Overview

overview

10

Static

static

3

8017e41b2c...18.exe

windows7-x64

10

8017e41b2c...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    30/10/2024, 17:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8017e41b2c71f66ee834d21728a4160b_JaffaCakes118.exe

  • Size

    1002KB

  • MD5

    8017e41b2c71f66ee834d21728a4160b

  • SHA1

    cb8019c2aa21d17daf49f1a9a23e13281b8f4ac8

  • SHA256

    d83290b80bf412884168a6d24a06fad12edb578cc612ea555476b422a4499613

  • SHA512

    08ed4d7ef49248bca16a6ceff5ee2ae5acdb0f3b91b8fd6ffbf8bdcf2f90c5000e6fced84eb82dd9e94d5b358d27552526ce6a0d3896168251f4c7b88789ca03

  • SSDEEP

    24576:J7oP3LsrNZqTcIPBz8xAOZmuaWdEIwjS/1aOaxys:loTYqAIPBz8xASvaWt4Q1c

Score
10/10
remcosremotehostdiscoveryrat

Malware Config

Extracted

Family

remcos

Version

3.2.0 Pro

Botnet

RemoteHost

C2

www.ommi-it.com:8760

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    chase-0PUA4L

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;solitaire;

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 53 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 55 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8017e41b2c71f66ee834d21728a4160b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8017e41b2c71f66ee834d21728a4160b_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eGXOLNdIXhOq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp391A.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2164
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1452
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2540
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1124
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1168
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2604
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2496
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:876
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2324
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1564
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1304
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:568
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1628
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2140
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1744
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2488
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2316
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2616
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:944
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:436
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2108
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2076
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1132
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1608
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2060
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2728
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2584
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2596
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2940
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2784
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2232
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2104
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2612
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2632
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1840
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1580
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2952
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
          PID:1120
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\SysWOW64\svchost.exe
          3⤵
          • System Location Discovery: System Language Discovery
          PID:360
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\SysWOW64\svchost.exe
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2756
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\SysWOW64\svchost.exe
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1636
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\SysWOW64\svchost.exe
          3⤵
          • System Location Discovery: System Language Discovery
          PID:3024
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\SysWOW64\svchost.exe
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2796
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\SysWOW64\svchost.exe
          3⤵
            PID:2824
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\SysWOW64\svchost.exe
            3⤵
            • System Location Discovery: System Language Discovery
            PID:2136
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\SysWOW64\svchost.exe
            3⤵
            • System Location Discovery: System Language Discovery
            PID:2548
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\SysWOW64\svchost.exe
            3⤵
            • System Location Discovery: System Language Discovery
            PID:2056
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\SysWOW64\svchost.exe
            3⤵
            • System Location Discovery: System Language Discovery
            PID:2336
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\SysWOW64\svchost.exe
            3⤵
            • System Location Discovery: System Language Discovery
            PID:2080
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\SysWOW64\svchost.exe
            3⤵
            • System Location Discovery: System Language Discovery
            PID:2884
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\SysWOW64\svchost.exe
            3⤵
              PID:2100
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\SysWOW64\svchost.exe
              3⤵
              • System Location Discovery: System Language Discovery
              PID:2636
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\SysWOW64\svchost.exe
              3⤵
                PID:1796
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\SysWOW64\svchost.exe
                3⤵
                • System Location Discovery: System Language Discovery
                PID:1648
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\SysWOW64\svchost.exe
                3⤵
                • System Location Discovery: System Language Discovery
                PID:1660
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\SysWOW64\svchost.exe
                3⤵
                • System Location Discovery: System Language Discovery
                PID:2908
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\SysWOW64\svchost.exe
                3⤵
                • System Location Discovery: System Language Discovery
                PID:3068

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\tmp391A.tmp
            Filesize

            1KB

            MD5

            74fef31405213f66bbb7592f345f15be

            SHA1

            e39814730dde70c02c7e3aab9ef4eb8a6a3b293a

            SHA256

            92a26fcf91b738293a16a5883074b21b940c40076091b54e3494ca6b71a8c25d

            SHA512

            0d0fa96b8ea2698404bfd699a462b30b7f67c65203f66cfa36600e416ee716ccc2757cdc1639752626fe30ad04cc2ffa63599626137becdf331640fc8f2cb59d

            Download Submit

          • memory/1124-78-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1452-34-0x0000000000400000-0x0000000000692000-memory.dmp

            Filesize

            2.6MB

            Download

          • memory/1452-46-0x0000000000400000-0x0000000000692000-memory.dmp

            Filesize

            2.6MB

            Download

          • memory/1452-44-0x0000000000400000-0x0000000000692000-memory.dmp

            Filesize

            2.6MB

            Download

          • memory/1452-45-0x0000000000400000-0x0000000000692000-memory.dmp

            Filesize

            2.6MB

            Download

          • memory/1452-32-0x0000000000400000-0x0000000000692000-memory.dmp

            Filesize

            2.6MB

            Download

          • memory/1452-41-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1452-36-0x0000000000400000-0x0000000000692000-memory.dmp

            Filesize

            2.6MB

            Download

          • memory/1452-37-0x0000000000400000-0x0000000000692000-memory.dmp

            Filesize

            2.6MB

            Download

          • memory/1452-38-0x0000000000400000-0x0000000000692000-memory.dmp

            Filesize

            2.6MB

            Download

          • memory/1452-40-0x0000000000400000-0x0000000000692000-memory.dmp

            Filesize

            2.6MB

            Download

          • memory/1452-42-0x0000000000400000-0x0000000000692000-memory.dmp

            Filesize

            2.6MB

            Download

          • memory/2540-61-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2540-63-0x0000000000400000-0x0000000000692000-memory.dmp

            Filesize

            2.6MB

            Download

          • memory/2764-16-0x0000000000400000-0x0000000000479000-memory.dmp

            Filesize

            484KB

            Download

          • memory/2764-15-0x0000000000400000-0x0000000000479000-memory.dmp

            Filesize

            484KB

            Download

          • memory/2764-21-0x0000000000400000-0x0000000000479000-memory.dmp

            Filesize

            484KB

            Download

          • memory/2764-23-0x0000000000400000-0x0000000000479000-memory.dmp

            Filesize

            484KB

            Download

          • memory/2764-27-0x0000000000400000-0x0000000000479000-memory.dmp

            Filesize

            484KB

            Download

          • memory/2764-25-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2764-28-0x0000000000400000-0x0000000000479000-memory.dmp

            Filesize

            484KB

            Download

          • memory/2764-13-0x0000000000400000-0x0000000000479000-memory.dmp

            Filesize

            484KB

            Download

          • memory/2764-14-0x0000000000400000-0x0000000000479000-memory.dmp

            Filesize

            484KB

            Download

          • memory/2764-19-0x0000000000400000-0x0000000000479000-memory.dmp

            Filesize

            484KB

            Download

          • memory/2764-17-0x0000000000400000-0x0000000000479000-memory.dmp

            Filesize

            484KB

            Download

          • memory/2764-30-0x0000000000400000-0x0000000000479000-memory.dmp

            Filesize

            484KB

            Download

          • memory/3012-7-0x00000000053B0000-0x0000000005428000-memory.dmp

            Filesize

            480KB

            Download

          • memory/3012-0-0x0000000074DEE000-0x0000000074DEF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3012-31-0x0000000074DE0000-0x00000000754CE000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/3012-6-0x0000000005760000-0x0000000005838000-memory.dmp

            Filesize

            864KB

            Download

          • memory/3012-5-0x0000000074DE0000-0x00000000754CE000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/3012-4-0x0000000074DEE000-0x0000000074DEF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3012-3-0x0000000000340000-0x0000000000356000-memory.dmp

            Filesize

            88KB

            Download

          • memory/3012-2-0x0000000074DE0000-0x00000000754CE000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/3012-1-0x0000000001070000-0x0000000001170000-memory.dmp

            Filesize

            1024KB

            Download