Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-12-2024 03:03
Behavioral task: behavioral1
- Sample: JaffaCakes118_82e58023e850c0341d19f135f46bb33fc39541dd5526d9a7936538fcf0c9eddc.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_82e58023e850c0341d19f135f46bb33fc39541dd5526d9a7936538fcf0c9eddc.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_82e58023e850c0341d19f135f46bb33fc39541dd5526d9a7936538fcf0c9eddc.exe
- Size: 124KB
- MD5: e539333186264615997bd8dc947b93f4
- SHA1: bfb26373cc908ec3d5f4431ab21474d5c791a11e
- SHA256: 82e58023e850c0341d19f135f46bb33fc39541dd5526d9a7936538fcf0c9eddc
- SHA512: f5829c4a91553056a8a0012b1e74966240a63e00c072fc8814d89915fffac36518da0eac353ab4bcd86af8a157c2535407580a8cb673ed2e09e1bf5c77900676
- SSDEEP: 3072:mVh1qaSs6IF9OK4b80S2Van4Va1cpcQjed5OzqhUSa:yh1qn3IF9Obbj/a1cpcQjeHOzqhUS
Malware Config
Extracted
- Family: remcos
- Version: 2.5.0 Pro
- Botnet: wakidi
- C2: zimchi2020.ddns.net:7171
Attributes
- audio_folder: MicRecords
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: true
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- keylog_path: %AppData%
- mouse_option: false
- mutex: Remcos-8BO56S
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: remcos
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title: wikipedia;solitaire;
Signatures
- Remcos family
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | JaffaCakes118_82e58023e850c0341d19f135f46bb33fc39541dd5526d9a7936538fcf0c9eddc.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | WScript.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  4412 | remcos.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" | JaffaCakes118_82e58023e850c0341d19f135f46bb33fc39541dd5526d9a7936538fcf0c9eddc.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" | remcos.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | remcos.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_82e58023e850c0341d19f135f46bb33fc39541dd5526d9a7936538fcf0c9eddc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
- Modifies registry class (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | JaffaCakes118_82e58023e850c0341d19f135f46bb33fc39541dd5526d9a7936538fcf0c9eddc.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  4412 | remcos.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 3940 wrote to memory of 1848 | 3940 | JaffaCakes118_82e58023e850c0341d19f135f46bb33fc39541dd5526d9a7936538fcf0c9eddc.exe | 83
  PID 3940 wrote to memory of 1848 | 3940 | JaffaCakes118_82e58023e850c0341d19f135f46bb33fc39541dd5526d9a7936538fcf0c9eddc.exe | 83
  PID 3940 wrote to memory of 1848 | 3940 | JaffaCakes118_82e58023e850c0341d19f135f46bb33fc39541dd5526d9a7936538fcf0c9eddc.exe | 83
  PID 1848 wrote to memory of 2768 | 1848 | WScript.exe | 84
  PID 1848 wrote to memory of 2768 | 1848 | WScript.exe | 84
  PID 1848 wrote to memory of 2768 | 1848 | WScript.exe | 84
  PID 2768 wrote to memory of 4412 | 2768 | cmd.exe | 86
  PID 2768 wrote to memory of 4412 | 2768 | cmd.exe | 86
  PID 2768 wrote to memory of 4412 | 2768 | cmd.exe | 86
Processes
1. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_82e58023e850c0341d19f135f46bb33fc39541dd5526d9a7936538fcf0c9eddc.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_82e58023e850c0341d19f135f46bb33fc39541dd5526d9a7936538fcf0c9eddc.exe"
   PID: 3940
   - Checks computer location settings
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      PID: 1848
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
         PID: 2768
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
            Command line: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
            PID: 4412
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 418B
  MD5: ff449f6f7bc5e2d800eb30e2d2c56611
  SHA1: 93419ea805b9ce35a766e5c56db50d54c2d3f94b
  SHA256: 655787cf79040ee701963986320556a834d6345e850e03653e4852d94eb09416
  SHA512: 02a17064c837d36ba241fb8edf9266e33479a10eb8652b974158a3227878a801da29db1108413bb2c298a105b3c19bd20c3a3100f19444189f434706825766a6
- Filesize: 74B
  MD5: 8671a8e8ca7d296c689b9d87b28d4b32
  SHA1: ba9926137145775b14f5e242c0c02ca0cf9263c8
  SHA256: df35a552d9076363808b2a690bbb9686645291e5f578421143cc87acff06f1b8
  SHA512: 007f353c377660d2d3e4127aa77c4aadcfaff69d1c0d71fb989d533639552e604aae40fc2d09349a0e4d54217bd0797322ca56a1a0cd70b01553db7f5b476aa7
- Filesize: 124KB
  MD5: e539333186264615997bd8dc947b93f4
  SHA1: bfb26373cc908ec3d5f4431ab21474d5c791a11e
  SHA256: 82e58023e850c0341d19f135f46bb33fc39541dd5526d9a7936538fcf0c9eddc
  SHA512: f5829c4a91553056a8a0012b1e74966240a63e00c072fc8814d89915fffac36518da0eac353ab4bcd86af8a157c2535407580a8cb673ed2e09e1bf5c77900676