Overview

overview

10

Static

static

5

0ed1010a80...18.exe

windows7-x64

10

0ed1010a80...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118

  • Size

    24.3MB

  • Sample

    240502-sb8hksbd3t

  • MD5

    0ed1010a80a3e115d7800f2618e8b7dc

  • SHA1

    a00cc5b7c932b519d711731012bc4fba7be4e6bd

  • SHA256

    62598bb2bcf8af2ca769137e1a4021256154a6430e95edc5ddee02c4891618a0

  • SHA512

    adc1b2616a7b57fa70c2bf236e2034d6cd2d35ed005967db187a94806d20155df32beb920b54a443725b5684cec145a4102dff6c2a0a801b041a23b9ff3f941d

  • SSDEEP

    393216:d0pgWC+4cw08gMka47tPxDKdUU7K9HuNW7BqTOjDtXLEc3uoTHg:ZXjcCtkJPxkn8uw7Bq8X82g

Score
10/10
imminentlimeratnjratevasionpersistenceratspywaretrojan

Malware Config

Extracted

Family

limerat

Wallets

1JBKLGyE6AnRGvk92A8x3m8qmXfh3fcEty

Attributes
  • aes_key

    nulled

  • antivm

    true

  • c2_url

    https://pastebin.com/raw/cXuQ0V20

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Winservices.exe

  • main_folder

    AppData

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    true

Extracted

Family

limerat

Attributes
  • antivm

    false

  • c2_url

    https://pastebin.com/raw/cXuQ0V20

  • download_payload

    false

  • install

    false

  • pin_spread

    false

  • usb_spread

    false

Targets

    • Target

      0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118

    • Size

      24.3MB

    • MD5

      0ed1010a80a3e115d7800f2618e8b7dc

    • SHA1

      a00cc5b7c932b519d711731012bc4fba7be4e6bd

    • SHA256

      62598bb2bcf8af2ca769137e1a4021256154a6430e95edc5ddee02c4891618a0

    • SHA512

      adc1b2616a7b57fa70c2bf236e2034d6cd2d35ed005967db187a94806d20155df32beb920b54a443725b5684cec145a4102dff6c2a0a801b041a23b9ff3f941d

    • SSDEEP

      393216:d0pgWC+4cw08gMka47tPxDKdUU7K9HuNW7BqTOjDtXLEc3uoTHg:ZXjcCtkJPxkn8uw7Bq8X82g

    Score
    10/10
    imminentlimeratnjratevasionpersistenceratspywaretrojan

    • Imminent RAT

      Remote-access trojan based on Imminent Monitor remote admin software.

      trojanspywareimminent

    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

      ratlimerat

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks