remcos | 89761ac5c1a3887d4dbb9d65efe721bf9f03fc607e5869b8d98c2ee36bfb129f

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-12-2024 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f35a8c14e8db517ba87733afc993f39b_JaffaCakes118.exe
Size

687KB
MD5

f35a8c14e8db517ba87733afc993f39b
SHA1

ad7daa444bbafc984e0cf3441adf924887c16e79
SHA256

89761ac5c1a3887d4dbb9d65efe721bf9f03fc607e5869b8d98c2ee36bfb129f
SHA512

0ab563af74786902240e965a4062c5f6befb4d11fcd11042e4f786b54e0eb936584d47abdd588b9a4132e09bbccafba20ece64035d9a0a3eeb27afdefcaed7a0
SSDEEP

12288:PqMUpN8MEnz7ln4RN/9H48+Ltey1t2HA1S1zgDy7KmQqX0h28wel2GjJp20ZDnvx:SxHMl4RNFH48KFXS1MDy

Score

10^/10

remcos osiris discovery rat

Malware Config

Extracted

Family

remcos

Version

2.7.0 Pro

Botnet

OSIRIS

osiris8612.duckdns.org:1616

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-4RTLP1
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2160 set thread context of 2844	2160	f35a8c14e8db517ba87733afc993f39b_JaffaCakes118.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f35a8c14e8db517ba87733afc993f39b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2872	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2160	f35a8c14e8db517ba87733afc993f39b_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2160	f35a8c14e8db517ba87733afc993f39b_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2844	RegSvcs.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2872	2160	f35a8c14e8db517ba87733afc993f39b_JaffaCakes118.exe	31
PID 2160 wrote to memory of 2872	2160	f35a8c14e8db517ba87733afc993f39b_JaffaCakes118.exe	31
PID 2160 wrote to memory of 2872	2160	f35a8c14e8db517ba87733afc993f39b_JaffaCakes118.exe	31
PID 2160 wrote to memory of 2872	2160	f35a8c14e8db517ba87733afc993f39b_JaffaCakes118.exe	31
PID 2160 wrote to memory of 2844	2160	f35a8c14e8db517ba87733afc993f39b_JaffaCakes118.exe	33
PID 2160 wrote to memory of 2844	2160	f35a8c14e8db517ba87733afc993f39b_JaffaCakes118.exe	33
PID 2160 wrote to memory of 2844	2160	f35a8c14e8db517ba87733afc993f39b_JaffaCakes118.exe	33
PID 2160 wrote to memory of 2844	2160	f35a8c14e8db517ba87733afc993f39b_JaffaCakes118.exe	33
PID 2160 wrote to memory of 2844	2160	f35a8c14e8db517ba87733afc993f39b_JaffaCakes118.exe	33
PID 2160 wrote to memory of 2844	2160	f35a8c14e8db517ba87733afc993f39b_JaffaCakes118.exe	33
PID 2160 wrote to memory of 2844	2160	f35a8c14e8db517ba87733afc993f39b_JaffaCakes118.exe	33
PID 2160 wrote to memory of 2844	2160	f35a8c14e8db517ba87733afc993f39b_JaffaCakes118.exe	33
PID 2160 wrote to memory of 2844	2160	f35a8c14e8db517ba87733afc993f39b_JaffaCakes118.exe	33
PID 2160 wrote to memory of 2844	2160	f35a8c14e8db517ba87733afc993f39b_JaffaCakes118.exe	33
PID 2160 wrote to memory of 2844	2160	f35a8c14e8db517ba87733afc993f39b_JaffaCakes118.exe	33
PID 2160 wrote to memory of 2844	2160	f35a8c14e8db517ba87733afc993f39b_JaffaCakes118.exe	33
PID 2160 wrote to memory of 2844	2160	f35a8c14e8db517ba87733afc993f39b_JaffaCakes118.exe	33
PID 2160 wrote to memory of 2844	2160	f35a8c14e8db517ba87733afc993f39b_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\f35a8c14e8db517ba87733afc993f39b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f35a8c14e8db517ba87733afc993f39b_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GJFTgPDfR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4808.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "{path}"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4808.tmp

Filesize
1KB

MD5
3840806f4151c97b09bf425afe881ec5

SHA1
d5f910fa584ec6a1fe66cb644485d0c9b5e73e70

SHA256
92e9b033aa07f9b96ce924a93fc29b248f2758d50efe36f0d4c0d9971df2b7ab

SHA512
706ff9bbf8ad8f958f015505c8036794f6dbee01ebeedbf36b3336f48dd5263ae0466b33684219bd187ff971fef5836342d0f61e0ec378cc5351be4ff64115e3

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\logs.dat

Filesize
74B

MD5
ddebad2962f6b0d9e2d30abc1661e4c6

SHA1
1ee13cdd2cd06db89e3097c262133f1b719b1f56

SHA256
e0e09653b88856b69e056a6ef9e36adb32885dcc679b513ec0bcf5f70c4bc9f7

SHA512
9ced03cb2b71f9d18b0a614cd8044782a8db8b5d868af9ace7e0f522211c57ca8ed8b30aac1dddcc33030fcfcfc096d86543f71aff3216e4e6018605d21a995c

Download Submit
memory/2160-34-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/2160-1-0x0000000001210000-0x00000000012C2000-memory.dmp

Filesize
712KB

Download
memory/2160-2-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/2160-3-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/2160-4-0x0000000000520000-0x0000000000528000-memory.dmp

Filesize
32KB

Download
memory/2160-5-0x000000007403E000-0x000000007403F000-memory.dmp

Filesize
4KB

Download
memory/2160-6-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/2160-7-0x0000000004B00000-0x0000000004B7C000-memory.dmp

Filesize
496KB

Download
memory/2160-8-0x0000000000980000-0x00000000009B0000-memory.dmp

Filesize
192KB

Download
memory/2160-0-0x000000007403E000-0x000000007403F000-memory.dmp

Filesize
4KB

Download
memory/2844-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2844-41-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2844-32-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2844-29-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2844-28-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2844-26-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2844-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2844-22-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2844-18-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2844-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2844-20-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2844-35-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2844-36-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2844-37-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2844-38-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2844-39-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2844-40-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2844-33-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2844-42-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2844-43-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2844-49-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2844-50-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2844-51-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2844-52-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2844-53-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2844-54-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2844-55-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2844-56-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2844-57-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2844-77-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2844-79-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2844-81-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2844-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download