Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    26/12/2024, 22:13 UTC

General

  • Target

    JaffaCakes118_88b5e8bf2561c9e5843c182357079e8f65a51f0de66f11e2e8f489789f822d12.exe

  • Size

    124KB

  • MD5

    8b62975c6ddaa41bae24ce12cede46c5

  • SHA1

    fb182a7d0975fe1509ff69caa0f21a2574bb6258

  • SHA256

    88b5e8bf2561c9e5843c182357079e8f65a51f0de66f11e2e8f489789f822d12

  • SHA512

    e980d7784fac9a5d16ee84930cbc12aa524d774c2bbcd11e2ede8fa5a52232cc98652df842e770c585bc225401c52512e34c1482a8437357e6e224391db5d1ac

  • SSDEEP

    3072:mlh1qaSs6IF9OK4b80S2Van4Va1cpcQjed5OzqhUra:Ch1qn3IF9Obbj/a1cpcQjeHOzqhUr

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

RemoteHost

C2

91.193.75.145:1604

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    firefox1.exe

  • copy_folder

    firefox

  • delete_file

    true

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs9.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-IVNP1E

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    firefox

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Remcos

    Remcos is closed-source remote control and surveillance software.

  • Remcos family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_88b5e8bf2561c9e5843c182357079e8f65a51f0de66f11e2e8f489789f822d12.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_88b5e8bf2561c9e5843c182357079e8f65a51f0de66f11e2e8f489789f822d12.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Modifies WinLogon
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3532
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2332
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\firefox\firefox1.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3804
        • C:\Users\Admin\AppData\Roaming\firefox\firefox1.exe
          C:\Users\Admin\AppData\Roaming\firefox\firefox1.exe
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Modifies WinLogon
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1592

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    75.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    75.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    53.210.109.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    53.210.109.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    19.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.229.111.52.in-addr.arpa
    IN PTR
    Response
  • 91.193.75.145:1604 (44 identical connections, each as below)
    firefox1.exe
    260 B
    200 B
    5
    5
  • 91.193.75.145:1604
    firefox1.exe
    52 B
    1
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    75.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    75.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    53.210.109.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    53.210.109.20.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    19.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    19.229.111.52.in-addr.arpa

  • 8.8.8.8:53

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\install.vbs

    Filesize

    692B

    MD5

    a86b6d7e80c9b3568ea72832ff512e8a

    SHA1

    9956983e499222955b86255747034251f4e63ed5

    SHA256

    1bce219a4bfa0ba3a2564a8e0b0dd3a176429d3f536119e2aa8264a2365925b8

    SHA512

    99a445ec335844ccc0d2c2a47d56f6bc4c7b2e0368adff62c34233f08e31e881726f1e4c300b4e7c4cde9a3ba81e1cf9f973c580a1b0f9beae5af00fa3e0e1e5

  • C:\Users\Admin\AppData\Roaming\firefox\firefox1.exe

    Filesize

    124KB

    MD5

    8b62975c6ddaa41bae24ce12cede46c5

    SHA1

    fb182a7d0975fe1509ff69caa0f21a2574bb6258

    SHA256

    88b5e8bf2561c9e5843c182357079e8f65a51f0de66f11e2e8f489789f822d12

    SHA512

    e980d7784fac9a5d16ee84930cbc12aa524d774c2bbcd11e2ede8fa5a52232cc98652df842e770c585bc225401c52512e34c1482a8437357e6e224391db5d1ac

  • C:\Users\Admin\AppData\Roaming\remcos\logs9.dat

    Filesize

    74B

    MD5

    d1d6c6069c471f5ff2df97d866023786

    SHA1

    a0f87526a3c024c15f21ffdc83393ac12fe06bd9

    SHA256

    4eec30926df6eab97aa1e37bd0d26c2bab5c592cbd3e157a4cae60db60c27326

    SHA512

    5adb7deadbc0570274a0cba8497519ff3550b280c7cc95640f0e56893389e30851afe0ae53dbb61be8701eb6c1667d479b71c4cfc645f667f0c6949ec940bb50
