BKDR_REMCOS.TICOGAN

 Analysis by: Wilbert Vidal

 ALIASES:

Gen:Variant.Graftor.477418 (GData); Gen:Variant.Graftor.477418 (B) (Emsisoft); Gen:Variant.Graftor.477418 (BitDefender)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW


This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It creates folders where it drops its files. It uses Windows Task Scheduler to create a scheduled task that executes the dropped copy.

  TECHNICAL DETAILS

File Size:

327,680 bytes

File Type:

EXE

Initial Samples Received Date:

19 Mar 2018

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Backdoor adds the following folders:

  • %Application Data%\remcos

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It uses Windows Task Scheduler to create a scheduled task that executes the dropped copy.

Autostart Technique

This Backdoor drops the following files:

  • %Application Data%\remcos\logs.dat

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Other System Modifications

This Backdoor adds the following registry keys:

HKCU\Software\Remcos-03OVEJ
EXEpath = DE 4F 07 B3 6C BC E5 09 94 F6 C9 49 1F 7F 12 73 E1 1E 8F 64 42 34 28 BC AF 49 2C 8A 95 E1 B7 DE 5F 98 0A 26 49 A3 D0 1C 17 D8 92 8A 3F 01 8F E8 9A 9C AA F5 F0 A1 F0 8E 5E 24 63 08 B6 06 46 68 79 8D 09 31 2E 81 68 E4 0A 2C 8F 45 2A 91 56 3E 9F F2 02 D2 4D 53 95 53 D6 20 46 86 6D 2C 60 4B

Other Details

This Backdoor connects to the following possibly malicious URL:

  • {BLOCKED}.{BLOCKED}.227.189:4900

It adds the following scheduled tasks:

  • Task Name: fishtails
    Schedule: every minute
    Task to be run: %Application Data%\Bayou.exe

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)