General
-
Target
004317b8cf9bf0a8595424977cecddd0_JaffaCakes118
-
Size
57KB
-
Sample
240426-h42kmabd8y
-
MD5
004317b8cf9bf0a8595424977cecddd0
-
SHA1
c934425794991d88255a7597118c940066342743
-
SHA256
34d54fc11ec26dc3645995c8cad58d22976293e6af1ec3789cfab640ace146b4
-
SHA512
6e8cffd8784f2c938746f713f0eadf46e6a07c984add2770c24ba6713c789ea6d956660486b3993787cf832a17e4df20f2c95a10a1eb425697e0b5a57080b6e1
-
SSDEEP
768:aWNc4ivigIwf+afPMwngwSGUIYKrBsDK9WL1C/GlI5tOGc9C45uD65R4UDiFHUBI:9zZO7fEwgwyIlrBd+JlcMbItYxxfrO
Malware Config
Extracted
limerat
-
aes_key
fSDFvase32f2@hj5
-
antivm
true
-
c2_url
https://pastebin.com/raw/iRwDeTN3
-
delay
3
-
download_payload
false
-
install
false
-
install_name
Wservices.exe
-
main_folder
Temp
-
pin_spread
false
-
sub_folder
\
-
usb_spread
true
Extracted
limerat
-
antivm
false
-
c2_url
https://pastebin.com/raw/iRwDeTN3
-
download_payload
false
-
install
false
-
pin_spread
false
-
usb_spread
false
Targets
-
-
Target
004317b8cf9bf0a8595424977cecddd0_JaffaCakes118
-
Size
57KB
-
MD5
004317b8cf9bf0a8595424977cecddd0
-
SHA1
c934425794991d88255a7597118c940066342743
-
SHA256
34d54fc11ec26dc3645995c8cad58d22976293e6af1ec3789cfab640ace146b4
-
SHA512
6e8cffd8784f2c938746f713f0eadf46e6a07c984add2770c24ba6713c789ea6d956660486b3993787cf832a17e4df20f2c95a10a1eb425697e0b5a57080b6e1
-
SSDEEP
768:aWNc4ivigIwf+afPMwngwSGUIYKrBsDK9WL1C/GlI5tOGc9C45uD65R4UDiFHUBI:9zZO7fEwgwyIlrBd+JlcMbItYxxfrO
Score10/10-
LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
-
Legitimate hosting services abused for malware hosting/C2
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-