remcos | cd0c0dc8825985002a921c4f67915777717a7b373066c94feb30c39b311673e0

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-09-2024 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe
Size

653KB
MD5

de0586ba85283a1f5f2a4923faa825c3
SHA1

fb3e5153fbe78fe8d7fbbb8fc294c26c6c6a7e57
SHA256

cd0c0dc8825985002a921c4f67915777717a7b373066c94feb30c39b311673e0
SHA512

2c2631995ae1a9d64deb1ce5fa93158c18be975d26664fce34a022c7aeaf5e845d35b48c66113bcbc40dcc4834fe36d33807f03a68bc88d011b2c8728863aeb6
SSDEEP

3072:3boqL0207vxQI0Bsebdm0LE8HeF24c6+beKuH6ZpGJMjMbPYQh2eeSxLNRny2Dth:92uI0Fb1t+M4ObeOpf02e

Score

10^/10

remcos host defense_evasion discovery rat

Malware Config

Extracted

Family

remcos

Botnet

Host

soft2546.ddns.net:3033

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
remcos_tdjlqcixym
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 1 IoCs

pid	Process
2160	svhost.exe

Loads dropped DLL 1 IoCs

pid	Process
2056	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2056 set thread context of 2160	2056	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	33

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\windows\skypes.exe:Zone.Identifier	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2840	timeout.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\windows\skypes.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2056	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe
2056	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe
2056	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe
2056	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2056	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 1416	2056	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	30
PID 2056 wrote to memory of 1416	2056	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	30
PID 2056 wrote to memory of 1416	2056	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	30
PID 2056 wrote to memory of 1416	2056	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	30
PID 1416 wrote to memory of 1960	1416	cmd.exe	32
PID 1416 wrote to memory of 1960	1416	cmd.exe	32
PID 1416 wrote to memory of 1960	1416	cmd.exe	32
PID 1416 wrote to memory of 1960	1416	cmd.exe	32
PID 2056 wrote to memory of 2160	2056	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	33
PID 2056 wrote to memory of 2160	2056	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	33
PID 2056 wrote to memory of 2160	2056	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	33
PID 2056 wrote to memory of 2160	2056	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	33
PID 2056 wrote to memory of 2160	2056	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	33
PID 2056 wrote to memory of 2160	2056	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	33
PID 2056 wrote to memory of 2160	2056	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	33
PID 2056 wrote to memory of 2160	2056	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	33
PID 2056 wrote to memory of 2160	2056	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	33
PID 2056 wrote to memory of 2160	2056	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	33
PID 2056 wrote to memory of 2888	2056	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	34
PID 2056 wrote to memory of 2888	2056	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	34
PID 2056 wrote to memory of 2888	2056	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	34
PID 2056 wrote to memory of 2888	2056	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	34
PID 2888 wrote to memory of 2840	2888	cmd.exe	36
PID 2888 wrote to memory of 2840	2888	cmd.exe	36
PID 2888 wrote to memory of 2840	2888	cmd.exe	36
PID 2888 wrote to memory of 2840	2888	cmd.exe	36
PID 2056 wrote to memory of 2848	2056	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	37
PID 2056 wrote to memory of 2848	2056	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	37
PID 2056 wrote to memory of 2848	2056	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	37
PID 2056 wrote to memory of 2848	2056	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	37
PID 2848 wrote to memory of 2824	2848	csc.exe	39
PID 2848 wrote to memory of 2824	2848	csc.exe	39
PID 2848 wrote to memory of 2824	2848	csc.exe	39
PID 2848 wrote to memory of 2824	2848	csc.exe	39
PID 2056 wrote to memory of 1976	2056	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	40
PID 2056 wrote to memory of 1976	2056	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	40
PID 2056 wrote to memory of 1976	2056	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	40
PID 2056 wrote to memory of 1976	2056	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	40
PID 1976 wrote to memory of 3064	1976	csc.exe	42
PID 1976 wrote to memory of 3064	1976	csc.exe	42
PID 1976 wrote to memory of 3064	1976	csc.exe	42
PID 1976 wrote to memory of 3064	1976	csc.exe	42
PID 2056 wrote to memory of 844	2056	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	43
PID 2056 wrote to memory of 844	2056	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	43
PID 2056 wrote to memory of 844	2056	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	43
PID 2056 wrote to memory of 844	2056	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	43

C:\Users\Admin\AppData\Local\Temp\de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\windows\skypes.exe.lnk" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1960
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Roaming\windows\skypes.exe.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 300
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2840
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eji3qrah.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBAF7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBAF6.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2824
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b2cpfzy_.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC6AA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC6A9.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3064
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 1272
  2⤵
  - System Location Discovery: System Language Discovery
  PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBAF7.tmp

Filesize
1KB

MD5
e4c4a3fff5afad14bda1cc9abb3e0dd9

SHA1
71c90799d6cbf544ea13f8c42a9dccee1e2f183c

SHA256
fa612a1fe61e5303a1d66d10554cb847a088b7bb15e0b160ec6ecf54960023b3

SHA512
13fd6d71ebb099dc845f2e87610848b8d6dfb059abfd97580dab7671c41b7ce164c77c2254cde3abc04b5c4d100396628a82ecbb4d98dd615e346896c617be4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC6AA.tmp

Filesize
1KB

MD5
b2977e516f75a889891904603abcb5b2

SHA1
0689725606851b397aa4a41349c6cc1869b86f9d

SHA256
3ed58bb042c806b7b25e3ba856659774557a6736bc4283ffd2ca8469f66de4ee

SHA512
8eb5a687cbde451997558e7da9f50b49da5d8d6e0627827ce0e727e5d99d8a92cb7ef0fe167498a03bf35e605c5fefd37fd397480f09feae82a277db96f3eb7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2cpfzy_.dll

Filesize
9KB

MD5
ec79944c7e7f0de2e56c41907a5bcc0f

SHA1
886cc1a3bdd83f61b4de85f5bc809336f4df204f

SHA256
8f085e1697c5d8099e2ddbdaf2761a7b1a8a2176222befb44c33d5a9ced0d1fa

SHA512
66bd982a91f1f13da4c98768356f83ee90675c62d84e76462519116ba91752d25a37978d632c5f4778461f65923789125f2fd82bcce14b5aae43d50b4380271a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eji3qrah.dll

Filesize
8KB

MD5
aa7b6f003e63ab5c6f9e9c8e0fce060f

SHA1
83b1b0dcba91cef4d7952dd5932d9043d5a494ff

SHA256
c9dfd25faaab1fabf81f20f560dd6aa4068ec55bea2bc684e5fab10bf6086abc

SHA512
e68806dfe4fc1cd085927c22a93825c7ae1427a9d46eb4c113dac02eca56815d7e8d782dc6eb2799556a33d409d62d0369bf2ba7f4aa4597159f5de2e9a4f2c2

Download Submit
C:\Users\Admin\AppData\Roaming\windows\skypes.exe.bat

Filesize
203B

MD5
800b6a9bc708844795d815b35d83f9b0

SHA1
e5cf1e60c4d7c828f99cbec4589caf06bbc357d8

SHA256
98083ebdd4942003bcfe167d7f4c815c256dfa11c7e4956ecabdafc2b7807d44

SHA512
29f7b42bd318b67f6df394f84a75de34f830dea87e7dda4181eb66d6f89ee1da2f93b4623c1d721e60374210a846c49e7392527fe1f99a935179e4ce3bcfc176

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCBAF6.tmp

Filesize
652B

MD5
c1de9909b32d1980f76ea5cd17486eb5

SHA1
ba2f906b7773c5883feac406b811d8c5f1a9af0c

SHA256
2132f1653c4546b7f2e105d83f5ba8cd966aba53d7d32c7efa5a6960e8870d4e

SHA512
a3275d24bd1ae7c1d655616aa53d5e7ce45da16eb765f9afa57344f5f0cd6a1a65e3895b66e09f1c9614a2ee3842fffeb26d6a85f974b29b496aa2105d8208cf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCC6A9.tmp

Filesize
652B

MD5
dc1f4d4ed116a8908064d16bee5ee5c3

SHA1
17cb0c8ad4c495f2f3d464adf09c8474249d8544

SHA256
6fa96d3f7f97468921ed1b6c6244eeebb6dfa17e584581583cfbe89f2107ae6a

SHA512
06ad86fad3bfd6667e0dd3827e29a972af86741481dbc850e7695ea01268c708585204cea1c2a429b51bcb1384589120e93bddc9d8fdaa12caddcb7a3683b23d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\b2cpfzy_.0.cs

Filesize
11KB

MD5
13a28512a6c506d7d6cbe8a1cdd6aec5

SHA1
977b1d51a455feb73a3dcf89760b6a4c365fba4a

SHA256
3c11a8e8e93df7c52c8b78ea99bb8a289832cb6bbc14a0e2c3db989c59bcb1f8

SHA512
71408ec6b92a93c116cdeb58907ccf462545bd2c946464bb488908366747fca672371a9bf6b072ecf83aa344679f1bca2c3debc7dcba33b6bc3ee62f76e0f5e5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\b2cpfzy_.cmdline

Filesize
619B

MD5
9d14480fa1d984a80b7e810453840474

SHA1
be89435fe898ae853184b0e5acf207516236bbb1

SHA256
4829e5ee15f4821de2e1523b15a9cb734bd453a4dbb8141460b8f52941008d23

SHA512
799a7aa2d2b7dcd9d720fc455ffd0e7c060da3be90cc8fd5b1906d6281c8502d617a9e76686f848e0fcac080bd3f26024e6208c362acab5c7096a2e70ea49532

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eji3qrah.0.cs

Filesize
10KB

MD5
fc5708080530a8686bc2662214c74343

SHA1
f2a822645b861812096864bc86d88b56d348cf40

SHA256
f0ae86e26d097ee3ac9cd0ac8734d1b18a294ddb64da8e8835d79d85eaccbd3d

SHA512
ad4e42058159c0219bd37e054299f275a40d60b358bcfaed13275f83f702edb64d7bf5f0479b857b67c8da12d49d9e7f1acd85ef12db90dd554b468cb72e1561

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eji3qrah.cmdline

Filesize
619B

MD5
d1b5485929a978240b39297ff699ac73

SHA1
fce7cb3ae2609ebc6fc60452509a60083eef3c97

SHA256
ecf235c46b5abafb3d9d86ace08af210cb3454586280daa587bdfb4ae7004fb6

SHA512
0e752cff15188e58db9066d7e5ae5fbd44fa5317486cdbd4f2b329ac957702b70d4cc6360dddfced559931b8c57547f41487ba3f45caa2593626c24193695063

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
1.6MB

MD5
32827e69b293b99013bbbe37d029245d

SHA1
bc9f80a38f09354d71467a05b0c5a82c3f7dac53

SHA256
9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f

SHA512
58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

Download Submit
memory/2056-46-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/2056-0-0x0000000074191000-0x0000000074192000-memory.dmp

Filesize
4KB

Download
memory/2056-2-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/2056-1-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/2056-60-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/2056-61-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/2160-15-0x0000000000080000-0x0000000000097000-memory.dmp

Filesize
92KB

Download
memory/2160-17-0x0000000000080000-0x0000000000097000-memory.dmp

Filesize
92KB

Download
memory/2160-19-0x0000000000080000-0x0000000000097000-memory.dmp

Filesize
92KB

Download
memory/2160-13-0x0000000000080000-0x0000000000097000-memory.dmp

Filesize
92KB

Download
memory/2160-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2160-11-0x0000000000080000-0x0000000000097000-memory.dmp

Filesize
92KB

Download
memory/2160-62-0x0000000000080000-0x0000000000097000-memory.dmp

Filesize
92KB

Download