Overview

overview

10

Static

static

5

018e93f668...18.exe

windows7-x64

10

018e93f668...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    018e93f66899228a3e980f8fa671c021_JaffaCakes118

  • Size

    24.3MB

  • Sample

    240426-ys4tlsca6s

  • MD5

    018e93f66899228a3e980f8fa671c021

  • SHA1

    76c9e359cf572757ba0bf5e372de1780f5fbae05

  • SHA256

    46141664081fd940edcf0db0adcd081736a3bd5e2f9639037fc598e558104b31

  • SHA512

    1804d279136feda7c468c63486d15e1b57f1c028d7e926cb733bf8f7c2c7d4b5b3506457b282393182cdcc7a71966b2ba9148d7b8f473a7367bace2b680b0056

  • SSDEEP

    393216:d0pgWC+4cw08gMka47tPxDKdUU7K9HuNW7BqTOjDtXLEc3uoTHn:ZXjcCtkJPxkn8uw7Bq8X82n

Score
10/10
imminentlimeratnjratevasionpersistenceratspywaretrojan

Malware Config

Extracted

Family

limerat

Wallets

1JBKLGyE6AnRGvk92A8x3m8qmXfh3fcEty

Attributes
  • aes_key

    nulled

  • antivm

    true

  • c2_url

    https://pastebin.com/raw/cXuQ0V20

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Winservices.exe

  • main_folder

    AppData

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    true

Targets

    • Target

      018e93f66899228a3e980f8fa671c021_JaffaCakes118

    • Size

      24.3MB

    • MD5

      018e93f66899228a3e980f8fa671c021

    • SHA1

      76c9e359cf572757ba0bf5e372de1780f5fbae05

    • SHA256

      46141664081fd940edcf0db0adcd081736a3bd5e2f9639037fc598e558104b31

    • SHA512

      1804d279136feda7c468c63486d15e1b57f1c028d7e926cb733bf8f7c2c7d4b5b3506457b282393182cdcc7a71966b2ba9148d7b8f473a7367bace2b680b0056

    • SSDEEP

      393216:d0pgWC+4cw08gMka47tPxDKdUU7K9HuNW7BqTOjDtXLEc3uoTHn:ZXjcCtkJPxkn8uw7Bq8X82n

    Score
    10/10
    imminentlimeratnjratevasionpersistenceratspywaretrojan

    • Imminent RAT

      Remote-access trojan based on Imminent Monitor remote admin software.

      trojanspywareimminent

    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

      ratlimerat

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Peripheral Device Discovery

2
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Tasks