d2e613fd9f32e4c4584a0254b9a5c45adb3c37

Download Submit
C:\Users\Admin\AppData\Roaming\poger\logs.dat

Filesize
79B

MD5
d57a29e45cecf856a5d4cd77e882eb1a

SHA1
66508289fb14a5bd43bb493b0ba5c4439536bf60

SHA256
69085c2c19649e604b6fa89cdd1d61caa14739f76f60efc5e214c262b7850917

SHA512
88a3f8b29bdfe78b7c824fc7f6e8d1c3317dab3922f7ef8afdb6dcf15aca756ccc02d7410e330062b10d6a1dfd5ca2f9298e1e68c50057f2aa30afc0774e97c6

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads