limerat | 55d3d6ed09fa05730edb9372a13567fbc0675eb4815e10cd08478d66bc5b8964

General

Target

405cacd2e01aa2630b36a2566d36bb67_JaffaCakes118.exe
Size

3.6MB
MD5

405cacd2e01aa2630b36a2566d36bb67
SHA1

e42272044591bd7cd54221275702bb95aaf74dca
SHA256

55d3d6ed09fa05730edb9372a13567fbc0675eb4815e10cd08478d66bc5b8964
SHA512

515b040525d544051beb05528221259cfc91cb1923acc51f68c5461cd11ebfb2f736a70465d95b891e126a1ec6ff32217a936166714b03517d978c91642ba293
SSDEEP

24576:rc3Ugs6OlCpGmReZ/dZf6cux+U9qYVgCxLWtVrbjJmv+:LLG+U9qYVgCxwL

Score

10^/10

limerat rat

Malware Config

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/nUWEE2yv
download_payload
false
install
false
pin_spread
false
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Executes dropped EXE 3 IoCs

Processes:

LocalLpblWSfZBy.exeLocalvpVsCaBmPb.exeWinWebShild-x86.3.4.7.exe

pid process

2740 LocalLpblWSfZBy.exe
940 LocalvpVsCaBmPb.exe
1144 WinWebShild-x86.3.4.7.exe
Loads dropped DLL 2 IoCs

Processes:

LocalLpblWSfZBy.exe

pid process

2740 LocalLpblWSfZBy.exe
2740 LocalLpblWSfZBy.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

4 pastebin.com
5 pastebin.com

pid	process
2740	LocalLpblWSfZBy.exe
940	LocalvpVsCaBmPb.exe
1144	WinWebShild-x86.3.4.7.exe

pid	process
2740	LocalLpblWSfZBy.exe
2740	LocalLpblWSfZBy.exe

flow	ioc
4	pastebin.com
5	pastebin.com

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

WinWebShild-x86.3.4.7.exeLocalLpblWSfZBy.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	WinWebShild-x86.3.4.7.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	WinWebShild-x86.3.4.7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	LocalLpblWSfZBy.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	LocalLpblWSfZBy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2796 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

WinWebShild-x86.3.4.7.exe

description pid process

Token: SeDebugPrivilege 1144 WinWebShild-x86.3.4.7.exe
Token: SeDebugPrivilege 1144 WinWebShild-x86.3.4.7.exe

pid	process
2796	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1144	WinWebShild-x86.3.4.7.exe
Token: SeDebugPrivilege	1144	WinWebShild-x86.3.4.7.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

405cacd2e01aa2630b36a2566d36bb67_JaffaCakes118.exeLocalLpblWSfZBy.exe

description	pid	process	target process
PID 2316 wrote to memory of 2740	2316	405cacd2e01aa2630b36a2566d36bb67_JaffaCakes118.exe	LocalLpblWSfZBy.exe
PID 2316 wrote to memory of 2740	2316	405cacd2e01aa2630b36a2566d36bb67_JaffaCakes118.exe	LocalLpblWSfZBy.exe
PID 2316 wrote to memory of 2740	2316	405cacd2e01aa2630b36a2566d36bb67_JaffaCakes118.exe	LocalLpblWSfZBy.exe
PID 2316 wrote to memory of 2740	2316	405cacd2e01aa2630b36a2566d36bb67_JaffaCakes118.exe	LocalLpblWSfZBy.exe
PID 2316 wrote to memory of 940	2316	405cacd2e01aa2630b36a2566d36bb67_JaffaCakes118.exe	LocalvpVsCaBmPb.exe
PID 2316 wrote to memory of 940	2316	405cacd2e01aa2630b36a2566d36bb67_JaffaCakes118.exe	LocalvpVsCaBmPb.exe
PID 2316 wrote to memory of 940	2316	405cacd2e01aa2630b36a2566d36bb67_JaffaCakes118.exe	LocalvpVsCaBmPb.exe
PID 2740 wrote to memory of 2796	2740	LocalLpblWSfZBy.exe	schtasks.exe
PID 2740 wrote to memory of 2796	2740	LocalLpblWSfZBy.exe	schtasks.exe
PID 2740 wrote to memory of 2796	2740	LocalLpblWSfZBy.exe	schtasks.exe
PID 2740 wrote to memory of 2796	2740	LocalLpblWSfZBy.exe	schtasks.exe
PID 2740 wrote to memory of 1144	2740	LocalLpblWSfZBy.exe	WinWebShild-x86.3.4.7.exe
PID 2740 wrote to memory of 1144	2740	LocalLpblWSfZBy.exe	WinWebShild-x86.3.4.7.exe
PID 2740 wrote to memory of 1144	2740	LocalLpblWSfZBy.exe	WinWebShild-x86.3.4.7.exe
PID 2740 wrote to memory of 1144	2740	LocalLpblWSfZBy.exe	WinWebShild-x86.3.4.7.exe

C:\Users\Admin\AppData\Local\Temp\405cacd2e01aa2630b36a2566d36bb67_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\405cacd2e01aa2630b36a2566d36bb67_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2316

C:\Users\Admin\AppData\LocalLpblWSfZBy.exe
"C:\Users\Admin\AppData\LocalLpblWSfZBy.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc ONLOGON /RL HIGHEST /tn 3ndg4m3 /tr "'C:\Users\Admin\AppData\Local\Temp\Windowsupdate\WinWebShild-x86.3.4.7.exe'"
3⤵
- Creates scheduled task(s)
PID:2796

C:\Users\Admin\AppData\Local\Temp\Windowsupdate\WinWebShild-x86.3.4.7.exe
"C:\Users\Admin\AppData\Local\Temp\Windowsupdate\WinWebShild-x86.3.4.7.exe"
3⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Users\Admin\AppData\LocalvpVsCaBmPb.exe
"C:\Users\Admin\AppData\LocalvpVsCaBmPb.exe"
2⤵
- Executes dropped EXE
PID:940

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLpblWSfZBy.exe
Filesize
565KB

MD5
b770462cc92a1e134e87177458b3fdca

SHA1
9df6cf37f9e66490942f440d53e8e9322b773918

SHA256
4ea78ee731dd1ebbef5e26144ca9db420b28370eb8471445a35b73508b58a8f1

SHA512
a4aeb903e2db5899133664d9a884db11a6d2837bfb1bb0a68d270c55343dd2f7fe2d228fd78e6e7e99fe2ed7529d7f3cba2a9ce32837d3119dc4b877daa91f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5DB0.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\LocalvpVsCaBmPb.exe
Filesize
676KB

MD5
a133941d2c514be98b4f93e70c8d6d0b

SHA1
a38fd4ffb244598594cee7ce11c82a54cf08ea75

SHA256
cc43e6ab19ccbc285536eb4b3f3fa356daa7fba69d4ec75d83a1f4e9dd637796

SHA512
29342c484b75efb91e0ca3f8c636acc5ee8d9daf95934a4e013f54593a9843113d179fdc2bdc0c37c7522a05b842a6212f15edac653d601c20fbb925000f5023

Download Submit
memory/940-25-0x000007FEF5B50000-0x000007FEF653C000-memory.dmp

Filesize
9.9MB

Download
memory/940-27-0x000000001AFF0000-0x000000001B070000-memory.dmp

Filesize
512KB

Download
memory/940-19-0x000007FEF5B50000-0x000007FEF653C000-memory.dmp

Filesize
9.9MB

Download
memory/940-21-0x0000000000230000-0x00000000002E0000-memory.dmp

Filesize
704KB

Download
memory/940-24-0x000000001AFF0000-0x000000001B070000-memory.dmp

Filesize
512KB

Download
memory/1144-80-0x00000000046C0000-0x0000000004700000-memory.dmp

Filesize
256KB

Download
memory/1144-42-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/1144-43-0x00000000046C0000-0x0000000004700000-memory.dmp

Filesize
256KB

Download
memory/1144-39-0x0000000000850000-0x00000000008E4000-memory.dmp

Filesize
592KB

Download
memory/1144-41-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/2316-3-0x000000001B540000-0x000000001B5C0000-memory.dmp

Filesize
512KB

Download
memory/2316-20-0x000007FEF5B50000-0x000007FEF653C000-memory.dmp

Filesize
9.9MB

Download
memory/2316-0-0x0000000000E50000-0x00000000011E4000-memory.dmp

Filesize
3.6MB

Download
memory/2316-1-0x000007FEF5B50000-0x000007FEF653C000-memory.dmp

Filesize
9.9MB

Download
memory/2316-2-0x000000001AF60000-0x000000001B0B8000-memory.dmp

Filesize
1.3MB

Download
memory/2740-22-0x0000000000980000-0x0000000000A14000-memory.dmp

Filesize
592KB

Download
memory/2740-40-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/2740-29-0x0000000004DC0000-0x0000000004E00000-memory.dmp

Filesize
256KB

Download
memory/2740-26-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/2740-23-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads