Overview

overview

10

Static

static

3

045184d7cc...18.exe

windows7-x64

10

045184d7cc...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    132s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-10-2024 04:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    045184d7cce0802dc16c521f3c0a7bc8_JaffaCakes118.exe

  • Size

    400KB

  • MD5

    045184d7cce0802dc16c521f3c0a7bc8

  • SHA1

    915bd0f927af8d047fff49703d3abf175052499d

  • SHA256

    0b98e0ef3e6becc596653a8ad713e1e85fc55a4311a49baf15ffb7e24ee3e4c3

  • SHA512

    66f905ae92bb8f22c086a56529184bfb668bd9b58a3922943bafc366c133ea942a109aa5d122938c59fdc1596d5dee15b8742c695a0f2ef1639ba5f64ed53d11

  • SSDEEP

    6144:zDfzJgvuaD3RPyy81NO7xWAU5CM+YdgZQCkHLGq0:zfJgvdD3RPG1NQWAU0MDumLe

Score
10/10
remcoshostdiscoverypersistencerat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

avira-antivirus.ydns.eu:2404

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    iservice.exe

  • copy_folder

    windows

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_ycggdfmjebakyzc

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    iservice

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\045184d7cce0802dc16c521f3c0a7bc8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\045184d7cce0802dc16c521f3c0a7bc8_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3972
    • C:\Users\Admin\AppData\Local\Temp\045184d7cce0802dc16c521f3c0a7bc8_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\045184d7cce0802dc16c521f3c0a7bc8_JaffaCakes118.exe
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3728
        • C:\Windows\SysWOW64\PING.EXE
          PING 127.0.0.1 -n 2
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:5352
        • C:\Users\Admin\AppData\Roaming\windows\iservice.exe
          "C:\Users\Admin\AppData\Roaming\windows\iservice.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5424
          • C:\Users\Admin\AppData\Local\Temp\iservice.exe
            C:\Users\Admin\AppData\Local\Temp\iservice.exe
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1332
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1852
              • C:\Windows\SysWOW64\PING.EXE
                PING 127.0.0.1 -n 2
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:5176
              • C:\Users\Admin\AppData\Roaming\windows\iservice.exe
                "C:\Users\Admin\AppData\Roaming\windows\iservice.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2348
                • C:\Users\Admin\AppData\Local\Temp\iservice.exe
                  C:\Users\Admin\AppData\Local\Temp\iservice.exe
                  8⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:4400
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
                    9⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:5600
                    • C:\Windows\SysWOW64\PING.EXE
                      PING 127.0.0.1 -n 2
                      10⤵
                      • System Location Discovery: System Language Discovery
                      • System Network Configuration Discovery: Internet Connection Discovery
                      • Runs ping.exe
                      PID:5332
                    • C:\Users\Admin\AppData\Roaming\windows\iservice.exe
                      "C:\Users\Admin\AppData\Roaming\windows\iservice.exe"
                      10⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3524
                      • C:\Users\Admin\AppData\Local\Temp\iservice.exe
                        C:\Users\Admin\AppData\Local\Temp\iservice.exe
                        11⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Adds Run key to start application
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of WriteProcessMemory
                        PID:3404
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:6432
                          • C:\Windows\SysWOW64\PING.EXE
                            PING 127.0.0.1 -n 2
                            13⤵
                            • System Location Discovery: System Language Discovery
                            • System Network Configuration Discovery: Internet Connection Discovery
                            • Runs ping.exe
                            PID:6736
                          • C:\Users\Admin\AppData\Roaming\windows\iservice.exe
                            "C:\Users\Admin\AppData\Roaming\windows\iservice.exe"
                            13⤵
                            • Executes dropped EXE
                            • Suspicious use of SetThreadContext
                            • System Location Discovery: System Language Discovery
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4364
                            • C:\Users\Admin\AppData\Local\Temp\iservice.exe
                              C:\Users\Admin\AppData\Local\Temp\iservice.exe
                              14⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Adds Run key to start application
                              • System Location Discovery: System Language Discovery
                              PID:912
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
                                15⤵
                                • System Location Discovery: System Language Discovery
                                PID:4728
                                • C:\Windows\SysWOW64\PING.EXE
                                  PING 127.0.0.1 -n 2
                                  16⤵
                                  • System Location Discovery: System Language Discovery
                                  • System Network Configuration Discovery: Internet Connection Discovery
                                  • Runs ping.exe
                                  PID:4804
                                • C:\Users\Admin\AppData\Roaming\windows\iservice.exe
                                  "C:\Users\Admin\AppData\Roaming\windows\iservice.exe"
                                  16⤵
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  PID:5968

