Malware Analysis Report

2024-09-11 10:02

Sample ID 240419-f254xsah7y
Target f998121d523426ed0afed3d21dfb0d69_JaffaCakes118
SHA256 7a9a5279a3ced8e2aabcb0edf0c1f5f935d33b49807de894774ad8f9c51a02f8
Tags
agilenet limerat rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7a9a5279a3ced8e2aabcb0edf0c1f5f935d33b49807de894774ad8f9c51a02f8

Threat Level: Known bad

The file f998121d523426ed0afed3d21dfb0d69_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

agilenet limerat rat

LimeRAT

Checks computer location settings

Obfuscated with Agile.Net obfuscator

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-19 05:23

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 05:23

Reported

2024-04-19 05:25

Platform

win7-20240215-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f998121d523426ed0afed3d21dfb0d69_JaffaCakes118.exe"

Signatures

LimeRAT

rat limerat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\System32\Window Security Notification.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\System32\Window Security Notification.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\System32\Window Security Notification.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f998121d523426ed0afed3d21dfb0d69_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f998121d523426ed0afed3d21dfb0d69_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\System32\Window Security Notification.exe'"

C:\Users\Admin\System32\Window Security Notification.exe

"C:\Users\Admin\System32\Window Security Notification.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp

Files

memory/2328-0-0x00000000742E0000-0x000000007488B000-memory.dmp

memory/2328-1-0x0000000000C30000-0x0000000000C70000-memory.dmp

memory/2328-2-0x00000000742E0000-0x000000007488B000-memory.dmp

memory/2328-9-0x0000000074160000-0x00000000741BB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\658fe764-17b2-4bab-9272-0ccf7d8dc77a\AgileDotNetRT.dll

MD5 edd74be9723cdc6a5692954f0e51c9f3
SHA1 e9fb66ceee1ba4ce7e5b8271b3e1ed7cb9acf686
SHA256 55ff1e0a4e5866d565ceeb9baafac73fdcb4464160fc6c78104d935009935cd7
SHA512 80abecdd07f364283f216d8f4d90a4da3efd4561900631fce05c2916afeb1b5bbce23ae92d57430b7b2b06c172b2ad701b2ab75b6dfd2a861abcf7edc38462f3

memory/2328-10-0x0000000073990000-0x00000000739B8000-memory.dmp

\Users\Admin\System32\Window Security Notification.exe

MD5 f998121d523426ed0afed3d21dfb0d69
SHA1 fd4da5a1bd5ec4d6508c78a01f0002a3348df0e7
SHA256 7a9a5279a3ced8e2aabcb0edf0c1f5f935d33b49807de894774ad8f9c51a02f8
SHA512 c701c0bd0a129adb3593e66d6867f605f305a28c02351c3df607505f0e6bbe66d8755d8b9ac8ea22b550b233fed7335a179100b8bf889d843d6a8a540b1334f0

memory/2328-24-0x00000000742E0000-0x000000007488B000-memory.dmp

memory/2744-23-0x0000000074160000-0x00000000741BB000-memory.dmp

memory/2744-25-0x0000000073990000-0x00000000739B8000-memory.dmp

memory/2328-26-0x0000000073990000-0x00000000739B8000-memory.dmp

memory/2744-27-0x00000000742E0000-0x000000007488B000-memory.dmp

memory/2744-28-0x0000000000100000-0x0000000000140000-memory.dmp

memory/2744-29-0x0000000073990000-0x00000000739B8000-memory.dmp

memory/2744-30-0x00000000742E0000-0x000000007488B000-memory.dmp

memory/2744-31-0x0000000000100000-0x0000000000140000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 05:23

Reported

2024-04-19 05:25

Platform

win10v2004-20240412-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f998121d523426ed0afed3d21dfb0d69_JaffaCakes118.exe"

Signatures

LimeRAT

rat limerat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f998121d523426ed0afed3d21dfb0d69_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\System32\Window Security Notification.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\System32\Window Security Notification.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\System32\Window Security Notification.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f998121d523426ed0afed3d21dfb0d69_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f998121d523426ed0afed3d21dfb0d69_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\System32\Window Security Notification.exe'"

C:\Users\Admin\System32\Window Security Notification.exe

"C:\Users\Admin\System32\Window Security Notification.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp

Files

memory/4764-0-0x00000000749F0000-0x0000000074FA1000-memory.dmp

memory/4764-1-0x00000000749F0000-0x0000000074FA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\658fe764-17b2-4bab-9272-0ccf7d8dc77a\AgileDotNetRT.dll

MD5 edd74be9723cdc6a5692954f0e51c9f3
SHA1 e9fb66ceee1ba4ce7e5b8271b3e1ed7cb9acf686
SHA256 55ff1e0a4e5866d565ceeb9baafac73fdcb4464160fc6c78104d935009935cd7
SHA512 80abecdd07f364283f216d8f4d90a4da3efd4561900631fce05c2916afeb1b5bbce23ae92d57430b7b2b06c172b2ad701b2ab75b6dfd2a861abcf7edc38462f3

memory/4764-9-0x0000000001530000-0x0000000001540000-memory.dmp

memory/4764-11-0x0000000072F00000-0x0000000072F28000-memory.dmp

memory/4764-10-0x0000000073710000-0x000000007376B000-memory.dmp

C:\Users\Admin\System32\Window Security Notification.exe

MD5 f998121d523426ed0afed3d21dfb0d69
SHA1 fd4da5a1bd5ec4d6508c78a01f0002a3348df0e7
SHA256 7a9a5279a3ced8e2aabcb0edf0c1f5f935d33b49807de894774ad8f9c51a02f8
SHA512 c701c0bd0a129adb3593e66d6867f605f305a28c02351c3df607505f0e6bbe66d8755d8b9ac8ea22b550b233fed7335a179100b8bf889d843d6a8a540b1334f0

memory/4952-27-0x0000000073710000-0x000000007376B000-memory.dmp

memory/4952-28-0x00000000749F0000-0x0000000074FA1000-memory.dmp

memory/4952-29-0x00000000019B0000-0x00000000019C0000-memory.dmp

memory/4764-30-0x00000000749F0000-0x0000000074FA1000-memory.dmp

memory/4952-31-0x00000000749F0000-0x0000000074FA1000-memory.dmp

memory/4952-32-0x0000000072F00000-0x0000000072F28000-memory.dmp

memory/4764-24-0x0000000072F00000-0x0000000072F28000-memory.dmp

memory/4952-33-0x00000000019B0000-0x00000000019C0000-memory.dmp

memory/4952-34-0x00000000749F0000-0x0000000074FA1000-memory.dmp

memory/4952-35-0x00000000019B0000-0x00000000019C0000-memory.dmp

memory/4952-36-0x0000000072F00000-0x0000000072F28000-memory.dmp

memory/4952-37-0x00000000019B0000-0x00000000019C0000-memory.dmp