Analysis
-
max time kernel
148s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
09-01-2025 18:55
General
-
Target
JaffaCakes118_cfbc12724a70e40d2c8198e0b6b7a31b.exe
-
Size
7.2MB
-
MD5
cfbc12724a70e40d2c8198e0b6b7a31b
-
SHA1
72eae54b673e5847d76edc7414754cd3a031d53f
-
SHA256
d6b0deb424fc3aa7bcb783f29c826fd5505878a95f24586eecb0d0f086d34dd3
-
SHA512
de4bf0c456e7563ffa6ac4b0915c78f4f00a921d941e8808465cd8863fab1fdd1be8f553ad61b32d0e0878a037e9e665bcb86c80f4d9bac78f9e1586724752bc
-
SSDEEP
49152:PccBdkUSY+5zvCHT6xX379ZO3LEHe3Rh4mkR1I2j0iU50AX79UA7DPrFB2S:UckDeEGh4mkHj5l079UA7vFB2
Malware Config
Extracted
remcos
3.3.0 Pro
hopa
178.20.44.131:2405
my.bingoroll20.net:2405
my.bingoroll19.net:2405
my.bingoroll18.net:2405
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
winmap.exe
-
copy_folder
winmap
-
delete_file
true
-
hide_file
true
-
hide_keylog_file
false
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
pidron-PXIKI2
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
winmap
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
notepad;solitaire;
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Remcos family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
-
Adds policy Run key to start application 2 TTPs 4 IoCs
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfbc12724a70e40d2c8198e0b6b7a31b.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfbc12724a70e40d2c8198e0b6b7a31b.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Adds policy Run key to start application
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"2⤵
- Checks computer location settings
- Deletes itself
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\winmap\winmap.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\winmap\winmap.exeC:\Users\Admin\AppData\Roaming\winmap\winmap.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Adds policy Run key to start application
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
622B
MD55870831aeac7efa721bf1a418cecb514
SHA1afeebdd676d930cb290a08c8f79e545002901aeb
SHA256d99e72c1a4f9475418faf82a74b9b15a335b5dc3c9b8ac687b721632ce162410
SHA512114ba7749db0caf5fbe94c91b3139eafe3902b08e9299be79038d90267d8a3b860f5e936b545cd2b6cd608d6f583f848ac8bbd87e06b15b6b418fd08f4744cc4
-
Filesize
7.2MB
MD5cfbc12724a70e40d2c8198e0b6b7a31b
SHA172eae54b673e5847d76edc7414754cd3a031d53f
SHA256d6b0deb424fc3aa7bcb783f29c826fd5505878a95f24586eecb0d0f086d34dd3
SHA512de4bf0c456e7563ffa6ac4b0915c78f4f00a921d941e8808465cd8863fab1fdd1be8f553ad61b32d0e0878a037e9e665bcb86c80f4d9bac78f9e1586724752bc
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
8KB