remcos | 38dda5e4059a39cb4d766f65d84e8e02a7189bf50803c719af45403a1ee3c35f

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2024 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_38dda5e4059a39cb4d766f65d84e8e02a7189bf50803c719af45403a1ee3c35f.exe
Size

959KB
MD5

3af10feddd3a827a7c7725fab1b97745
SHA1

c34daf7dea4deb87305cb2a7d3147da38f77091b
SHA256

38dda5e4059a39cb4d766f65d84e8e02a7189bf50803c719af45403a1ee3c35f
SHA512

c616ae06060fbfff228f294fb690fbb20af2f1230d592e1a3a020b084034d637cb7393c823d05e10c2eacabd06ab3ca4746953c4a77649693894b0d522396611
SSDEEP

24576:8HmHBVbcOmTnszrGeTMFTgm227Zaz5r2pXFWyEL:2QI9yrGIMFTI2JLq

Score

10^/10

remcos zzzzzzzzzzzzzzzzzzzzzzzznuevamente discovery rat

Malware Config

Extracted

Family

remcos

Version

2.5.1 Pro

Botnet

zzzzzzzzzzzzZZZZZZZZZZZZNUEVAMENTE

dominoduck2095.duckdns.org:9597

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
Chrome.exe
copy_folder
Chrome
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
system
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-NUTDL6
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 6 IoCs

flow	pid	Process
40	3908	cmd.exe
41	3908	cmd.exe
45	3908	cmd.exe
51	3908	cmd.exe
52	3908	cmd.exe
53	3908	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
4112	rundll32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\esentutl.job	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_38dda5e4059a39cb4d766f65d84e8e02a7189bf50803c719af45403a1ee3c35f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4112	rundll32.exe
4112	rundll32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4112	rundll32.exe
4112	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3908	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 4112	2420	JaffaCakes118_38dda5e4059a39cb4d766f65d84e8e02a7189bf50803c719af45403a1ee3c35f.exe	83
PID 2420 wrote to memory of 4112	2420	JaffaCakes118_38dda5e4059a39cb4d766f65d84e8e02a7189bf50803c719af45403a1ee3c35f.exe	83
PID 2420 wrote to memory of 4112	2420	JaffaCakes118_38dda5e4059a39cb4d766f65d84e8e02a7189bf50803c719af45403a1ee3c35f.exe	83
PID 4112 wrote to memory of 1444	4112	rundll32.exe	84
PID 4112 wrote to memory of 1444	4112	rundll32.exe	84
PID 4112 wrote to memory of 1444	4112	rundll32.exe	84
PID 4112 wrote to memory of 1444	4112	rundll32.exe	84
PID 4112 wrote to memory of 1444	4112	rundll32.exe	84
PID 4112 wrote to memory of 1444	4112	rundll32.exe	84
PID 4112 wrote to memory of 1444	4112	rundll32.exe	84
PID 4112 wrote to memory of 1444	4112	rundll32.exe	84
PID 4112 wrote to memory of 1444	4112	rundll32.exe	84
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85
PID 4112 wrote to memory of 3908	4112	rundll32.exe	85

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_38dda5e4059a39cb4d766f65d84e8e02a7189bf50803c719af45403a1ee3c35f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_38dda5e4059a39cb4d766f65d84e8e02a7189bf50803c719af45403a1ee3c35f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe GuestRummy,Michelle
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:1444
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GuestRummy.DLL

Filesize
19KB

MD5
fc2b4128dbe4d1885b5f3297b8d77e3d

SHA1
239043c06a87fd038f242a240d64996acd7de8b9

SHA256
95965a6f6a610d3cd68ab6f2eabdb2fb23c29db258761ea8b547c754fe11ce4e

SHA512
a477136f2ebf89257197d86cd35b050e7fd0ad8cce97f3d532ac9749ddb9e4dfc9bce365543ab812b80a182f10f631bddb322bb9a89e745cb75a7116e2061f84

Download Submit
C:\Users\Admin\AppData\Local\Temp\Widget

Filesize
858KB

MD5
d939d6020b0253004cf75fe77ec938be

SHA1
4e01426b8d1e95d95de93ffbce6d17ad9f68a3d5

SHA256
6a245cf81218561625e171252d8f66d712aa9c7f3181540a0d2eb7d50d1c2b86

SHA512
c7ad2cca81c67804e46ebfda9170f3a3a63e1487b4143fbdb1ea56b439f7b809ab6b82bb4cd3ba16152326cdd6445f0254f055dfbfe5f6d55c9bb781b931ab40

Download Submit
C:\Users\Admin\AppData\Roaming\system\logs.dat

Filesize
74B

MD5
f714b2dbcfea441d3410742ec40526bf

SHA1
3f7c932f74b81b9bdc43cb92697af42d690e714e

SHA256
5e92c1a322a4664f11b7436e4472055315885268363efabdc3edb63082eda7e0

SHA512
cbcde42806494cf89670a2decfc8e2a893d1917102f2de50860e38844ea349dde66cb0c41e86b36da27ff7d268877eb2e15eb90ec3a2288eac54068460eca1e8

Download Submit
memory/3908-30-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3908-23-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3908-24-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3908-25-0x0000000000810000-0x0000000000816000-memory.dmp

Filesize
24KB

Download
memory/3908-31-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3908-34-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3908-36-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4112-22-0x0000000075500000-0x0000000075563000-memory.dmp

Filesize
396KB

Download
memory/4112-26-0x0000000074400000-0x00000000744C8000-memory.dmp

Filesize
800KB

Download
memory/4112-21-0x0000000074400000-0x00000000744C8000-memory.dmp

Filesize
800KB

Download
memory/4112-20-0x0000000000B50000-0x0000000000B52000-memory.dmp

Filesize
8KB

Download