Overview

overview

10

Static

static

1

f0deade517...18.ps1

windows7-x64

10

f0deade517...18.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-09-2024 23:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f0deade5174321c58ad77324ab5588a8_JaffaCakes118.ps1

  • Size

    1.4MB

  • MD5

    f0deade5174321c58ad77324ab5588a8

  • SHA1

    2b3a1492283804e8b5c430450f6b3851acab5e78

  • SHA256

    9d3039608025a43f763d86060b67c53deaf51c562ada90381325181681bd9db9

  • SHA512

    e469f2ee815c1ee742ff6266b57d0bf927a7a11cd2e984f12b9065c67696b1ef1e16eab8a1e185b18c8994bf3eb0727402ec49ee69ac7b8232073157a076e770

  • SSDEEP

    24576:vw2O9/TgwrSUhVPHahmorI0hnvUwLS4PfzKRWkvc+4R:495cwOI0ZhMCBR

Score
10/10
remcosrich-fam1-c.jdiscoveryexecutionrat

Malware Config

Extracted

Family

remcos

Version

2.4.3 Pro

Botnet

Rich-Fam1-C.J

C2

rich-fam1.strangled.net:6628

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    3

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    oiuyg

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    iuytfdcuytf-Q5AT11

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\f0deade5174321c58ad77324ab5588a8_JaffaCakes118.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4300
    • C:\Users\Public\aflu.exe
      "C:\Users\Public\aflu.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3680
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\SysWOW64\explorer.exe"
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:3764

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wmjommrr.ddj.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\oiuyg\logs.dat
    Filesize

    79B

    MD5

    d87c292881f59d30f44d7481c7f2e00e

    SHA1

    7577279793efb30da5d63e516a0f42d3796ce99f

    SHA256

    d0dbcd79b09e2d1ceb7cfc18cf42c6994c1bca30e5e6332c89a6ad660f02cdb6

    SHA512

    8a55bb16a8aa48a7a8e9e35c6b83e0a826ed03cbc646d585dcb464e258c2a0482fd8760198c1c2bb89ce83e9ad1eaadb010ef2e7033db9dd8cee5ca25d6189e2

    Download Submit

  • C:\Users\Public\aflu.exe
    Filesize

    1.0MB

    MD5

    7ed692b4d0e973636bf6992d61ddb9a6

    SHA1

    3fbad00949c63c11a53747ad5da570122f00cf01

    SHA256

    a0e4d4e6f0413e242fa8723e7a8e98e76e0035421a2a5e1703e6233e8cb86326

    SHA512

    129cbf1ee3bde11a3189ac21f781f8caac81004d2154354932b48fe8c30d36d2f4a10422d1eb20cc29219b137ef2f716b50789d1ae722ee600f3e73a021a425d

    Download Submit

  • memory/3680-23-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3764-24-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3764-35-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3764-32-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3764-31-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4300-11-0x00007FFB5CC90000-0x00007FFB5D751000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4300-18-0x00007FFB5CC90000-0x00007FFB5D751000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4300-12-0x00007FFB5CC90000-0x00007FFB5D751000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4300-0-0x00007FFB5CC93000-0x00007FFB5CC95000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4300-6-0x00000218F75B0000-0x00000218F75D2000-memory.dmp

    Filesize

    136KB

    Download