Overview

overview

10

Static

static

3

eb38e581ba...18.exe

windows7-x64

10

eb38e581ba...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-09-2024 11:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eb38e581ba2c7d46a2373dc9abc02b3b_JaffaCakes118.exe

  • Size

    208KB

  • MD5

    eb38e581ba2c7d46a2373dc9abc02b3b

  • SHA1

    86d8449307be9bdeea725c56254fde1692b82a30

  • SHA256

    326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693

  • SHA512

    d09ebf20951ec472b3b68e02f79493049f0f81972327a8d12ee7b7a3c643bb8a5f2ad5377f1f228fda61f38bfffb2c2123ca17095c30ea94c24dbb2cc40ac800

  • SSDEEP

    3072:NeVfhA2bkmeXqYVWYxB9dXAICnZy0+C1iX+7vzk5eP6dvT:NIAcheXZkYx/1AICnc0P1DbztPw

Score
10/10
remcosremotehostdiscoverypersistencerat

Malware Config

Extracted

Family

remcos

Version

2.0.5 Pro

Botnet

RemoteHost

C2

79.172.242.28:2404

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    xi3s.exe

  • copy_folder

    xi3x

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %Temp%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-NL03Y0

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    xi5w

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb38e581ba2c7d46a2373dc9abc02b3b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eb38e581ba2c7d46a2373dc9abc02b3b_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2956
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3484
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2980
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\xi3x\xi3s.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2376
          • C:\Users\Admin\AppData\Local\Temp\xi3x\xi3s.exe
            C:\Users\Admin\AppData\Local\Temp\xi3x\xi3s.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:1788
    • C:\Users\Admin\AppData\Local\Temp\.exe
      "C:\Users\Admin\AppData\Local\Temp\.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:840
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3808,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=1892 /prefetch:8
    1⤵
      PID:3876

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\.exe
      Filesize

      1.6MB

      MD5

      1c9ff7df71493896054a91bee0322ebf

      SHA1

      38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

      SHA256

      e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

      SHA512

      aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\install.vbs
      Filesize

      416B

      MD5

      453f89e2c8f4e830ac8db7611532f1dd

      SHA1

      d1e4a30ec5fd1067ade5d4a806457829038131ad

      SHA256

      533afaf7f3b5f135c3c9cfa7dc71bba8452949c40ba0d8ffc56daf87fb306936

      SHA512

      840c7af7dc1911f983a3f0005b9b0efa7b63161b62d53b859b29b3d2d313653d88a5e1db687f87fff1e47e233160fc96ed5067b4f11be6ef9f4bdf72c6b145df

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      Filesize

      108KB

      MD5

      7ead38802bd7c0a3af677214f2ba23db

      SHA1

      f0c204c57146244c7e2cc744214c3deff5a9f4b6

      SHA256

      c75ba3917383a776dee26a215929d242b7896641a4157afa1d7d05913eb473fd

      SHA512

      88c35c02fc21850904f41563611b57f3bd6c39b649fd8017d6fc19135c87a2b288365020a04d2571a64a91772edda9444821301d69d1ba8b4702fb577b98ac69

      Download Submit

    • memory/840-23-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/840-21-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/840-17-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/2956-0-0x00000000746F2000-0x00000000746F3000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2956-1-0x00000000746F0000-0x0000000074CA1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2956-2-0x00000000746F0000-0x0000000074CA1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2956-29-0x00000000746F2000-0x00000000746F3000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2956-31-0x00000000746F0000-0x0000000074CA1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2956-32-0x00000000746F0000-0x0000000074CA1000-memory.dmp

      Filesize

      5.7MB

      Download