remcos | 44d7a61d3747767e1b03f7d01b3dd97fd13b1b22f38fc2ce2f71411cff58b305

General

Target

f223301d7067bd92990ff21ca936eb21_JaffaCakes118.exe
Size

417KB
MD5

f223301d7067bd92990ff21ca936eb21
SHA1

fb090a6b9d9e93838a19c9fa4f916394a46aa681
SHA256

44d7a61d3747767e1b03f7d01b3dd97fd13b1b22f38fc2ce2f71411cff58b305
SHA512

19d6ba4568c765059be128fef0989449263c6ae5c4ecb81549b0083138b933092bd1a7b5ab806beac388fc00a6ba1dfc0fe0c53992467639aed7299b2d3092dc
SSDEEP

6144:FcxUSabTOKo4YvoJBJc0MOPz+ZYQQbiJYEJ1Cv9N:Sx0AoxcJazYYfiWBv9N

Score

10^/10

remcos remotehost defense_evasion discovery rat

Malware Config

Extracted

Family

remcos

Version

2.0.5 Pro

Botnet

RemoteHost

C2

dboynyz.pdns.cz:7575

streetz.club:7575

dboynyz.pdns.cz:53998

streetz.club:53998

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
20
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
-JCK8SB
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk	f223301d7067bd92990ff21ca936eb21_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2600	tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2356	f223301d7067bd92990ff21ca936eb21_JaffaCakes118.exe
2356	f223301d7067bd92990ff21ca936eb21_JaffaCakes118.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\FolderN\name.exe:Zone.Identifier	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f223301d7067bd92990ff21ca936eb21_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3016	timeout.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\FolderN\name.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2356	f223301d7067bd92990ff21ca936eb21_JaffaCakes118.exe
2356	f223301d7067bd92990ff21ca936eb21_JaffaCakes118.exe
2356	f223301d7067bd92990ff21ca936eb21_JaffaCakes118.exe
2356	f223301d7067bd92990ff21ca936eb21_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2356	f223301d7067bd92990ff21ca936eb21_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2356	f223301d7067bd92990ff21ca936eb21_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2800	2356	f223301d7067bd92990ff21ca936eb21_JaffaCakes118.exe	30
PID 2356 wrote to memory of 2800	2356	f223301d7067bd92990ff21ca936eb21_JaffaCakes118.exe	30
PID 2356 wrote to memory of 2800	2356	f223301d7067bd92990ff21ca936eb21_JaffaCakes118.exe	30
PID 2356 wrote to memory of 2800	2356	f223301d7067bd92990ff21ca936eb21_JaffaCakes118.exe	30
PID 2800 wrote to memory of 2576	2800	cmd.exe	32
PID 2800 wrote to memory of 2576	2800	cmd.exe	32
PID 2800 wrote to memory of 2576	2800	cmd.exe	32
PID 2800 wrote to memory of 2576	2800	cmd.exe	32
PID 2356 wrote to memory of 2600	2356	f223301d7067bd92990ff21ca936eb21_JaffaCakes118.exe	33
PID 2356 wrote to memory of 2600	2356	f223301d7067bd92990ff21ca936eb21_JaffaCakes118.exe	33
PID 2356 wrote to memory of 2600	2356	f223301d7067bd92990ff21ca936eb21_JaffaCakes118.exe	33
PID 2356 wrote to memory of 2600	2356	f223301d7067bd92990ff21ca936eb21_JaffaCakes118.exe	33
PID 2356 wrote to memory of 2616	2356	f223301d7067bd92990ff21ca936eb21_JaffaCakes118.exe	34
PID 2356 wrote to memory of 2616	2356	f223301d7067bd92990ff21ca936eb21_JaffaCakes118.exe	34
PID 2356 wrote to memory of 2616	2356	f223301d7067bd92990ff21ca936eb21_JaffaCakes118.exe	34
PID 2356 wrote to memory of 2616	2356	f223301d7067bd92990ff21ca936eb21_JaffaCakes118.exe	34
PID 2616 wrote to memory of 3016	2616	cmd.exe	36
PID 2616 wrote to memory of 3016	2616	cmd.exe	36
PID 2616 wrote to memory of 3016	2616	cmd.exe	36
PID 2616 wrote to memory of 3016	2616	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\f223301d7067bd92990ff21ca936eb21_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f223301d7067bd92990ff21ca936eb21_JaffaCakes118.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderN\name.exe.lnk" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2576
- C:\Users\Admin\AppData\Roaming\tmp.exe
  "C:\Users\Admin\AppData\Roaming\tmp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 300
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat

Filesize
189B

MD5
dca86f6bec779bba1b58d992319e88db

SHA1
844e656d3603d15ae56f36298f8031ad52935829

SHA256
413b4ee68f5400fcd30ae5df957d723989b400637dbc7f5d158fa050bdc20743

SHA512
4b9d532a777921543b3243020ea4b655a8b956c400b237ce714b5bd8e9a3ad7fdbcb11410e84e2e0ecc45e87dcd107385a487f5bb5b359aabd1322314ef2d24c

Download Submit
\Users\Admin\AppData\Roaming\tmp.exe

Filesize
124KB

MD5
bfa2fdc1bbcf4d0de7190f6299c9df76

SHA1
8c813c968518063e020a1b547c5c1d23636fddbb

SHA256
77ab5139107570f1177eedaf9f6842af0811b7754cc1d5a589791f9c7a7ef961

SHA512
faa2380ad25f20aa14e0b656865f546a9b48a11491b08e02a5c5415f6ced6bf82132c76497dbfb4340571dcbd3ee404a94577adb6c02b8ccc1581329a2034c4f

Download Submit
memory/2356-0-0x0000000074A41000-0x0000000074A42000-memory.dmp

Filesize
4KB

Download
memory/2356-1-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2356-2-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2356-3-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2356-25-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing