remcos | b0e0893c4a07b3a6c42c33988741f24c283be68927f79e0388e30d91eed7e2c2

General

Target

cebd70129181b2d00175a09425028661_JaffaCakes118.exe
Size

313KB
MD5

cebd70129181b2d00175a09425028661
SHA1

6412c81a57eb3e491d140cbb10b507b8f5086421
SHA256

b0e0893c4a07b3a6c42c33988741f24c283be68927f79e0388e30d91eed7e2c2
SHA512

c9bea381d1f87ff4715acaccbe75cbb834374b00324699f0eff6c76a019f2f933efb780fdd7efac48b30a47514ae910798c3f85013cd038692ef78d5007d647b
SSDEEP

6144:KN4z5x2rNAo0eQ2sCTQ6UGSeywoFaVt4Co5pZRtW2JrMNk:jz5Aqo0eQOTQ6N0nQt4j/ZO2Jrkk

Score

10^/10

remcos server discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

2.7.1 Pro

Botnet

Server

C2

resener.duckdns.org:3202

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
chrome.exe
copy_folder
Chrome
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Chrome
keylog_path
%AppData%
mouse_option
false
mutex
TgFthajaf3mUgRdEsgZ5-NNN84S
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Chrome
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	cebd70129181b2d00175a09425028661_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
1116	chrome.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chrome = "\"C:\\Users\\Admin\\AppData\\Roaming\\Chrome\\chrome.exe\""	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chrome = "\"C:\\Users\\Admin\\AppData\\Roaming\\Chrome\\chrome.exe\""	cebd70129181b2d00175a09425028661_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4828	1100	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cebd70129181b2d00175a09425028661_JaffaCakes118.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	cebd70129181b2d00175a09425028661_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1116	chrome.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 2700	1100	cebd70129181b2d00175a09425028661_JaffaCakes118.exe	83
PID 1100 wrote to memory of 2700	1100	cebd70129181b2d00175a09425028661_JaffaCakes118.exe	83
PID 1100 wrote to memory of 2700	1100	cebd70129181b2d00175a09425028661_JaffaCakes118.exe	83
PID 2700 wrote to memory of 2924	2700	WScript.exe	88
PID 2700 wrote to memory of 2924	2700	WScript.exe	88
PID 2700 wrote to memory of 2924	2700	WScript.exe	88
PID 2924 wrote to memory of 1116	2924	cmd.exe	90
PID 2924 wrote to memory of 1116	2924	cmd.exe	90
PID 2924 wrote to memory of 1116	2924	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\cebd70129181b2d00175a09425028661_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cebd70129181b2d00175a09425028661_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe
      C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 1180
  2⤵
  - Program crash
  PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1100 -ip 1100
1⤵
PID:3092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
418B

MD5
fb3ccc6eb57452ab438c3d24d3a981d9

SHA1
272e3387aa7f7664d25dab9038cc223378a8e23f

SHA256
3dcd37f4d61b497d1145c1361ccd09dff5e9af2829f322b0b3231505fd8fa6db

SHA512
7c079b262a3e1ab9202f4874dbcbc5de2eff0932c8cd1b9f2bc7283dd4c11ee528c849b3f3130bd3bd64d9af2b0b666c03fd173aabdb5b8a835d74623f7315a9

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe

Filesize
313KB

MD5
cebd70129181b2d00175a09425028661

SHA1
6412c81a57eb3e491d140cbb10b507b8f5086421

SHA256
b0e0893c4a07b3a6c42c33988741f24c283be68927f79e0388e30d91eed7e2c2

SHA512
c9bea381d1f87ff4715acaccbe75cbb834374b00324699f0eff6c76a019f2f933efb780fdd7efac48b30a47514ae910798c3f85013cd038692ef78d5007d647b

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome\logs.dat

Filesize
74B

MD5
635d1cfd38dbb65c054093c29b759834

SHA1
c9a0702d19b33b970f4854751f057c98bef3e07e

SHA256
1373daf3d85c1703214a74a1489ac993aeec5826822b81b98fb1df4a324bf39b

SHA512
513ef903349ab7e72eac809a4d05946948c455c56e641d5b9fb75232a152cb880515e828bdd994f221de3fe9fc101d21567a90887f539a734531127dcf879efb

Download Submit
memory/1100-2-0x00000000001C0000-0x00000000001E1000-memory.dmp

Filesize
132KB

Download
memory/1100-1-0x0000000000B40000-0x0000000000C40000-memory.dmp

Filesize
1024KB

Download
memory/1100-3-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1100-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1100-11-0x00000000001C0000-0x00000000001E1000-memory.dmp

Filesize
132KB

Download
memory/1100-10-0x0000000000400000-0x0000000000904000-memory.dmp

Filesize
5.0MB

Download
memory/1116-19-0x0000000000400000-0x0000000000904000-memory.dmp

Filesize
5.0MB

Download
memory/1116-18-0x0000000000400000-0x0000000000904000-memory.dmp

Filesize
5.0MB

Download
memory/1116-20-0x0000000000400000-0x0000000000904000-memory.dmp

Filesize
5.0MB

Download
memory/1116-22-0x0000000000400000-0x0000000000904000-memory.dmp

Filesize
5.0MB

Download
memory/1116-26-0x0000000000400000-0x0000000000904000-memory.dmp

Filesize
5.0MB

Download
memory/1116-17-0x0000000000400000-0x0000000000904000-memory.dmp

Filesize
5.0MB

Download
memory/1116-30-0x0000000000400000-0x0000000000904000-memory.dmp

Filesize
5.0MB

Download
memory/1116-33-0x0000000000400000-0x0000000000904000-memory.dmp

Filesize
5.0MB

Download
memory/1116-37-0x0000000000400000-0x0000000000904000-memory.dmp

Filesize
5.0MB

Download
memory/1116-43-0x0000000000400000-0x0000000000904000-memory.dmp

Filesize
5.0MB

Download
memory/1116-47-0x0000000000400000-0x0000000000904000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads