remcos | e31fd278c3cfd7c89a35f170b7b7d25c563dc57667c08229732f36061f8fd4ec

General

Target

f1b681a4165d8a0c30b284a55d474366_JaffaCakes118.exe
Size

336KB
MD5

f1b681a4165d8a0c30b284a55d474366
SHA1

a853246ee60381eadd930c4e3d390ea71cbb95d9
SHA256

e31fd278c3cfd7c89a35f170b7b7d25c563dc57667c08229732f36061f8fd4ec
SHA512

f953b3ad0ececf98a9573bfd0ae20c5996cbaca9487f0742103fb17906e9f826cac85d44d2f0ef20310248fdf44a5cb47f800762fc1b9212ed7fedfd3a124f02
SSDEEP

6144:t8Hk8eC/39oZ12dRmN5IPL0pHZzoDsgP56rSiN96fglN:l8g12dRP8HZcDBRCJCe

Score

10^/10

remcos discovery persistence rat

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Executes dropped EXE 1 IoCs

pid	Process
2812	RemR.exe

Loads dropped DLL 2 IoCs

pid	Process
2712	cmd.exe
2712	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ygfuyh = "\"C:\\Users\\Admin\\AppData\\Roaming\\RemR\\RemR.exe\""	f1b681a4165d8a0c30b284a55d474366_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ygfuyh = "\"C:\\Users\\Admin\\AppData\\Roaming\\RemR\\RemR.exe\""	RemR.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2812 set thread context of 2024	2812	RemR.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f1b681a4165d8a0c30b284a55d474366_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RemR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2348	f1b681a4165d8a0c30b284a55d474366_JaffaCakes118.exe
2348	f1b681a4165d8a0c30b284a55d474366_JaffaCakes118.exe
2812	RemR.exe
2812	RemR.exe
2024	svchost.exe
2024	svchost.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2348	f1b681a4165d8a0c30b284a55d474366_JaffaCakes118.exe
2348	f1b681a4165d8a0c30b284a55d474366_JaffaCakes118.exe
2812	RemR.exe
2812	RemR.exe
2024	svchost.exe
2024	svchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2348	f1b681a4165d8a0c30b284a55d474366_JaffaCakes118.exe
2812	RemR.exe
2812	RemR.exe
2024	svchost.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2348	f1b681a4165d8a0c30b284a55d474366_JaffaCakes118.exe
2812	RemR.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2492	2348	f1b681a4165d8a0c30b284a55d474366_JaffaCakes118.exe	31
PID 2348 wrote to memory of 2492	2348	f1b681a4165d8a0c30b284a55d474366_JaffaCakes118.exe	31
PID 2348 wrote to memory of 2492	2348	f1b681a4165d8a0c30b284a55d474366_JaffaCakes118.exe	31
PID 2348 wrote to memory of 2492	2348	f1b681a4165d8a0c30b284a55d474366_JaffaCakes118.exe	31
PID 2492 wrote to memory of 2712	2492	WScript.exe	32
PID 2492 wrote to memory of 2712	2492	WScript.exe	32
PID 2492 wrote to memory of 2712	2492	WScript.exe	32
PID 2492 wrote to memory of 2712	2492	WScript.exe	32
PID 2712 wrote to memory of 2812	2712	cmd.exe	34
PID 2712 wrote to memory of 2812	2712	cmd.exe	34
PID 2712 wrote to memory of 2812	2712	cmd.exe	34
PID 2712 wrote to memory of 2812	2712	cmd.exe	34
PID 2812 wrote to memory of 2024	2812	RemR.exe	35
PID 2812 wrote to memory of 2024	2812	RemR.exe	35
PID 2812 wrote to memory of 2024	2812	RemR.exe	35
PID 2812 wrote to memory of 2024	2812	RemR.exe	35
PID 2812 wrote to memory of 2024	2812	RemR.exe	35
PID 2812 wrote to memory of 2024	2812	RemR.exe	35
PID 2812 wrote to memory of 2024	2812	RemR.exe	35
PID 2812 wrote to memory of 2024	2812	RemR.exe	35
PID 2812 wrote to memory of 2024	2812	RemR.exe	35

C:\Users\Admin\AppData\Local\Temp\f1b681a4165d8a0c30b284a55d474366_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f1b681a4165d8a0c30b284a55d474366_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\RemR\RemR.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Users\Admin\AppData\Roaming\RemR\RemR.exe
      C:\Users\Admin\AppData\Roaming\RemR\RemR.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
410B

MD5
0f1c2dcf4fcf6e4406e775ae78ae651c

SHA1
3c466127a72a156392ed9f80736987137ca83685

SHA256
93a43a4c6ee11ae66addf6a73237a94d14fcc9dd817f1c214a3db570c9c02645

SHA512
b49da82224e8582c575c34b1803cdc64fd861223225bdd65b8feb63db040af1b9cc5fd148093fb52c68520f99c733f720cf68c302b6617dc340df5f4612b977b

Download Submit
C:\Users\Admin\AppData\Roaming\RemR\logs.dat

Filesize
79B

MD5
82995570f19ed6a5bf6b84ea9c17db16

SHA1
7b7f8cfff0ef165355d0b01b1b413741814172cf

SHA256
cddd8135a0f57e31b71e8ccd911469523c70096a90c98dc3b5896cfce2b51c02

SHA512
136da2ea65bc7bca52b8ec26b82d7690f4843a5f95f1aaf2f5352418bfe990f650889377425003aedc451da686befa216d96a3eb601c234e2c7deb438227bdbb

Download Submit
\Users\Admin\AppData\Roaming\RemR\RemR.exe

Filesize
336KB

MD5
f1b681a4165d8a0c30b284a55d474366

SHA1
a853246ee60381eadd930c4e3d390ea71cbb95d9

SHA256
e31fd278c3cfd7c89a35f170b7b7d25c563dc57667c08229732f36061f8fd4ec

SHA512
f953b3ad0ececf98a9573bfd0ae20c5996cbaca9487f0742103fb17906e9f826cac85d44d2f0ef20310248fdf44a5cb47f800762fc1b9212ed7fedfd3a124f02

Download Submit
memory/2024-34-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2024-25-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2024-27-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2024-29-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2024-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2348-10-0x0000000000560000-0x0000000000565000-memory.dmp

Filesize
20KB

Download
memory/2348-2-0x0000000000560000-0x0000000000565000-memory.dmp

Filesize
20KB

Download
memory/2348-5-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2348-4-0x0000000077220000-0x00000000773C9000-memory.dmp

Filesize
1.7MB

Download
memory/2348-3-0x0000000077221000-0x0000000077322000-memory.dmp

Filesize
1.0MB

Download
memory/2812-24-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2812-22-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2812-19-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads