Overview

overview

10

Static

static

7

f998121d52...18.exe

windows7-x64

10

f998121d52...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f998121d523426ed0afed3d21dfb0d69_JaffaCakes118

  • Size

    380KB

  • Sample

    240419-f254xsah7y

  • MD5

    f998121d523426ed0afed3d21dfb0d69

  • SHA1

    fd4da5a1bd5ec4d6508c78a01f0002a3348df0e7

  • SHA256

    7a9a5279a3ced8e2aabcb0edf0c1f5f935d33b49807de894774ad8f9c51a02f8

  • SHA512

    c701c0bd0a129adb3593e66d6867f605f305a28c02351c3df607505f0e6bbe66d8755d8b9ac8ea22b550b233fed7335a179100b8bf889d843d6a8a540b1334f0

  • SSDEEP

    6144:V6C4vUQ2R02etDfet3Agp0q9ygbX+1RzDU8vTMpcvEF:V7Q002e1saMJcR/VbKcvi

Score
10/10
limeratagilenetrat

Malware Config

Extracted

Family

limerat

Attributes
  • antivm

    false

  • c2_url

    https://pastebin.com/raw/tDBQY6gT

  • download_payload

    false

  • install

    false

  • pin_spread

    false

  • usb_spread

    false

Targets

    • Target

      f998121d523426ed0afed3d21dfb0d69_JaffaCakes118

    • Size

      380KB

    • MD5

      f998121d523426ed0afed3d21dfb0d69

    • SHA1

      fd4da5a1bd5ec4d6508c78a01f0002a3348df0e7

    • SHA256

      7a9a5279a3ced8e2aabcb0edf0c1f5f935d33b49807de894774ad8f9c51a02f8

    • SHA512

      c701c0bd0a129adb3593e66d6867f605f305a28c02351c3df607505f0e6bbe66d8755d8b9ac8ea22b550b233fed7335a179100b8bf889d843d6a8a540b1334f0

    • SSDEEP

      6144:V6C4vUQ2R02etDfet3Agp0q9ygbX+1RzDU8vTMpcvEF:V7Q002e1saMJcR/VbKcvi

    Score
    10/10
    limeratagilenetrat

    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

      ratlimerat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Tasks