remcos | e6930000e13aa3deafe16f78fcfca8e6276e18ba6a252b8045dfaf570f044328

Analysis

max time kernel
149s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-10-2024 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

476691329c39995b54054d56b4d7eb51_JaffaCakes118.exe
Size

1.2MB
MD5

476691329c39995b54054d56b4d7eb51
SHA1

c3b8c48aabb26827184eb6705a2adee4a5301ab7
SHA256

e6930000e13aa3deafe16f78fcfca8e6276e18ba6a252b8045dfaf570f044328
SHA512

8c7396ec639cfb2ab766805b12d90cc4b39193fe0ba9f9c0e979598fe85c2573d36e9609dc0abcd27376472f09f96b46e7e6698388f99881d8399060ff039d1e
SSDEEP

24576:rAOcZAhh4rutcbhCPBhcoy+r58kwKemE3EJkq3XFQYcqa6lCKK5/GOv:t+eMhCfcyr5VcV0JkWX6Kt7Ov

Score

10^/10

remcos august$$$discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

3.2.0 Pro

Botnet

AUGUST$$$

mgc0147.hopto.org:2930

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-NJ9UQU
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
2592	orcadwtsg.pif
2428	RegSvcs.exe

Loads dropped DLL 5 IoCs

pid	Process
2068	476691329c39995b54054d56b4d7eb51_JaffaCakes118.exe
2068	476691329c39995b54054d56b4d7eb51_JaffaCakes118.exe
2068	476691329c39995b54054d56b4d7eb51_JaffaCakes118.exe
2068	476691329c39995b54054d56b4d7eb51_JaffaCakes118.exe
2592	orcadwtsg.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\24286637\\ORCADW~1.PIF C:\\Users\\Admin\\24286637\\duba.nik"	orcadwtsg.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2592 set thread context of 2428	2592	orcadwtsg.pif	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	orcadwtsg.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	476691329c39995b54054d56b4d7eb51_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2592	orcadwtsg.pif

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2428	RegSvcs.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2592	2068	476691329c39995b54054d56b4d7eb51_JaffaCakes118.exe	30
PID 2068 wrote to memory of 2592	2068	476691329c39995b54054d56b4d7eb51_JaffaCakes118.exe	30
PID 2068 wrote to memory of 2592	2068	476691329c39995b54054d56b4d7eb51_JaffaCakes118.exe	30
PID 2068 wrote to memory of 2592	2068	476691329c39995b54054d56b4d7eb51_JaffaCakes118.exe	30
PID 2592 wrote to memory of 1856	2592	orcadwtsg.pif	31
PID 2592 wrote to memory of 1856	2592	orcadwtsg.pif	31
PID 2592 wrote to memory of 1856	2592	orcadwtsg.pif	31
PID 2592 wrote to memory of 1856	2592	orcadwtsg.pif	31
PID 2592 wrote to memory of 1484	2592	orcadwtsg.pif	32
PID 2592 wrote to memory of 1484	2592	orcadwtsg.pif	32
PID 2592 wrote to memory of 1484	2592	orcadwtsg.pif	32
PID 2592 wrote to memory of 1484	2592	orcadwtsg.pif	32
PID 2592 wrote to memory of 2256	2592	orcadwtsg.pif	33
PID 2592 wrote to memory of 2256	2592	orcadwtsg.pif	33
PID 2592 wrote to memory of 2256	2592	orcadwtsg.pif	33
PID 2592 wrote to memory of 2256	2592	orcadwtsg.pif	33
PID 2592 wrote to memory of 400	2592	orcadwtsg.pif	34
PID 2592 wrote to memory of 400	2592	orcadwtsg.pif	34
PID 2592 wrote to memory of 400	2592	orcadwtsg.pif	34
PID 2592 wrote to memory of 400	2592	orcadwtsg.pif	34
PID 2592 wrote to memory of 1716	2592	orcadwtsg.pif	35
PID 2592 wrote to memory of 1716	2592	orcadwtsg.pif	35
PID 2592 wrote to memory of 1716	2592	orcadwtsg.pif	35
PID 2592 wrote to memory of 1716	2592	orcadwtsg.pif	35
PID 2592 wrote to memory of 2040	2592	orcadwtsg.pif	36
PID 2592 wrote to memory of 2040	2592	orcadwtsg.pif	36
PID 2592 wrote to memory of 2040	2592	orcadwtsg.pif	36
PID 2592 wrote to memory of 2040	2592	orcadwtsg.pif	36
PID 2592 wrote to memory of 752	2592	orcadwtsg.pif	37
PID 2592 wrote to memory of 752	2592	orcadwtsg.pif	37
PID 2592 wrote to memory of 752	2592	orcadwtsg.pif	37
PID 2592 wrote to memory of 752	2592	orcadwtsg.pif	37
PID 2592 wrote to memory of 2428	2592	orcadwtsg.pif	38
PID 2592 wrote to memory of 2428	2592	orcadwtsg.pif	38
PID 2592 wrote to memory of 2428	2592	orcadwtsg.pif	38
PID 2592 wrote to memory of 2428	2592	orcadwtsg.pif	38
PID 2592 wrote to memory of 2428	2592	orcadwtsg.pif	38
PID 2592 wrote to memory of 2428	2592	orcadwtsg.pif	38
PID 2592 wrote to memory of 2428	2592	orcadwtsg.pif	38
PID 2592 wrote to memory of 2428	2592	orcadwtsg.pif	38
PID 2592 wrote to memory of 2428	2592	orcadwtsg.pif	38

C:\Users\Admin\AppData\Local\Temp\476691329c39995b54054d56b4d7eb51_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\476691329c39995b54054d56b4d7eb51_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\24286637\orcadwtsg.pif
  "C:\Users\Admin\24286637\orcadwtsg.pif" duba.nik
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1856
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1484
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2256
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:400
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1716
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2040
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:752
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\24286637\tfui.icm

Filesize
974KB

MD5
d079ab787176c8fae35436736088e507

SHA1
4494e6f4e380273a71baf1f888e89c0f407bb9d5

SHA256
5a8bc83877c1c8c5cd1f2ec3066211716071a09ae2f2b1921f590db90231bbe5

SHA512
7644b63c5a9df057234d9dbf5d2969d96b1e1272903fa11533295440cc36e874faa0632feac4ddb86abb92c58d2d1983f14ba58c278c5fc7254a59a6034c7c60

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\logs.dat

Filesize
148B

MD5
e25a9bb31b36962fd331707b57ea4778

SHA1
271f33978f700b4c459fb7133b3cf7325a4fb9fe

SHA256
fbca2a3270e6717d3268645b73ceed568ce434e234799feba8d86fa753764cf9

SHA512
3efb6b862d7815b182def3b9d912d60bfe86f7fbe4a7cb2ce6b684bf7c2ca3d1b3a449ab20b46266227ae6f292575dcee4d7d0dc2d92391be4d7fa798c0aa957

Download Submit
\Users\Admin\24286637\orcadwtsg.pif

Filesize
646KB

MD5
cdbb08d4234736c4a052dc3f181e66f2

SHA1
6801a805b6dcb760e8bf399a7d3ad0489fec7bfb

SHA256
07e5f6d7ec7ccbc3d742658e9161d799934c6f7f6a3ebf560f361b4ee1730b6a

SHA512
1ebd1a546e64d4b36d4f143ff7211d953f8db8e74c739db5e9c0939a6eb010a461fd1368f8a7813a8a2da804de6993010075ac21e4917d74d3f9394eaebafdfb

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
memory/2428-87-0x00000000002E0000-0x000000000094D000-memory.dmp

Filesize
6.4MB

Download
memory/2428-90-0x00000000002E0000-0x000000000094D000-memory.dmp

Filesize
6.4MB

Download
memory/2428-93-0x00000000002E0000-0x000000000094D000-memory.dmp

Filesize
6.4MB

Download
memory/2428-92-0x00000000002E0000-0x000000000094D000-memory.dmp

Filesize
6.4MB

Download
memory/2428-96-0x00000000002E0000-0x000000000094D000-memory.dmp

Filesize
6.4MB

Download
memory/2428-89-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download