Analysis
- max time kernel: 150s
- max time network: 160s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 23-12-2024 22:30
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_644f8bf83d861db06b736b1d5e541e35d3eae75a74d6f2561fa26a9a271a2c2b.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_644f8bf83d861db06b736b1d5e541e35d3eae75a74d6f2561fa26a9a271a2c2b.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_644f8bf83d861db06b736b1d5e541e35d3eae75a74d6f2561fa26a9a271a2c2b.exe
- Size: 656.6MB
- MD5: 43a4ce40b5f06ddce984176ae6c89058
- SHA1: 3f7a5ff95f676f15e677e529aef734c512ab7464
- SHA256: 644f8bf83d861db06b736b1d5e541e35d3eae75a74d6f2561fa26a9a271a2c2b
- SHA512: bfe38667b779d8791ac8da36cfc9b40e67283f93cb4589bb0c1360cffde7605eda9cdeff9d2cc06dc19468e820e121af0d12d43ac81ac7e3ab29402016aec195
- SSDEEP: 12288:RqeSPxZHRI0aF3IBXDPdQWatLHNn63r/iyAAb8T3rUUUIyPf:RaPhITRA+XtLtn6NAAgT3ZyPf
Malware Config
Extracted: remcos
- hosts:
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: sql.exe
- copy_folder: sql
- delete_file: false
- hide_file: true
- hide_keylog_file: false
- install_flag: true
- install_path: %UserProfile%
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rgh-LGM50O
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: skype_upd
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
- Remcos family
- Adds policy Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skype_upd = "\"C:\\Users\\Admin\\sql\\sql.exe\"" | 2.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | sql.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skype_upd = "\"C:\\Users\\Admin\\sql\\sql.exe\"" | sql.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  2984 | 2.exe
  2756 | sql.exe
- Loads dropped DLL (4 IoCs)
  pid | Process
  2448 | JaffaCakes118_644f8bf83d861db06b736b1d5e541e35d3eae75a74d6f2561fa26a9a271a2c2b.exe
  2448 | JaffaCakes118_644f8bf83d861db06b736b1d5e541e35d3eae75a74d6f2561fa26a9a271a2c2b.exe
  2984 | 2.exe
  2984 | 2.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\skype_upd = "\"C:\\Users\\Admin\\sql\\sql.exe\"" | 2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\skype_upd = "\"C:\\Users\\Admin\\sql\\sql.exe\"" | 2.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\skype_upd = "\"C:\\Users\\Admin\\sql\\sql.exe\"" | sql.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\skype_upd = "\"C:\\Users\\Admin\\sql\\sql.exe\"" | sql.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 2756 set thread context of 2372 | 2756 | sql.exe | 31
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_644f8bf83d861db06b736b1d5e541e35d3eae75a74d6f2561fa26a9a271a2c2b.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sql.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iexplore.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid | Process
  2756 | sql.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  pid | Process
  2756 | sql.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  description | pid | Process | procid_target
  PID 2448 wrote to memory of 2984 | 2448 | JaffaCakes118_644f8bf83d861db06b736b1d5e541e35d3eae75a74d6f2561fa26a9a271a2c2b.exe | 29
  PID 2448 wrote to memory of 2984 | 2448 | JaffaCakes118_644f8bf83d861db06b736b1d5e541e35d3eae75a74d6f2561fa26a9a271a2c2b.exe | 29
  PID 2448 wrote to memory of 2984 | 2448 | JaffaCakes118_644f8bf83d861db06b736b1d5e541e35d3eae75a74d6f2561fa26a9a271a2c2b.exe | 29
  PID 2448 wrote to memory of 2984 | 2448 | JaffaCakes118_644f8bf83d861db06b736b1d5e541e35d3eae75a74d6f2561fa26a9a271a2c2b.exe | 29
  PID 2984 wrote to memory of 2756 | 2984 | 2.exe | 30
  PID 2984 wrote to memory of 2756 | 2984 | 2.exe | 30
  PID 2984 wrote to memory of 2756 | 2984 | 2.exe | 30
  PID 2984 wrote to memory of 2756 | 2984 | 2.exe | 30
  PID 2756 wrote to memory of 2372 | 2756 | sql.exe | 31
  PID 2756 wrote to memory of 2372 | 2756 | sql.exe | 31
  PID 2756 wrote to memory of 2372 | 2756 | sql.exe | 31
  PID 2756 wrote to memory of 2372 | 2756 | sql.exe | 31
  PID 2756 wrote to memory of 2372 | 2756 | sql.exe | 31
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_644f8bf83d861db06b736b1d5e541e35d3eae75a74d6f2561fa26a9a271a2c2b.exe (level 1, PID 2448), command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_644f8bf83d861db06b736b1d5e541e35d3eae75a74d6f2561fa26a9a271a2c2b.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\2.exe (level 2, PID 2984), command line: "C:\Users\Admin\AppData\Local\Temp\2.exe"
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\sql\sql.exe (level 3, PID 2756), command line: "C:\Users\Admin\sql\sql.exe"
      - Adds policy Run key to start application
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - \??\c:\program files (x86)\internet explorer\iexplore.exe (level 4, PID 2372), command line: "c:\program files (x86)\internet explorer\iexplore.exe"
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 476KB
- MD5: ee42511075de43ee5be1f719b9d821f3
- SHA1: ee98bfb1daca038e3d9be04941f962d1050fc7d9
- SHA256: ca408a4f313a8dc8afe42b490e74b345d758bc319c0b5b251f03fed84e8deb0e
- SHA512: 6709b469d8e8764fc9677bf8ef69c165afce5e6bc8369e19df10a56d1017936622b4d625094e0dd71fbbeabbfccf0b84023d40124f57f211b5e70ed0cbe83884