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\iservice.exe.log
    Filesize

    1KB

    MD5

    7ebe314bf617dc3e48b995a6c352740c

    SHA1

    538f643b7b30f9231a3035c448607f767527a870

    SHA256

    48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

    SHA512

    0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\install.bat
    Filesize

    102B

    MD5

    b0aa76226f9a1f3e68e774b1b92208c3

    SHA1

    fe93a3b569a8afd07e4de7c73acbfcd4f210027c

    SHA256

    b1984164b246a5579a9f334d4ea1a817cbfd2fb69e718a7ab78c008bf9e3df14

    SHA512

    e2282bafb69c5715c0fcabe7c84476d23146d79f43bd82860d518f44c229c9df009f7093f4df972280df834576674268fa8dd0a28be445ad6629600e03590344

    Download Submit

  • C:\Users\Admin\AppData\Roaming\windows\iservice.exe
    Filesize

    400KB

    MD5

    045184d7cce0802dc16c521f3c0a7bc8

    SHA1

    915bd0f927af8d047fff49703d3abf175052499d

    SHA256

    0b98e0ef3e6becc596653a8ad713e1e85fc55a4311a49baf15ffb7e24ee3e4c3

    SHA512

    66f905ae92bb8f22c086a56529184bfb668bd9b58a3922943bafc366c133ea942a109aa5d122938c59fdc1596d5dee15b8742c695a0f2ef1639ba5f64ed53d11

    Download Submit

  • memory/2572-2272-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2572-2279-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/3972-57-0x0000000006810000-0x000000000687C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/3972-2276-0x0000000074870000-0x0000000075020000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3972-2-0x00000000054C0000-0x0000000005A64000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3972-49-0x0000000006810000-0x000000000687C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/3972-4-0x0000000074870000-0x0000000075020000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3972-5-0x00000000050B0000-0x00000000050BA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3972-6-0x000000007487E000-0x000000007487F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3972-7-0x0000000074870000-0x0000000075020000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3972-8-0x0000000006570000-0x00000000065BA000-memory.dmp

    Filesize

    296KB

    Download

  • memory/3972-9-0x0000000006810000-0x0000000006882000-memory.dmp

    Filesize

    456KB

    Download

  • memory/3972-37-0x0000000006810000-0x000000000687C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/3972-42-0x0000000006810000-0x000000000687C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/3972-73-0x0000000006810000-0x000000000687C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/3972-71-0x0000000006810000-0x000000000687C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/3972-69-0x0000000006810000-0x000000000687C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/3972-67-0x0000000006810000-0x000000000687C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/3972-63-0x0000000006810000-0x000000000687C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/3972-43-0x0000000006810000-0x000000000687C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/3972-60-0x0000000006810000-0x000000000687C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/3972-0-0x000000007487E000-0x000000007487F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3972-55-0x0000000006810000-0x000000000687C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/3972-53-0x0000000006810000-0x000000000687C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/3972-3-0x0000000004F10000-0x0000000004FA2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3972-1-0x00000000004E0000-0x000000000054A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/3972-61-0x0000000006810000-0x000000000687C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/3972-39-0x0000000006810000-0x000000000687C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/3972-35-0x0000000006810000-0x000000000687C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/3972-33-0x0000000006810000-0x000000000687C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/3972-31-0x0000000006810000-0x000000000687C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/3972-29-0x0000000006810000-0x000000000687C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/3972-27-0x0000000006810000-0x000000000687C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/3972-23-0x0000000006810000-0x000000000687C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/3972-21-0x0000000006810000-0x000000000687C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/3972-19-0x0000000006810000-0x000000000687C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/3972-17-0x0000000006810000-0x000000000687C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/3972-16-0x0000000006810000-0x000000000687C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/3972-65-0x0000000006810000-0x000000000687C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/3972-51-0x0000000006810000-0x000000000687C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/3972-45-0x0000000006810000-0x000000000687C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/3972-25-0x0000000006810000-0x000000000687C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/3972-13-0x0000000006810000-0x000000000687C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/3972-11-0x0000000006810000-0x000000000687C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/3972-10-0x0000000006810000-0x000000000687C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/3972-48-0x0000000006810000-0x000000000687C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/5424-2284-0x000000007487E000-0x000000007487F000-memory.dmp

    Filesize

    4KB

    Download