remcos | bb195c1d7814d4aa43e8d1970fa690fde8f61b36ae3713b3c4df9f28435ba8bd

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98f4fc4af7f75e390cd5a47fd91210bd_JaffaCakes118.exe
Size

485KB
MD5

98f4fc4af7f75e390cd5a47fd91210bd
SHA1

dbc0c57df52235137039517e0ecf84999e9dec42
SHA256

bb195c1d7814d4aa43e8d1970fa690fde8f61b36ae3713b3c4df9f28435ba8bd
SHA512

f69dd47715b8fc4450d2a076329c36bae710c7cdd9989ed97fa2f2baf4d44e28db96a5d6009e6fab5292622f4ffa006c31c1b7ae6f86796b26aa538258303dbb
SSDEEP

12288:4StFP1Jm4yxP6r7nkO18JZdyt5vnnotuV1bOMJ5d:4SrP1KxCr7718dy7/F1bO2

Score

10^/10

remcos discovery persistence rat upx

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Executes dropped EXE 4 IoCs

pid	Process
2428	remcos.exe
2844	StikyNot.exe
1076	remcos.exe
356	StikyNot.exe

Loads dropped DLL 4 IoCs

pid	Process
2868	cmd.exe
2868	cmd.exe
1752	diskperf.exe
1752	diskperf.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Program Files (x86)\\remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	StikyNot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	98f4fc4af7f75e390cd5a47fd91210bd_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Program Files (x86)\\remcos\\remcos.exe\""	98f4fc4af7f75e390cd5a47fd91210bd_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	remcos.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 2648 set thread context of 2552	2648	98f4fc4af7f75e390cd5a47fd91210bd_JaffaCakes118.exe	30
PID 2648 set thread context of 1752	2648	98f4fc4af7f75e390cd5a47fd91210bd_JaffaCakes118.exe	31
PID 2428 set thread context of 1076	2428	remcos.exe	37
PID 1076 set thread context of 1404	1076	remcos.exe	38
PID 2428 set thread context of 696	2428	remcos.exe	39
PID 2844 set thread context of 356	2844	StikyNot.exe	40
PID 2844 set thread context of 3000	2844	StikyNot.exe	41

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2648-0-0x0000000000400000-0x00000000004FC000-memory.dmp	upx
behavioral1/memory/2648-2-0x0000000000400000-0x00000000004FC000-memory.dmp	upx
behavioral1/memory/2648-36-0x0000000000400000-0x00000000004FC000-memory.dmp	upx
behavioral1/memory/2648-25-0x0000000003240000-0x000000000333C000-memory.dmp	upx
behavioral1/files/0x0007000000017487-46.dat	upx
behavioral1/memory/2844-71-0x0000000000400000-0x00000000004FC000-memory.dmp	upx
behavioral1/memory/2428-74-0x0000000000400000-0x00000000004FC000-memory.dmp	upx
behavioral1/memory/2844-77-0x0000000000400000-0x00000000004FC000-memory.dmp	upx
behavioral1/memory/2428-113-0x0000000000400000-0x00000000004FC000-memory.dmp	upx
behavioral1/memory/1404-105-0x0000000000400000-0x00000000004FC000-memory.dmp	upx
behavioral1/memory/2844-143-0x0000000000400000-0x00000000004FC000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\remcos\remcos.exe	98f4fc4af7f75e390cd5a47fd91210bd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\remcos\remcos.exe	98f4fc4af7f75e390cd5a47fd91210bd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\remcos\logs.dat	StikyNot.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98f4fc4af7f75e390cd5a47fd91210bd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskperf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98f4fc4af7f75e390cd5a47fd91210bd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	diskperf.exe
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\SyncHost.exe	diskperf.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1752	diskperf.exe
1752	diskperf.exe
1752	diskperf.exe
1752	diskperf.exe
1752	diskperf.exe
1752	diskperf.exe
1752	diskperf.exe
1752	diskperf.exe
1752	diskperf.exe
1752	diskperf.exe
1752	diskperf.exe
1752	diskperf.exe
696	diskperf.exe
1752	diskperf.exe
3000	diskperf.exe
696	diskperf.exe
1752	diskperf.exe
3000	diskperf.exe
696	diskperf.exe
1752	diskperf.exe
3000	diskperf.exe
696	diskperf.exe
1752	diskperf.exe
3000	diskperf.exe
696	diskperf.exe
1752	diskperf.exe
3000	diskperf.exe
696	diskperf.exe
1752	diskperf.exe
3000	diskperf.exe
696	diskperf.exe
1752	diskperf.exe
3000	diskperf.exe
696	diskperf.exe
1752	diskperf.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
356	StikyNot.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2552	2648	98f4fc4af7f75e390cd5a47fd91210bd_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2552	2648	98f4fc4af7f75e390cd5a47fd91210bd_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2552	2648	98f4fc4af7f75e390cd5a47fd91210bd_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2552	2648	98f4fc4af7f75e390cd5a47fd91210bd_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2552	2648	98f4fc4af7f75e390cd5a47fd91210bd_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2552	2648	98f4fc4af7f75e390cd5a47fd91210bd_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2552	2648	98f4fc4af7f75e390cd5a47fd91210bd_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2552	2648	98f4fc4af7f75e390cd5a47fd91210bd_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2552	2648	98f4fc4af7f75e390cd5a47fd91210bd_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2552	2648	98f4fc4af7f75e390cd5a47fd91210bd_JaffaCakes118.exe	30
PID 2648 wrote to memory of 1752	2648	98f4fc4af7f75e390cd5a47fd91210bd_JaffaCakes118.exe	31
PID 2648 wrote to memory of 1752	2648	98f4fc4af7f75e390cd5a47fd91210bd_JaffaCakes118.exe	31
PID 2648 wrote to memory of 1752	2648	98f4fc4af7f75e390cd5a47fd91210bd_JaffaCakes118.exe	31
PID 2648 wrote to memory of 1752	2648	98f4fc4af7f75e390cd5a47fd91210bd_JaffaCakes118.exe	31
PID 2648 wrote to memory of 1752	2648	98f4fc4af7f75e390cd5a47fd91210bd_JaffaCakes118.exe	31
PID 2648 wrote to memory of 1752	2648	98f4fc4af7f75e390cd5a47fd91210bd_JaffaCakes118.exe	31
PID 2552 wrote to memory of 2412	2552	98f4fc4af7f75e390cd5a47fd91210bd_JaffaCakes118.exe	32
PID 2552 wrote to memory of 2412	2552	98f4fc4af7f75e390cd5a47fd91210bd_JaffaCakes118.exe	32
PID 2552 wrote to memory of 2412	2552	98f4fc4af7f75e390cd5a47fd91210bd_JaffaCakes118.exe	32
PID 2552 wrote to memory of 2412	2552	98f4fc4af7f75e390cd5a47fd91210bd_JaffaCakes118.exe	32
PID 2412 wrote to memory of 2868	2412	WScript.exe	33
PID 2412 wrote to memory of 2868	2412	WScript.exe	33
PID 2412 wrote to memory of 2868	2412	WScript.exe	33
PID 2412 wrote to memory of 2868	2412	WScript.exe	33
PID 2868 wrote to memory of 2428	2868	cmd.exe	35
PID 2868 wrote to memory of 2428	2868	cmd.exe	35
PID 2868 wrote to memory of 2428	2868	cmd.exe	35
PID 2868 wrote to memory of 2428	2868	cmd.exe	35
PID 1752 wrote to memory of 2844	1752	diskperf.exe	36
PID 1752 wrote to memory of 2844	1752	diskperf.exe	36
PID 1752 wrote to memory of 2844	1752	diskperf.exe	36
PID 1752 wrote to memory of 2844	1752	diskperf.exe	36
PID 2428 wrote to memory of 1076	2428	remcos.exe	37
PID 2428 wrote to memory of 1076	2428	remcos.exe	37
PID 2428 wrote to memory of 1076	2428	remcos.exe	37
PID 2428 wrote to memory of 1076	2428	remcos.exe	37
PID 2428 wrote to memory of 1076	2428	remcos.exe	37
PID 2428 wrote to memory of 1076	2428	remcos.exe	37
PID 2428 wrote to memory of 1076	2428	remcos.exe	37
PID 2428 wrote to memory of 1076	2428	remcos.exe	37
PID 2428 wrote to memory of 1076	2428	remcos.exe	37
PID 2428 wrote to memory of 1076	2428	remcos.exe	37
PID 1076 wrote to memory of 1404	1076	remcos.exe	38
PID 1076 wrote to memory of 1404	1076	remcos.exe	38
PID 1076 wrote to memory of 1404	1076	remcos.exe	38
PID 1076 wrote to memory of 1404	1076	remcos.exe	38
PID 2428 wrote to memory of 696	2428	remcos.exe	39
PID 2428 wrote to memory of 696	2428	remcos.exe	39
PID 2428 wrote to memory of 696	2428	remcos.exe	39
PID 2428 wrote to memory of 696	2428	remcos.exe	39
PID 1076 wrote to memory of 1404	1076	remcos.exe	38
PID 1076 wrote to memory of 1404	1076	remcos.exe	38
PID 1076 wrote to memory of 1404	1076	remcos.exe	38
PID 1076 wrote to memory of 1404	1076	remcos.exe	38
PID 2428 wrote to memory of 696	2428	remcos.exe	39
PID 2428 wrote to memory of 696	2428	remcos.exe	39
PID 2844 wrote to memory of 356	2844	StikyNot.exe	40
PID 2844 wrote to memory of 356	2844	StikyNot.exe	40
PID 2844 wrote to memory of 356	2844	StikyNot.exe	40
PID 2844 wrote to memory of 356	2844	StikyNot.exe	40
PID 2844 wrote to memory of 356	2844	StikyNot.exe	40
PID 2844 wrote to memory of 356	2844	StikyNot.exe	40
PID 2844 wrote to memory of 356	2844	StikyNot.exe	40
PID 2844 wrote to memory of 356	2844	StikyNot.exe	40

C:\Users\Admin\AppData\Local\Temp\98f4fc4af7f75e390cd5a47fd91210bd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\98f4fc4af7f75e390cd5a47fd91210bd_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\Temp\98f4fc4af7f75e390cd5a47fd91210bd_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\98f4fc4af7f75e390cd5a47fd91210bd_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\remcos\remcos.exe"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Program Files (x86)\remcos\remcos.exe
        
        "C:\Program Files (x86)\remcos\remcos.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2428
      - C:\Program Files (x86)\remcos\remcos.exe
        
        "C:\Program Files (x86)\remcos\remcos.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1404
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:696
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
    "C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
      "C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:356
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
402B

MD5
48e15bdc628f511fa6b4ed0519a731db

SHA1
bcc93f8504cdc4f07888a9d69081adb66c1ea1db

SHA256
6808964801a9dce5b86efe8e5a521a00158cec83baa825b2bb4e62f79324c6b6

SHA512
1fa2b139e11d51065e0e4f1d91f6f2555f12d7cd59e5816645e957347c9ebe7144e581a94cdd15d45adc0521e590553aa5ce6b413e1b67471ff9f635a1c1c09b

Download Submit
\Program Files (x86)\remcos\remcos.exe

Filesize
485KB

MD5
98f4fc4af7f75e390cd5a47fd91210bd

SHA1
dbc0c57df52235137039517e0ecf84999e9dec42

SHA256
bb195c1d7814d4aa43e8d1970fa690fde8f61b36ae3713b3c4df9f28435ba8bd

SHA512
f69dd47715b8fc4450d2a076329c36bae710c7cdd9989ed97fa2f2baf4d44e28db96a5d6009e6fab5292622f4ffa006c31c1b7ae6f86796b26aa538258303dbb

Download Submit
memory/1076-104-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1076-107-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1404-105-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1752-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1752-39-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1752-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1752-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1752-72-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1752-34-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1752-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1752-70-0x0000000002620000-0x000000000271C000-memory.dmp

Filesize
1008KB

Download
memory/1752-69-0x0000000002620000-0x000000000271C000-memory.dmp

Filesize
1008KB

Download
memory/1752-76-0x0000000002620000-0x000000000271C000-memory.dmp

Filesize
1008KB

Download
memory/2428-74-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/2428-113-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/2552-19-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2552-27-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2552-9-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2552-44-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2552-17-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2552-21-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2552-15-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2552-13-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2552-26-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2552-11-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2648-36-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/2648-25-0x0000000003240000-0x000000000333C000-memory.dmp

Filesize
1008KB

Download
memory/2648-0-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/2648-4-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2648-2-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/2648-1-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2844-71-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/2844-77-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/2844-143-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/2868-73-0x00000000022C0000-0x00000000023BC000-memory.dmp

Filesize
1008KB

Download
memory/2868-49-0x00000000022C0000-0x00000000023BC000-memory.dmp

Filesize
1008KB

Download