Overview

overview

10

Static

static

1

678a836b41...80.jar

windows7-x64

10

678a836b41...80.jar

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-01-2024 11:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    678a836b41b132da287f0da90e822480.jar

  • Size

    166KB

  • MD5

    678a836b41b132da287f0da90e822480

  • SHA1

    d4eec0106a8fffcb9c850ba515b18a84c42f7973

  • SHA256

    73536c89f6d0063c32c17294ae8aedd69b75fc9b5adb6848749a0b811241ea8e

  • SHA512

    221a6dbf894d8b58f1a4357df8e774b13783ad08d805b48df0ce57dbd9579118f49fe1248ea023711d2684a650d02a4789f50d6ca6986e71fd7857fed0f3aec4

  • SSDEEP

    3072:O2OP/lXyajtcnHLEt+UUN3VEggvwMoGc6OFULv3rFLZmVjDBEDmhIJLPcaZMXpFd:ny/liajqnHLEt+lVEg25o16OCLRl2DqC

Score
10/10
limeratdiscoveryrat

Malware Config

Extracted

Family

limerat

Attributes
  • antivm

    false

  • c2_url

    https://pastebin.com/raw/G9wX4J5m

  • download_payload

    false

  • install

    false

  • pin_spread

    false

  • usb_spread

    false

Signatures

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

    ratlimerat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Program Files directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\678a836b41b132da287f0da90e822480.jar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4600
    • C:\Windows\SYSTEM32\wscript.exe
      wscript C:\Users\Admin\ddowgooevv.js
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4084
      • C:\Program Files\Java\jre-1.8\bin\javaw.exe
        "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\rulrquxbxx.txt"
        3⤵
        • Drops file in Program Files directory
        PID:2856
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\wgQDzEaaot.js"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:3388
    • C:\Windows\system32\icacls.exe
      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      2⤵
      • Modifies file permissions
      PID:4156
  • C:\Users\Admin\AppData\Roaming\New-Client.exe
    "C:\Users\Admin\AppData\Roaming\New-Client.exe"
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:2568
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\player.exe'"
      2⤵
      • Creates scheduled task(s)
      PID:3156
    • C:\Users\Admin\AppData\Roaming\player.exe
      "C:\Users\Admin\AppData\Roaming\player.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4732

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
    Filesize

    46B

    MD5

    035ccf1bef2a15d762225b13cbefe1c9

    SHA1

    72c84c81ddf6a185625253afdaa21662dcea3774

    SHA256

    19b069aa53d951438229a508831f9e2fc7814136d13878e0ddbce0eb354aecc4

    SHA512

    ee102c3f27d3aa425972bc2aabf2dfd7b5b24c6f42c1d352d38aeed2e685e18d0e9fe552a5bb417bee76c5d9a440b8a3fe759eec828325b29d225217cb9d32d7

    Download Submit

  • C:\Users\Admin\AppData\Roaming\New-Client.exe
    Filesize

    28KB

    MD5

    1ad564a6ca1520e8886faffc4e0ff1d4

    SHA1

    7d3b61daef1afed73838351dbf788448cf88d031

    SHA256

    2c3a771c2ecbd58409c3f348220c5d9419901e882c61531b68e07b80eb0d3df4

    SHA512

    b54d6cb92876546c38503e5e673d765f2e323246f5adbaefa83cdc62af6a462d117d3dc183666f902a84575590aa02f94d9997e7783e6f99050c57a710fab441

    Download Submit

  • C:\Users\Admin\AppData\Roaming\rulrquxbxx.txt
    Filesize

    64KB

    MD5

    4ba645586c7a9a3eb998cf5a8238104b

    SHA1

    db7acef39adbc260eea6d728e4811c6b0c2f8a73

    SHA256

    b06f08da6734add59c3a3ccea97d4f1e12e70903f583e2647ef69c7e26924b2f

    SHA512

    07e647733efd6c798de0fcb61dbbea349251960384b68ab2d90e365696e98a6bc593cbb8e1bc000e47fecfa9a891f23f43c1ea65b829c9d4ce60158ffa28a0cb

    Download Submit

  • C:\Users\Admin\AppData\Roaming\wgQDzEaaot.js
    Filesize

    53KB

    MD5

    34257f43cd09bb9f9aa171b8d5d40d15

    SHA1

    2205fc3296c2fa97706700c4e6d6f7ef1f185892

    SHA256

    8b2a8b2e8d7b89e72c2fbdbb79596f9d4dcc0a4304c566ee26bd5b966a099568

    SHA512

    b16feb70bddc57e556be7db50242a50a600e4775d6a64af64be2d25c055e2e7d0bf292b9c318ff1ddfd9d994995b2f27e47e22b216e864e39d579560ba8c9b08

    Download Submit

  • C:\Users\Admin\ddowgooevv.js
    Filesize

    280KB

    MD5

    aaafafd3890c93c59000316f96108b99

    SHA1

    5fba17bdc35acbb86e1cb63ea443553770552214

    SHA256

    36664de87581e5777c3c975ad9e430ce8ac2ff80c24b565d7b40aaba75106727

    SHA512

    a18aa97f92d612ba6c383cec57f88f5e1097171222db1eccfaff0e35019832d80f3adeb88097525b9658c950e44c461e73c4136c24b081844e4dcda37cf38543

    Download Submit

  • memory/2568-42-0x0000000074FB0000-0x0000000075561000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2568-41-0x0000000001410000-0x0000000001420000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2568-63-0x0000000074FB0000-0x0000000075561000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2856-43-0x0000010969CF0000-0x0000010969CF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2856-48-0x000001096B4F0000-0x000001096C4F0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/2856-52-0x000001096B780000-0x000001096B790000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2856-53-0x000001096B790000-0x000001096B7A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2856-51-0x000001096B770000-0x000001096B780000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2856-31-0x000001096B4F0000-0x000001096C4F0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/2856-66-0x000001096B4F0000-0x000001096C4F0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/4600-14-0x000001F1929C0000-0x000001F1929C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4600-4-0x000001F1929E0000-0x000001F1939E0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/4732-65-0x0000000000A20000-0x0000000000A30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4732-64-0x0000000074FB0000-0x0000000075561000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4732-68-0x0000000000A20000-0x0000000000A30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4732-67-0x0000000074FB0000-0x0000000075561000-memory.dmp

    Filesize

    5.7MB

    Download