Overview

overview

10

Static

static

10

07c27d514b...18.exe

windows7-x64

10

07c27d514b...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    07c27d514bfbde4482b8e1b6ea27b456_JaffaCakes118

  • Size

    28KB

  • Sample

    240429-qlsh1abh3x

  • MD5

    07c27d514bfbde4482b8e1b6ea27b456

  • SHA1

    535e1b3f81abcfcbae2066f28f3bcbded60e6829

  • SHA256

    37d6832272f4b87fd9194539e17c5da57b8c4508d54e586b8c6bcf8b856f82be

  • SHA512

    f69492a2c8a6eca0abfb57f4b7e0d9bd347f8c8b6e952ce1998b13bf0df898e47ad87dfb3d28f6a47ff8e7652fd4ed3305fce5103b4c3e9ec29fd8af599555d2

  • SSDEEP

    384:OE0WnRV4+emNHpoyfaDhVSY5+1SsVhsLDFqvDuNrCeJE3WN52kOQIEvHSEfrwHTU:D4q2yi9Vb+1SeSJok5NUkCkWTtfEY

Score
10/10
limeratrat

Malware Config

Extracted

Family

limerat

Attributes
  • aes_key

    yourmomisobesaporcodio

  • antivm

    true

  • c2_url

    https://pastebin.com/raw/Si5Hcuvu

  • delay

    3

  • download_payload

    false

  • install

    true

  • install_name

    RuntimeBroker.exe

  • main_folder

    UserProfile

  • pin_spread

    false

  • sub_folder

    \VM\

  • usb_spread

    true

Extracted

Family

limerat

Attributes
  • antivm

    false

  • c2_url

    https://pastebin.com/raw/Si5Hcuvu

  • download_payload

    false

  • install

    false

  • pin_spread

    false

  • usb_spread

    false

Targets

    • Target

      07c27d514bfbde4482b8e1b6ea27b456_JaffaCakes118

    • Size

      28KB

    • MD5

      07c27d514bfbde4482b8e1b6ea27b456

    • SHA1

      535e1b3f81abcfcbae2066f28f3bcbded60e6829

    • SHA256

      37d6832272f4b87fd9194539e17c5da57b8c4508d54e586b8c6bcf8b856f82be

    • SHA512

      f69492a2c8a6eca0abfb57f4b7e0d9bd347f8c8b6e952ce1998b13bf0df898e47ad87dfb3d28f6a47ff8e7652fd4ed3305fce5103b4c3e9ec29fd8af599555d2

    • SSDEEP

      384:OE0WnRV4+emNHpoyfaDhVSY5+1SsVhsLDFqvDuNrCeJE3WN52kOQIEvHSEfrwHTU:D4q2yi9Vb+1SeSJok5NUkCkWTtfEY

    Score
    10/10
    limeratrat

    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

      ratlimerat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks