General
Target: aa8857d0ba54f7b4e5c2fb504982dce7_JaffaCakes118
Size: 282KB
Sample: 240614-tav2ja1cmp
MD5: aa8857d0ba54f7b4e5c2fb504982dce7
SHA1: f8c8721da281b38b840990c2f889b5b4df37b3f3
SHA256: 72fccc6c2dc000ba8b26ce900b1fffe7aa2db978c38c6084c16aeddeb0220ee1
SHA512: bfd80a92d0f4e7452b7b424d0d3d9c5aefbf6332ab7dcb9fc44af4e810c926044fdfef14034decc61117368f59f48f8fede81420206f56e643cca657cd4e193a
SSDEEP: 6144:4wwfyCEtnExE0UU5Gp+5Z77YhvIrSCSmv5CbxH+YXuRPvA3Avw5w:bwfSGE0UU5sE8IrSChCbxHHXuRP+hy
Static task: static1
Behavioral task: behavioral1
Sample: 6823446575259753736886975965041853397966791866351969758355871156607314985293129427412447934361131985.exe
Resource: win7-20240221-en
Malware Config
Extracted: remcos 2.0.0 Pro
Host: 3.bgf4s9ydfe.in:17176
audio_folder: audio
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 5
copy_file: csrss.exe
copy_folder: Microsoft
delete_file: false
hide_file: true
hide_keylog_file: false
install_flag: true
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: hJUGggsgXzza85-82ZKTS
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: remcos
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: 68234465752597537368869759650418533979667918663519697583558711566073149852931294274124479343611319855032447576013648097242505659.exe
Size: 1.3MB
MD5: 40a7044dd6942281633dec3ad851d3a6
SHA1: 72f02333c9dacd2682b2b4587a26c72fb4993a9b
SHA256: 8e38f305b316191c779c9f309a3f80d6bf24e9ded3acc4e956552d7a562252ae
SHA512: 3a05a2b580d7cd46266dce05d8b01b3b6c0bde64f5d43bfc6e2cba61d8ba3ffe1fbb95d9ecc16db031f589c0edb92608d41c08886a444c16089afa5f95dee272
SSDEEP: 6144:FwhjUApfWf1FrvjxnEF/ts4H67gpOajvfxEflsFW:cJUFrvjxne1dHwUO2vfxEflsU
Behaviors:
Checks computer location settings (looks up country code configured in the registry, likely geofence)
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)