Malware Analysis Report

2024-09-11 10:01

Sample ID 240508-te6ntseg69
Target 259d498a10482929d3331458526047e5_JaffaCakes118
SHA256 31e5ee4bfed3bc1e491d75bf07958d0141264d736fd25d883125054d4f4d9328
Tags
limerat evasion persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

31e5ee4bfed3bc1e491d75bf07958d0141264d736fd25d883125054d4f4d9328

Threat Level: Known bad

The file 259d498a10482929d3331458526047e5_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

limerat evasion persistence rat trojan

LimeRAT

Looks for VMWare Tools registry key

Windows security modification

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-08 15:59

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-08 15:59

Reported

2024-05-08 16:01

Platform

win7-20240508-en

Max time kernel

128s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\259d498a10482929d3331458526047e5_JaffaCakes118.exe"

Signatures

LimeRAT

rat limerat

Looks for VMWare Tools registry key

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\Vmware Tools | C:\Users\Admin\AppData\Local\Temp\259d498a10482929d3331458526047e5_JaffaCakes118.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\259d498a10482929d3331458526047e5_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\259d498a10482929d3331458526047e5_JaffaCakes118.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Services = "C:\\Users\\Admin\\AppData\\Roaming\\Edge\\mswebhook.exe" | C:\Users\Admin\AppData\Local\Temp\259d498a10482929d3331458526047e5_JaffaCakes118.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com (2 hits) | N/A | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\259d498a10482929d3331458526047e5_JaffaCakes118.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1256 wrote to memory of 1320 (8 events) | N/A | C:\Users\Admin\AppData\Local\Temp\259d498a10482929d3331458526047e5_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\259d498a10482929d3331458526047e5_JaffaCakes118.exe
PID 1320 wrote to memory of 2624 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\259d498a10482929d3331458526047e5_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\259d498a10482929d3331458526047e5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\259d498a10482929d3331458526047e5_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\259d498a10482929d3331458526047e5_JaffaCakes118.exe

"{path}"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\edge\mswebhook.exe'"

Network

Country | Destination | Domain | Proto | Sessions
US | 8.8.8.8:53 | pastebin.com | udp | 1
US | 104.20.4.235:443 | pastebin.com | tcp | 1
DE | 45.84.196.28:1111 | (none) | tcp | 6

The pastebin.com lookup and HTTPS fetch precede every session to 45.84.196.28:1111, which is reached by bare IP on a non-standard port with no DNS name. This ordering is consistent with the C2 host:port being retrieved from a paste (a dead-drop resolver) rather than embedded in the binary.

Files

memory/1256-0-0x0000000074AFE000-0x0000000074AFF000-memory.dmp

memory/1256-1-0x0000000001210000-0x000000000122C000-memory.dmp

memory/1256-2-0x00000000004C0000-0x00000000004C6000-memory.dmp

memory/1256-3-0x0000000074AF0000-0x00000000751DE000-memory.dmp

memory/1256-5-0x0000000000520000-0x000000000052C000-memory.dmp

memory/1320-6-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1320-10-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1320-13-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1320-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1320-8-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1320-17-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1320-15-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1256-19-0x0000000074AF0000-0x00000000751DE000-memory.dmp

memory/1320-18-0x0000000074AF0000-0x00000000751DE000-memory.dmp

C:\Users\Admin\AppData\Roaming\edge\mswebhook.exe (byte-identical copy of the submitted sample: the hashes below match the SHA256 in the report header, so the RAT copies itself rather than dropping a second-stage file)

MD5 259d498a10482929d3331458526047e5
SHA1 9808b64e9dee325393374884344b18e37570a135
SHA256 31e5ee4bfed3bc1e491d75bf07958d0141264d736fd25d883125054d4f4d9328
SHA512 c7dc6460662d59fbe319b56e5a401d2b642aaa6fb5d237ea7a68aaa6df9f39267a0e10ab6bad8156614b9051c9f7d6947d76999bbc313c3153ec8aca63e37ecb

memory/1320-21-0x0000000074AF0000-0x00000000751DE000-memory.dmp

memory/1320-22-0x0000000074AF0000-0x00000000751DE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-08 15:59

Reported

2024-05-08 16:01

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\259d498a10482929d3331458526047e5_JaffaCakes118.exe"

Signatures

LimeRAT

rat limerat

Looks for VMWare Tools registry key

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\Vmware Tools | C:\Users\Admin\AppData\Local\Temp\259d498a10482929d3331458526047e5_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\Vmware Tools | C:\Users\Admin\AppData\Roaming\edge\mswebhook.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\259d498a10482929d3331458526047e5_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A (2 events) | N/A | C:\Users\Admin\AppData\Roaming\edge\mswebhook.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\259d498a10482929d3331458526047e5_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\259d498a10482929d3331458526047e5_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Roaming\edge\mswebhook.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services = "C:\\Users\\Admin\\AppData\\Roaming\\Edge\\mswebhook.exe" | C:\Users\Admin\AppData\Local\Temp\259d498a10482929d3331458526047e5_JaffaCakes118.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com (2 hits) | N/A | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege (2 events) | N/A | C:\Users\Admin\AppData\Roaming\edge\mswebhook.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4468 wrote to memory of 4360 (7 events) | N/A | C:\Users\Admin\AppData\Local\Temp\259d498a10482929d3331458526047e5_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\259d498a10482929d3331458526047e5_JaffaCakes118.exe
PID 4360 wrote to memory of 1404 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\259d498a10482929d3331458526047e5_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4360 wrote to memory of 2532 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\259d498a10482929d3331458526047e5_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\edge\mswebhook.exe
PID 2532 wrote to memory of 4788 (7 events) | N/A | C:\Users\Admin\AppData\Roaming\edge\mswebhook.exe | C:\Users\Admin\AppData\Roaming\edge\mswebhook.exe

Processes

C:\Users\Admin\AppData\Local\Temp\259d498a10482929d3331458526047e5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\259d498a10482929d3331458526047e5_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\259d498a10482929d3331458526047e5_JaffaCakes118.exe

"{path}"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\edge\mswebhook.exe'"

C:\Users\Admin\AppData\Roaming\edge\mswebhook.exe

"C:\Users\Admin\AppData\Roaming\edge\mswebhook.exe"

C:\Users\Admin\AppData\Roaming\edge\mswebhook.exe

"{path}"
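Both detonations show the same chain: the sample re-launches its own image and writes into the child (the "{path}" process), sets DisableRealtimeMonitoring under the Wow6432Node view of the Defender key, registers a Run value and an ONLOGON scheduled task that both point at the AppData copy, starts that copy, and contacts pastebin.com before opening sessions to 45.84.196.28:1111. The following is an added example, not part of the sandbox output or of Triage's tooling: it encodes those observations as detection rules and runs them over a small constructed event stream that mirrors the behavioral2 process tree. The schema (kind/pid/ppid/image/cmdline/key/value/domain/dst/port), the parent PID of the first process and the PID attribution of the registry and network rows are assumptions; the report does not record them.

```python
"""Detection rules for the LimeRAT chain in behavioral1 and behavioral2.

Added example. Events are constructed to mirror the report's rows using a
simplified Sysmon-like schema, not Triage's own format; PID attribution of
registry and network events and the parent of PID 4468 are assumptions.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\259d498a10482929d3331458526047e5_JaffaCakes118.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\edge\mswebhook.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
TASK_CMD = ("schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin "
            "/tr \"'" + DROPPED + "'\"")

# Constructed events following the behavioral2 tree 4468 -> 4360 -> {1404, 2532}.
EVENTS = [
    {"kind": "process", "pid": 4468, "ppid": 1000, "image": SAMPLE, "cmdline": '"' + SAMPLE + '"'},
    {"kind": "process", "pid": 4360, "ppid": 4468, "image": SAMPLE, "cmdline": "{path}"},
    *[{"kind": "write", "pid": 4468, "target_pid": 4360} for _ in range(7)],
    {"kind": "registry", "pid": 4360, "value": "1",
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
    {"kind": "registry", "pid": 4360, "value": DROPPED,
     "key": r"HKU\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services"},
    {"kind": "process", "pid": 1404, "ppid": 4360, "image": SCHTASKS, "cmdline": TASK_CMD},
    {"kind": "process", "pid": 2532, "ppid": 4360, "image": DROPPED, "cmdline": '"' + DROPPED + '"'},
    {"kind": "network", "pid": 4360, "domain": "pastebin.com", "dst": "104.20.4.235", "port": 443},
    {"kind": "network", "pid": 4360, "domain": "", "dst": "45.84.196.28", "port": 1111},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
DEFENDER_RTP = re.compile(r"\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring$", re.I)
APPDATA = re.compile(r"\\AppData\\", re.I)
WEB_PORTS = {53, 80, 443}


def analyze(events):
    """Return the sorted list of rule names that fire on an event stream."""
    hits = set()
    procs = {e["pid"]: e for e in events if e["kind"] == "process"}
    writes = defaultdict(int)
    for e in events:
        if e["kind"] == "write":
            writes[(e["pid"], e["target_pid"])] += 1

    for pid, p in procs.items():
        parent = procs.get(p["ppid"])
        same_image = parent is not None and parent["image"].lower() == p["image"].lower()
        # Parent spawns its own image and then writes into it: the RunPE /
        # hollowing pattern behind the report's WriteProcessMemory rows.
        if same_image and writes[(parent["pid"], pid)]:
            hits.add("self_injection")
        # A binary under AppData started by a different image: dropped EXE run.
        if parent is not None and not same_image and APPDATA.search(p["image"]):
            hits.add("dropped_exe_executed")
        c = p["cmdline"].lower()
        if (p["image"].lower().endswith("\\schtasks.exe") and "/create" in c
                and "onlogon" in c and "/rl highest" in c and APPDATA.search(c)):
            hits.add("schtasks_onlogon_highest")

    for e in events:
        if e["kind"] != "registry":
            continue
        if DEFENDER_RTP.search(e["key"]) and str(e["value"]) == "1":
            hits.add("defender_realtime_disabled")
        if RUN_KEY.search(e["key"]) and APPDATA.search(str(e["value"])):
            hits.add("run_key_appdata")

    # Paste site contacted, then a bare IP on a non-web port with no DNS name:
    # dead-drop resolver followed by the real C2 session.
    paste_seen = False
    for e in events:
        if e["kind"] != "network":
            continue
        if e.get("domain", "").endswith("pastebin.com"):
            paste_seen = True
        elif paste_seen and not e.get("domain") and e["port"] not in WEB_PORTS:
            hits.add("paste_then_raw_c2")
    return sorted(hits)


if __name__ == "__main__":
    for name in analyze(EVENTS):
        print(name)
```

Each rule is deliberately narrow to what the report shows. The self-injection rule needs both the same-image child and at least one write into it, so a plain re-launch without WriteProcessMemory does not fire; the scheduled-task rule keys on /RL HIGHEST and an AppData target together, which is what separates this task from the ONLOGON tasks installers create.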

Network

Country | Destination | Domain | Proto | Sessions
US | 8.8.8.8:53 | g.bing.com | udp | 1
US | 204.79.197.237:443 | g.bing.com | tcp | 1
NL | 23.62.61.112:443 | www.bing.com | tcp | 2
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 112.61.62.23.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | pastebin.com | udp | 1
US | 104.20.4.235:443 | pastebin.com | tcp | 1
DE | 45.84.196.28:1111 | (none) | tcp | 6
US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp | 1
US | 52.111.229.43:443 | (none) | tcp | 1
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp | 1

The report does not attribute network rows to processes. The bing.com and in-addr.arpa (PTR) entries appear only in the Windows 10 run and match ordinary OS background traffic; the pastebin.com lookup followed by the six sessions to 45.84.196.28:1111 repeats the behavioral1 pattern and is the sample-attributable part.

Files

memory/4468-0-0x000000007477E000-0x000000007477F000-memory.dmp

memory/4468-1-0x0000000000E80000-0x0000000000E9C000-memory.dmp

memory/4468-2-0x00000000030B0000-0x00000000030B6000-memory.dmp

memory/4468-3-0x000000000B3E0000-0x000000000B984000-memory.dmp

memory/4468-4-0x000000000AFD0000-0x000000000B06C000-memory.dmp

memory/4468-5-0x0000000074770000-0x0000000074F20000-memory.dmp

memory/4468-7-0x00000000052B0000-0x00000000052BC000-memory.dmp

memory/4360-8-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\259d498a10482929d3331458526047e5_JaffaCakes118.exe.log (usage log written by the 32-bit .NET Framework 4.x runtime for a managed process, so the sample is a 32-bit .NET executable)

MD5 2f51ee33b74ab710e289b65a7b580c9b
SHA1 031f919473e89c4a463360c7a898fda986836470
SHA256 bdb480893a7d1acc95b67f49dd12a0c1f69b75d1908536d0cc1350ebfbb5cc58
SHA512 927bd82da2cc751b6b2c97efc33019b8977f2d78d467b363cf609e27a3ac8986e0b4c3b4d025be9fe87f50db51285b115b97ae7d0ae642daae2910d44ad9ec5a

memory/4468-11-0x0000000074770000-0x0000000074F20000-memory.dmp

memory/4360-12-0x0000000074770000-0x0000000074F20000-memory.dmp

memory/4360-13-0x0000000005560000-0x00000000055C6000-memory.dmp

memory/4360-14-0x0000000074770000-0x0000000074F20000-memory.dmp

C:\Users\Admin\AppData\Roaming\edge\mswebhook.exe (byte-identical copy of the submitted sample, same hashes as in behavioral1)

MD5 259d498a10482929d3331458526047e5
SHA1 9808b64e9dee325393374884344b18e37570a135
SHA256 31e5ee4bfed3bc1e491d75bf07958d0141264d736fd25d883125054d4f4d9328
SHA512 c7dc6460662d59fbe319b56e5a401d2b642aaa6fb5d237ea7a68aaa6df9f39267a0e10ab6bad8156614b9051c9f7d6947d76999bbc313c3153ec8aca63e37ecb

memory/4360-27-0x0000000074770000-0x0000000074F20000-memory.dmp

memory/2532-28-0x0000000074770000-0x0000000074F20000-memory.dmp

memory/2532-29-0x0000000074770000-0x0000000074F20000-memory.dmp

memory/2532-34-0x0000000074770000-0x0000000074F20000-memory.dmp
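The Files sections of both detonations list memory dumps named memory/<pid>-<seq>-<start>-<end>-memory.dmp. Read together with the WriteProcessMemory rows, they point at the injected region: in behavioral1 the child PID 1320 (the "{path}" process that PID 1256 wrote into) has a 0xC000-byte region at 0x400000, the default 32-bit image base, captured six times, while the large 0x74AF0000-0x751DE000 region appears in both PIDs and is therefore a mapping shared with the parent rather than anything unique to the child. The script below is an added example, not part of the report or of Triage: it parses those names (the naming pattern is read off the listing and is an assumption about the sandbox's convention), groups regions per PID, separates shared mappings from per-process ones, and picks the most-dumped region at the image base as the first candidate for the written-in payload. The input list is copied from this report's behavioral1 Files section.

```python
"""Parse Triage-style memory dump names and locate the injected region.

Added example, not part of the report. The file names are copied from this
report's behavioral1 Files list; the pattern memory/<pid>-<seq>-<start>-<end>
-memory.dmp is inferred from them and is an assumption about the sandbox.
"""
import re
from collections import Counter, defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

BEHAVIORAL1_DUMPS = [
    "memory/1256-0-0x0000000074AFE000-0x0000000074AFF000-memory.dmp",
    "memory/1256-1-0x0000000001210000-0x000000000122C000-memory.dmp",
    "memory/1256-2-0x00000000004C0000-0x00000000004C6000-memory.dmp",
    "memory/1256-3-0x0000000074AF0000-0x00000000751DE000-memory.dmp",
    "memory/1256-5-0x0000000000520000-0x000000000052C000-memory.dmp",
    "memory/1320-6-0x0000000000400000-0x000000000040C000-memory.dmp",
    "memory/1320-10-0x0000000000400000-0x000000000040C000-memory.dmp",
    "memory/1320-13-0x0000000000400000-0x000000000040C000-memory.dmp",
    "memory/1320-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp",
    "memory/1320-8-0x0000000000400000-0x000000000040C000-memory.dmp",
    "memory/1320-17-0x0000000000400000-0x000000000040C000-memory.dmp",
    "memory/1320-15-0x0000000000400000-0x000000000040C000-memory.dmp",
    "memory/1256-19-0x0000000074AF0000-0x00000000751DE000-memory.dmp",
    "memory/1320-18-0x0000000074AF0000-0x00000000751DE000-memory.dmp",
    "memory/1320-21-0x0000000074AF0000-0x00000000751DE000-memory.dmp",
    "memory/1320-22-0x0000000074AF0000-0x00000000751DE000-memory.dmp",
]


def parse_dump(name):
    """Split one dump file name into pid, sequence number, start, end and size."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError("not a memory dump name: " + name)
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def summarize(names):
    """Map pid -> Counter of (start, end) regions, i.e. how often each region was dumped."""
    regions = defaultdict(Counter)
    for d in map(parse_dump, names):
        regions[d["pid"]][(d["start"], d["end"])] += 1
    return regions


def shared_regions(regions):
    """Regions captured from more than one PID: mapped in both, so not the unique payload."""
    owners = defaultdict(set)
    for pid, counter in regions.items():
        for region in counter:
            owners[region].add(pid)
    return {r: sorted(p) for r, p in owners.items() if len(p) > 1}


def candidate_payload(regions, pid, image_base=0x400000):
    """Most frequently dumped region of `pid` starting at the default 32-bit image base, or None."""
    best = None
    for region, n in regions[pid].items():
        if region[0] == image_base and (best is None or n > best[1]):
            best = (region, n)
    return best


if __name__ == "__main__":
    regs = summarize(BEHAVIORAL1_DUMPS)
    for pid in sorted(regs):
        for (s, e), n in sorted(regs[pid].items()):
            print(f"pid {pid}: 0x{s:08X}-0x{e:08X} ({e - s:#x} bytes) x{n}")
    print("shared:", shared_regions(regs))
    print("payload candidate in 1320:", candidate_payload(regs, 1320))
```

Run on the behavioral1 list, the parent 1256 has no region at 0x400000 at all, the child 1320 has the 0xC000-byte image-base region dumped six times, and the only region present in both PIDs is 0x74AF0000-0x751DE000. The same approach applied to the behavioral2 names singles out the 0x400000-0x40C000 dump of PID 4360.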