remcos | 54ef39cc3b133c0c801ba5b3a2a7022058e167ded68467222bfb5fd97313127c

General

Target

08dcd2da3919d56aff6c27f09b84e04a_JaffaCakes118.exe
Size

568KB
MD5

08dcd2da3919d56aff6c27f09b84e04a
SHA1

209528f1cd4777bc6cd2064bde84edea518efdd2
SHA256

54ef39cc3b133c0c801ba5b3a2a7022058e167ded68467222bfb5fd97313127c
SHA512

ccf4f2e670b74fdd8f55bf6766505f61c130a45f42dc520267edac9b90adeeb7b27cd98f91fb2a8b70ec2f06fef78f60ce02963b2bf0c66625a7b99f7c289a9c
SSDEEP

12288:awlZtjDK5NQtANA/J6ncwIU64uhWK2Cm2TLXUDM91deI1ZN3hcK38yZegr7Z:tlZtj2E6nY4c

Score

10^/10

remcos tatiana discovery rat

Malware Config

Extracted

Family

remcos

Version

2.7.0 Pro

Botnet

TATIANA

C2

tatians222.duckdns.org:1717

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-F2Z54Q
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2168 set thread context of 2864	2168	08dcd2da3919d56aff6c27f09b84e04a_JaffaCakes118.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	08dcd2da3919d56aff6c27f09b84e04a_JaffaCakes118.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2740	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2168	08dcd2da3919d56aff6c27f09b84e04a_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2864	RegSvcs.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2740	2168	08dcd2da3919d56aff6c27f09b84e04a_JaffaCakes118.exe	31
PID 2168 wrote to memory of 2740	2168	08dcd2da3919d56aff6c27f09b84e04a_JaffaCakes118.exe	31
PID 2168 wrote to memory of 2740	2168	08dcd2da3919d56aff6c27f09b84e04a_JaffaCakes118.exe	31
PID 2168 wrote to memory of 2740	2168	08dcd2da3919d56aff6c27f09b84e04a_JaffaCakes118.exe	31
PID 2168 wrote to memory of 2864	2168	08dcd2da3919d56aff6c27f09b84e04a_JaffaCakes118.exe	33
PID 2168 wrote to memory of 2864	2168	08dcd2da3919d56aff6c27f09b84e04a_JaffaCakes118.exe	33
PID 2168 wrote to memory of 2864	2168	08dcd2da3919d56aff6c27f09b84e04a_JaffaCakes118.exe	33
PID 2168 wrote to memory of 2864	2168	08dcd2da3919d56aff6c27f09b84e04a_JaffaCakes118.exe	33
PID 2168 wrote to memory of 2864	2168	08dcd2da3919d56aff6c27f09b84e04a_JaffaCakes118.exe	33
PID 2168 wrote to memory of 2864	2168	08dcd2da3919d56aff6c27f09b84e04a_JaffaCakes118.exe	33
PID 2168 wrote to memory of 2864	2168	08dcd2da3919d56aff6c27f09b84e04a_JaffaCakes118.exe	33
PID 2168 wrote to memory of 2864	2168	08dcd2da3919d56aff6c27f09b84e04a_JaffaCakes118.exe	33
PID 2168 wrote to memory of 2864	2168	08dcd2da3919d56aff6c27f09b84e04a_JaffaCakes118.exe	33
PID 2168 wrote to memory of 2864	2168	08dcd2da3919d56aff6c27f09b84e04a_JaffaCakes118.exe	33
PID 2168 wrote to memory of 2864	2168	08dcd2da3919d56aff6c27f09b84e04a_JaffaCakes118.exe	33
PID 2168 wrote to memory of 2864	2168	08dcd2da3919d56aff6c27f09b84e04a_JaffaCakes118.exe	33
PID 2168 wrote to memory of 2864	2168	08dcd2da3919d56aff6c27f09b84e04a_JaffaCakes118.exe	33
PID 2168 wrote to memory of 2864	2168	08dcd2da3919d56aff6c27f09b84e04a_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\08dcd2da3919d56aff6c27f09b84e04a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\08dcd2da3919d56aff6c27f09b84e04a_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\epZKffGnePq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3F70.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "{path}"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3F70.tmp

Filesize
1KB

MD5
99e8c1aee28f2bb9e56b5a11c0fadd36

SHA1
78a0c974daffc95add4703cc925a298a72cf4cc8

SHA256
baa6bf97126311f2f90d0ec4144195d1c3ef4add371a1a567226ba8252f0626e

SHA512
c4b031bb894da6bca28869d2a5a2326c08a66691b6146456587da9400f7fb671e36a00e96bf6b0afb4382a43fff75eab7f4a658669f66deb3b8548c90e32fde6

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\logs.dat

Filesize
74B

MD5
2bb5a3298ac59c3eb812206752d31a59

SHA1
ecf52059190308d4414a840bf5d79908bae58b34

SHA256
9401dcfdb71ac2d9378f17c74ab2623d16767a240a44e8fd138f797ccfaa8f63

SHA512
c94b17ba5f28d2b54b20c8661da368cdc400449e21e4be35dcc709f456cc56b13682ab8f68556d5f1e6dcbed003d1143aebcd0c4b677677e5e90c0f62c68d2d0

Download Submit
memory/2168-29-0x0000000074A70000-0x000000007515E000-memory.dmp

Filesize
6.9MB

Download
memory/2168-0-0x0000000074A7E000-0x0000000074A7F000-memory.dmp

Filesize
4KB

Download
memory/2168-4-0x0000000074A7E000-0x0000000074A7F000-memory.dmp

Filesize
4KB

Download
memory/2168-5-0x0000000074A70000-0x000000007515E000-memory.dmp

Filesize
6.9MB

Download
memory/2168-6-0x0000000004E70000-0x0000000004EE8000-memory.dmp

Filesize
480KB

Download
memory/2168-7-0x00000000005B0000-0x00000000005E2000-memory.dmp

Filesize
200KB

Download
memory/2168-2-0x0000000074A70000-0x000000007515E000-memory.dmp

Filesize
6.9MB

Download
memory/2168-1-0x0000000000E10000-0x0000000000EA4000-memory.dmp

Filesize
592KB

Download
memory/2168-3-0x0000000000480000-0x0000000000488000-memory.dmp

Filesize
32KB

Download
memory/2864-31-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2864-23-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2864-18-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2864-21-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2864-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2864-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2864-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2864-17-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2864-28-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2864-26-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2864-24-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2864-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2864-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads