remcos | a9ff9a41326c279855caea185b0582337a3fa43141fa0438e14517012f42485a

General

Target

e39631fe80afbb62dab1b3c7302f8dba_JaffaCakes118.exe
Size

344KB
MD5

e39631fe80afbb62dab1b3c7302f8dba
SHA1

a018136af1c0f58633e759b78417b134d1e86725
SHA256

a9ff9a41326c279855caea185b0582337a3fa43141fa0438e14517012f42485a
SHA512

4c23d042c36237e0f561c9588de3484c146f39ea03adcad59f5b144165e513798c3604e43d09ac8251da078ba39d68c065d16056b8d72dd2a88a49e22f65b783
SSDEEP

3072:niyYjwU6pDpp6c/DPZauWGo8LqZArxcjXAvZ4TokBsAmec7GAC////////zhHM:lY6Uc7g8LdtYCs/1Zc7G3

Score

10^/10

remcos discovery persistence rat

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 1 IoCs

pid	Process
1648	Rem5.exe

Loads dropped DLL 2 IoCs

pid	Process
2300	cmd.exe
2300	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\LKJhgtYGS = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rem5\\Rem5.exe\""	Rem5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\LKJhgtYGS = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rem5\\Rem5.exe\""	e39631fe80afbb62dab1b3c7302f8dba_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1648 set thread context of 1148	1648	Rem5.exe	35

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	svchost.exe
File opened for modification	C:\Windows\win.ini	e39631fe80afbb62dab1b3c7302f8dba_JaffaCakes118.exe
File opened for modification	C:\Windows\win.ini	Rem5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e39631fe80afbb62dab1b3c7302f8dba_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rem5.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2256	e39631fe80afbb62dab1b3c7302f8dba_JaffaCakes118.exe
1648	Rem5.exe
1648	Rem5.exe
1148	svchost.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2444	2256	e39631fe80afbb62dab1b3c7302f8dba_JaffaCakes118.exe	30
PID 2256 wrote to memory of 2444	2256	e39631fe80afbb62dab1b3c7302f8dba_JaffaCakes118.exe	30
PID 2256 wrote to memory of 2444	2256	e39631fe80afbb62dab1b3c7302f8dba_JaffaCakes118.exe	30
PID 2256 wrote to memory of 2444	2256	e39631fe80afbb62dab1b3c7302f8dba_JaffaCakes118.exe	30
PID 2444 wrote to memory of 2300	2444	WScript.exe	32
PID 2444 wrote to memory of 2300	2444	WScript.exe	32
PID 2444 wrote to memory of 2300	2444	WScript.exe	32
PID 2444 wrote to memory of 2300	2444	WScript.exe	32
PID 2300 wrote to memory of 1648	2300	cmd.exe	34
PID 2300 wrote to memory of 1648	2300	cmd.exe	34
PID 2300 wrote to memory of 1648	2300	cmd.exe	34
PID 2300 wrote to memory of 1648	2300	cmd.exe	34
PID 1648 wrote to memory of 1148	1648	Rem5.exe	35
PID 1648 wrote to memory of 1148	1648	Rem5.exe	35
PID 1648 wrote to memory of 1148	1648	Rem5.exe	35
PID 1648 wrote to memory of 1148	1648	Rem5.exe	35
PID 1648 wrote to memory of 1148	1648	Rem5.exe	35
PID 1648 wrote to memory of 1148	1648	Rem5.exe	35
PID 1648 wrote to memory of 1148	1648	Rem5.exe	35
PID 1648 wrote to memory of 1148	1648	Rem5.exe	35
PID 1648 wrote to memory of 1148	1648	Rem5.exe	35

C:\Users\Admin\AppData\Local\Temp\e39631fe80afbb62dab1b3c7302f8dba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e39631fe80afbb62dab1b3c7302f8dba_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Rem5\Rem5.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Users\Admin\AppData\Roaming\Rem5\Rem5.exe
      C:\Users\Admin\AppData\Roaming\Rem5\Rem5.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1648
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
410B

MD5
4b309959125fb954b68968bad5bed9ac

SHA1
b2b805fa81f1b82fa07b718031c9a89046731146

SHA256
109742373d7cca30b46ef4b05d9b86694e2a54f862afd891e7bba50cf0f18830

SHA512
9d90d6f5085ac7103aee6679272b677589afe3a50835152f3c1f799080e38b975f3c246d6649926a80a7ee3bbcabf755d6a20cf768083714a359bc9a5af9cf92

Download Submit
C:\Users\Admin\AppData\Roaming\Rem5\logs.dat

Filesize
79B

MD5
da55226bfacef064a1e23a5f5f084fdd

SHA1
4a10dc841b56738de2afd94121a606429f6f46db

SHA256
0026af16d0c0385de81f81ee0e1f30e862fef183df97d42f78ffb42b12e5c656

SHA512
2365b75bfe7e60ebe09e4b8f3f3cf53c19b2eb984dc4e508bbd2258175e7ab79c4f0dea8d70ee1c568acab7a36e00b13fa4f0fd3ecf6e1e2c88d6119b7b55c59

Download Submit
C:\Windows\win.ini

Filesize
506B

MD5
8e6100faa270f8b935ebba91ae814491

SHA1
1b5d16ec7d3f2ed289fc4c079fed992275578257

SHA256
293b109535400cdd3eb36c8a47dcdda245e8f48200aa59bfddb21d105923e93b

SHA512
78b36ef3fd77d991d7ef9aa4f900f653edb1df5ab6ddbc369e0b3b3430fba9074673bf67d208cbb885b41afd3a9cd26ae9c2b392c70df7d08f055a41318469e7

Download Submit
\Users\Admin\AppData\Roaming\Rem5\Rem5.exe

Filesize
344KB

MD5
e39631fe80afbb62dab1b3c7302f8dba

SHA1
a018136af1c0f58633e759b78417b134d1e86725

SHA256
a9ff9a41326c279855caea185b0582337a3fa43141fa0438e14517012f42485a

SHA512
4c23d042c36237e0f561c9588de3484c146f39ea03adcad59f5b144165e513798c3604e43d09ac8251da078ba39d68c065d16056b8d72dd2a88a49e22f65b783

Download Submit
memory/1148-33-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1148-38-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1148-45-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1148-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1148-39-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1148-31-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1148-29-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1648-27-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1648-24-0x0000000077C60000-0x0000000077E09000-memory.dmp

Filesize
1.7MB

Download
memory/2256-3-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2256-7-0x0000000077C61000-0x0000000077D62000-memory.dmp

Filesize
1.0MB

Download
memory/2256-8-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2256-6-0x0000000077E50000-0x0000000077F26000-memory.dmp

Filesize
856KB

Download
memory/2256-5-0x0000000002AB0000-0x0000000002BB0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads