General

  • Target

    JaffaCakes118_644f8bf83d861db06b736b1d5e541e35d3eae75a74d6f2561fa26a9a271a2c2b

  • Size

    656.6MB

  • Sample

    241223-2erhxatlcz

  • MD5

    43a4ce40b5f06ddce984176ae6c89058

  • SHA1

    3f7a5ff95f676f15e677e529aef734c512ab7464

  • SHA256

    644f8bf83d861db06b736b1d5e541e35d3eae75a74d6f2561fa26a9a271a2c2b

  • SHA512

    bfe38667b779d8791ac8da36cfc9b40e67283f93cb4589bb0c1360cffde7605eda9cdeff9d2cc06dc19468e820e121af0d12d43ac81ac7e3ab29402016aec195

  • SSDEEP

    12288:RqeSPxZHRI0aF3IBXDPdQWatLHNn63r/iyAAb8T3rUUUIyPf:RaPhITRA+XtLtn6NAAgT3ZyPf

Malware Config

Extracted

Family

remcos

Botnet

hosts

C2

101.99.91.158:5222

94.131.99.153:8080

124.88.67.67:5222

124.88.67.98:5222

94.131.99.153:5222

94.131.99.156:5222

94.131.99.89:5222

94.131.99.56:5222

178.23.190.252:8080

178.23.190.253:8080

178.23.190.254:8080

178.23.190.54:8080

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    sql.exe

  • copy_folder

    sql

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %UserProfile%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rgh-LGM50O

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    skype_upd

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      JaffaCakes118_644f8bf83d861db06b736b1d5e541e35d3eae75a74d6f2561fa26a9a271a2c2b

    • Size

      656.6MB

    • MD5

      43a4ce40b5f06ddce984176ae6c89058

    • SHA1

      3f7a5ff95f676f15e677e529aef734c512ab7464

    • SHA256

      644f8bf83d861db06b736b1d5e541e35d3eae75a74d6f2561fa26a9a271a2c2b

    • SHA512

      bfe38667b779d8791ac8da36cfc9b40e67283f93cb4589bb0c1360cffde7605eda9cdeff9d2cc06dc19468e820e121af0d12d43ac81ac7e3ab29402016aec195

    • SSDEEP

      12288:RqeSPxZHRI0aF3IBXDPdQWatLHNn63r/iyAAb8T3rUUUIyPf:RaPhITRA+XtLtn6NAAgT3ZyPf

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • Adds policy Run key to start application

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks