General

  • Target

    JaffaCakes118_e5c85966816a4d1bf0b624712095bce065d7ba277ca7126e8e2d8951222baf4e

  • Size

    300.0MB

  • Sample

    241224-3l6f3s1jes

  • MD5

    c4c2beda15179f6664a458f36d2c290d

  • SHA1

    3ce80b1ac6a5cf4f3cb3c127223a161023e0be59

  • SHA256

    e5c85966816a4d1bf0b624712095bce065d7ba277ca7126e8e2d8951222baf4e

  • SHA512

    c91ee4c2a462090362bb7cd27c6c3b1db4423b6fd5761fe4f16885a5858ad8936d264fbb12ca9a24cb8ddd15c4df1779c0461ce73d2b0dde814aae08aaefe863

  • SSDEEP

    12288:7rThwUxpprVUKi0LVUDdz71Cmv0gLpsmT4Rhni6ivmZ:jh1prTi0odz7AWeo4RhMvU

Malware Config

Extracted

  • Family

    remcos

  • Botnet

    COMRADE MARCH-21

  • C2

    comaand-marc-21.duckdns.org:30288

Attributes

  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    sms-audio

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Snappy1yld7-2Q760T

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;solitaire;

Targets

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Remcos family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks