General
Target: JaffaCakes118_644f8bf83d861db06b736b1d5e541e35d3eae75a74d6f2561fa26a9a271a2c2b
Size: 656.6MB
Sample: 241223-2erhxatlcz
MD5: 43a4ce40b5f06ddce984176ae6c89058
SHA1: 3f7a5ff95f676f15e677e529aef734c512ab7464
SHA256: 644f8bf83d861db06b736b1d5e541e35d3eae75a74d6f2561fa26a9a271a2c2b
SHA512: bfe38667b779d8791ac8da36cfc9b40e67283f93cb4589bb0c1360cffde7605eda9cdeff9d2cc06dc19468e820e121af0d12d43ac81ac7e3ab29402016aec195
SSDEEP: 12288:RqeSPxZHRI0aF3IBXDPdQWatLHNn63r/iyAAb8T3rUUUIyPf:RaPhITRA+XtLtn6NAAgT3ZyPf
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_644f8bf83d861db06b736b1d5e541e35d3eae75a74d6f2561fa26a9a271a2c2b.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_644f8bf83d861db06b736b1d5e541e35d3eae75a74d6f2561fa26a9a271a2c2b.exe
  Resource: win10v2004-20241007-en
Malware Config
Extracted
family: remcos
hosts:
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: sql.exe
copy_folder: sql
delete_file: false
hide_file: true
hide_keylog_file: false
install_flag: true
install_path: %UserProfile%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rgh-LGM50O
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: skype_upd
take_screenshot_option: false
take_screenshot_time: 5
Targets
Score: 10/10
Remcos family
Adds policy Run key to start application
Checks computer location settings: Looks up country code configured in the registry, likely geofence.
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext