Overview

overview

10

Static

static

1

ff181c2fde...18.jar

windows7-x64

10

ff181c2fde...18.jar

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ff181c2fde2ed1e091f9cf7a3fb5cb98_JaffaCakes118

  • Size

    166KB

  • Sample

    240421-mqmlrsha48

  • MD5

    ff181c2fde2ed1e091f9cf7a3fb5cb98

  • SHA1

    6471bf5f9a09a393eb9b8f64fde1b4c29ab77657

  • SHA256

    68d86a6264814df91c2b58dd342fe9451134535d42eecbb623051ae616202912

  • SHA512

    d18330c101882d0753afa1dbbce29c6479ec165383fac28f836c0cefb90a20e6cfc173eb512d897fe07b4bac9d7301471279b1b1bbff686e1633b2553719c0c2

  • SSDEEP

    3072:92cMABeMv1CGzHNb3Ptbriienc5797SEwj1vSbSBEwemzD4sd4GF:92seMsStDPtPBRSPj1aPcEsb

Score
10/10
limeratdiscoveryrat

Malware Config

Extracted

Family

limerat

Wallets

1Cs8MjxkXtYwkDKypg8i1Vj5nzhANpgC6y

Attributes
  • aes_key

    2249

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/G9wX4J5m

  • delay

    8

  • download_payload

    false

  • install

    true

  • install_name

    player.exe

  • main_folder

    AppData

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    false

Extracted

Family

limerat

Attributes
  • antivm

    false

  • c2_url

    https://pastebin.com/raw/G9wX4J5m

  • download_payload

    false

  • install

    false

  • pin_spread

    false

  • usb_spread

    false

Targets

    • Target

      ff181c2fde2ed1e091f9cf7a3fb5cb98_JaffaCakes118

    • Size

      166KB

    • MD5

      ff181c2fde2ed1e091f9cf7a3fb5cb98

    • SHA1

      6471bf5f9a09a393eb9b8f64fde1b4c29ab77657

    • SHA256

      68d86a6264814df91c2b58dd342fe9451134535d42eecbb623051ae616202912

    • SHA512

      d18330c101882d0753afa1dbbce29c6479ec165383fac28f836c0cefb90a20e6cfc173eb512d897fe07b4bac9d7301471279b1b1bbff686e1633b2553719c0c2

    • SSDEEP

      3072:92cMABeMv1CGzHNb3Ptbriienc5797SEwj1vSbSBEwemzD4sd4GF:92seMsStDPtPBRSPj1aPcEsb

    Score
    10/10
    limeratratdiscovery

    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

      ratlimerat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

File and Directory Permissions Modification

1
T1222

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Tasks