Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    14-08-2021 13:41

General

  • Target

    AML_Commpliance_pdf.js

  • Size

    111KB

  • MD5

    f41c8229b3c54c3ff51191372d9cb790

  • SHA1

    c4d57e6f2b94060a94c4f84863a597c2ef58651d

  • SHA256

    61b69d2a4ca9404f1a5b73fac4790b0a41c7c7f766ba90d5a459612b629bf9b1

  • SHA512

    df6fd5888700d5acc5988821087c7a304e1ceff914320342dd1393f0366c6995828ffd9a82a36b029452215815fdb42e7c7aa9972ef16099fec7d7926a5f6c11

Malware Config

Extracted

Family

limerat

Wallets

1Cs8MjxkXtYwkDKypg8i1Vj5nzhANpgC6y

Attributes
  • aes_key

    2249

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/G9wX4J5m

  • delay

    8

  • download_payload

    false

  • install

    true

  • install_name

    player.exe

  • main_folder

    AppData

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    false

Signatures

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request 18 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\AML_Commpliance_pdf.js
    1⤵
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3988
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\jXZTZBjYZp.js"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3336
      • C:\Users\Admin\AppData\Roaming\New-Client.exe
        "C:\Users\Admin\AppData\Roaming\New-Client.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2356
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\player.exe'"
          4⤵
          • Creates scheduled task(s)
          PID:1408
        • C:\Users\Admin\AppData\Roaming\player.exe
          "C:\Users\Admin\AppData\Roaming\player.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3992
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\AML_Commpliance_pdf.js
      2⤵
      • Creates scheduled task(s)
      PID:2752

Network

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Discovery

System Information Discovery

1
T1082

Command and Control

Web Service

1
T1102

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\New-Client.exe
    MD5

    1ad564a6ca1520e8886faffc4e0ff1d4

    SHA1

    7d3b61daef1afed73838351dbf788448cf88d031

    SHA256

    2c3a771c2ecbd58409c3f348220c5d9419901e882c61531b68e07b80eb0d3df4

    SHA512

    b54d6cb92876546c38503e5e673d765f2e323246f5adbaefa83cdc62af6a462d117d3dc183666f902a84575590aa02f94d9997e7783e6f99050c57a710fab441

  • C:\Users\Admin\AppData\Roaming\New-Client.exe
    MD5

    1ad564a6ca1520e8886faffc4e0ff1d4

    SHA1

    7d3b61daef1afed73838351dbf788448cf88d031

    SHA256

    2c3a771c2ecbd58409c3f348220c5d9419901e882c61531b68e07b80eb0d3df4

    SHA512

    b54d6cb92876546c38503e5e673d765f2e323246f5adbaefa83cdc62af6a462d117d3dc183666f902a84575590aa02f94d9997e7783e6f99050c57a710fab441

  • C:\Users\Admin\AppData\Roaming\jXZTZBjYZp.js
    MD5

    676c61e12789321127ee39d4f6040e6e

    SHA1

    d28eb6214cc3b5659d758ac1f64c7ad0d9a1d0f5

    SHA256

    c2ac77ca98d95ffa6ad11691c395bf22c564ab87f8dfad3211533a215b89d28b

    SHA512

    439218663821587f1727d7b833dae0991b75ae9f0e5a0761c72984758b3f1750fdca7242f1f8d9626561c3eeab826892d190112b901b1f632df75c820f67e5f8

  • C:\Users\Admin\AppData\Roaming\player.exe
    MD5

    1ad564a6ca1520e8886faffc4e0ff1d4

    SHA1

    7d3b61daef1afed73838351dbf788448cf88d031

    SHA256

    2c3a771c2ecbd58409c3f348220c5d9419901e882c61531b68e07b80eb0d3df4

    SHA512

    b54d6cb92876546c38503e5e673d765f2e323246f5adbaefa83cdc62af6a462d117d3dc183666f902a84575590aa02f94d9997e7783e6f99050c57a710fab441

  • C:\Users\Admin\AppData\Roaming\player.exe
    MD5

    1ad564a6ca1520e8886faffc4e0ff1d4

    SHA1

    7d3b61daef1afed73838351dbf788448cf88d031

    SHA256

    2c3a771c2ecbd58409c3f348220c5d9419901e882c61531b68e07b80eb0d3df4

    SHA512

    b54d6cb92876546c38503e5e673d765f2e323246f5adbaefa83cdc62af6a462d117d3dc183666f902a84575590aa02f94d9997e7783e6f99050c57a710fab441

  • memory/1408-121-0x0000000000000000-mapping.dmp
  • memory/2356-117-0x0000000000000000-mapping.dmp
  • memory/2356-120-0x0000000002CA0000-0x0000000002CA1000-memory.dmp
    Filesize

    4KB

  • memory/2752-116-0x0000000000000000-mapping.dmp
  • memory/3336-114-0x0000000000000000-mapping.dmp
  • memory/3992-122-0x0000000000000000-mapping.dmp
  • memory/3992-125-0x0000000002D70000-0x0000000002D71000-memory.dmp
    Filesize

    4KB