Analysis

max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 02-05-2024 08:51

Static task: static1
Behavioral task: behavioral1
  Sample: 0e0c2f38d64b80e354087d81b3efef43_JaffaCakes118.exe
  Resource: win7-20240215-en
General

Target: 0e0c2f38d64b80e354087d81b3efef43_JaffaCakes118.exe
Size: 1.1MB
MD5: 0e0c2f38d64b80e354087d81b3efef43
SHA1: 7999d6174b9c8f871366d08ac41f865f18906f62
SHA256: 28a6e2fc04546edd1bbcb429f030d76e4c10a2882beab9ed414867946bc48768
SHA512: e83b1f0a206d3ea449a0537aace9b796d987c3908c2dcfc6b1a0abd33ebfca373c39cc16f2bf6f4866a29e15a73b331ac513200b9d8438b18800abec3949f98a
SSDEEP: 24576:4AHnh+eWsN3skA4RV1Hom2KXMmHa97aWtjzjFtuM25j:/h+ZkldoPK8Ya971XjFtAj
Malware Config

Extracted: limerat (configuration 1)
  (unlabelled field, formatted as a Bitcoin address): 1JBKLGyE6AnRGvk92A8x3m8qmXfh3fcEty
  aes_key: nulled
  antivm: true
  c2_url: https://pastebin.com/raw/cXuQ0V20
  delay: 3
  download_payload: false
  install: false
  install_name: Winservices.exe
  main_folder: AppData
  pin_spread: false
  sub_folder: \
  usb_spread: true

Extracted: limerat (configuration 2)
  antivm: false
  c2_url: https://pastebin.com/raw/cXuQ0V20
  download_payload: false
  install: false
  pin_spread: false
  usb_spread: false
Signatures

Executes dropped EXE (3 IoCs)
  PID   Process
  1200  sdchange.exe
  1292  sdchange.exe
  1748  sdchange.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow  ioc
  4     pastebin.com
  5     pastebin.com

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
  description        ioc                                                          Process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    RegAsm.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  RegAsm.exe
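The signature above only records that RegAsm.exe read Disk\Enum\0; it does not say what a sample looks for in that value. The following is an added example (written for this page, not code from the report, the sandbox, or the LimeRAT family) of the heuristic such a check amounts to: each numbered value under Disk\Enum is the device-instance path of one physical disk, and on a hypervisor the vendor/model segment of that path names the virtual hardware. The device paths are constructed, and the marker table is an assumption drawn from the disk identifiers hypervisors commonly expose, not data from this analysis.

```python
"""Heuristic behind a Disk\\Enum based VM check.

Constructed example; the registry contents below are invented in the shape
the key has on a real system. The marker table is an assumption about which
vendor strings hypervisors commonly put in the disk device-instance path.
"""
import re
from typing import Dict, List, Tuple

# Key the sample read: HKLM\SYSTEM\ControlSet001\Services\Disk\Enum (see report).
DISK_ENUM_KEY = r"SYSTEM\ControlSet001\Services\Disk\Enum"

# (case-insensitive regex, hypervisor it usually indicates), most specific first.
VM_DISK_MARKERS: List[Tuple[str, str]] = [
    (r"vmware", "VMware"),
    (r"vbox", "VirtualBox"),
    (r"qemu", "QEMU/KVM"),
    (r"virtio", "KVM (virtio)"),
    (r"xen", "Xen"),
    (r"ven_msft|msft\s*virtual", "Hyper-V"),
    (r"virtual", "unspecified virtual disk"),   # weakest marker, checked last
]


def classify_disk_enum(disk_enum: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (value_name, device_path, hypervisor) for every disk whose
    device-instance path carries a hypervisor marker. An empty list means the
    disks look like bare metal (or a sandbox that scrubbed these strings)."""
    hits = []
    for name, path in sorted(disk_enum.items()):
        if not name.isdigit():          # skip the Count / NextInstance bookkeeping values
            continue
        for pattern, vendor in VM_DISK_MARKERS:
            if re.search(pattern, path, re.IGNORECASE):
                hits.append((name, path, vendor))
                break                    # first (most specific) marker wins
    return hits


def looks_like_vm(disk_enum: Dict[str, str]) -> bool:
    return bool(classify_disk_enum(disk_enum))


# Constructed registry contents (value name -> data), not captured from any host.
VMWARE_GUEST = {"Count": "1", "NextInstance": "1",
                "0": r"IDE\DiskVMware_Virtual_IDE_Hard_Drive___________00000001\5&1c3a1d8&0&0.0.0"}
VBOX_GUEST = {"Count": "1", "NextInstance": "1",
              "0": r"IDE\DiskVBOX_HARDDISK___________________________1.0_____\5&2a1b3c4d&0&0.0.0"}
HYPERV_GUEST = {"Count": "1", "NextInstance": "1",
                "0": r"SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\000000"}
BARE_METAL = {"Count": "2", "NextInstance": "2",
              "0": r"SCSI\Disk&Ven_Samsung&Prod_SSD_860_EVO\4&1f2e3d4c&0&000000",
              "1": r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001&0"}

if __name__ == "__main__":
    for label, enum in [("vmware", VMWARE_GUEST), ("vbox", VBOX_GUEST),
                        ("hyperv", HYPERV_GUEST), ("bare", BARE_METAL)]:
        print(label, looks_like_vm(enum), classify_disk_enum(enum))
```

For sandbox operators the same table reads as a hardening checklist: if the numbered values under Disk\Enum still contain the hypervisor vendor string, a sample that reads that key (as this one does) has an easy exit before it ever reaches the Pastebin C2.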
AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
  resource                                     yara_rule
  behavioral1/files/0x003900000001340c-12.dat  autoit_exe
Suspicious use of SetThreadContext (4 IoCs)
  description                 PID   Process                                             procid_target
  set thread context of 2720  2460  0e0c2f38d64b80e354087d81b3efef43_JaffaCakes118.exe  28
  set thread context of 2448  1200  sdchange.exe                                        34
  set thread context of 592   1292  sdchange.exe                                        40
  set thread context of 1612  1748  sdchange.exe                                        44

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID   Process
  2520  schtasks.exe
  1772  schtasks.exe
  2280  schtasks.exe
  2204  schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description             PID   Process
  Token: SeDebugPrivilege  2720  RegAsm.exe
  Token: SeDebugPrivilege  2720  RegAsm.exe

Suspicious use of WriteProcessMemory (64 IoCs)
The report lists one row per call; they are collapsed here by (source, target) pair. Target process names are taken from the process tree. Every RegAsm.exe child, which is also the target of a SetThreadContext call above, receives 9 writes; every other child (schtasks.exe and the sdchange.exe instances started by taskeng.exe) receives 4.
  source PID  source process                                      target PID  target process  calls  procid_target
  2460        0e0c2f38d64b80e354087d81b3efef43_JaffaCakes118.exe  2720        RegAsm.exe      9      28
  2460        0e0c2f38d64b80e354087d81b3efef43_JaffaCakes118.exe  2520        schtasks.exe    4      29
  1428        taskeng.exe                                         1200        sdchange.exe    4      33
  1200        sdchange.exe                                        2448        RegAsm.exe      9      34
  1200        sdchange.exe                                        1772        schtasks.exe    4      35
  1428        taskeng.exe                                         1292        sdchange.exe    4      39
  1292        sdchange.exe                                        592         RegAsm.exe      9      40
  1292        sdchange.exe                                        2280        schtasks.exe    4      41
  1428        taskeng.exe                                         1748        sdchange.exe    4      43
  1748        sdchange.exe                                        1612        RegAsm.exe      9      44
  1748        sdchange.exe                                        2204        schtasks.exe    4      45
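Read on their own, 64 WriteProcessMemory rows say little; read against the SetThreadContext table they single out the four parent/RegAsm.exe pairs. The block below is an added example (not code from the report or the sandbox) that performs that correlation the way a detection rule would: it rebuilds one event per API call from the two signature tables above, counts writes per (source, target) pair, and escalates only the pairs that also received a SetThreadContext call. The PID-to-image map is transcribed from the process tree; the list of .NET Framework utilities commonly used as hollowing hosts is an assumption, not something the report states.

```python
"""Correlate WriteProcessMemory and SetThreadContext rows into hollowing candidates.

Event data is transcribed from the report's signature tables; HOLLOW_HOSTS is an
assumption (Microsoft-signed .NET Framework binaries often used as injection
hosts), not a fact taken from the analysis.
"""
from collections import Counter
from typing import Dict, List, Tuple

# PID -> image name, from the process tree in the report.
PID_IMAGE: Dict[int, str] = {
    2460: "0e0c2f38d64b80e354087d81b3efef43_JaffaCakes118.exe",
    2720: "RegAsm.exe", 2520: "schtasks.exe",
    1428: "taskeng.exe",
    1200: "sdchange.exe", 2448: "RegAsm.exe", 1772: "schtasks.exe",
    1292: "sdchange.exe", 592: "RegAsm.exe", 2280: "schtasks.exe",
    1748: "sdchange.exe", 1612: "RegAsm.exe", 2204: "schtasks.exe",
}

# (source_pid, target_pid, number of WriteProcessMemory rows in the report)
WRITE_ROWS: List[Tuple[int, int, int]] = [
    (2460, 2720, 9), (2460, 2520, 4),
    (1428, 1200, 4), (1200, 2448, 9), (1200, 1772, 4),
    (1428, 1292, 4), (1292, 592, 9), (1292, 2280, 4),
    (1428, 1748, 4), (1748, 1612, 9), (1748, 2204, 4),
]
# (source_pid, target_pid) from the SetThreadContext table
THREADCTX_ROWS: List[Tuple[int, int]] = [(2460, 2720), (1200, 2448), (1292, 592), (1748, 1612)]

# Assumption: commonly abused hollowing hosts shipped with the .NET Framework.
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe",
                "applaunch.exe", "vbc.exe", "csc.exe"}


def expand_write_events(rows: List[Tuple[int, int, int]]) -> List[Tuple[int, int]]:
    """Flatten the per-pair summary back into one (src, dst) event per API call,
    which is the form an EDR or the sandbox actually emits."""
    return [(src, dst) for src, dst, n in rows for _ in range(n)]


def find_hollowing(write_events, threadctx_events, pid_image) -> List[dict]:
    """A pair is escalated only when the same source both wrote into the target
    and set one of its threads' contexts. Writes alone are not enough: on this
    host every child, including schtasks.exe, gets a handful of writes from its
    parent during ordinary process creation."""
    writes = Counter(write_events)
    ctx = set(threadctx_events)
    findings = []
    for (src, dst), n in sorted(writes.items()):
        if (src, dst) not in ctx:
            continue
        target = pid_image.get(dst, "?")
        findings.append({
            "source_pid": src, "source": pid_image.get(src, "?"),
            "target_pid": dst, "target": target,
            "writes": n,
            "lolbin_host": target.lower() in HOLLOW_HOSTS,
        })
    return findings


def run() -> List[dict]:
    return find_hollowing(expand_write_events(WRITE_ROWS), THREADCTX_ROWS, PID_IMAGE)


if __name__ == "__main__":
    for f in run():
        print(f"{f['source']} ({f['source_pid']}) -> {f['target']} ({f['target_pid']}): "
              f"{f['writes']} writes + SetThreadContext, lolbin host={f['lolbin_host']}")
```

The same rule, expressed against live telemetry, keys on the parent's image rather than its PID: a binary under a user profile writing into, then resuming, a freshly started RegAsm.exe that was launched with no arguments is the pattern to alert on, and the SeDebugPrivilege adjustment recorded for PID 2720 is a useful secondary signal that the code now running inside RegAsm.exe is not RegAsm.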
Processes

C:\Users\Admin\AppData\Local\Temp\0e0c2f38d64b80e354087d81b3efef43_JaffaCakes118.exe   PID 2460
  command line: "C:\Users\Admin\AppData\Local\Temp\0e0c2f38d64b80e354087d81b3efef43_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe   PID 2720
  |     command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  |     - Maps connected drives based on registry
  |     - Suspicious use of AdjustPrivilegeToken
  |
  +-- C:\Windows\SysWOW64\schtasks.exe   PID 2520
        command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F
        - Creates scheduled task(s)

C:\Windows\system32\taskeng.exe   PID 1428
  command line: taskeng.exe {25FF0BC7-D9D6-4290-93A4-43E9AB2D6731} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Users\Admin\secinit\sdchange.exe   PID 1200
  |     command line: C:\Users\Admin\secinit\sdchange.exe
  |     - Executes dropped EXE
  |     - Suspicious use of SetThreadContext
  |     - Suspicious use of WriteProcessMemory
  |     |
  |     +-- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe   PID 2448
  |     |     command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  |     |
  |     +-- C:\Windows\SysWOW64\schtasks.exe   PID 1772
  |           command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F
  |           - Creates scheduled task(s)
  |
  +-- C:\Users\Admin\secinit\sdchange.exe   PID 1292
  |     command line: C:\Users\Admin\secinit\sdchange.exe
  |     - Executes dropped EXE
  |     - Suspicious use of SetThreadContext
  |     - Suspicious use of WriteProcessMemory
  |     |
  |     +-- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe   PID 592
  |     |     command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  |     |
  |     +-- C:\Windows\SysWOW64\schtasks.exe   PID 2280
  |           command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F
  |           - Creates scheduled task(s)
  |
  +-- C:\Users\Admin\secinit\sdchange.exe   PID 1748
        command line: C:\Users\Admin\secinit\sdchange.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe   PID 1612
        |     command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        |
        +-- C:\Windows\SysWOW64\schtasks.exe   PID 2204
              command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F
              - Creates scheduled task(s)
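The schtasks command line repeated four times in the process tree is the whole persistence story of this run: a task named after a Windows component, pointing at a dropped binary under the user profile, firing every minute, force-overwriting any existing task of that name. Every re-launch then re-creates the same task, which is why taskeng.exe starts three sdchange.exe instances during a 149-second run. The block below is an added example (not code from the report or the sandbox) of triage logic that pulls those indicators out of schtasks.exe command lines. The four sample lines are copied from the process tree above, keyed by the schtasks PID; the benign line, the lure-name list and the user-writable path prefixes are assumptions introduced for the example.

```python
"""Triage schtasks.exe command lines for persistence indicators.

SAMPLE_CMDLINES is transcribed from the report's process tree. BENIGN_CMDLINE,
LURE_NAMES and USER_WRITABLE are assumptions made for this example.
"""
from typing import Dict, List

SCHTASKS_CMD = (r'"C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost '
                r'/tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F')
SAMPLE_CMDLINES: Dict[int, str] = {pid: SCHTASKS_CMD for pid in (2520, 1772, 2280, 2204)}

# Constructed for contrast: an ordinary nightly job under Program Files.
BENIGN_CMDLINE = (r'"C:\Windows\System32\schtasks.exe" /create /tn AcmeBackup '
                  r'/tr "C:\Program Files\Acme\backup.exe" /sc daily /st 02:00')

# schtasks switches that consume the following token as their value.
VALUED_SWITCHES = {"/tn", "/tr", "/sc", "/mo", "/st", "/ru", "/rp", "/rl", "/ri",
                   "/du", "/sd", "/ed", "/s", "/u", "/p", "/xml"}
# Assumption: names of real Windows components that malware borrows for task names.
LURE_NAMES = {"settingsynchost", "svchost", "ctfmon", "runtimebroker", "taskhostw",
              "dllhost", "wmiprvse"}
# Assumption: directory fragments that mark a user-writable action path.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping double-quoted runs
    together and dropping the quotes. Like CommandLineToArgvW minus backslash
    escaping, which none of these command lines use."""
    tokens, cur, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_schtasks(cmdline: str) -> Dict[str, str]:
    """Map lower-cased switches to their values; bare switches (/create, /F) map to ''."""
    toks = tokenize(cmdline)
    args: Dict[str, str] = {"image": toks[0] if toks else ""}
    i = 1
    while i < len(toks):
        sw = toks[i].lower()
        if sw in VALUED_SWITCHES and i + 1 < len(toks):
            args[sw] = toks[i + 1]
            i += 2
        else:
            args[sw] = ""
            i += 1
    return args


def triage(cmdline: str) -> List[str]:
    """Return the persistence indicators present in one schtasks /create line."""
    a = parse_schtasks(cmdline)
    if "/create" not in a:
        return []
    findings = []
    tn = a.get("/tn", "").lower()
    tr = a.get("/tr", "").lower()
    if (tn[:-4] if tn.endswith(".exe") else tn) in LURE_NAMES:
        findings.append(f"task name '{a['/tn']}' mimics a Windows component")
    if any(frag in tr for frag in USER_WRITABLE):
        findings.append(f"action runs from user-writable path {a['/tr']}")
    if a.get("/sc", "").lower() == "minute":
        try:
            every = int(a.get("/mo", "1"))
        except ValueError:
            every = 1
        if every <= 5:
            findings.append(f"re-launches every {every} minute(s): persistence plus watchdog")
    if "/f" in a:
        findings.append("/F silently overwrites an existing task of the same name")
    return findings


if __name__ == "__main__":
    for pid, cmd in SAMPLE_CMDLINES.items():
        print(pid, triage(cmd))
    print("benign", triage(BENIGN_CMDLINE))
```

Two of the four indicators (task name and action path) are enough for a confident alert on this line; the one-minute schedule is also the reason a responder should delete the task before killing sdchange.exe, since the reverse order gives taskeng.exe up to sixty seconds to start it again.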
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.1MB
MD5: 3208b5de2a2664e5e0a1e02553a6f68f
SHA1: a85a4faf0770dad510ebc2be8d8f92fe7a7b6aa8
SHA256: 91252854f5b5d214f0ee4875a5daca0e49c718b884e6f62091678e088e1ea016
SHA512: 10cfb362fb4f603f0520279d00cddc94047a3c26736a36ee72df5c429c1d9f925b5eadc393f44c84c950da879f4a5beab6721ca18cfdb3a98ffa45de091ed574