remcos | 326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693

General

Target

eb38e581ba2c7d46a2373dc9abc02b3b_JaffaCakes118.exe
Size

208KB
MD5

eb38e581ba2c7d46a2373dc9abc02b3b
SHA1

86d8449307be9bdeea725c56254fde1692b82a30
SHA256

326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693
SHA512

d09ebf20951ec472b3b68e02f79493049f0f81972327a8d12ee7b7a3c643bb8a5f2ad5377f1f228fda61f38bfffb2c2123ca17095c30ea94c24dbb2cc40ac800
SSDEEP

3072:NeVfhA2bkmeXqYVWYxB9dXAICnZy0+C1iX+7vzk5eP6dvT:NIAcheXZkYx/1AICnc0P1DbztPw

Score

10^/10

remcos remotehost discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

2.0.5 Pro

Botnet

RemoteHost

C2

79.172.242.28:2404

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
xi3s.exe
copy_folder
xi3x
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%Temp%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-NL03Y0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
xi5w
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

remcos

Botnet

RemoteHost

C2

79.172.242.28:2404

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
xi3s.exe
copy_folder
xi3x
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%Temp%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-NL03Y0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
xi5w
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 3 IoCs

pid	Process
2392	tmp.exe
568	.exe
2652	xi3s.exe

Loads dropped DLL 5 IoCs

pid	Process
2888	eb38e581ba2c7d46a2373dc9abc02b3b_JaffaCakes118.exe
2888	eb38e581ba2c7d46a2373dc9abc02b3b_JaffaCakes118.exe
2888	eb38e581ba2c7d46a2373dc9abc02b3b_JaffaCakes118.exe
2752	cmd.exe
2752	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\xi5w = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\xi3x\\xi3s.exe\""	tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\xi5w = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\xi3x\\xi3s.exe\""	xi3s.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2888 set thread context of 568	2888	eb38e581ba2c7d46a2373dc9abc02b3b_JaffaCakes118.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb38e581ba2c7d46a2373dc9abc02b3b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xi3s.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2888	eb38e581ba2c7d46a2373dc9abc02b3b_JaffaCakes118.exe
2888	eb38e581ba2c7d46a2373dc9abc02b3b_JaffaCakes118.exe
2888	eb38e581ba2c7d46a2373dc9abc02b3b_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2888	eb38e581ba2c7d46a2373dc9abc02b3b_JaffaCakes118.exe
Token: 33	2888	eb38e581ba2c7d46a2373dc9abc02b3b_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2888	eb38e581ba2c7d46a2373dc9abc02b3b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2392	2888	eb38e581ba2c7d46a2373dc9abc02b3b_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2392	2888	eb38e581ba2c7d46a2373dc9abc02b3b_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2392	2888	eb38e581ba2c7d46a2373dc9abc02b3b_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2392	2888	eb38e581ba2c7d46a2373dc9abc02b3b_JaffaCakes118.exe	30
PID 2888 wrote to memory of 568	2888	eb38e581ba2c7d46a2373dc9abc02b3b_JaffaCakes118.exe	31
PID 2888 wrote to memory of 568	2888	eb38e581ba2c7d46a2373dc9abc02b3b_JaffaCakes118.exe	31
PID 2888 wrote to memory of 568	2888	eb38e581ba2c7d46a2373dc9abc02b3b_JaffaCakes118.exe	31
PID 2888 wrote to memory of 568	2888	eb38e581ba2c7d46a2373dc9abc02b3b_JaffaCakes118.exe	31
PID 2888 wrote to memory of 568	2888	eb38e581ba2c7d46a2373dc9abc02b3b_JaffaCakes118.exe	31
PID 2888 wrote to memory of 568	2888	eb38e581ba2c7d46a2373dc9abc02b3b_JaffaCakes118.exe	31
PID 2888 wrote to memory of 568	2888	eb38e581ba2c7d46a2373dc9abc02b3b_JaffaCakes118.exe	31
PID 2888 wrote to memory of 568	2888	eb38e581ba2c7d46a2373dc9abc02b3b_JaffaCakes118.exe	31
PID 2888 wrote to memory of 568	2888	eb38e581ba2c7d46a2373dc9abc02b3b_JaffaCakes118.exe	31
PID 2888 wrote to memory of 568	2888	eb38e581ba2c7d46a2373dc9abc02b3b_JaffaCakes118.exe	31
PID 2392 wrote to memory of 2252	2392	tmp.exe	32
PID 2392 wrote to memory of 2252	2392	tmp.exe	32
PID 2392 wrote to memory of 2252	2392	tmp.exe	32
PID 2392 wrote to memory of 2252	2392	tmp.exe	32
PID 2252 wrote to memory of 2752	2252	WScript.exe	33
PID 2252 wrote to memory of 2752	2252	WScript.exe	33
PID 2252 wrote to memory of 2752	2252	WScript.exe	33
PID 2252 wrote to memory of 2752	2252	WScript.exe	33
PID 2752 wrote to memory of 2652	2752	cmd.exe	35
PID 2752 wrote to memory of 2652	2752	cmd.exe	35
PID 2752 wrote to memory of 2652	2752	cmd.exe	35
PID 2752 wrote to memory of 2652	2752	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\eb38e581ba2c7d46a2373dc9abc02b3b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eb38e581ba2c7d46a2373dc9abc02b3b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\xi3x\xi3s.exe"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Users\Admin\AppData\Local\Temp\xi3x\xi3s.exe
        
        C:\Users\Admin\AppData\Local\Temp\xi3x\xi3s.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2652
- C:\Users\Admin\AppData\Local\Temp\.exe
  "C:\Users\Admin\AppData\Local\Temp\.exe"
  2⤵
  - Executes dropped EXE
  PID:568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
416B

MD5
453f89e2c8f4e830ac8db7611532f1dd

SHA1
d1e4a30ec5fd1067ade5d4a806457829038131ad

SHA256
533afaf7f3b5f135c3c9cfa7dc71bba8452949c40ba0d8ffc56daf87fb306936

SHA512
840c7af7dc1911f983a3f0005b9b0efa7b63161b62d53b859b29b3d2d313653d88a5e1db687f87fff1e47e233160fc96ed5067b4f11be6ef9f4bdf72c6b145df

Download Submit
\Users\Admin\AppData\Local\Temp\.exe

Filesize
1.6MB

MD5
32827e69b293b99013bbbe37d029245d

SHA1
bc9f80a38f09354d71467a05b0c5a82c3f7dac53

SHA256
9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f

SHA512
58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
108KB

MD5
7ead38802bd7c0a3af677214f2ba23db

SHA1
f0c204c57146244c7e2cc744214c3deff5a9f4b6

SHA256
c75ba3917383a776dee26a215929d242b7896641a4157afa1d7d05913eb473fd

SHA512
88c35c02fc21850904f41563611b57f3bd6c39b649fd8017d6fc19135c87a2b288365020a04d2571a64a91772edda9444821301d69d1ba8b4702fb577b98ac69

Download Submit
memory/568-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/568-31-0x0000000000080000-0x000000000009B000-memory.dmp

Filesize
108KB

Download
memory/568-26-0x0000000000080000-0x000000000009B000-memory.dmp

Filesize
108KB

Download
memory/568-24-0x0000000000080000-0x000000000009B000-memory.dmp

Filesize
108KB

Download
memory/568-22-0x0000000000080000-0x000000000009B000-memory.dmp

Filesize
108KB

Download
memory/568-21-0x0000000000080000-0x000000000009B000-memory.dmp

Filesize
108KB

Download
memory/568-19-0x0000000000080000-0x000000000009B000-memory.dmp

Filesize
108KB

Download
memory/2888-2-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download
memory/2888-0-0x0000000074FC1000-0x0000000074FC2000-memory.dmp

Filesize
4KB

Download
memory/2888-34-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download
memory/2888-1-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads