General

  • Target: JaffaCakes118_55f131be9f75250cc1291aafe4bc1593d460bcc71c62da5437aa14c894cf22f3
  • Size: 186KB
  • Sample: 241225-dnr9sswkfs
  • MD5: d6871bd2c8ca05d1edd8414e6ef32d3f
  • SHA1: c19893a50f85595aba15abc3a3e02f56e0ca3e21
  • SHA256: 55f131be9f75250cc1291aafe4bc1593d460bcc71c62da5437aa14c894cf22f3
  • SHA512: 449684673fed085029c721a573df39e7af5ed751b85f4f5b0084cdd8dfb56d1c41711770ae10b36ba60f5e303d717b41cf7bac79fea42577b2e3dd9cb85a5f66
  • SSDEEP: 3072:uRPUPdRWSqYHZSt7+haWsNfA6uLmeG9ivvwZtzwZrsufjkWzbJBm:uRMPSkHstq8566em/Awvw62jTb/m

Malware Config

Extracted

Family: remcos
Version: 2.7.2 Pro
Botnet: GRACE _ MARCY
C2: 103.153.77.83:4348

Attributes
  • audio_folder: MicRecords
  • audio_path: %AppData%
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: mozila.exe
  • copy_folder: mozila
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • install_path: %AppData%
  • keylog_crypt: false
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: mozila
  • keylog_path: %AppData%
  • mouse_option: false
  • mutex: mozila-VR8Q9A
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • startup_value: mozila
  • take_screenshot_option: false
  • take_screenshot_time: 5
  • take_screenshot_title: wikipedia;solitaire;

Targets

    • Target: 2f14fefdd76197ec0b0eed44f534230e1e2b39d655edf87dd8571ceb966bb281
    • Size: 199KB
    • MD5: 9915622262b1663ae9f851f664854000
    • SHA1: da9ae0706648eb10e1f5fbec1060f3eea8588ec6
    • SHA256: 2f14fefdd76197ec0b0eed44f534230e1e2b39d655edf87dd8571ceb966bb281
    • SHA512: d4a5583f1a531a292aece6f27f41b1abd37a31500f5def1459b5e801816bfddd1b1e6aea38f4682dd21a0e5e2ab17149d15b07242bd65fb8a6147e5247e5e61d
    • SSDEEP: 3072:5NRCywDw1DiJkuQbojv4YQ/6Jfd9cV44zo7dkH6ChVLOWV49p6vfE2JvAEVXUOQn:5T4Dt+AxQnpe6HrLObovfTNAE2Ar+e2
    • Remcos: Remcos is closed-source remote control and surveillance software.
    • Remcos family
    • Loads dropped DLL
    • Suspicious use of SetThreadContext

    • Target: $PLUGINSDIR/InstallOptions.dll
    • Size: 15KB
    • MD5: 0a9fb96a7579b685ec36b17fc354e6a3
    • SHA1: 355754104dd47d5fcf8918dee0dc2e2ee53390a6
    • SHA256: b34fb342f21d690aac024b6f48a597e78d15791ef480ac55159cd585d0f64af7
    • SHA512: 67870206fa7f1e7df45c8c1bc2f51fb430f0a048a2bdb55a4a41525388ca3b50203784537f139169705a03db4bb13b591162a79a5d2df81a4d11fd849615c86b
    • SSDEEP: 384:EFC43tPegZ3eBaRwCPOYY7nNYXCg/Yosa:EMTgZ3eBTCmrnNAo
    Score: 3/10

    • Target: $PLUGINSDIR/System.dll
    • Size: 12KB
    • MD5: 564bb0373067e1785cba7e4c24aab4bf
    • SHA1: 7c9416a01d821b10b2eef97b80899d24014d6fc1
    • SHA256: 7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5
    • SHA512: 22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472
    • SSDEEP: 192:nenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBDIwL:n8+Qlt70Fj/lQRY/9VjjfL
    Score: 3/10

    • Target: $PLUGINSDIR/gb7ir8nsaimu39b.dll
    • Size: 149KB
    • MD5: 0c44ee25d7c510783d118d3f76d88b3b
    • SHA1: ff537d185513d1a2daf91ca5679c79f3c8346e9a
    • SHA256: 0b54c2abb6bee336adc1866f128591a6e0d5fa0f90333f6a6b57205b41196e20
    • SHA512: a13490eb75a842e15ae33cb167209e76dbfb7b1fe96530ca3bd41ff2a4318717b53a5e44bb1f0f2523f38888e142061019082ffb11bc633953a773b25e2fc587
    • SSDEEP: 3072:zakbhW2I5O+aiKzEV6o7dkH6ChVLOSV49p6vfESJvAEVXUOQn3r+e2:zjbM2SwbUJ6HrLOHovfFNAE23r+e2
    • Remcos: Remcos is closed-source remote control and surveillance software.
    • Remcos family
    • Blocklisted process makes network request
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks