remcos | 88613ee7cd4b2903e3c61952d22137fd1d3aaf803dad920da2fd3fc77ef087df

General

Target

e0d893bbe8e0619a8244724ab8d31a6b_JaffaCakes118.exe
Size

362KB
MD5

e0d893bbe8e0619a8244724ab8d31a6b
SHA1

f7c0b35ac49968a294dcf41a3df85086a4e9eba5
SHA256

88613ee7cd4b2903e3c61952d22137fd1d3aaf803dad920da2fd3fc77ef087df
SHA512

e0bf9474f718c51bf9075c74f7e0be984a363207bcf65021348b555d97373d47e623aca41c644ff6cabe89d5a372a76ceb4c82790e5b1b8f84ee43cf54397a6d
SSDEEP

6144:/ORBAOX9znvY2y8DDRU+D9YH5IFxJM5HUfvr7EMAP8IW:qFTYF8Ky9YH5xUrSP8IW

Score

10^/10

remcos host discovery rat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

rimoy788.ddns.net:7005

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
rem.exe
copy_folder
pdf
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
remcos_qjilatgigi
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	e0d893bbe8e0619a8244724ab8d31a6b_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1584 set thread context of 1512	1584	e0d893bbe8e0619a8244724ab8d31a6b_JaffaCakes118.exe	107
PID 1512 set thread context of 4776	1512	e0d893bbe8e0619a8244724ab8d31a6b_JaffaCakes118.exe	108

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0d893bbe8e0619a8244724ab8d31a6b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0d893bbe8e0619a8244724ab8d31a6b_JaffaCakes118.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3188	schtasks.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 3188	1584	e0d893bbe8e0619a8244724ab8d31a6b_JaffaCakes118.exe	105
PID 1584 wrote to memory of 3188	1584	e0d893bbe8e0619a8244724ab8d31a6b_JaffaCakes118.exe	105
PID 1584 wrote to memory of 3188	1584	e0d893bbe8e0619a8244724ab8d31a6b_JaffaCakes118.exe	105
PID 1584 wrote to memory of 1512	1584	e0d893bbe8e0619a8244724ab8d31a6b_JaffaCakes118.exe	107
PID 1584 wrote to memory of 1512	1584	e0d893bbe8e0619a8244724ab8d31a6b_JaffaCakes118.exe	107
PID 1584 wrote to memory of 1512	1584	e0d893bbe8e0619a8244724ab8d31a6b_JaffaCakes118.exe	107
PID 1584 wrote to memory of 1512	1584	e0d893bbe8e0619a8244724ab8d31a6b_JaffaCakes118.exe	107
PID 1584 wrote to memory of 1512	1584	e0d893bbe8e0619a8244724ab8d31a6b_JaffaCakes118.exe	107
PID 1584 wrote to memory of 1512	1584	e0d893bbe8e0619a8244724ab8d31a6b_JaffaCakes118.exe	107
PID 1584 wrote to memory of 1512	1584	e0d893bbe8e0619a8244724ab8d31a6b_JaffaCakes118.exe	107
PID 1584 wrote to memory of 1512	1584	e0d893bbe8e0619a8244724ab8d31a6b_JaffaCakes118.exe	107
PID 1584 wrote to memory of 1512	1584	e0d893bbe8e0619a8244724ab8d31a6b_JaffaCakes118.exe	107
PID 1512 wrote to memory of 4776	1512	e0d893bbe8e0619a8244724ab8d31a6b_JaffaCakes118.exe	108
PID 1512 wrote to memory of 4776	1512	e0d893bbe8e0619a8244724ab8d31a6b_JaffaCakes118.exe	108
PID 1512 wrote to memory of 4776	1512	e0d893bbe8e0619a8244724ab8d31a6b_JaffaCakes118.exe	108
PID 1512 wrote to memory of 4776	1512	e0d893bbe8e0619a8244724ab8d31a6b_JaffaCakes118.exe	108
PID 1512 wrote to memory of 4776	1512	e0d893bbe8e0619a8244724ab8d31a6b_JaffaCakes118.exe	108
PID 1512 wrote to memory of 4776	1512	e0d893bbe8e0619a8244724ab8d31a6b_JaffaCakes118.exe	108
PID 1512 wrote to memory of 4776	1512	e0d893bbe8e0619a8244724ab8d31a6b_JaffaCakes118.exe	108
PID 1512 wrote to memory of 4776	1512	e0d893bbe8e0619a8244724ab8d31a6b_JaffaCakes118.exe	108
PID 4776 wrote to memory of 3120	4776	iexplore.exe	109
PID 4776 wrote to memory of 3120	4776	iexplore.exe	109
PID 4776 wrote to memory of 1120	4776	iexplore.exe	118
PID 4776 wrote to memory of 1120	4776	iexplore.exe	118

C:\Users\Admin\AppData\Local\Temp\e0d893bbe8e0619a8244724ab8d31a6b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e0d893bbe8e0619a8244724ab8d31a6b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YmbaLANB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1F75.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3188
- C:\Users\Admin\AppData\Local\Temp\e0d893bbe8e0619a8244724ab8d31a6b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e0d893bbe8e0619a8244724ab8d31a6b_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
      4⤵
      PID:3120
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
      4⤵
      PID:1120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4380,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=4184 /prefetch:8
1⤵
PID:4584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=3568,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=4684 /prefetch:1
1⤵
PID:1736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=2000,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=4856 /prefetch:1
1⤵
PID:5060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=5456,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=5480 /prefetch:1
1⤵
PID:1824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5616,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=5604 /prefetch:8
1⤵
PID:3524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5636,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=5684 /prefetch:8
1⤵
PID:2436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=6188,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=6184 /prefetch:1
1⤵
PID:996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6344,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=6312 /prefetch:1
1⤵
PID:3628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=4636,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=4684 /prefetch:8
1⤵
PID:412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=4816,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=4368 /prefetch:1
1⤵
PID:4880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=6624,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=6652 /prefetch:1
1⤵
PID:3484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=5804,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=6088 /prefetch:8
1⤵
PID:428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1F75.tmp

Filesize
1KB

MD5
0ff0d3332552d2b2c47086c8f95b3243

SHA1
49b04b5a360b66728245e5b08862c370d537f180

SHA256
ad519e79956b89f5978976016a1b5e564edf7997a7a177d68e95029c59e6acf4

SHA512
c54ea748203523b351eea55aa8dc634571555a18ad686be9669415c4a220a3d652ff20aa198255b45bb95de423b9bf6dd660705b3f8500cf46ae162da0f2839d

Download Submit
memory/1512-17-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1512-11-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1512-14-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1512-19-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1584-2-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/1584-3-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/1584-4-0x0000000075522000-0x0000000075523000-memory.dmp

Filesize
4KB

Download
memory/1584-5-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/1584-1-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/1584-0-0x0000000075522000-0x0000000075523000-memory.dmp

Filesize
4KB

Download
memory/1584-16-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/1584-15-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/4776-18-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads