Resubmissions

24-12-2024 03:03

241224-dj43sszpe1 10

24-12-2024 02:57

241224-dfnlmsznft 10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-12-2024 03:03

General

  • Target

    JaffaCakes118_82e58023e850c0341d19f135f46bb33fc39541dd5526d9a7936538fcf0c9eddc.exe

  • Size

    124KB

  • MD5

    e539333186264615997bd8dc947b93f4

  • SHA1

    bfb26373cc908ec3d5f4431ab21474d5c791a11e

  • SHA256

    82e58023e850c0341d19f135f46bb33fc39541dd5526d9a7936538fcf0c9eddc

  • SHA512

    f5829c4a91553056a8a0012b1e74966240a63e00c072fc8814d89915fffac36518da0eac353ab4bcd86af8a157c2535407580a8cb673ed2e09e1bf5c77900676

  • SSDEEP

    3072:mVh1qaSs6IF9OK4b80S2Van4Va1cpcQjed5OzqhUSa:yh1qn3IF9Obbj/a1cpcQjeHOzqhUS

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

wakidi

C2

zimchi2020.ddns.net:7171

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-8BO56S

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Remcos family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_82e58023e850c0341d19f135f46bb33fc39541dd5526d9a7936538fcf0c9eddc.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_82e58023e850c0341d19f135f46bb33fc39541dd5526d9a7936538fcf0c9eddc.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3940
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1848
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2768
        • C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
          C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4412

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\install.vbs

    Filesize

    418B

    MD5

    ff449f6f7bc5e2d800eb30e2d2c56611

    SHA1

    93419ea805b9ce35a766e5c56db50d54c2d3f94b

    SHA256

    655787cf79040ee701963986320556a834d6345e850e03653e4852d94eb09416

    SHA512

    02a17064c837d36ba241fb8edf9266e33479a10eb8652b974158a3227878a801da29db1108413bb2c298a105b3c19bd20c3a3100f19444189f434706825766a6

  • C:\Users\Admin\AppData\Roaming\remcos\logs.dat

    Filesize

    74B

    MD5

    8671a8e8ca7d296c689b9d87b28d4b32

    SHA1

    ba9926137145775b14f5e242c0c02ca0cf9263c8

    SHA256

    df35a552d9076363808b2a690bbb9686645291e5f578421143cc87acff06f1b8

    SHA512

    007f353c377660d2d3e4127aa77c4aadcfaff69d1c0d71fb989d533639552e604aae40fc2d09349a0e4d54217bd0797322ca56a1a0cd70b01553db7f5b476aa7

  • C:\Users\Admin\AppData\Roaming\remcos\remcos.exe

    Filesize

    124KB

    MD5

    e539333186264615997bd8dc947b93f4

    SHA1

    bfb26373cc908ec3d5f4431ab21474d5c791a11e

    SHA256

    82e58023e850c0341d19f135f46bb33fc39541dd5526d9a7936538fcf0c9eddc

    SHA512

    f5829c4a91553056a8a0012b1e74966240a63e00c072fc8814d89915fffac36518da0eac353ab4bcd86af8a157c2535407580a8cb673ed2e09e1bf5c77900676