Resubmissions

24-12-2024 03:03

241224-dj43sszpe1 10

24-12-2024 02:57

241224-dfnlmsznft 10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    24-12-2024 02:57

General

  • Target

    JaffaCakes118_82e58023e850c0341d19f135f46bb33fc39541dd5526d9a7936538fcf0c9eddc.exe

  • Size

    124KB

  • MD5

    e539333186264615997bd8dc947b93f4

  • SHA1

    bfb26373cc908ec3d5f4431ab21474d5c791a11e

  • SHA256

    82e58023e850c0341d19f135f46bb33fc39541dd5526d9a7936538fcf0c9eddc

  • SHA512

    f5829c4a91553056a8a0012b1e74966240a63e00c072fc8814d89915fffac36518da0eac353ab4bcd86af8a157c2535407580a8cb673ed2e09e1bf5c77900676

  • SSDEEP

    3072:mVh1qaSs6IF9OK4b80S2Van4Va1cpcQjed5OzqhUSa:yh1qn3IF9Obbj/a1cpcQjeHOzqhUS

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

wakidi

C2

zimchi2020.ddns.net:7171

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-8BO56S

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Remcos family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_82e58023e850c0341d19f135f46bb33fc39541dd5526d9a7936538fcf0c9eddc.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_82e58023e850c0341d19f135f46bb33fc39541dd5526d9a7936538fcf0c9eddc.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2512
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2280
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1628
        • C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
          C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3028

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\install.vbs

    Filesize

    418B

    MD5

    ff449f6f7bc5e2d800eb30e2d2c56611

    SHA1

    93419ea805b9ce35a766e5c56db50d54c2d3f94b

    SHA256

    655787cf79040ee701963986320556a834d6345e850e03653e4852d94eb09416

    SHA512

    02a17064c837d36ba241fb8edf9266e33479a10eb8652b974158a3227878a801da29db1108413bb2c298a105b3c19bd20c3a3100f19444189f434706825766a6

  • C:\Users\Admin\AppData\Roaming\remcos\logs.dat

    Filesize

    74B

    MD5

    7ffafa69c131b01528fbd3cbc9fd4295

    SHA1

    7f90ec00802bb00f18c2d8bf2d6483b1a2e1ba63

    SHA256

    5b90c313c71d65a47bf679eafde2775ab1a16a2b58bbd800b0e839d1c64ed068

    SHA512

    ac92645f33fb8de2480e8c1d6eb1d1c1ad49d756cb7a824632680b0c4b991f302ab5cea73523e920a1982d86d7697d4e57c1a8f862a4ceee5a9e9717e0d3a8cd

  • C:\Users\Admin\AppData\Roaming\remcos\remcos.exe

    Filesize

    124KB

    MD5

    e539333186264615997bd8dc947b93f4

    SHA1

    bfb26373cc908ec3d5f4431ab21474d5c791a11e

    SHA256

    82e58023e850c0341d19f135f46bb33fc39541dd5526d9a7936538fcf0c9eddc

    SHA512

    f5829c4a91553056a8a0012b1e74966240a63e00c072fc8814d89915fffac36518da0eac353ab4bcd86af8a157c2535407580a8cb673ed2e09e1bf5c77900676