remcos | cd0c0dc8825985002a921c4f67915777717a7b373066c94feb30c39b311673e0

General

Target

de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe
Size

653KB
MD5

de0586ba85283a1f5f2a4923faa825c3
SHA1

fb3e5153fbe78fe8d7fbbb8fc294c26c6c6a7e57
SHA256

cd0c0dc8825985002a921c4f67915777717a7b373066c94feb30c39b311673e0
SHA512

2c2631995ae1a9d64deb1ce5fa93158c18be975d26664fce34a022c7aeaf5e845d35b48c66113bcbc40dcc4834fe36d33807f03a68bc88d011b2c8728863aeb6
SSDEEP

3072:3boqL0207vxQI0Bsebdm0LE8HeF24c6+beKuH6ZpGJMjMbPYQh2eeSxLNRny2Dth:92uI0Fb1t+M4ObeOpf02e

Score

10^/10

remcos host defense_evasion discovery rat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

soft2546.ddns.net:3033

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
remcos_tdjlqcixym
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 1 IoCs

pid	Process
1128	svhost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4708 set thread context of 1128	4708	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	104

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\windows\skypes.exe:Zone.Identifier	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1704	timeout.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\windows\skypes.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4708	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe
4708	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe
4708	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe
4708	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe
4708	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe
4708	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe
4708	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe
4708	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4708	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1128	svhost.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4708 wrote to memory of 3180	4708	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	101
PID 4708 wrote to memory of 3180	4708	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	101
PID 4708 wrote to memory of 3180	4708	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	101
PID 3180 wrote to memory of 3284	3180	cmd.exe	103
PID 3180 wrote to memory of 3284	3180	cmd.exe	103
PID 3180 wrote to memory of 3284	3180	cmd.exe	103
PID 4708 wrote to memory of 1128	4708	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	104
PID 4708 wrote to memory of 1128	4708	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	104
PID 4708 wrote to memory of 1128	4708	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	104
PID 4708 wrote to memory of 1128	4708	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	104
PID 4708 wrote to memory of 1128	4708	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	104
PID 4708 wrote to memory of 1128	4708	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	104
PID 4708 wrote to memory of 1128	4708	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	104
PID 4708 wrote to memory of 1128	4708	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	104
PID 4708 wrote to memory of 1128	4708	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	104
PID 4708 wrote to memory of 3612	4708	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	105
PID 4708 wrote to memory of 3612	4708	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	105
PID 4708 wrote to memory of 3612	4708	de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe	105
PID 3612 wrote to memory of 1704	3612	cmd.exe	107
PID 3612 wrote to memory of 1704	3612	cmd.exe	107
PID 3612 wrote to memory of 1704	3612	cmd.exe	107

C:\Users\Admin\AppData\Local\Temp\de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\de0586ba85283a1f5f2a4923faa825c3_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:3180
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\windows\skypes.exe.lnk" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3284
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\windows\skypes.exe.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 300
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:1704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1288,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=3036 /prefetch:8
1⤵
PID:392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
1.6MB

MD5
1c9ff7df71493896054a91bee0322ebf

SHA1
38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

SHA256
e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

SHA512
aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

Download Submit
C:\Users\Admin\AppData\Roaming\windows\skypes.exe

Filesize
653KB

MD5
de0586ba85283a1f5f2a4923faa825c3

SHA1
fb3e5153fbe78fe8d7fbbb8fc294c26c6c6a7e57

SHA256
cd0c0dc8825985002a921c4f67915777717a7b373066c94feb30c39b311673e0

SHA512
2c2631995ae1a9d64deb1ce5fa93158c18be975d26664fce34a022c7aeaf5e845d35b48c66113bcbc40dcc4834fe36d33807f03a68bc88d011b2c8728863aeb6

Download Submit
C:\Users\Admin\AppData\Roaming\windows\skypes.exe.bat

Filesize
203B

MD5
800b6a9bc708844795d815b35d83f9b0

SHA1
e5cf1e60c4d7c828f99cbec4589caf06bbc357d8

SHA256
98083ebdd4942003bcfe167d7f4c815c256dfa11c7e4956ecabdafc2b7807d44

SHA512
29f7b42bd318b67f6df394f84a75de34f830dea87e7dda4181eb66d6f89ee1da2f93b4623c1d721e60374210a846c49e7392527fe1f99a935179e4ce3bcfc176

Download Submit
memory/1128-10-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4708-0-0x0000000075522000-0x0000000075523000-memory.dmp

Filesize
4KB

Download
memory/4708-1-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/4708-2-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/4708-423-0x0000000075522000-0x0000000075523000-memory.dmp

Filesize
4KB

Download
memory/4708-424-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/4708-426-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing