remcos | 8d087e56deb745a40c704cd0a508f9f07b697b3ff44ae660ee581f7f42e4e160

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dec90801aac280bb0cf01fab56f30bf3_JaffaCakes118.exe
Size

813KB
MD5

dec90801aac280bb0cf01fab56f30bf3
SHA1

c8cac95cbc28dd1303dc73eab11d9c3bca4cf6c3
SHA256

8d087e56deb745a40c704cd0a508f9f07b697b3ff44ae660ee581f7f42e4e160
SHA512

038f0e1951aee45fd2b6a2b0b72ffc8661676a11cc9ff695709f4a2e666f5881e6d9193af53dc4fdace493cdee50ae3e0753d74d4519061afad1837565fbb769
SSDEEP

12288:JExW/T1SZXGPoNAGntHtGQ735RC/Ad9upIJ3OT1ohva/qwtGIkBBAvV:Jv/T1wNAGVH3m/AdcpIYEC/zFkBB

Score

10^/10

remcos remotehost discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

3.0.2 Pro

Botnet

RemoteHost

berryttttiere.duckdns.org:6553

asddskfjjer.duckdns.org:6553

fjgjkhltyjj.duckdns.org:6553

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-0DI0HG
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	dec90801aac280bb0cf01fab56f30bf3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
5012	remcos.exe
2520	remcos.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	dec90801aac280bb0cf01fab56f30bf3_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3876 set thread context of 4896	3876	dec90801aac280bb0cf01fab56f30bf3_JaffaCakes118.exe	102
PID 5012 set thread context of 2520	5012	remcos.exe	108

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dec90801aac280bb0cf01fab56f30bf3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dec90801aac280bb0cf01fab56f30bf3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	dec90801aac280bb0cf01fab56f30bf3_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2520	remcos.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3876 wrote to memory of 4896	3876	dec90801aac280bb0cf01fab56f30bf3_JaffaCakes118.exe	102
PID 3876 wrote to memory of 4896	3876	dec90801aac280bb0cf01fab56f30bf3_JaffaCakes118.exe	102
PID 3876 wrote to memory of 4896	3876	dec90801aac280bb0cf01fab56f30bf3_JaffaCakes118.exe	102
PID 3876 wrote to memory of 4896	3876	dec90801aac280bb0cf01fab56f30bf3_JaffaCakes118.exe	102
PID 3876 wrote to memory of 4896	3876	dec90801aac280bb0cf01fab56f30bf3_JaffaCakes118.exe	102
PID 3876 wrote to memory of 4896	3876	dec90801aac280bb0cf01fab56f30bf3_JaffaCakes118.exe	102
PID 3876 wrote to memory of 4896	3876	dec90801aac280bb0cf01fab56f30bf3_JaffaCakes118.exe	102
PID 3876 wrote to memory of 4896	3876	dec90801aac280bb0cf01fab56f30bf3_JaffaCakes118.exe	102
PID 3876 wrote to memory of 4896	3876	dec90801aac280bb0cf01fab56f30bf3_JaffaCakes118.exe	102
PID 3876 wrote to memory of 4896	3876	dec90801aac280bb0cf01fab56f30bf3_JaffaCakes118.exe	102
PID 3876 wrote to memory of 4896	3876	dec90801aac280bb0cf01fab56f30bf3_JaffaCakes118.exe	102
PID 3876 wrote to memory of 4896	3876	dec90801aac280bb0cf01fab56f30bf3_JaffaCakes118.exe	102
PID 4896 wrote to memory of 4040	4896	dec90801aac280bb0cf01fab56f30bf3_JaffaCakes118.exe	103
PID 4896 wrote to memory of 4040	4896	dec90801aac280bb0cf01fab56f30bf3_JaffaCakes118.exe	103
PID 4896 wrote to memory of 4040	4896	dec90801aac280bb0cf01fab56f30bf3_JaffaCakes118.exe	103
PID 4040 wrote to memory of 2912	4040	WScript.exe	104
PID 4040 wrote to memory of 2912	4040	WScript.exe	104
PID 4040 wrote to memory of 2912	4040	WScript.exe	104
PID 2912 wrote to memory of 5012	2912	cmd.exe	106
PID 2912 wrote to memory of 5012	2912	cmd.exe	106
PID 2912 wrote to memory of 5012	2912	cmd.exe	106
PID 5012 wrote to memory of 2520	5012	remcos.exe	108
PID 5012 wrote to memory of 2520	5012	remcos.exe	108
PID 5012 wrote to memory of 2520	5012	remcos.exe	108
PID 5012 wrote to memory of 2520	5012	remcos.exe	108
PID 5012 wrote to memory of 2520	5012	remcos.exe	108
PID 5012 wrote to memory of 2520	5012	remcos.exe	108
PID 5012 wrote to memory of 2520	5012	remcos.exe	108
PID 5012 wrote to memory of 2520	5012	remcos.exe	108
PID 5012 wrote to memory of 2520	5012	remcos.exe	108
PID 5012 wrote to memory of 2520	5012	remcos.exe	108
PID 5012 wrote to memory of 2520	5012	remcos.exe	108
PID 5012 wrote to memory of 2520	5012	remcos.exe	108
PID 2520 wrote to memory of 2248	2520	remcos.exe	109
PID 2520 wrote to memory of 2248	2520	remcos.exe	109
PID 2520 wrote to memory of 2248	2520	remcos.exe	109

C:\Users\Admin\AppData\Local\Temp\dec90801aac280bb0cf01fab56f30bf3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dec90801aac280bb0cf01fab56f30bf3_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Users\Admin\AppData\Local\Temp\dec90801aac280bb0cf01fab56f30bf3_JaffaCakes118.exe
  "{path}"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4040
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5012
      - C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
        
        "{path}"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        7⤵
        
        PID:2248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4056,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=1044 /prefetch:8
1⤵
PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
418B

MD5
b92d64fe5b1d1f59df4b738262aea8df

SHA1
c8fb1981759c2d9bb2ec91b705985fba5fc7af63

SHA256
fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a

SHA512
2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\logs.dat

Filesize
74B

MD5
eaaf93c83b96ecca888650cb632c2658

SHA1
452436df0c6f87d35f11b5e99f3bb9cb8eb78681

SHA256
4fc3f21d82bf7a53f2e84c8b16e5f22e046161536d30d80cd9ffb4f31723ca2d

SHA512
d593f26ec1ee3195eb77ab567ae1432f8c1c2cba7cd8a2b29b2ef37931522485697244cbc2d511f1198e896313d5ffeed07e0b6cc705e58dc1c25556e440d431

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

Filesize
813KB

MD5
dec90801aac280bb0cf01fab56f30bf3

SHA1
c8cac95cbc28dd1303dc73eab11d9c3bca4cf6c3

SHA256
8d087e56deb745a40c704cd0a508f9f07b697b3ff44ae660ee581f7f42e4e160

SHA512
038f0e1951aee45fd2b6a2b0b72ffc8661676a11cc9ff695709f4a2e666f5881e6d9193af53dc4fdace493cdee50ae3e0753d74d4519061afad1837565fbb769

Download Submit
memory/2520-28-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2520-30-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2520-33-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2520-36-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3876-6-0x0000000006920000-0x00000000069BC000-memory.dmp

Filesize
624KB

Download
memory/3876-5-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/3876-9-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/3876-10-0x0000000006AC0000-0x0000000006B92000-memory.dmp

Filesize
840KB

Download
memory/3876-1-0x0000000000770000-0x0000000000842000-memory.dmp

Filesize
840KB

Download
memory/3876-8-0x000000007447E000-0x000000007447F000-memory.dmp

Filesize
4KB

Download
memory/3876-2-0x00000000058E0000-0x0000000005E84000-memory.dmp

Filesize
5.6MB

Download
memory/3876-3-0x0000000005210000-0x00000000052A2000-memory.dmp

Filesize
584KB

Download
memory/3876-18-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/3876-4-0x0000000005200000-0x000000000520A000-memory.dmp

Filesize
40KB

Download
memory/3876-7-0x0000000005390000-0x0000000005398000-memory.dmp

Filesize
32KB

Download
memory/3876-0-0x000000007447E000-0x000000007447F000-memory.dmp

Filesize
4KB

Download
memory/4896-13-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4896-21-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4896-15-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4896-14-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4896-11-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads