General
Target: JaffaCakes118_f566a50594b589b0927a5c40b2d381945a1c90799d6ad7e9c2ce7bc75d09a778
Size: 739KB
Sample: 241222-byh3rsxrfl
MD5: 55fcd64f73750517898edbe36eb9ebb8
SHA1: ddeb26c4d2ce15e1d092444223cc2eee27e6251b
SHA256: f566a50594b589b0927a5c40b2d381945a1c90799d6ad7e9c2ce7bc75d09a778
SHA512: cc3d462b8b5cc346e2aad70eaa328a08179e9e7da84830fc6b74e5d7ec46afa7f9701aa16d656c8bd64d40c39ccc527436d2933ef3952c76830ec81ca781285d
SSDEEP: 12288:cPTzKwBXol4KgrQ1S0Of4UJ6xSOTc2CXUHNc8+R/vqQ1rB0G:cP/Kw6l4KK/f3V28UtH+dvqAB0G
Static task: static1
Behavioral task: behavioral1
Sample: 7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe
Resource: win7-20240903-en
Malware Config
Extracted: remcos 3.1.5 Pro
Client:
  jokerwe.duckdns.org:45131
  thegatorway.com:58764
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: start.exe
copy_folder: start
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: AV
keylog_path: %AppData%
mouse_option: false
mutex: -JTORVC
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 25
startup_value: start
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: wikipedia;solitaire;
Targets
Target: 7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631
Size: 945KB
MD5: 97dbc44370eaaa9f03b0a49214740b0c
SHA1: e49d9ea0e7380f49904e41c2a48ef0f2bcecd6ba
SHA256: 7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631
SHA512: 2ddcd33620230fabc1a1ed2915c3f74dcfbfaf21c96af6d6359b99596dab655b14ebbe474d9c9b22aa167ffc16eb07effbf5ecabf2bb3a92f2019acfcfe4f190
SSDEEP: 24576:TcpPlcL6NZ/qpYGVsIHpY4hVj1ak+gMkFqufX:EPlcLq/qpsINDjgMbFR

- Remcos family
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Suspicious use of SetThreadContext