General

  • Target

    JaffaCakes118_1a6f2e5d65e1996aa473c9ca5a5ac7bb9575a5d22afb45717f971e6bf04817ed

  • Size

    3.1MB

  • Sample

    241224-nsymgswnfx

  • MD5

    077a624c868cd42501b16e60fc6a8131

  • SHA1

    7f7977a5ceaca7f963f1969209026945644c8b2e

  • SHA256

    1a6f2e5d65e1996aa473c9ca5a5ac7bb9575a5d22afb45717f971e6bf04817ed

  • SHA512

    1fde2b9e680ab327202fe48d47f20565e0c99c820a51a4eb91c249f4f68a69a7a4e8adb53656d8239e39a02cfbb6cec21921df826c6a298c9892fc56a73a97a7

  • SSDEEP

    98304:2ZNVPmPNPCqESHslE1Xg3M9LKHe5H2Xrpxuy:21u16qhSDHeqrpn

Malware Config

Extracted

Family

remcos

Version

2.6.0 Pro

Botnet

(botnet name not recoverable: the value was mis-encoded in the extracted page)

C2

37.1.206.16:5757

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    Windows.exe

  • copy_folder

    Temp

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    13asdadsSDSSDSDSD12132az-BMS9FK

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Defender

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;
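
The attribute list above is a raw dump; what a responder actually wants is the subset of it that this particular build will leave on a host or the wire, because install_flag, keylog_flag and screenshot_flag are all false here. The script below is an added example written for this report (not the sandbox vendor's code and not Remcos's own). CONFIG_TEXT is constructed from the attributes above. Two things in it are assumptions about Remcos rather than facts stated in the report: that the copy lands at install_path\copy_folder\copy_file and that the copy plus the startup_value autorun entry only appear when install_flag is true; and that keylog_path\keylog_folder\keylog_file and the screenshot folder only appear when their respective flags are true.

```python
"""Turn a Remcos config dump into a hunt list, split by whether the config
actually enables each artefact. Added example; see the lead-in for what is
assumed about Remcos behaviour."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed from the extracted config on this page (key, space, value).
CONFIG_TEXT = """\
C2 37.1.206.16:5757
mutex 13asdadsSDSSDSDSD12132az-BMS9FK
install_flag false
install_path %AppData%
copy_file Windows.exe
copy_folder Temp
startup_value Defender
keylog_flag false
keylog_path %AppData%
keylog_folder remcos
keylog_file logs.dat
screenshot_flag false
screenshot_path %AppData%
screenshot_folder Screenshots
audio_path %AppData%
audio_folder MicRecords
"""


@dataclass(frozen=True)
class Artifact:
    kind: str                 # network, mutex, file, directory, autorun
    value: str
    gate: Optional[str]       # config flag that controls the artefact, if any
    enabled: Optional[bool]   # True/False per the config; None if no flag is known


def parse_config(text: str) -> dict:
    """Parse 'key value' lines; later duplicates overwrite earlier ones."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        cfg[key] = value.strip()
    return cfg


def as_bool(value: str) -> bool:
    return value.strip().lower() == "true"


def parse_c2(value: str) -> Tuple[str, int]:
    """Split a 'host:port' C2 string and validate the port."""
    host, sep, port = value.rpartition(":")
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"unexpected C2 format: {value!r}")
    return host, int(port)


def win_join(*parts: str) -> str:
    """Join path fragments with backslashes, leaving %VAR% tokens untouched."""
    return "\\".join(p.strip("\\") for p in parts if p)


def derive_artifacts(cfg: dict) -> List[Artifact]:
    host, port = parse_c2(cfg["C2"])
    install = as_bool(cfg["install_flag"])
    keylog = as_bool(cfg["keylog_flag"])
    shots = as_bool(cfg["screenshot_flag"])
    return [
        # Always present: the beacon destination and the mutex.
        Artifact("network", f"{host}:{port}", None, True),
        Artifact("mutex", cfg["mutex"], None, True),
        # Assumed layout install_path\copy_folder\copy_file, gated on install_flag.
        Artifact("file", win_join(cfg["install_path"], cfg["copy_folder"],
                                  cfg["copy_file"]), "install_flag", install),
        # Assumed: the autorun entry named startup_value is also gated on install_flag.
        Artifact("autorun", cfg["startup_value"], "install_flag", install),
        # Assumed layout keylog_path\keylog_folder\keylog_file, gated on keylog_flag.
        Artifact("file", win_join(cfg["keylog_path"], cfg["keylog_folder"],
                                  cfg["keylog_file"]), "keylog_flag", keylog),
        Artifact("directory", win_join(cfg["screenshot_path"],
                                       cfg["screenshot_folder"]),
                 "screenshot_flag", shots),
        # The dump shows no on/off flag for audio capture, so leave it undetermined.
        Artifact("directory", win_join(cfg["audio_path"], cfg["audio_folder"]),
                 None, None),
    ]


def hunt_list(cfg: dict) -> Tuple[List[Artifact], List[Artifact], List[Artifact]]:
    """Return (active, dormant, undetermined) artefacts for this config."""
    arts = derive_artifacts(cfg)
    active = [a for a in arts if a.enabled is True]
    dormant = [a for a in arts if a.enabled is False]
    unknown = [a for a in arts if a.enabled is None]
    return active, dormant, unknown


if __name__ == "__main__":
    for label, group in zip(("active", "dormant", "undetermined"),
                            hunt_list(parse_config(CONFIG_TEXT))):
        for a in group:
            print(f"{label:12} {a.kind:9} {a.value}"
                  + (f"  (gate: {a.gate})" if a.gate else ""))
```

For this build only the C2 socket 37.1.206.16:5757 and the mutex come out as active; the %AppData%\Temp\Windows.exe copy, the "Defender" autorun entry and the %AppData%\remcos\logs.dat keylog file are reported as dormant because their controlling flags are false. Dormant paths are still worth a one-off search in case the operator pushes a reconfigured build, but they should not go straight into a blocklist: Windows.exe and a folder named Temp under %AppData% are generic enough to collide with benign software.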

Targets

    • Target

      OverdriveNTool_0.2.9/OverdriveNTool.exe

    • Size

      2.9MB

    • MD5

      b64dbdbb60d0edab5bf3608d9973d7b5

    • SHA1

      470ec316274648567965ac7912cb8fbfc5763c47

    • SHA256

      731f26f74722af06e463904102705bc856f20852faecb08b5fda6b7bc0e5539c

    • SHA512

      2d21e148db3e5a60075609ca0b4e5cabba7bf15299ed49ebe81f73844440090f8d935e919e2e7368927890b4d51514518bf9467ab01a1db0a3bbae50153719a9

    • SSDEEP

      49152:gLJwSihjOb6GLb4SKEs3DyOMC2DlUt0+yO3A32ASNTvM0:cwSi0b67zeCzt0+yO3kSf

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Remcos family

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15