limerat | 55d3d6ed09fa05730edb9372a13567fbc0675eb4815e10cd08478d66bc5b8964

General

Target

405cacd2e01aa2630b36a2566d36bb67_JaffaCakes118.exe
Size

3.6MB
MD5

405cacd2e01aa2630b36a2566d36bb67
SHA1

e42272044591bd7cd54221275702bb95aaf74dca
SHA256

55d3d6ed09fa05730edb9372a13567fbc0675eb4815e10cd08478d66bc5b8964
SHA512

515b040525d544051beb05528221259cfc91cb1923acc51f68c5461cd11ebfb2f736a70465d95b891e126a1ec6ff32217a936166714b03517d978c91642ba293
SSDEEP

24576:rc3Ugs6OlCpGmReZ/dZf6cux+U9qYVgCxLWtVrbjJmv+:LLG+U9qYVgCxwL

Score

10^/10

limerat rat

Malware Config

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/nUWEE2yv
download_payload
false
install
false
pin_spread
false
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	405cacd2e01aa2630b36a2566d36bb67_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LocalLpblWSfZBy.exe

Executes dropped EXE 3 IoCs

pid	Process
1364	LocalLpblWSfZBy.exe
4112	LocalvpVsCaBmPb.exe
3496	WinWebShild-x86.3.4.7.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
39	pastebin.com
38	pastebin.com

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	LocalLpblWSfZBy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	WinWebShild-x86.3.4.7.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	WinWebShild-x86.3.4.7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	LocalLpblWSfZBy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3484	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3496	WinWebShild-x86.3.4.7.exe
Token: SeDebugPrivilege	3496	WinWebShild-x86.3.4.7.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 1364	3448	405cacd2e01aa2630b36a2566d36bb67_JaffaCakes118.exe	88
PID 3448 wrote to memory of 1364	3448	405cacd2e01aa2630b36a2566d36bb67_JaffaCakes118.exe	88
PID 3448 wrote to memory of 1364	3448	405cacd2e01aa2630b36a2566d36bb67_JaffaCakes118.exe	88
PID 3448 wrote to memory of 4112	3448	405cacd2e01aa2630b36a2566d36bb67_JaffaCakes118.exe	89
PID 3448 wrote to memory of 4112	3448	405cacd2e01aa2630b36a2566d36bb67_JaffaCakes118.exe	89
PID 1364 wrote to memory of 3484	1364	LocalLpblWSfZBy.exe	99
PID 1364 wrote to memory of 3484	1364	LocalLpblWSfZBy.exe	99
PID 1364 wrote to memory of 3484	1364	LocalLpblWSfZBy.exe	99
PID 1364 wrote to memory of 3496	1364	LocalLpblWSfZBy.exe	101
PID 1364 wrote to memory of 3496	1364	LocalLpblWSfZBy.exe	101
PID 1364 wrote to memory of 3496	1364	LocalLpblWSfZBy.exe	101

C:\Users\Admin\AppData\Local\Temp\405cacd2e01aa2630b36a2566d36bb67_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\405cacd2e01aa2630b36a2566d36bb67_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Users\Admin\AppData\LocalLpblWSfZBy.exe
  "C:\Users\Admin\AppData\LocalLpblWSfZBy.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc ONLOGON /RL HIGHEST /tn 3ndg4m3 /tr "'C:\Users\Admin\AppData\Local\Temp\Windowsupdate\WinWebShild-x86.3.4.7.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:3484
- - C:\Users\Admin\AppData\Local\Temp\Windowsupdate\WinWebShild-x86.3.4.7.exe
    "C:\Users\Admin\AppData\Local\Temp\Windowsupdate\WinWebShild-x86.3.4.7.exe"
    3⤵
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Suspicious use of AdjustPrivilegeToken
    PID:3496
- C:\Users\Admin\AppData\LocalvpVsCaBmPb.exe
  "C:\Users\Admin\AppData\LocalvpVsCaBmPb.exe"
  2⤵
  - Executes dropped EXE
  PID:4112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLpblWSfZBy.exe

Filesize
565KB

MD5
b770462cc92a1e134e87177458b3fdca

SHA1
9df6cf37f9e66490942f440d53e8e9322b773918

SHA256
4ea78ee731dd1ebbef5e26144ca9db420b28370eb8471445a35b73508b58a8f1

SHA512
a4aeb903e2db5899133664d9a884db11a6d2837bfb1bb0a68d270c55343dd2f7fe2d228fd78e6e7e99fe2ed7529d7f3cba2a9ce32837d3119dc4b877daa91f0f

Download Submit
C:\Users\Admin\AppData\LocalvpVsCaBmPb.exe

Filesize
676KB

MD5
a133941d2c514be98b4f93e70c8d6d0b

SHA1
a38fd4ffb244598594cee7ce11c82a54cf08ea75

SHA256
cc43e6ab19ccbc285536eb4b3f3fa356daa7fba69d4ec75d83a1f4e9dd637796

SHA512
29342c484b75efb91e0ca3f8c636acc5ee8d9daf95934a4e013f54593a9843113d179fdc2bdc0c37c7522a05b842a6212f15edac653d601c20fbb925000f5023

Download Submit
memory/1364-33-0x0000000005410000-0x0000000005420000-memory.dmp

Filesize
64KB

Download
memory/1364-46-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/1364-30-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/1364-34-0x00000000062C0000-0x0000000006864000-memory.dmp

Filesize
5.6MB

Download
memory/1364-23-0x0000000000A90000-0x0000000000B24000-memory.dmp

Filesize
592KB

Download
memory/1364-25-0x00000000054A0000-0x000000000553C000-memory.dmp

Filesize
624KB

Download
memory/1364-21-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/1364-29-0x0000000005410000-0x0000000005420000-memory.dmp

Filesize
64KB

Download
memory/1364-27-0x00000000055A0000-0x0000000005606000-memory.dmp

Filesize
408KB

Download
memory/3448-24-0x00007FFA2BAA0000-0x00007FFA2C561000-memory.dmp

Filesize
10.8MB

Download
memory/3448-1-0x00007FFA2BAA0000-0x00007FFA2C561000-memory.dmp

Filesize
10.8MB

Download
memory/3448-4-0x000000001B830000-0x000000001B840000-memory.dmp

Filesize
64KB

Download
memory/3448-0-0x0000000000660000-0x00000000009F4000-memory.dmp

Filesize
3.6MB

Download
memory/3448-2-0x000000001B550000-0x000000001B6A8000-memory.dmp

Filesize
1.3MB

Download
memory/3496-47-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/3496-49-0x0000000006600000-0x0000000006692000-memory.dmp

Filesize
584KB

Download
memory/3496-44-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/3496-45-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download
memory/3496-48-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download
memory/4112-32-0x00007FFA2BAA0000-0x00007FFA2C561000-memory.dmp

Filesize
10.8MB

Download
memory/4112-31-0x000000001ADF0000-0x000000001AE00000-memory.dmp

Filesize
64KB

Download
memory/4112-28-0x00007FFA2BAA0000-0x00007FFA2C561000-memory.dmp

Filesize
10.8MB

Download
memory/4112-26-0x000000001ADF0000-0x000000001AE00000-memory.dmp

Filesize
64KB

Download
memory/4112-22-0x0000000000160000-0x0000000000210000-memory.dmp

Filesize
704KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads