remcos | e31fd278c3cfd7c89a35f170b7b7d25c563dc57667c08229732f36061f8fd4ec

General

Target

f1b681a4165d8a0c30b284a55d474366_JaffaCakes118.exe
Size

336KB
MD5

f1b681a4165d8a0c30b284a55d474366
SHA1

a853246ee60381eadd930c4e3d390ea71cbb95d9
SHA256

e31fd278c3cfd7c89a35f170b7b7d25c563dc57667c08229732f36061f8fd4ec
SHA512

f953b3ad0ececf98a9573bfd0ae20c5996cbaca9487f0742103fb17906e9f826cac85d44d2f0ef20310248fdf44a5cb47f800762fc1b9212ed7fedfd3a124f02
SSDEEP

6144:t8Hk8eC/39oZ12dRmN5IPL0pHZzoDsgP56rSiN96fglN:l8g12dRP8HZcDBRCJCe

Score

10^/10

remcos discovery persistence rat

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	f1b681a4165d8a0c30b284a55d474366_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
4884	RemR.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygfuyh = "\"C:\\Users\\Admin\\AppData\\Roaming\\RemR\\RemR.exe\""	RemR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygfuyh = "\"C:\\Users\\Admin\\AppData\\Roaming\\RemR\\RemR.exe\""	f1b681a4165d8a0c30b284a55d474366_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4884 set thread context of 4980	4884	RemR.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f1b681a4165d8a0c30b284a55d474366_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RemR.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	f1b681a4165d8a0c30b284a55d474366_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
432	f1b681a4165d8a0c30b284a55d474366_JaffaCakes118.exe
432	f1b681a4165d8a0c30b284a55d474366_JaffaCakes118.exe
4884	RemR.exe
4884	RemR.exe
4980	svchost.exe
4980	svchost.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
432	f1b681a4165d8a0c30b284a55d474366_JaffaCakes118.exe
432	f1b681a4165d8a0c30b284a55d474366_JaffaCakes118.exe
4884	RemR.exe
4884	RemR.exe
4980	svchost.exe
4980	svchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
432	f1b681a4165d8a0c30b284a55d474366_JaffaCakes118.exe
4884	RemR.exe
4884	RemR.exe
4980	svchost.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 4084	432	f1b681a4165d8a0c30b284a55d474366_JaffaCakes118.exe	82
PID 432 wrote to memory of 4084	432	f1b681a4165d8a0c30b284a55d474366_JaffaCakes118.exe	82
PID 432 wrote to memory of 4084	432	f1b681a4165d8a0c30b284a55d474366_JaffaCakes118.exe	82
PID 4084 wrote to memory of 4920	4084	WScript.exe	83
PID 4084 wrote to memory of 4920	4084	WScript.exe	83
PID 4084 wrote to memory of 4920	4084	WScript.exe	83
PID 4920 wrote to memory of 4884	4920	cmd.exe	85
PID 4920 wrote to memory of 4884	4920	cmd.exe	85
PID 4920 wrote to memory of 4884	4920	cmd.exe	85
PID 4884 wrote to memory of 4980	4884	RemR.exe	86
PID 4884 wrote to memory of 4980	4884	RemR.exe	86
PID 4884 wrote to memory of 4980	4884	RemR.exe	86
PID 4884 wrote to memory of 4980	4884	RemR.exe	86
PID 4884 wrote to memory of 4980	4884	RemR.exe	86
PID 4884 wrote to memory of 4980	4884	RemR.exe	86
PID 4884 wrote to memory of 4980	4884	RemR.exe	86
PID 4884 wrote to memory of 4980	4884	RemR.exe	86

C:\Users\Admin\AppData\Local\Temp\f1b681a4165d8a0c30b284a55d474366_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f1b681a4165d8a0c30b284a55d474366_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:432
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4084
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\RemR\RemR.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\Users\Admin\AppData\Roaming\RemR\RemR.exe
      C:\Users\Admin\AppData\Roaming\RemR\RemR.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4884
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
410B

MD5
0f1c2dcf4fcf6e4406e775ae78ae651c

SHA1
3c466127a72a156392ed9f80736987137ca83685

SHA256
93a43a4c6ee11ae66addf6a73237a94d14fcc9dd817f1c214a3db570c9c02645

SHA512
b49da82224e8582c575c34b1803cdc64fd861223225bdd65b8feb63db040af1b9cc5fd148093fb52c68520f99c733f720cf68c302b6617dc340df5f4612b977b

Download Submit
C:\Users\Admin\AppData\Roaming\RemR\RemR.exe

Filesize
336KB

MD5
f1b681a4165d8a0c30b284a55d474366

SHA1
a853246ee60381eadd930c4e3d390ea71cbb95d9

SHA256
e31fd278c3cfd7c89a35f170b7b7d25c563dc57667c08229732f36061f8fd4ec

SHA512
f953b3ad0ececf98a9573bfd0ae20c5996cbaca9487f0742103fb17906e9f826cac85d44d2f0ef20310248fdf44a5cb47f800762fc1b9212ed7fedfd3a124f02

Download Submit
C:\Users\Admin\AppData\Roaming\RemR\logs.dat

Filesize
79B

MD5
82995570f19ed6a5bf6b84ea9c17db16

SHA1
7b7f8cfff0ef165355d0b01b1b413741814172cf

SHA256
cddd8135a0f57e31b71e8ccd911469523c70096a90c98dc3b5896cfce2b51c02

SHA512
136da2ea65bc7bca52b8ec26b82d7690f4843a5f95f1aaf2f5352418bfe990f650889377425003aedc451da686befa216d96a3eb601c234e2c7deb438227bdbb

Download Submit
memory/432-2-0x0000000002280000-0x0000000002285000-memory.dmp

Filesize
20KB

Download
memory/432-3-0x0000000077A91000-0x0000000077BB1000-memory.dmp

Filesize
1.1MB

Download
memory/432-7-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/432-10-0x0000000002280000-0x0000000002285000-memory.dmp

Filesize
20KB

Download
memory/432-12-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4884-23-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4884-20-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4980-26-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4980-27-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads