General

  • Target

    JaffaCakes118_e9f5732cff8afc4193b41bfee8b53aeea5e35b8d152e4a3226b3be96a13115b2

  • Size

    419KB

  • Sample

    241223-tb3g1atpa1

  • MD5

    8c02288d16570bcbfd037a7032b97e1e

  • SHA1

    f517add3e5e35cd0b545eaa791606cd9bb678c65

  • SHA256

    e9f5732cff8afc4193b41bfee8b53aeea5e35b8d152e4a3226b3be96a13115b2

  • SHA512

    4c2d14d89a3f350dd20dd95179e5b1642a74ac045d01f776fe5a355a267bbe8780458d1c3746cff04fcff9755d9b99b6fcf7722cfeeb01a502faa74ba6b26613

  • SSDEEP

    6144:NYI35oxH9zKfUDS4TpYwfPYrBRp/LmRSt4C4EdzlbRWU9UnLQpsv:mIpot9RPJQBKRSt4ChzlbRWSSLQs

Malware Config

Extracted

  • Family

    remcos

  • Version

    2.7.2 Pro

  • Botnet

    RemoteHost

  • C2

    trijgrscviomnbvdewacvioplmjytrewwqazxcvty.ydns.eu.ydns.eu:7143

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    jmaqvbo.exe

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-DCSDH0

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    nplwat

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;

Targets

    • Target

      0ffc2fa4405ccafee0472e351799dca8.bin

    • Size

      663KB

    • MD5

      0ffc2fa4405ccafee0472e351799dca8

    • SHA1

      9fcda13ed9fbc784a8cafa3f96edcc819e60ffbc

    • SHA256

      6b6d820ce1c8df1c795e938995133201a5c75ad3989cd51568323b671ecf8109

    • SHA512

      4d49de65bf593730d697c47f2614d3193454a2582f614157a4cafc60b45986cd117ace112fef9abb7e899cf811eb3bfb0cff6f17a29424d391b25a31bee40f2a

    • SSDEEP

      12288:Piqqh8QqSxiPeDMfTw/eLAO6X7FOFc8Q5:PPqhzqVer9LrFOK8Q5

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Remcos family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Suspicious use of SetThreadContext