Overview

overview

10

Static

static

3

JaffaCakes...82.exe

windows7-x64

10

JaffaCakes...82.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    10-01-2025 03:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_d9be6e743c8b0aa8b4b90317c7e67c82.exe

  • Size

    634KB

  • MD5

    d9be6e743c8b0aa8b4b90317c7e67c82

  • SHA1

    9053adbbb2d16f6605a6f177e4780902c4b3eb29

  • SHA256

    de044337b12eb226975f080442f42dd95b506d2ae96fdb6473d5143bc35302ea

  • SHA512

    faf647fff8299279e5bd738a63cc5e5149cb09eb6bf0a594ea24d4a960c44a051ff315b076bddf260a139d10530a9910350554763259cc96604db093f9700e19

  • SSDEEP

    12288:abUzps8KWpghT5NF+048vy/PTm23n2Oi6qQfE+lxWXfJMd+Wsssb/hyDVebAk:dpXKWpO5NI04m23nrw8xWE+3ssb/hyDC

Score
10/10
remcoswechatsetupdiscoveryevasionexecutionpersistencerat

Malware Config

Extracted

Family

remcos

Version

3.3.0 Pro

Botnet

WeChatsetup

C2

grace.adds-only.xyz:1619

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    WeChatsetup.exe

  • copy_folder

    WeChatx

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    WeChatxl

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-2DS55H

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    WeChatx

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;solitaire;

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Looks for VMWare Tools registry key 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d9be6e743c8b0aa8b4b90317c7e67c82.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d9be6e743c8b0aa8b4b90317c7e67c82.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:800
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d9be6e743c8b0aa8b4b90317c7e67c82.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2860
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NUrruv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp16FA.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1832
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d9be6e743c8b0aa8b4b90317c7e67c82.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d9be6e743c8b0aa8b4b90317c7e67c82.exe"
      2⤵
        PID:2672
      • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d9be6e743c8b0aa8b4b90317c7e67c82.exe
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d9be6e743c8b0aa8b4b90317c7e67c82.exe"
        2⤵
          PID:2692
        • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d9be6e743c8b0aa8b4b90317c7e67c82.exe
          "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d9be6e743c8b0aa8b4b90317c7e67c82.exe"
          2⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2724
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1504
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\WeChatx\WeChatsetup.exe"
              4⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1344
              • C:\Users\Admin\AppData\Roaming\WeChatx\WeChatsetup.exe
                C:\Users\Admin\AppData\Roaming\WeChatx\WeChatsetup.exe
                5⤵
                • Looks for VirtualBox Guest Additions in registry
                • Looks for VMWare Tools registry key
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Loads dropped DLL
                • Maps connected drives based on registry
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:1660
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WeChatx\WeChatsetup.exe"
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2536
                • C:\Windows\SysWOW64\schtasks.exe
                  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NUrruv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCC73.tmp"
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:676
                • C:\Users\Admin\AppData\Roaming\WeChatx\WeChatsetup.exe
                  "C:\Users\Admin\AppData\Roaming\WeChatx\WeChatsetup.exe"
                  6⤵
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Suspicious use of SetWindowsHookEx
                  PID:1312

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Modify Registry

      2
      T1112

      Virtualization/Sandbox Evasion

      2
      T1497

      Credential Access

      Discovery

      Peripheral Device Discovery

      1
      T1120

      Query Registry

      4
      T1012

      System Information Discovery

      3
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      Virtualization/Sandbox Evasion

      2
      T1497

      Lateral Movement

      Collection

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\install.vbs
        Filesize

        430B

        MD5

        cd993335674b29ee5d504bfdd6fceaf4

        SHA1

        0d9fbb54cdb0802f0adef4cda0e72868234ec0fa

        SHA256

        177d8acb4ebf8382a98e2ef6a61ca5453774365b783b341a581646a1876e212e

        SHA512

        3f432b6eb8c35333017ba458fa92ee65cb8aa0c52113505a6dd21d435621b04c3ae708db879f55768593852a9e17c51cf2230642c3d101859008d43eb7cba64c

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
        Filesize

        7KB

        MD5

        0b67a84ca133947da170c77fc3976fe9

        SHA1

        c38b8c34730c53eba4670b7c5d3a6971a7d3d697

        SHA256

        e667869d2d65d2635054823a9ac8d7944f07d785603e026a076acfa3a9bfbeea

        SHA512

        b1e0fff45684253b5d5cb0af28441d006f78027578726fec73150b2c69c6c004525cbe9a93e0b81257c218ae47a4080e39b8f5dfb2f34f33e54d7e8a80352e53

        Download Submit

      • C:\Users\Admin\AppData\Roaming\WeChatxl\logs.dat
        Filesize

        184B

        MD5

        6fc1e3a7fee525e256e1847e771b891a

        SHA1

        66c0e2e8990983411327baebb07656e99755971d

        SHA256

        f8f37163b96d072841d2e7ef75f9b5173de80b2c502aa67dc91d75d7bce19eee

        SHA512

        75b269ccd9162e43f30b5a42a032af60ac88e6b1feaece0ba72a643174945616872389c4d69bb6cc6f02adc555fd0f81edc7371019c87c6e5f9dd0614c116543

        Download Submit

      • \Users\Admin\AppData\Roaming\WeChatx\WeChatsetup.exe
        Filesize

        634KB

        MD5

        d9be6e743c8b0aa8b4b90317c7e67c82

        SHA1

        9053adbbb2d16f6605a6f177e4780902c4b3eb29

        SHA256

        de044337b12eb226975f080442f42dd95b506d2ae96fdb6473d5143bc35302ea

        SHA512

        faf647fff8299279e5bd738a63cc5e5149cb09eb6bf0a594ea24d4a960c44a051ff315b076bddf260a139d10530a9910350554763259cc96604db093f9700e19

        Download Submit

      • memory/800-7-0x0000000008DD0000-0x0000000008E6C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/800-5-0x0000000000BA0000-0x0000000000BAE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/800-6-0x0000000074EC0000-0x00000000755AE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/800-0-0x0000000074ECE000-0x0000000074ECF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/800-1-0x0000000000ED0000-0x0000000000F74000-memory.dmp

        Filesize

        656KB

        Download

      • memory/800-4-0x0000000074EC0000-0x00000000755AE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/800-3-0x0000000074EC0000-0x00000000755AE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/800-38-0x0000000074EC0000-0x00000000755AE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/800-2-0x0000000074EC0000-0x00000000755AE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1312-75-0x0000000000400000-0x0000000000479000-memory.dmp

        Filesize

        484KB

        Download

      • memory/1312-72-0x0000000000400000-0x0000000000479000-memory.dmp

        Filesize

        484KB

        Download

      • memory/1312-71-0x0000000000400000-0x0000000000479000-memory.dmp

        Filesize

        484KB

        Download

      • memory/1312-68-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1660-43-0x0000000000260000-0x0000000000304000-memory.dmp

        Filesize

        656KB

        Download

      • memory/2724-33-0x0000000000400000-0x0000000000479000-memory.dmp

        Filesize

        484KB

        Download

      • memory/2724-15-0x0000000000400000-0x0000000000479000-memory.dmp

        Filesize

        484KB

        Download

      • memory/2724-17-0x0000000000400000-0x0000000000479000-memory.dmp

        Filesize

        484KB

        Download

      • memory/2724-20-0x0000000000400000-0x0000000000479000-memory.dmp

        Filesize

        484KB

        Download

      • memory/2724-21-0x0000000000400000-0x0000000000479000-memory.dmp

        Filesize

        484KB

        Download

      • memory/2724-25-0x0000000000400000-0x0000000000479000-memory.dmp

        Filesize

        484KB

        Download

      • memory/2724-27-0x0000000000400000-0x0000000000479000-memory.dmp

        Filesize

        484KB

        Download

      • memory/2724-32-0x0000000000400000-0x0000000000479000-memory.dmp

        Filesize

        484KB

        Download

      • memory/2724-29-0x0000000000400000-0x0000000000479000-memory.dmp

        Filesize

        484KB

        Download

      • memory/2724-24-0x0000000000400000-0x0000000000479000-memory.dmp

        Filesize

        484KB

        Download

      • memory/2724-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download