Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
27-11-2024 00:06
Static task
static1
Behavioral task
behavioral1
Sample
a4d856eb0a221fa7ca6c020db37b0c25_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
a4d856eb0a221fa7ca6c020db37b0c25_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
a4d856eb0a221fa7ca6c020db37b0c25_JaffaCakes118.exe
-
Size
131KB
-
MD5
a4d856eb0a221fa7ca6c020db37b0c25
-
SHA1
c81ff23cc49a0b3e66451df743a001e0c7ffe65d
-
SHA256
53fac46129abda3d4e515a3bec0980ca1e44ba57fd7aeec3d624bd9aa6680526
-
SHA512
e784ed6e07875fd10fa1c0aeca21e84a60f64e2b15f127cbcd1bf847c99fab31eb2b211b2118de3b15dcf3a1176408ea4b8a217c683a4096ae273663dbb4bd49
-
SSDEEP
1536:ITHiPBX4nDzMyRXGHrc9YRHqbTypgpmb5Q+ZReSdhk/J+YLgD3mrxb53cSuYQjKP:xPd4n/M+WLcilrpgGH/GwY87mVmIXf
Malware Config
Extracted
remcos
1.7 Pro
Host
systemcontrol.ddns.net:45000
systemcontrol2.ddns.net:45000
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
OfficeUpgrade.exe
-
copy_folder
OfficeUpgrade
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
true
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
true
-
keylog_file
Upgrader.dat
-
keylog_flag
false
-
keylog_folder
Upgrader
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
req_khauflaoyr
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screens
-
screenshot_path
%AppData%
-
screenshot_time
1
-
startup_value
OfficeUpgrade
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | a4d856eb0a221fa7ca6c020db37b0c25_JaffaCakes118.exe
-
Executes dropped EXE 2 IoCs
pid | Process
3040 | wn2ra4ohzdr.exe
1220 | wn2ra4ohzdr.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raj4dkhhiap = "C:\\Users\\Admin\\AppData\\Roaming\\raj4dkhhiap\\wn2ra4ohzdr.exe" | a4d856eb0a221fa7ca6c020db37b0c25_JaffaCakes118.exe
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 3040 set thread context of 1220 | 3040 | wn2ra4ohzdr.exe | 96
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a4d856eb0a221fa7ca6c020db37b0c25_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wn2ra4ohzdr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wn2ra4ohzdr.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1220 wn2ra4ohzdr.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 2596 wrote to memory of 3040 | 2596 | a4d856eb0a221fa7ca6c020db37b0c25_JaffaCakes118.exe | 91
PID 2596 wrote to memory of 3040 | 2596 | a4d856eb0a221fa7ca6c020db37b0c25_JaffaCakes118.exe | 91
PID 2596 wrote to memory of 3040 | 2596 | a4d856eb0a221fa7ca6c020db37b0c25_JaffaCakes118.exe | 91
PID 3040 wrote to memory of 1220 | 3040 | wn2ra4ohzdr.exe | 96
PID 3040 wrote to memory of 1220 | 3040 | wn2ra4ohzdr.exe | 96
PID 3040 wrote to memory of 1220 | 3040 | wn2ra4ohzdr.exe | 96
PID 3040 wrote to memory of 1220 | 3040 | wn2ra4ohzdr.exe | 96
PID 3040 wrote to memory of 1220 | 3040 | wn2ra4ohzdr.exe | 96
PID 3040 wrote to memory of 1220 | 3040 | wn2ra4ohzdr.exe | 96
PID 3040 wrote to memory of 1220 | 3040 | wn2ra4ohzdr.exe | 96
PID 3040 wrote to memory of 1220 | 3040 | wn2ra4ohzdr.exe | 96
PID 3040 wrote to memory of 1220 | 3040 | wn2ra4ohzdr.exe | 96
Processes
-
1⤵ C:\Users\Admin\AppData\Local\Temp\a4d856eb0a221fa7ca6c020db37b0c25_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a4d856eb0a221fa7ca6c020db37b0c25_JaffaCakes118.exe"
   PID: 2596
   - Checks computer location settings
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2⤵ C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe (child of PID 2596)
      Command line: "C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe"
      PID: 3040
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3⤵ C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe (child of PID 3040)
         Command line: "C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe"
         PID: 1220
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx
-
-
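The extracted config and the recorded behaviour do not line up: the config declares OfficeUpgrade\OfficeUpgrade.exe under %AppData% with install_flag false and startup_value OfficeUpgrade, while the run actually wrote a Run value named raj4dkhhiap pointing at raj4dkhhiap\wn2ra4ohzdr.exe, spawned that file, and had it write into and set the thread context of a second copy of itself (the shape of process hollowing) before the hollowed copy installed a SetWindowsHookEx hook. A hunt should therefore use both the config-declared artifacts and shape-based checks on the behaviour. The following is an added example (not part of the sandbox output) that derives the config artifacts for one user profile and runs those shape checks over constructed, Sysmon-like event records; the event field names, the HKU/C: paths and the benign OneDrive entry are assumptions, and the PIDs mirror the report's process tree.

```python
r"""Host triage for the Remcos chain in this report (added example).

config_artifacts() turns the extracted config into concrete hunt values;
the detection functions key on the behaviours the sandbox recorded rather
than on the config strings, so they also hit the observed raj4dkhhiap path.
Event dicts below are a constructed, Sysmon-like shape (an assumption).
"""
import re

# Values copied from the extracted config on this page.
CONFIG = {
    "host": ["systemcontrol.ddns.net:45000", "systemcontrol2.ddns.net:45000"],
    "install_path": "%AppData%", "copy_folder": "OfficeUpgrade", "copy_file": "OfficeUpgrade.exe",
    "keylog_path": "%AppData%", "keylog_folder": "Upgrader", "keylog_file": "Upgrader.dat",
    "startup_value": "OfficeUpgrade", "mutex": "req_khauflaoyr",
}
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
GEO_KEY = r"Control Panel\International\Geo\Nation"
# An EXE exactly one directory below AppData\Roaming, as both the declared and the observed paths are.
ROAMING_EXE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\([^\\]+)\\[^\\]+\.exe$", re.I)


def config_artifacts(cfg, appdata=r"C:\Users\Admin\AppData\Roaming"):
    """Concrete hunt values declared by the config; %AppData% expanded for one profile (assumed path)."""
    def expand(p):
        return p.replace("%AppData%", appdata)
    c2 = [(h.rsplit(":", 1)[0], int(h.rsplit(":", 1)[1])) for h in cfg["host"]]
    return {
        "install_exe": "\\".join([expand(cfg["install_path"]), cfg["copy_folder"], cfg["copy_file"]]),
        "keylog_file": "\\".join([expand(cfg["keylog_path"]), cfg["keylog_folder"], cfg["keylog_file"]]),
        "run_value": cfg["startup_value"],
        "mutex": cfg["mutex"],
        "c2": c2,
    }


def run_values_into_roaming(events):
    r"""Run values whose data is an EXE one directory under AppData\Roaming."""
    return [(e["pid"], e["name"], e["data"]) for e in events
            if e["type"] == "registry_set" and e["key"].lower().endswith(RUN_KEY.lower())
            and ROAMING_EXE.match(e["data"])]


def self_hollowing(events):
    """A parent that writes into a child running the same image and then sets its thread context."""
    image = {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}
    wrote = {(e["pid"], e["target_pid"]) for e in events if e["type"] == "write_process_memory"}
    return [(e["pid"], e["target_pid"], image[e["pid"]]) for e in events
            if e["type"] == "set_thread_context" and (e["pid"], e["target_pid"]) in wrote
            and image.get(e["pid"]) is not None and image.get(e["pid"]) == image.get(e["target_pid"])]


def geo_nation_reads(events):
    r"""Processes that query Geo\Nation (the geofence check the sandbox flagged)."""
    return sorted({e["pid"] for e in events
                   if e["type"] == "registry_query" and e["key"].lower().endswith(GEO_KEY.lower())})


def c2_contacts(events, cfg=CONFIG):
    """DNS queries for the configured C2 hosts, or connections to the configured C2 port."""
    endpoints = config_artifacts(cfg)["c2"]
    hosts, ports = {h for h, _ in endpoints}, {p for _, p in endpoints}
    return [(e["pid"], e.get("query") or e.get("dest")) for e in events
            if (e["type"] == "dns_query" and e["query"].lower() in hosts)
            or (e["type"] == "network_connect" and e["dest_port"] in ports)]


# Constructed events mirroring the PIDs and paths in the report's process tree.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a4d856eb0a221fa7ca6c020db37b0c25_JaffaCakes118.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe"
HKU = r"HKU\S-1-5-21-493223053-2004649691-1575712786-1000"
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 2596, "ppid": 1, "image": SAMPLE},
    {"type": "registry_query", "pid": 2596, "key": HKU + "\\" + GEO_KEY},
    {"type": "registry_set", "pid": 2596, "key": HKU + "\\" + RUN_KEY, "name": "raj4dkhhiap", "data": DROPPED},
    # benign Run value under AppData\Local (constructed); must not match
    {"type": "registry_set", "pid": 1, "key": HKU + "\\" + RUN_KEY, "name": "OneDrive",
     "data": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "process_create", "pid": 3040, "ppid": 2596, "image": DROPPED},
    {"type": "process_create", "pid": 1220, "ppid": 3040, "image": DROPPED},
    {"type": "write_process_memory", "pid": 3040, "target_pid": 1220},
    {"type": "set_thread_context", "pid": 3040, "target_pid": 1220},
    {"type": "dns_query", "pid": 1220, "query": "systemcontrol.ddns.net"},
    {"type": "network_connect", "pid": 1220, "dest": "systemcontrol.ddns.net", "dest_port": 45000},
]


def triage(events, cfg=CONFIG):
    """Run every check and return the hits keyed by check name."""
    return {"run_values": run_values_into_roaming(events), "hollowing": self_hollowing(events),
            "geo_reads": geo_nation_reads(events), "c2": c2_contacts(events, cfg)}


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_EVENTS).items():
        print(name, hits)
```

Two caveats when reusing this against real telemetry: the config says keylog_crypt and hide_file are true, so the declared Upgrader\Upgrader.dat will be hidden and not greppable for plaintext, and the ddns hosts resolve dynamically, so match on the names in DNS logs rather than on a cached IP.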
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
131KB
-
MD5
93251b05ad0c641a99c41c443a37965c
-
SHA1
65259454fdb8c4aa3e057c8b3c27f5139c72eda0
-
SHA256
d594677aa94452c7eec73d61af5f865fe55461d8638d3ffa8756f55d0be1444b
-
SHA512
e407b5c69aad1892e125dfd1c7453dfebd2272c1ba030b7009e2db3e0e4699abfcc4b753791df87c1abab304ce0e2307f73d65b04df0ca9a1382fe36978f04ab