Overview

overview

10

Static

static

3

c541ef92d5...18.exe

windows7-x64

10

c541ef92d5...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    05-12-2024 01:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c541ef92d5024981da22c4cd0a7884be_JaffaCakes118.exe

  • Size

    776KB

  • MD5

    c541ef92d5024981da22c4cd0a7884be

  • SHA1

    554c2af624c1d1f36d522bbdad0860cc05e4fb31

  • SHA256

    0aef5fd40527e7ab78039802a026b1268a330c6580eb1b5bb11ae29137de3d2c

  • SHA512

    89059237ff2d332016b9ed49946b31042be61a349b53a4a415e18ab67976d3c12ecfdd9b6311162b56d6d82dd8807cdda4bf43e3fff263af60cb8cb4343eab8f

  • SSDEEP

    12288:8XV1Vt7syT8RJJ58bOZmZHGGPVo5yOnperQvBXtvldA93LYzxOd6:8nVtYyKp2zPPOpXvBXtvlg0Ad6

Score
10/10
remcosremotehost-5778discoveryevasionexecutionpersistencerattrojan

Malware Config

Extracted

Family

remcos

Version

3.1.4 Pro

Botnet

RemoteHost-5778

C2

5778.hopto.org:5778

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-8NVW4R

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;solitaire;

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Windows security bypass 2 TTPs 3 IoCs
    evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c541ef92d5024981da22c4cd0a7884be_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c541ef92d5024981da22c4cd0a7884be_JaffaCakes118.exe"
    1⤵
    • Windows security bypass
    • Windows security modification
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:596
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\E4GaIu5fec68eP8\svchost.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2912
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\c541ef92d5024981da22c4cd0a7884be_JaffaCakes118.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2104
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\E4GaIu5fec68eP8\svchost.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2840
    • C:\Users\Admin\AppData\Local\Temp\c541ef92d5024981da22c4cd0a7884be_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\c541ef92d5024981da22c4cd0a7884be_JaffaCakes118.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2620

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    bbd76131511349ce3d5ecec72493e044

    SHA1

    82369a7d9eacdcf81ffec3dcf530bd1413db7f4f

    SHA256

    3b6a8866967d35679c814a83f2228286dcf13202108cd0b31ff3720692ad3122

    SHA512

    5b6bd6de4e18e27df0ba966d52bcf40d47962320e722207f1136f3df7339de9213ec550c6974947932cc05d1cc9ec361d09053b885e4003c8d6f806e6d7fb297

    Download Submit

  • C:\Users\Admin\AppData\Roaming\remcos\logs.dat
    Filesize

    286B

    MD5

    e077391405e0afeda0d4013f523ee278

    SHA1

    8e85eb3e637983cb2316d313746253747ca9f4e5

    SHA256

    5ea8c191c54fd31107799c6739ba83a9435d8e58217a5823d53d3dab23bf5cee

    SHA512

    84f6bfd8a759fc5f30bd8e2738d31968a4ca4338d8c25a5f8eaa7b96289ec7406ba1b2f33c1d856d449855e534e8332c364fcf36573bd9a9a55ded332fa35391

    Download Submit

  • memory/596-36-0x0000000074650000-0x0000000074D3E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/596-1-0x0000000000C70000-0x0000000000D38000-memory.dmp

    Filesize

    800KB

    Download

  • memory/596-2-0x0000000004ED0000-0x0000000004F92000-memory.dmp

    Filesize

    776KB

    Download

  • memory/596-3-0x0000000074650000-0x0000000074D3E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/596-0-0x000000007465E000-0x000000007465F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2620-31-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2620-23-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2620-33-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2620-35-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2620-29-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2620-27-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2620-26-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2620-34-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2620-21-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2620-19-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2620-41-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2620-38-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2620-37-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2620-17-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download