Analysis
-
max time kernel
145s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
08-05-2024 19:58
Static task
static1
Behavioral task
behavioral1
Sample
267a4c85d232e2ac38129146e11076fe_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
267a4c85d232e2ac38129146e11076fe_JaffaCakes118.exe
-
Size
625KB
-
MD5
267a4c85d232e2ac38129146e11076fe
-
SHA1
1e8022b879ee79f2fe86ecac410a116b05ac0112
-
SHA256
861b6c9421ebe142f5a3c13817190ab30b5b7b5e68692e886639589b784086e4
-
SHA512
793acc93adfe3c116674bf0ab4122ebe41335dd525034ca78f5f59408976fe62a27ce98a9cbebffa476186324447083f59ecdfa210fac4f872476adedb911567
-
SSDEEP
12288:iSJcHRFHvJTjucJ71RXKvGgKsfUReclQ42dFA3ADj6Dl18WlL0u:2RFHv5jDJDNmKlQ1dFAr0x
Malware Config
Extracted
limerat
359Z6KxMenwvgkA7vpGeBtinJPTj5raZz8
-
aes_key
arglobal
-
antivm
false
-
c2_url
https://pastebin.com/raw/CV5RHE9G
-
delay
3
-
download_payload
true
-
install
false
-
install_name
Wservices.exe
-
main_folder
AppData
-
payload_url
http://23.249.161.100/zaher/zna.exe
-
pin_spread
false
-
sub_folder
\vbc\
-
usb_spread
false
Extracted
limerat
-
antivm
false
-
c2_url
https://pastebin.com/raw/CV5RHE9G
-
download_payload
false
-
install
false
-
pin_spread
false
-
usb_spread
false
Signatures
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.url 267a4c85d232e2ac38129146e11076fe_JaffaCakes118.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 5 pastebin.com 6 pastebin.com -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2872 set thread context of 2348 2872 267a4c85d232e2ac38129146e11076fe_JaffaCakes118.exe 28 -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2872 267a4c85d232e2ac38129146e11076fe_JaffaCakes118.exe Token: SeDebugPrivilege 2348 RegAsm.exe Token: SeDebugPrivilege 2348 RegAsm.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2872 wrote to memory of 2348 2872 267a4c85d232e2ac38129146e11076fe_JaffaCakes118.exe 28 PID 2872 wrote to memory of 2348 2872 267a4c85d232e2ac38129146e11076fe_JaffaCakes118.exe 28 PID 2872 wrote to memory of 2348 2872 267a4c85d232e2ac38129146e11076fe_JaffaCakes118.exe 28 PID 2872 wrote to memory of 2348 2872 267a4c85d232e2ac38129146e11076fe_JaffaCakes118.exe 28 PID 2872 wrote to memory of 2348 2872 267a4c85d232e2ac38129146e11076fe_JaffaCakes118.exe 28 PID 2872 wrote to memory of 2348 2872 267a4c85d232e2ac38129146e11076fe_JaffaCakes118.exe 28 PID 2872 wrote to memory of 2348 2872 267a4c85d232e2ac38129146e11076fe_JaffaCakes118.exe 28 PID 2872 wrote to memory of 2348 2872 267a4c85d232e2ac38129146e11076fe_JaffaCakes118.exe 28 PID 2872 wrote to memory of 2348 2872 267a4c85d232e2ac38129146e11076fe_JaffaCakes118.exe 28 PID 2872 wrote to memory of 2348 2872 267a4c85d232e2ac38129146e11076fe_JaffaCakes118.exe 28 PID 2872 wrote to memory of 2348 2872 267a4c85d232e2ac38129146e11076fe_JaffaCakes118.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\267a4c85d232e2ac38129146e11076fe_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\267a4c85d232e2ac38129146e11076fe_JaffaCakes118.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2348
-