Overview

overview

10

Static

static

3

ea88f63b1c...18.exe

windows7-x64

10

ea88f63b1c...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19-09-2024 03:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ea88f63b1c26c1aefd1804ee475478ab_JaffaCakes118.exe

  • Size

    453KB

  • MD5

    ea88f63b1c26c1aefd1804ee475478ab

  • SHA1

    526c70868c0fb9d11065d2f75f98e2c523907c92

  • SHA256

    7ad56c2211cf19c5e6cf7a25846eb21a67c59baa55644d3cd1a097cf4d734750

  • SHA512

    08df2bba1ce203baee82b5ca97a110d2d57597e8f3e2ec61c9a710e70a3752e11a9570e700716d3bb9facdf606a868871016c61ab6d5b4e04d79bcd0329e3bd3

  • SSDEEP

    12288:/xd8PIcO+kOmZ2xd8PIcO+kOmZ9QVBQTBK8Yuv7J+:PMk+kbUMk+kbqVBSw8PJ+

Score
10/10
remcosrich-fam1defense_evasiondiscoveryrat

Malware Config

Extracted

Family

remcos

Version

2.4.3 Pro

Botnet

Rich-Fam1

C2

rich-fam1.strangled.net:6628

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    3

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    winlogs

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    iuytfdcuytf-OV62Q3

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • NTFS ADS 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ea88f63b1c26c1aefd1804ee475478ab_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ea88f63b1c26c1aefd1804ee475478ab_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\ea88f63b1c26c1aefd1804ee475478ab_JaffaCakes118.exe:Zone.Identifier"
      2⤵
      • Subvert Trust Controls: Mark-of-the-Web Bypass
      • System Location Discovery: System Language Discovery
      • NTFS ADS
      PID:3012
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\ea88f63b1c26c1aefd1804ee475478ab_JaffaCakes118.exe:Zone.Identifier"
      2⤵
      • Subvert Trust Controls: Mark-of-the-Web Bypass
      • System Location Discovery: System Language Discovery
      • NTFS ADS
      PID:1568
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\ea88f63b1c26c1aefd1804ee475478ab_JaffaCakes118.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodgc.exe"
      2⤵
      • Drops startup file
      • System Location Discovery: System Language Discovery
      PID:2824
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodgc.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2904
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodgc.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodgc.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2712
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodgc.exe:Zone.Identifier"
          4⤵
          • Drops startup file
          • System Location Discovery: System Language Discovery
          PID:3064
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodgc.exe:Zone.Identifier"
          4⤵
          • Drops startup file
          • System Location Discovery: System Language Discovery
          PID:2416
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodgc.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodgc.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2364

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodgc.exe
    Filesize

    453KB

    MD5

    ea88f63b1c26c1aefd1804ee475478ab

    SHA1

    526c70868c0fb9d11065d2f75f98e2c523907c92

    SHA256

    7ad56c2211cf19c5e6cf7a25846eb21a67c59baa55644d3cd1a097cf4d734750

    SHA512

    08df2bba1ce203baee82b5ca97a110d2d57597e8f3e2ec61c9a710e70a3752e11a9570e700716d3bb9facdf606a868871016c61ab6d5b4e04d79bcd0329e3bd3

    Download Submit

  • C:\Users\Admin\AppData\Roaming\winlogs\logs.dat
    Filesize

    79B

    MD5

    5f71a88c295b612b7ecf6b1e2a64c604

    SHA1

    3acc76069feccfd436dd65f075a06d7f08b17fe5

    SHA256

    d133b904487b07e56085176499f1f7e31435f048b26ec059509ffde9fa2b1794

    SHA512

    efa4c53c5d79888663422793e51290394dc1420318b1b89d6f48ed75c54de6c33c81b0c13b38833503d02ec3ffaf444bc0dcd68f66bebd807d89d31f98171dce

    Download Submit

  • memory/2364-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2364-26-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2364-22-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2364-20-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2364-39-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2364-37-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2364-35-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2364-33-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2364-24-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2364-31-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2364-28-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2712-18-0x0000000004850000-0x000000000485C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2712-15-0x0000000000ED0000-0x0000000000F48000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2872-4-0x0000000074CB0000-0x000000007539E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2872-3-0x0000000000540000-0x000000000056A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2872-1-0x0000000001150000-0x00000000011C8000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2872-0-0x0000000074CBE000-0x0000000074CBF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2872-2-0x0000000074CBE000-0x0000000074CBF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2872-11-0x0000000074CB0000-0x000000007539E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2872-7-0x0000000074CB0000-0x000000007539E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2872-6-0x0000000000BE0000-0x0000000000BEC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2872-5-0x0000000000BD0000-0x0000000000BD8000-memory.dmp

    Filesize

    32KB

    Download