limerat | 31e5ee4bfed3bc1e491d75bf07958d0141264d736fd25d883125054d4f4d9328

General

Target

259d498a10482929d3331458526047e5_JaffaCakes118.exe
Size

78KB
MD5

259d498a10482929d3331458526047e5
SHA1

9808b64e9dee325393374884344b18e37570a135
SHA256

31e5ee4bfed3bc1e491d75bf07958d0141264d736fd25d883125054d4f4d9328
SHA512

c7dc6460662d59fbe319b56e5a401d2b642aaa6fb5d237ea7a68aaa6df9f39267a0e10ab6bad8156614b9051c9f7d6947d76999bbc313c3153ec8aca63e37ecb
SSDEEP

1536:MkeH1wzPeje9dZld4WwA2z7efZCJrChYZ1sCUpW7c:emmjWLdbwA2LJrQYZ1sCUpW7c

Score

10^/10

limerat evasion persistence rat trojan

Malware Config

Extracted

Family

limerat

Attributes

aes_key
EIYV1V9YH5dE7u4B6kXr
antivm
true
c2_url
https://pastebin.com/raw/LtRQn6ir
delay
3
download_payload
false
install
true
install_name
mswebhook.exe
main_folder
AppData
pin_spread
false
sub_folder
\edge\
usb_spread
true

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/LtRQn6ir
download_payload
false
install
false
pin_spread
false
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Looks for VMWare Tools registry key 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\Vmware Tools	259d498a10482929d3331458526047e5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\Vmware Tools	mswebhook.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	259d498a10482929d3331458526047e5_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2532	mswebhook.exe
4788	mswebhook.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	259d498a10482929d3331458526047e5_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	259d498a10482929d3331458526047e5_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	mswebhook.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services = "C:\\Users\\Admin\\AppData\\Roaming\\Edge\\mswebhook.exe"	259d498a10482929d3331458526047e5_JaffaCakes118.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
15	pastebin.com
16	pastebin.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4468 set thread context of 4360	4468	259d498a10482929d3331458526047e5_JaffaCakes118.exe	82
PID 2532 set thread context of 4788	2532	mswebhook.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1404	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4788	mswebhook.exe
Token: SeDebugPrivilege	4788	mswebhook.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 4360	4468	259d498a10482929d3331458526047e5_JaffaCakes118.exe	82
PID 4468 wrote to memory of 4360	4468	259d498a10482929d3331458526047e5_JaffaCakes118.exe	82
PID 4468 wrote to memory of 4360	4468	259d498a10482929d3331458526047e5_JaffaCakes118.exe	82
PID 4468 wrote to memory of 4360	4468	259d498a10482929d3331458526047e5_JaffaCakes118.exe	82
PID 4468 wrote to memory of 4360	4468	259d498a10482929d3331458526047e5_JaffaCakes118.exe	82
PID 4468 wrote to memory of 4360	4468	259d498a10482929d3331458526047e5_JaffaCakes118.exe	82
PID 4468 wrote to memory of 4360	4468	259d498a10482929d3331458526047e5_JaffaCakes118.exe	82
PID 4360 wrote to memory of 1404	4360	259d498a10482929d3331458526047e5_JaffaCakes118.exe	87
PID 4360 wrote to memory of 1404	4360	259d498a10482929d3331458526047e5_JaffaCakes118.exe	87
PID 4360 wrote to memory of 1404	4360	259d498a10482929d3331458526047e5_JaffaCakes118.exe	87
PID 4360 wrote to memory of 2532	4360	259d498a10482929d3331458526047e5_JaffaCakes118.exe	89
PID 4360 wrote to memory of 2532	4360	259d498a10482929d3331458526047e5_JaffaCakes118.exe	89
PID 4360 wrote to memory of 2532	4360	259d498a10482929d3331458526047e5_JaffaCakes118.exe	89
PID 2532 wrote to memory of 4788	2532	mswebhook.exe	90
PID 2532 wrote to memory of 4788	2532	mswebhook.exe	90
PID 2532 wrote to memory of 4788	2532	mswebhook.exe	90
PID 2532 wrote to memory of 4788	2532	mswebhook.exe	90
PID 2532 wrote to memory of 4788	2532	mswebhook.exe	90
PID 2532 wrote to memory of 4788	2532	mswebhook.exe	90
PID 2532 wrote to memory of 4788	2532	mswebhook.exe	90

C:\Users\Admin\AppData\Local\Temp\259d498a10482929d3331458526047e5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\259d498a10482929d3331458526047e5_JaffaCakes118.exe"
1⤵
- Looks for VMWare Tools registry key
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Users\Admin\AppData\Local\Temp\259d498a10482929d3331458526047e5_JaffaCakes118.exe
  "{path}"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4360
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\edge\mswebhook.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1404
- - C:\Users\Admin\AppData\Roaming\edge\mswebhook.exe
    "C:\Users\Admin\AppData\Roaming\edge\mswebhook.exe"
    3⤵
    - Looks for VMWare Tools registry key
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Users\Admin\AppData\Roaming\edge\mswebhook.exe
      "{path}"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\259d498a10482929d3331458526047e5_JaffaCakes118.exe.log

Filesize
418B

MD5
2f51ee33b74ab710e289b65a7b580c9b

SHA1
031f919473e89c4a463360c7a898fda986836470

SHA256
bdb480893a7d1acc95b67f49dd12a0c1f69b75d1908536d0cc1350ebfbb5cc58

SHA512
927bd82da2cc751b6b2c97efc33019b8977f2d78d467b363cf609e27a3ac8986e0b4c3b4d025be9fe87f50db51285b115b97ae7d0ae642daae2910d44ad9ec5a

Download Submit
C:\Users\Admin\AppData\Roaming\edge\mswebhook.exe

Filesize
78KB

MD5
259d498a10482929d3331458526047e5

SHA1
9808b64e9dee325393374884344b18e37570a135

SHA256
31e5ee4bfed3bc1e491d75bf07958d0141264d736fd25d883125054d4f4d9328

SHA512
c7dc6460662d59fbe319b56e5a401d2b642aaa6fb5d237ea7a68aaa6df9f39267a0e10ab6bad8156614b9051c9f7d6947d76999bbc313c3153ec8aca63e37ecb

Download Submit
memory/2532-34-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/2532-29-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/2532-28-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/4360-14-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/4360-8-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4360-12-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/4360-13-0x0000000005560000-0x00000000055C6000-memory.dmp

Filesize
408KB

Download
memory/4360-27-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/4468-7-0x00000000052B0000-0x00000000052BC000-memory.dmp

Filesize
48KB

Download
memory/4468-5-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/4468-11-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/4468-0-0x000000007477E000-0x000000007477F000-memory.dmp

Filesize
4KB

Download
memory/4468-4-0x000000000AFD0000-0x000000000B06C000-memory.dmp

Filesize
624KB

Download
memory/4468-3-0x000000000B3E0000-0x000000000B984000-memory.dmp

Filesize
5.6MB

Download
memory/4468-2-0x00000000030B0000-0x00000000030B6000-memory.dmp

Filesize
24KB

Download
memory/4468-1-0x0000000000E80000-0x0000000000E9C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads