Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
24-12-2024 02:57
Behavioral task
behavioral1
Sample
JaffaCakes118_82e58023e850c0341d19f135f46bb33fc39541dd5526d9a7936538fcf0c9eddc.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_82e58023e850c0341d19f135f46bb33fc39541dd5526d9a7936538fcf0c9eddc.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_82e58023e850c0341d19f135f46bb33fc39541dd5526d9a7936538fcf0c9eddc.exe
-
Size
124KB
-
MD5
e539333186264615997bd8dc947b93f4
-
SHA1
bfb26373cc908ec3d5f4431ab21474d5c791a11e
-
SHA256
82e58023e850c0341d19f135f46bb33fc39541dd5526d9a7936538fcf0c9eddc
-
SHA512
f5829c4a91553056a8a0012b1e74966240a63e00c072fc8814d89915fffac36518da0eac353ab4bcd86af8a157c2535407580a8cb673ed2e09e1bf5c77900676
-
SSDEEP
3072:mVh1qaSs6IF9OK4b80S2Van4Va1cpcQjed5OzqhUSa:yh1qn3IF9Obbj/a1cpcQjeHOzqhUS
Malware Config
Extracted
remcos
2.5.0 Pro
wakidi
zimchi2020.ddns.net:7171
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Remcos-8BO56S
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
wikipedia;solitaire;
Signatures
-
Remcos family
-
Executes dropped EXE 1 IoCs
pid | Process
3028 | remcos.exe
-
Loads dropped DLL 2 IoCs
pid | Process
1628 | cmd.exe
1628 | cmd.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" | JaffaCakes118_82e58023e850c0341d19f135f46bb33fc39541dd5526d9a7936538fcf0c9eddc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" | remcos.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_82e58023e850c0341d19f135f46bb33fc39541dd5526d9a7936538fcf0c9eddc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | remcos.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
3028 | remcos.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 2512 wrote to memory of 2280 (4 entries) | 2512 | JaffaCakes118_82e58023e850c0341d19f135f46bb33fc39541dd5526d9a7936538fcf0c9eddc.exe | 30
PID 2280 wrote to memory of 1628 (4 entries) | 2280 | WScript.exe | 31
PID 1628 wrote to memory of 3028 (4 entries) | 1628 | cmd.exe | 33
-
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_82e58023e850c0341d19f135f46bb33fc39541dd5526d9a7936538fcf0c9eddc.exe (PID 2512)
   Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_82e58023e850c0341d19f135f46bb33fc39541dd5526d9a7936538fcf0c9eddc.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WScript.exe (PID 2280)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe (PID 1628)
         Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\remcos\remcos.exe (PID 3028)
            Command line: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

Note on the chain: the command lines name C:\Windows\System32\WScript.exe and cmd.exe, but the images that actually ran are under C:\Windows\SysWOW64. The sample is a 32-bit process (resource tags arch:x86) on a 64-bit host, so WoW64 file system redirection maps System32 to SysWOW64; a detection rule keyed only on the System32 path in the command line would still match, one keyed on the image path must expect SysWOW64. The launch chain is the submitted sample -> WScript.exe running install.vbs from the same Temp directory -> cmd.exe /c -> the dropped copy at %AppData%\remcos\remcos.exe, which matches the install_path, copy_folder and copy_file values in the extracted config; both the sample and the dropped copy write the same Run value (startup_value "remcos") pointing at that path.
-
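The config values and the persistence/launch chain recorded above translate directly into a host hunt. The following Python is an added example, not part of the sandbox report or of any Remcos tooling: it derives concrete artifacts (install path, Run value name, mutex, C2 host and port) from the extracted config, then runs two checks over constructed Sysmon-like telemetry modelled on the Processes and registry tables above. The event schema, the resolution of %AppData% to the sandbox user's profile path, and the benign "updater.exe" control entries (PID 4000) are assumptions of this example.

```python
"""Triage helpers for the Remcos run above: derive host IoCs from the extracted
config and hunt for the observed persistence and launch chain in telemetry."""
import ntpath
import re

# Subset of the Malware Config section above, as extracted by the sandbox.
REMCOS_CONFIG = {
    "install_path": "%AppData%",
    "copy_folder": "remcos",
    "copy_file": "remcos.exe",
    "startup_value": "remcos",
    "mutex": "Remcos-8BO56S",
    "c2": "zimchi2020.ddns.net:7171",
}

SAMPLE = "JaffaCakes118_82e58023e850c0341d19f135f46bb33fc39541dd5526d9a7936538fcf0c9eddc.exe"
RUN_KEY = r"\Software\Microsoft\Windows\CurrentVersion\Run"
SID = r"\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000"

# Constructed telemetry modelled on the Processes and registry tables above.
# The dict layout is a simplified Sysmon-like schema assumed by this example;
# the PID 4000 "updater.exe" entries are invented benign controls.
EVENTS = [
    {"type": "process", "pid": 2512, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE},
    {"type": "process", "pid": 2280, "ppid": 2512, "image": r"C:\Windows\SysWOW64\WScript.exe"},
    {"type": "process", "pid": 1628, "ppid": 2280, "image": r"C:\Windows\SysWOW64\cmd.exe"},
    {"type": "process", "pid": 3028, "ppid": 1628,
     "image": r"C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"},
    {"type": "process", "pid": 4000, "ppid": 1000, "image": r"C:\Program Files\Vendor\updater.exe"},
    {"type": "registry", "pid": 2512, "key": SID + RUN_KEY + r"\remcos",
     "data": r'"C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"'},
    {"type": "registry", "pid": 3028, "key": SID + RUN_KEY + r"\remcos",
     "data": r'"C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"'},
    {"type": "registry", "pid": 4000, "key": SID + RUN_KEY + r"\Updater",
     "data": r'"C:\Program Files\Vendor\updater.exe"'},
]

RUN_VALUE_RE = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)


def derive_iocs(cfg, appdata=r"C:\Users\Admin\AppData\Roaming"):
    """Expand the config into concrete artifacts; %AppData% is resolved to the
    sandbox user's profile path seen in the report (an assumption here)."""
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "install_path": ntpath.join(appdata, cfg["copy_folder"], cfg["copy_file"]),
        "run_value": cfg["startup_value"],
        "mutex": cfg["mutex"],
        "c2_host": host,
        "c2_port": int(port),
    }


def persistence_findings(events):
    """Run-key values whose target lives under a user-writable AppData path."""
    out = []
    for ev in events:
        if ev["type"] != "registry":
            continue
        m = RUN_VALUE_RE.search(ev["key"])
        if not m:
            continue
        target = ev["data"].strip().strip('"')
        if USER_WRITABLE_RE.search(target):
            out.append({"pid": ev["pid"], "value": m.group(1), "target": target})
    return out


def ancestry(events, pid):
    """Process records from the root ancestor down to pid."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    chain.reverse()
    return chain


def chain_findings(events):
    """Processes launched as ... -> wscript.exe -> cmd.exe -> <exe under AppData>,
    the sequence the sandbox recorded for install.vbs."""
    out = []
    for ev in events:
        if ev["type"] != "process" or not USER_WRITABLE_RE.search(ev["image"]):
            continue
        names = [ntpath.basename(e["image"]).lower() for e in ancestry(events, ev["pid"])]
        if names[-3:-1] == ["wscript.exe", "cmd.exe"]:
            out.append({"pid": ev["pid"], "chain": names})
    return out


def triage(events, cfg):
    """Generic findings plus the subset that matches this sample's config exactly."""
    iocs = derive_iocs(cfg)
    persistence = persistence_findings(events)
    confirmed = [p for p in persistence
                 if p["value"].lower() == iocs["run_value"].lower()
                 and p["target"].lower() == iocs["install_path"].lower()]
    return {"iocs": iocs, "persistence": persistence,
            "config_matched": confirmed, "chains": chain_findings(events)}


if __name__ == "__main__":
    for key, value in triage(EVENTS, REMCOS_CONFIG).items():
        print(key, value)
```

The generic checks (Run value pointing into AppData; wscript.exe -> cmd.exe -> AppData executable) are the reusable part: they fire on this sample without knowing its config and would fire on a rebuilt variant with a different copy_folder or startup_value. The config match is the confirmation step that ties a hit to this particular build; the mutex and C2 host/port are returned alongside for handle and DNS/netflow searches that this example does not perform.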
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
418B
MD5
ff449f6f7bc5e2d800eb30e2d2c56611
SHA1
93419ea805b9ce35a766e5c56db50d54c2d3f94b
SHA256
655787cf79040ee701963986320556a834d6345e850e03653e4852d94eb09416
SHA512
02a17064c837d36ba241fb8edf9266e33479a10eb8652b974158a3227878a801da29db1108413bb2c298a105b3c19bd20c3a3100f19444189f434706825766a6
-
Filesize
74B
MD5
7ffafa69c131b01528fbd3cbc9fd4295
SHA1
7f90ec00802bb00f18c2d8bf2d6483b1a2e1ba63
SHA256
5b90c313c71d65a47bf679eafde2775ab1a16a2b58bbd800b0e839d1c64ed068
SHA512
ac92645f33fb8de2480e8c1d6eb1d1c1ad49d756cb7a824632680b0c4b991f302ab5cea73523e920a1982d86d7697d4e57c1a8f862a4ceee5a9e9717e0d3a8cd
-
Filesize
124KB
MD5
e539333186264615997bd8dc947b93f4
SHA1
bfb26373cc908ec3d5f4431ab21474d5c791a11e
SHA256
82e58023e850c0341d19f135f46bb33fc39541dd5526d9a7936538fcf0c9eddc
SHA512
f5829c4a91553056a8a0012b1e74966240a63e00c072fc8814d89915fffac36518da0eac353ab4bcd86af8a157c2535407580a8cb673ed2e09e1bf5c77900676
(All four hashes are identical to the submitted Target above, so the dropped %AppData%\remcos\remcos.exe is a byte-for-byte copy of the original sample; the sample's own file hashes are therefore valid IoCs for the installed copy as well.)