remcos | b584bd384f721c35557bf7acc7bb9c789d74804da8b8dbb3fd7c39586571cb1c

General

Target

JaffaCakes118_b584bd384f721c35557bf7acc7bb9c789d74804da8b8dbb3fd7c39586571cb1c.exe
Size

562KB
MD5

f34a430619e5668615cb3ada04be4216
SHA1

9c1113c380db483ceb5efc712e7179cace0fefe3
SHA256

b584bd384f721c35557bf7acc7bb9c789d74804da8b8dbb3fd7c39586571cb1c
SHA512

18218a0537eec400cd414b00fcdbc21c7edd8ac39139407fac4f872fec7309da391ec69249d947d9a92e8410e3d0477c57a029a9b3ae771eaeeaa80dd445592c
SSDEEP

12288:FEIS3A/ps/uSaSXO9bZMEp+CGE8eGaOko2vaR:FZS3AVj9np+CSey2va

Score

10^/10

remcos newyear discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

2.7.2 Pro

Botnet

NEWYEAR

C2

cato.fingusti.club:6609

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-VHEUO4
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Executes dropped EXE 2 IoCs

pid	Process
2332	Startup.exe
1964	Startup.exe

Loads dropped DLL 1 IoCs

pid	Process
3048	JaffaCakes118_b584bd384f721c35557bf7acc7bb9c789d74804da8b8dbb3fd7c39586571cb1c.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\up = "C:\\Program Files (x86)\\Startup.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2332 set thread context of 1964	2332	Startup.exe	34

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Startup.exe	JaffaCakes118_b584bd384f721c35557bf7acc7bb9c789d74804da8b8dbb3fd7c39586571cb1c.exe
File created	C:\Program Files (x86)\Startup.exe	JaffaCakes118_b584bd384f721c35557bf7acc7bb9c789d74804da8b8dbb3fd7c39586571cb1c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Startup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b584bd384f721c35557bf7acc7bb9c789d74804da8b8dbb3fd7c39586571cb1c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3048	JaffaCakes118_b584bd384f721c35557bf7acc7bb9c789d74804da8b8dbb3fd7c39586571cb1c.exe
3048	JaffaCakes118_b584bd384f721c35557bf7acc7bb9c789d74804da8b8dbb3fd7c39586571cb1c.exe
3048	JaffaCakes118_b584bd384f721c35557bf7acc7bb9c789d74804da8b8dbb3fd7c39586571cb1c.exe
3048	JaffaCakes118_b584bd384f721c35557bf7acc7bb9c789d74804da8b8dbb3fd7c39586571cb1c.exe
3048	JaffaCakes118_b584bd384f721c35557bf7acc7bb9c789d74804da8b8dbb3fd7c39586571cb1c.exe
2332	Startup.exe
2332	Startup.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	JaffaCakes118_b584bd384f721c35557bf7acc7bb9c789d74804da8b8dbb3fd7c39586571cb1c.exe
Token: SeDebugPrivilege	2332	Startup.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1964	Startup.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2752	3048	JaffaCakes118_b584bd384f721c35557bf7acc7bb9c789d74804da8b8dbb3fd7c39586571cb1c.exe	30
PID 3048 wrote to memory of 2752	3048	JaffaCakes118_b584bd384f721c35557bf7acc7bb9c789d74804da8b8dbb3fd7c39586571cb1c.exe	30
PID 3048 wrote to memory of 2752	3048	JaffaCakes118_b584bd384f721c35557bf7acc7bb9c789d74804da8b8dbb3fd7c39586571cb1c.exe	30
PID 3048 wrote to memory of 2752	3048	JaffaCakes118_b584bd384f721c35557bf7acc7bb9c789d74804da8b8dbb3fd7c39586571cb1c.exe	30
PID 2752 wrote to memory of 2708	2752	cmd.exe	32
PID 2752 wrote to memory of 2708	2752	cmd.exe	32
PID 2752 wrote to memory of 2708	2752	cmd.exe	32
PID 2752 wrote to memory of 2708	2752	cmd.exe	32
PID 3048 wrote to memory of 2332	3048	JaffaCakes118_b584bd384f721c35557bf7acc7bb9c789d74804da8b8dbb3fd7c39586571cb1c.exe	33
PID 3048 wrote to memory of 2332	3048	JaffaCakes118_b584bd384f721c35557bf7acc7bb9c789d74804da8b8dbb3fd7c39586571cb1c.exe	33
PID 3048 wrote to memory of 2332	3048	JaffaCakes118_b584bd384f721c35557bf7acc7bb9c789d74804da8b8dbb3fd7c39586571cb1c.exe	33
PID 3048 wrote to memory of 2332	3048	JaffaCakes118_b584bd384f721c35557bf7acc7bb9c789d74804da8b8dbb3fd7c39586571cb1c.exe	33
PID 2332 wrote to memory of 1964	2332	Startup.exe	34
PID 2332 wrote to memory of 1964	2332	Startup.exe	34
PID 2332 wrote to memory of 1964	2332	Startup.exe	34
PID 2332 wrote to memory of 1964	2332	Startup.exe	34
PID 2332 wrote to memory of 1964	2332	Startup.exe	34
PID 2332 wrote to memory of 1964	2332	Startup.exe	34
PID 2332 wrote to memory of 1964	2332	Startup.exe	34
PID 2332 wrote to memory of 1964	2332	Startup.exe	34
PID 2332 wrote to memory of 1964	2332	Startup.exe	34
PID 2332 wrote to memory of 1964	2332	Startup.exe	34
PID 2332 wrote to memory of 1964	2332	Startup.exe	34

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b584bd384f721c35557bf7acc7bb9c789d74804da8b8dbb3fd7c39586571cb1c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b584bd384f721c35557bf7acc7bb9c789d74804da8b8dbb3fd7c39586571cb1c.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "up" /t REG_SZ /d "C:\Program Files (x86)\Startup.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "up" /t REG_SZ /d "C:\Program Files (x86)\Startup.exe"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2708
- C:\Program Files (x86)\Startup.exe
  "C:\Program Files (x86)\Startup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Program Files (x86)\Startup.exe
    "C:\Program Files (x86)\Startup.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\remcos\logs.dat

Filesize
74B

MD5
adcbd1fe700c548d9bbc3da6a477f370

SHA1
c3ea34df358ccab3b0f192c74d4d5114fcf376dc

SHA256
1cfdec6d4711dcd4b744b4454d9a66b03e19d664f900cfb86a01d711393af7e3

SHA512
348697e0401e945546b8a481a1dbf2d3303022890aa4b89e2fc930aa92aabf624439d67366fac9388da887a5afdf454f1c991b2a34a189b8e90a9f30ef1b5485

Download Submit
\Program Files (x86)\Startup.exe

Filesize
562KB

MD5
f34a430619e5668615cb3ada04be4216

SHA1
9c1113c380db483ceb5efc712e7179cace0fefe3

SHA256
b584bd384f721c35557bf7acc7bb9c789d74804da8b8dbb3fd7c39586571cb1c

SHA512
18218a0537eec400cd414b00fcdbc21c7edd8ac39139407fac4f872fec7309da391ec69249d947d9a92e8410e3d0477c57a029a9b3ae771eaeeaa80dd445592c

Download Submit
memory/1964-27-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1964-37-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1964-36-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1964-34-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1964-21-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1964-29-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1964-40-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1964-31-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1964-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1964-23-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1964-25-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2332-20-0x0000000000500000-0x0000000000506000-memory.dmp

Filesize
24KB

Download
memory/2332-15-0x0000000000140000-0x00000000001D0000-memory.dmp

Filesize
576KB

Download
memory/2332-19-0x0000000000370000-0x0000000000384000-memory.dmp

Filesize
80KB

Download
memory/2332-17-0x00000000744E0000-0x0000000074BCE000-memory.dmp

Filesize
6.9MB

Download
memory/2332-41-0x00000000744E0000-0x0000000074BCE000-memory.dmp

Filesize
6.9MB

Download
memory/2332-16-0x00000000744E0000-0x0000000074BCE000-memory.dmp

Filesize
6.9MB

Download
memory/3048-8-0x00000000744E0000-0x0000000074BCE000-memory.dmp

Filesize
6.9MB

Download
memory/3048-0-0x00000000744EE000-0x00000000744EF000-memory.dmp

Filesize
4KB

Download
memory/3048-7-0x00000000744EE000-0x00000000744EF000-memory.dmp

Filesize
4KB

Download
memory/3048-6-0x00000000744E0000-0x0000000074BCE000-memory.dmp

Filesize
6.9MB

Download
memory/3048-4-0x00000000744E0000-0x0000000074BCE000-memory.dmp

Filesize
6.9MB

Download
memory/3048-3-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/3048-2-0x0000000000250000-0x0000000000276000-memory.dmp

Filesize
152KB

Download
memory/3048-18-0x00000000744E0000-0x0000000074BCE000-memory.dmp

Filesize
6.9MB

Download
memory/3048-1-0x0000000001250000-0x00000000012E0000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads