General
Target: JaffaCakes118_86dadeb6a6e837335c4c735ad8eda03fa66ca318ca50061dec33bb8349fad89a
Size: 2.8MB
Sample: 241229-f79z3atpcm
MD5: 8b3917b689351ec05afe821bda3b36c7
SHA1: 8c34a26744b7bdc531a4eb37576fe97231430fc6
SHA256: 86dadeb6a6e837335c4c735ad8eda03fa66ca318ca50061dec33bb8349fad89a
SHA512: c06d4b2394f065add581eb24f6944780c4ca400eae85c2172a54d75d4a2bf83aa8626f2c162fe2057ec696beac02e45be2f0a82c8ac9fc6df835e39f4385cd51
SSDEEP: 49152:KsBGq40J7zc2/Owc+QOBTBWR7cMwbxEOW8CRptjOboXYyQrT8tDyhmi32DgRI03y:KOGmJ7g2/OwcdIBW9OW8Cftj8yYmiG8e
Behavioral task: behavioral1
Sample: e6b0f81a947b7de134379b5be6827e5277fbdaedc9067654062ed94b0dd2aefd.exe
Resource: win7-20240903-en
Malware Config
Extracted: remcos
RH1
C2: 185.29.9.125:2404
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: itunes.exe
copy_folder: RMS
delete_file: true
hide_file: false
hide_keylog_file: false
install_flag: true
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: Jd1985-XODZWD
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Rms
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: notepad;solitaire;
Targets
Target: e6b0f81a947b7de134379b5be6827e5277fbdaedc9067654062ed94b0dd2aefd
Size: 2.9MB
MD5: c91f1586bb4bc9ea0953cdd3a7545227
SHA1: 9fc644188b50deb00f77c0e9e0d78482e2a0619d
SHA256: e6b0f81a947b7de134379b5be6827e5277fbdaedc9067654062ed94b0dd2aefd
SHA512: 044982c08afdc7c74fa59e1710f6e2697abe4985a4a8c8e6ec1dc5eb108d7758f04be26c158fb118f6f0866005fb4eb54b5f7b3d4844c351bc31d9f82f05e66e
SSDEEP: 49152:1HDpYiPDPHKf7Z0ek8jbq2Qg0Bk3JDSr0A8F1EdJv9XTZD9En/tdklpv:1HtRPzHKf90ek8jbvx0Bk3JDK21E5XtT
Signatures
- Remcos family
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (3)
  Virtualization/Sandbox Evasion (1)