Malware Analysis Report

2024-09-11 10:02

Sample ID 240419-f254xsah7y
Target f998121d523426ed0afed3d21dfb0d69_JaffaCakes118
SHA256 7a9a5279a3ced8e2aabcb0edf0c1f5f935d33b49807de894774ad8f9c51a02f8
Tags
agilenet limerat rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7a9a5279a3ced8e2aabcb0edf0c1f5f935d33b49807de894774ad8f9c51a02f8

Threat Level: Known bad

The file f998121d523426ed0afed3d21dfb0d69_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

agilenet limerat rat

LimeRAT

Checks computer location settings

Obfuscated with Agile.Net obfuscator

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Persistence
TA0003
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Web Service
T1102
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-04-19 05:23

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 05:23

Reported

2024-04-19 05:25

Platform

win7-20240215-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f998121d523426ed0afed3d21dfb0d69_JaffaCakes118.exe"

Signatures

LimeRAT

rat limerat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\System32\Window Security Notification.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f998121d523426ed0afed3d21dfb0d69_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f998121d523426ed0afed3d21dfb0d69_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f998121d523426ed0afed3d21dfb0d69_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\System32\Window Security Notification.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\System32\Window Security Notification.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\System32\Window Security Notification.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2328 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\f998121d523426ed0afed3d21dfb0d69_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 2328 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\f998121d523426ed0afed3d21dfb0d69_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 2328 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\f998121d523426ed0afed3d21dfb0d69_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 2328 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\f998121d523426ed0afed3d21dfb0d69_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 2328 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\f998121d523426ed0afed3d21dfb0d69_JaffaCakes118.exe C:\Users\Admin\System32\Window Security Notification.exe
PID 2328 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\f998121d523426ed0afed3d21dfb0d69_JaffaCakes118.exe C:\Users\Admin\System32\Window Security Notification.exe
PID 2328 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\f998121d523426ed0afed3d21dfb0d69_JaffaCakes118.exe C:\Users\Admin\System32\Window Security Notification.exe
PID 2328 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\f998121d523426ed0afed3d21dfb0d69_JaffaCakes118.exe C:\Users\Admin\System32\Window Security Notification.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f998121d523426ed0afed3d21dfb0d69_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f998121d523426ed0afed3d21dfb0d69_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\System32\Window Security Notification.exe'"

C:\Users\Admin\System32\Window Security Notification.exe

"C:\Users\Admin\System32\Window Security Notification.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp

Files

memory/2328-0-0x00000000742E0000-0x000000007488B000-memory.dmp

memory/2328-1-0x0000000000C30000-0x0000000000C70000-memory.dmp

memory/2328-2-0x00000000742E0000-0x000000007488B000-memory.dmp

memory/2328-9-0x0000000074160000-0x00000000741BB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\658fe764-17b2-4bab-9272-0ccf7d8dc77a\AgileDotNetRT.dll

MD5 edd74be9723cdc6a5692954f0e51c9f3
SHA1 e9fb66ceee1ba4ce7e5b8271b3e1ed7cb9acf686
SHA256 55ff1e0a4e5866d565ceeb9baafac73fdcb4464160fc6c78104d935009935cd7
SHA512 80abecdd07f364283f216d8f4d90a4da3efd4561900631fce05c2916afeb1b5bbce23ae92d57430b7b2b06c172b2ad701b2ab75b6dfd2a861abcf7edc38462f3

memory/2328-10-0x0000000073990000-0x00000000739B8000-memory.dmp

\Users\Admin\System32\Window Security Notification.exe

MD5 f998121d523426ed0afed3d21dfb0d69
SHA1 fd4da5a1bd5ec4d6508c78a01f0002a3348df0e7
SHA256 7a9a5279a3ced8e2aabcb0edf0c1f5f935d33b49807de894774ad8f9c51a02f8
SHA512 c701c0bd0a129adb3593e66d6867f605f305a28c02351c3df607505f0e6bbe66d8755d8b9ac8ea22b550b233fed7335a179100b8bf889d843d6a8a540b1334f0

memory/2328-24-0x00000000742E0000-0x000000007488B000-memory.dmp

memory/2744-23-0x0000000074160000-0x00000000741BB000-memory.dmp

memory/2744-25-0x0000000073990000-0x00000000739B8000-memory.dmp

memory/2328-26-0x0000000073990000-0x00000000739B8000-memory.dmp

memory/2744-27-0x00000000742E0000-0x000000007488B000-memory.dmp

memory/2744-28-0x0000000000100000-0x0000000000140000-memory.dmp

memory/2744-29-0x0000000073990000-0x00000000739B8000-memory.dmp

memory/2744-30-0x00000000742E0000-0x000000007488B000-memory.dmp

memory/2744-31-0x0000000000100000-0x0000000000140000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 05:23

Reported

2024-04-19 05:25

Platform

win10v2004-20240412-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f998121d523426ed0afed3d21dfb0d69_JaffaCakes118.exe"

Signatures

LimeRAT

rat limerat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f998121d523426ed0afed3d21dfb0d69_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\System32\Window Security Notification.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f998121d523426ed0afed3d21dfb0d69_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\System32\Window Security Notification.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\System32\Window Security Notification.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\System32\Window Security Notification.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4764 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\f998121d523426ed0afed3d21dfb0d69_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 4764 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\f998121d523426ed0afed3d21dfb0d69_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 4764 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\f998121d523426ed0afed3d21dfb0d69_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 4764 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\f998121d523426ed0afed3d21dfb0d69_JaffaCakes118.exe C:\Users\Admin\System32\Window Security Notification.exe
PID 4764 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\f998121d523426ed0afed3d21dfb0d69_JaffaCakes118.exe C:\Users\Admin\System32\Window Security Notification.exe
PID 4764 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\f998121d523426ed0afed3d21dfb0d69_JaffaCakes118.exe C:\Users\Admin\System32\Window Security Notification.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f998121d523426ed0afed3d21dfb0d69_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f998121d523426ed0afed3d21dfb0d69_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\System32\Window Security Notification.exe'"

C:\Users\Admin\System32\Window Security Notification.exe

"C:\Users\Admin\System32\Window Security Notification.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp
US 8.8.8.8:53 Ahmi-24483.portmap.io udp

Files

memory/4764-0-0x00000000749F0000-0x0000000074FA1000-memory.dmp

memory/4764-1-0x00000000749F0000-0x0000000074FA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\658fe764-17b2-4bab-9272-0ccf7d8dc77a\AgileDotNetRT.dll

MD5 edd74be9723cdc6a5692954f0e51c9f3
SHA1 e9fb66ceee1ba4ce7e5b8271b3e1ed7cb9acf686
SHA256 55ff1e0a4e5866d565ceeb9baafac73fdcb4464160fc6c78104d935009935cd7
SHA512 80abecdd07f364283f216d8f4d90a4da3efd4561900631fce05c2916afeb1b5bbce23ae92d57430b7b2b06c172b2ad701b2ab75b6dfd2a861abcf7edc38462f3

memory/4764-9-0x0000000001530000-0x0000000001540000-memory.dmp

memory/4764-11-0x0000000072F00000-0x0000000072F28000-memory.dmp

memory/4764-10-0x0000000073710000-0x000000007376B000-memory.dmp

C:\Users\Admin\System32\Window Security Notification.exe

MD5 f998121d523426ed0afed3d21dfb0d69
SHA1 fd4da5a1bd5ec4d6508c78a01f0002a3348df0e7
SHA256 7a9a5279a3ced8e2aabcb0edf0c1f5f935d33b49807de894774ad8f9c51a02f8
SHA512 c701c0bd0a129adb3593e66d6867f605f305a28c02351c3df607505f0e6bbe66d8755d8b9ac8ea22b550b233fed7335a179100b8bf889d843d6a8a540b1334f0

memory/4952-27-0x0000000073710000-0x000000007376B000-memory.dmp

memory/4952-28-0x00000000749F0000-0x0000000074FA1000-memory.dmp

memory/4952-29-0x00000000019B0000-0x00000000019C0000-memory.dmp

memory/4764-30-0x00000000749F0000-0x0000000074FA1000-memory.dmp

memory/4952-31-0x00000000749F0000-0x0000000074FA1000-memory.dmp

memory/4952-32-0x0000000072F00000-0x0000000072F28000-memory.dmp

memory/4764-24-0x0000000072F00000-0x0000000072F28000-memory.dmp

memory/4952-33-0x00000000019B0000-0x00000000019C0000-memory.dmp

memory/4952-34-0x00000000749F0000-0x0000000074FA1000-memory.dmp

memory/4952-35-0x00000000019B0000-0x00000000019C0000-memory.dmp

memory/4952-36-0x0000000072F00000-0x0000000072F28000-memory.dmp

memory/4952-37-0x00000000019B0000-0x00000000019C0000-memory.dmp