remcos | b0e0893c4a07b3a6c42c33988741f24c283be68927f79e0388e30d91eed7e2c2

General

Target

cebd70129181b2d00175a09425028661_JaffaCakes118.exe
Size

313KB
MD5

cebd70129181b2d00175a09425028661
SHA1

6412c81a57eb3e491d140cbb10b507b8f5086421
SHA256

b0e0893c4a07b3a6c42c33988741f24c283be68927f79e0388e30d91eed7e2c2
SHA512

c9bea381d1f87ff4715acaccbe75cbb834374b00324699f0eff6c76a019f2f933efb780fdd7efac48b30a47514ae910798c3f85013cd038692ef78d5007d647b
SSDEEP

6144:KN4z5x2rNAo0eQ2sCTQ6UGSeywoFaVt4Co5pZRtW2JrMNk:jz5Aqo0eQOTQ6N0nQt4j/ZO2Jrkk

Score

10^/10

remcos server discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

2.7.1 Pro

Botnet

Server

C2

resener.duckdns.org:3202

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
chrome.exe
copy_folder
Chrome
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Chrome
keylog_path
%AppData%
mouse_option
false
mutex
TgFthajaf3mUgRdEsgZ5-NNN84S
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Chrome
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Executes dropped EXE 1 IoCs

pid	Process
2820	chrome.exe

Loads dropped DLL 2 IoCs

pid	Process
2416	cmd.exe
2416	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome = "\"C:\\Users\\Admin\\AppData\\Roaming\\Chrome\\chrome.exe\""	cebd70129181b2d00175a09425028661_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome = "\"C:\\Users\\Admin\\AppData\\Roaming\\Chrome\\chrome.exe\""	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cebd70129181b2d00175a09425028661_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2820	chrome.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2608	2372	cebd70129181b2d00175a09425028661_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2608	2372	cebd70129181b2d00175a09425028661_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2608	2372	cebd70129181b2d00175a09425028661_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2608	2372	cebd70129181b2d00175a09425028661_JaffaCakes118.exe	30
PID 2608 wrote to memory of 2416	2608	WScript.exe	31
PID 2608 wrote to memory of 2416	2608	WScript.exe	31
PID 2608 wrote to memory of 2416	2608	WScript.exe	31
PID 2608 wrote to memory of 2416	2608	WScript.exe	31
PID 2416 wrote to memory of 2820	2416	cmd.exe	33
PID 2416 wrote to memory of 2820	2416	cmd.exe	33
PID 2416 wrote to memory of 2820	2416	cmd.exe	33
PID 2416 wrote to memory of 2820	2416	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\cebd70129181b2d00175a09425028661_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cebd70129181b2d00175a09425028661_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe
      C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
418B

MD5
fb3ccc6eb57452ab438c3d24d3a981d9

SHA1
272e3387aa7f7664d25dab9038cc223378a8e23f

SHA256
3dcd37f4d61b497d1145c1361ccd09dff5e9af2829f322b0b3231505fd8fa6db

SHA512
7c079b262a3e1ab9202f4874dbcbc5de2eff0932c8cd1b9f2bc7283dd4c11ee528c849b3f3130bd3bd64d9af2b0b666c03fd173aabdb5b8a835d74623f7315a9

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe

Filesize
313KB

MD5
cebd70129181b2d00175a09425028661

SHA1
6412c81a57eb3e491d140cbb10b507b8f5086421

SHA256
b0e0893c4a07b3a6c42c33988741f24c283be68927f79e0388e30d91eed7e2c2

SHA512
c9bea381d1f87ff4715acaccbe75cbb834374b00324699f0eff6c76a019f2f933efb780fdd7efac48b30a47514ae910798c3f85013cd038692ef78d5007d647b

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome\logs.dat

Filesize
74B

MD5
afa6cb9d0d62a1ae6f34b122ff0b6061

SHA1
4bf6fe23729bc0f5ffb42133071f00ba42b53595

SHA256
b2b945a5234d6a48596b8e803a799efe47b70d652729c99e267aa297e4beec4d

SHA512
d51567e26828823738401380b75987d511502a4c1f64a3b56994d7cf71e977faf1b99e767546292887f89e146ec83ef31427da14a3b353ce809505d2e65530b5

Download Submit
memory/2372-2-0x0000000000220000-0x0000000000241000-memory.dmp

Filesize
132KB

Download
memory/2372-3-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2372-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2372-10-0x0000000000220000-0x0000000000241000-memory.dmp

Filesize
132KB

Download
memory/2372-9-0x0000000000400000-0x0000000000904000-memory.dmp

Filesize
5.0MB

Download
memory/2372-1-0x0000000000AE0000-0x0000000000BE0000-memory.dmp

Filesize
1024KB

Download
memory/2820-19-0x0000000000400000-0x0000000000904000-memory.dmp

Filesize
5.0MB

Download
memory/2820-26-0x0000000000400000-0x0000000000904000-memory.dmp

Filesize
5.0MB

Download
memory/2820-22-0x0000000000400000-0x0000000000904000-memory.dmp

Filesize
5.0MB

Download
memory/2820-30-0x0000000000400000-0x0000000000904000-memory.dmp

Filesize
5.0MB

Download
memory/2820-35-0x0000000000400000-0x0000000000904000-memory.dmp

Filesize
5.0MB

Download
memory/2820-40-0x0000000000400000-0x0000000000904000-memory.dmp

Filesize
5.0MB

Download
memory/2820-44-0x0000000000400000-0x0000000000904000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads