remcos | 64d8c1f3cea735fc62a1c424325acc350ebd878fdf369220c579e6079d0d0a94

General

Target

efc115065e049d9ff628735235a40078_JaffaCakes118.exe
Size

200KB
MD5

efc115065e049d9ff628735235a40078
SHA1

ea06d184a299493badc4233af4c0fbb5beb10b57
SHA256

64d8c1f3cea735fc62a1c424325acc350ebd878fdf369220c579e6079d0d0a94
SHA512

e71cf176018e774fc96982145aaea3d86294f57036a9b03f5ac5973eee177454c3cd588ae04bc24aae0a191af11ab28437643c351a7a9676c264be0d3e64351f
SSDEEP

3072:v70pdzwruktfpOdq8qamIoUBPDAGFufDhb/BNASUXvQ:vIwruklpsqgfBPDfwHrUXv

Score

10^/10

remcos mswinen discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

mswinen

C2

191.96.249.27:2404

191.96.249.44:2404

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
mswinen.exe
copy_folder
mswiner
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%\System32
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
wininitator
keylog_path
%WinDir%\System32
mouse_option
false
mutex
remcos_irujnkxsbqmbujv
screenshot_crypt
true
screenshot_flag
false
screenshot_folder
winss
screenshot_path
%WinDir%\System32
screenshot_time
1
startup_value
mswinen
take_screenshot_option
true
take_screenshot_time
5
take_screenshot_title
ing;citibank;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Deletes itself 1 IoCs

pid	Process
2036	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2824	mswinen.exe

Loads dropped DLL 2 IoCs

pid	Process
2036	cmd.exe
2036	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\mswinen = "\"C:\\Windows\\SysWOW64\\mswiner\\mswinen.exe\""	mswinen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mswinen = "\"C:\\Windows\\SysWOW64\\mswiner\\mswinen.exe\""	mswinen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\mswinen = "\"C:\\Windows\\SysWOW64\\mswiner\\mswinen.exe\""	efc115065e049d9ff628735235a40078_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mswinen = "\"C:\\Windows\\SysWOW64\\mswiner\\mswinen.exe\""	efc115065e049d9ff628735235a40078_JaffaCakes118.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mswiner	efc115065e049d9ff628735235a40078_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wininitator\logs.dat	iexplore.exe
File created	C:\Windows\SysWOW64\wininitator\logs.dat	iexplore.exe
File created	C:\Windows\SysWOW64\mswiner\mswinen.exe	efc115065e049d9ff628735235a40078_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mswiner\mswinen.exe	efc115065e049d9ff628735235a40078_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2824 set thread context of 2864	2824	mswinen.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efc115065e049d9ff628735235a40078_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mswinen.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2488	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2488	PING.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2864	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2864	iexplore.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2036	2540	efc115065e049d9ff628735235a40078_JaffaCakes118.exe	30
PID 2540 wrote to memory of 2036	2540	efc115065e049d9ff628735235a40078_JaffaCakes118.exe	30
PID 2540 wrote to memory of 2036	2540	efc115065e049d9ff628735235a40078_JaffaCakes118.exe	30
PID 2540 wrote to memory of 2036	2540	efc115065e049d9ff628735235a40078_JaffaCakes118.exe	30
PID 2540 wrote to memory of 2036	2540	efc115065e049d9ff628735235a40078_JaffaCakes118.exe	30
PID 2540 wrote to memory of 2036	2540	efc115065e049d9ff628735235a40078_JaffaCakes118.exe	30
PID 2540 wrote to memory of 2036	2540	efc115065e049d9ff628735235a40078_JaffaCakes118.exe	30
PID 2036 wrote to memory of 2488	2036	cmd.exe	32
PID 2036 wrote to memory of 2488	2036	cmd.exe	32
PID 2036 wrote to memory of 2488	2036	cmd.exe	32
PID 2036 wrote to memory of 2488	2036	cmd.exe	32
PID 2036 wrote to memory of 2824	2036	cmd.exe	33
PID 2036 wrote to memory of 2824	2036	cmd.exe	33
PID 2036 wrote to memory of 2824	2036	cmd.exe	33
PID 2036 wrote to memory of 2824	2036	cmd.exe	33
PID 2824 wrote to memory of 2864	2824	mswinen.exe	34
PID 2824 wrote to memory of 2864	2824	mswinen.exe	34
PID 2824 wrote to memory of 2864	2824	mswinen.exe	34
PID 2824 wrote to memory of 2864	2824	mswinen.exe	34
PID 2824 wrote to memory of 2864	2824	mswinen.exe	34
PID 2824 wrote to memory of 2864	2824	mswinen.exe	34
PID 2824 wrote to memory of 2864	2824	mswinen.exe	34
PID 2824 wrote to memory of 2864	2824	mswinen.exe	34
PID 2824 wrote to memory of 2864	2824	mswinen.exe	34
PID 2824 wrote to memory of 2864	2824	mswinen.exe	34
PID 2824 wrote to memory of 2864	2824	mswinen.exe	34

C:\Users\Admin\AppData\Local\Temp\efc115065e049d9ff628735235a40078_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\efc115065e049d9ff628735235a40078_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\PING.EXE
    PING 127.0.0.1 -n 2
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2488
- - C:\Windows\SysWOW64\mswiner\mswinen.exe
    "C:\Windows\SysWOW64\mswiner\mswinen.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
182B

MD5
f1ca369d190083e766fade70c2b37ee5

SHA1
8e9176a199dea240a80618512cda8ba6e1b0f6be

SHA256
46aee7a27ddbf7b825e82e12339e52aa7217076c6c64ceb7e17d64a82ef4c844

SHA512
6dc828dad7dd51ff233875448efbc8170c443e086ecd3e814d2a1c9871bbc90c7f15bf4f39db74111cde56017c6be8800b65caea4be8cf5811549bb34083f340

Download Submit
\Windows\SysWOW64\mswiner\mswinen.exe

Filesize
200KB

MD5
efc115065e049d9ff628735235a40078

SHA1
ea06d184a299493badc4233af4c0fbb5beb10b57

SHA256
64d8c1f3cea735fc62a1c424325acc350ebd878fdf369220c579e6079d0d0a94

SHA512
e71cf176018e774fc96982145aaea3d86294f57036a9b03f5ac5973eee177454c3cd588ae04bc24aae0a191af11ab28437643c351a7a9676c264be0d3e64351f

Download Submit
memory/2540-3-0x0000000000250000-0x0000000000350000-memory.dmp

Filesize
1024KB

Download
memory/2540-4-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2540-16-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2540-15-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2824-25-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2824-29-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2824-26-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2864-27-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads