Analysis
-
max time kernel
94s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
18-12-2024 11:11
Static task
static1
Behavioral task
behavioral1
Sample
fb4fb518905944d8d40f97c13a1a5578_JaffaCakes118.exe
Resource
win7-20240903-en
General
-
Target
fb4fb518905944d8d40f97c13a1a5578_JaffaCakes118.exe
-
Size
2.5MB
-
MD5
fb4fb518905944d8d40f97c13a1a5578
-
SHA1
87791ebc36c32c5623dae7e32c375d39cb7abcd3
-
SHA256
50915f0f6260856a025536f2e78c82d605e522d7051600545ab94f887bf4cfc5
-
SHA512
07dd64fbe898dd173f19b93d29876e0ea294bdfda2d4a15e4366efbf5b15a967f1fed48860e51f1fb49d8183486c38b18ec797f21dba5e280b9bb0818ce12aee
-
SSDEEP
49152:t848Edrt/PRv5ytQzhEP8aebD0KkslOcSDnYrPg3CvH7QDAYDvzs/3ffwva+f:t26p/phyueP8aebDQiOcSYzgx7zifZ+f
Malware Config
Signatures
-
Remcos family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, most likely a geofence check (the sample decides whether to run based on the victim's configured location).
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation
Process: fb4fb518905944d8d40f97c13a1a5578_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid: 2968
Process: remcos_a.vmp.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: fb4fb518905944d8d40f97c13a1a5578_JaffaCakes118.exe
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: remcos_a.vmp.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description                       pid   Process                                              procid_target
PID 4084 wrote to memory of 2968  4084  fb4fb518905944d8d40f97c13a1a5578_JaffaCakes118.exe  83
PID 4084 wrote to memory of 2968  4084  fb4fb518905944d8d40f97c13a1a5578_JaffaCakes118.exe  83
PID 4084 wrote to memory of 2968  4084  fb4fb518905944d8d40f97c13a1a5578_JaffaCakes118.exe  83
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb4fb518905944d8d40f97c13a1a5578_JaffaCakes118.exe
command line: "C:\Users\Admin\AppData\Local\Temp\fb4fb518905944d8d40f97c13a1a5578_JaffaCakes118.exe"
depth: 1 (submitted sample)
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4084 -
C:\Users\Admin\AppData\Local\Temp\remcos_a.vmp.exe
command line: "C:\Users\Admin\AppData\Local\Temp\remcos_a.vmp.exe"
depth: 2 (child of PID 4084)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2968
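The signatures and process tree above describe one behaviour chain: the submitted sample reads the Geo\Nation and NLS\Language keys, drops remcos_a.vmp.exe into %TEMP%, launches it, and writes into the child's memory three times. The following is an added detection example written by the editor for this page; it is not part of the sandbox report, its output format, or Remcos itself. The event records are constructed to mirror the report's IoCs, and the field names (t, pid, type, key, path, child_pid, target_pid, image) are an assumed normalised telemetry shape, not any sandbox's or EDR's real schema.

```python
"""Detect the chain recorded in the report: a process reads the locale/geofence
registry keys, drops an EXE under %TEMP%, launches it, and then writes into that
child's memory. Event records and field names below are constructed/assumed."""
import re
from collections import defaultdict

# Registry key suffixes the report flags as location / language discovery
# (compared case-insensitively against the full key path).
GEO_KEY_SUFFIXES = (
    r"\control panel\international\geo\nation",
    r"\control\nls\language",
)
# Per-user Temp directory, as seen in the report's process paths.
TEMP_DIR_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)

GEO_NATION_KEY = r"\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation"
NLS_LANGUAGE_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
PARENT = r"C:\Users\Admin\AppData\Local\Temp\fb4fb518905944d8d40f97c13a1a5578_JaffaCakes118.exe"
CHILD = r"C:\Users\Admin\AppData\Local\Temp\remcos_a.vmp.exe"

# Constructed events (t = sequence number) modelled on the report's IoCs.
SAMPLE_EVENTS = [
    {"t": 1, "pid": 4084, "type": "registry_query", "key": GEO_NATION_KEY},
    {"t": 2, "pid": 4084, "type": "registry_query", "key": NLS_LANGUAGE_KEY},
    {"t": 3, "pid": 4084, "type": "file_write", "path": CHILD},
    {"t": 4, "pid": 4084, "type": "process_create", "child_pid": 2968, "image": CHILD},
    {"t": 5, "pid": 4084, "type": "write_process_memory", "target_pid": 2968},
    {"t": 6, "pid": 4084, "type": "write_process_memory", "target_pid": 2968},
    {"t": 7, "pid": 4084, "type": "write_process_memory", "target_pid": 2968},
    {"t": 8, "pid": 2968, "type": "registry_query", "key": NLS_LANGUAGE_KEY},
]

# Constructed benign noise: a locale lookup on its own, and a Temp-dropped
# installer child without any geofence check, must not fire.
BENIGN_EVENTS = [
    {"t": 1, "pid": 1200, "type": "registry_query", "key": GEO_NATION_KEY},
    {"t": 2, "pid": 3300, "type": "file_write",
     "path": r"C:\Users\Admin\AppData\Local\Temp\setup.exe"},
    {"t": 3, "pid": 3300, "type": "process_create", "child_pid": 3400,
     "image": r"C:\Users\Admin\AppData\Local\Temp\setup.exe"},
    {"t": 4, "pid": 3300, "type": "write_process_memory", "target_pid": 3400},
]


def _is_geo_lookup(ev):
    """True for a registry query of one of the location/language keys."""
    return ev["type"] == "registry_query" and ev["key"].lower().endswith(GEO_KEY_SUFFIXES)


def detect_geofenced_dropper(events):
    """Return one finding per (parent, child) pair where the parent performed a
    geo/locale lookup, afterwards launched an EXE it had itself written under
    %TEMP%, and then wrote into that child's memory at least once."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["t"]):
        by_pid[ev["pid"]].append(ev)

    findings = []
    for pid, evs in by_pid.items():
        geo = [e for e in evs if _is_geo_lookup(e)]
        if not geo:
            continue
        first_geo_t = geo[0]["t"]
        dropped = {e["path"].lower() for e in evs
                   if e["type"] == "file_write" and TEMP_DIR_RE.match(e["path"])}
        for e in evs:
            if e["type"] != "process_create" or e["t"] < first_geo_t:
                continue
            if e["image"].lower() not in dropped:
                continue
            writes = sum(1 for w in evs
                         if w["type"] == "write_process_memory"
                         and w["target_pid"] == e["child_pid"] and w["t"] > e["t"])
            if writes == 0:
                continue
            findings.append({
                "parent_pid": pid,
                "child_pid": e["child_pid"],
                "child_image": e["image"],
                "geo_keys": sorted({g["key"] for g in geo}),
                "memory_writes": writes,
            })
    return findings


if __name__ == "__main__":
    for f in detect_geofenced_dropper(SAMPLE_EVENTS):
        print(f"ALERT parent {f['parent_pid']} -> child {f['child_pid']} "
              f"({f['child_image']}), {f['memory_writes']} memory writes, "
              f"geo keys: {f['geo_keys']}")
    print("benign:", detect_geofenced_dropper(BENIGN_EVENTS))
```

The rule deliberately keys on the sequence (lookup, then launch of a self-written Temp binary, then memory writes into that child) rather than on any single IoC: a Geo\Nation read alone is common in legitimate software, and a Temp-dropped child alone is what every installer does. Ordering is enforced with the sequence numbers, so a locale lookup that only happens after the child is running does not count toward the parent.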
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
923KB
MD5 f3314fc93173aa9f577d660772740ec2
SHA1 2a40e34b13dce2c06047e510d61cb8074d30e683
SHA256 be495cf2dcb879d5e867a0b744cf040ab55a4338a18c1f6a012c2450d5a57799
SHA512 decb8a5b77a1fedad692013e6ef3608094baba5e0b9d71cba7faafddeb8707dfddd524ef6639c57deb0cfc9254b63077bfae9de0c66fc7b599070b50dd35369a