Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-05-2024 09:58
- Static task: static1
- Behavioral task: behavioral1
- Sample: 297051f6830b2eb05bc0df7fa7aaf531_JaffaCakes118.exe
- Resource: win7-20240220-en
General
- Target: 297051f6830b2eb05bc0df7fa7aaf531_JaffaCakes118.exe
- Size: 590KB
- MD5: 297051f6830b2eb05bc0df7fa7aaf531
- SHA1: f1789f45cd5771e1a41c59bf5bbce9bdeee33f88
- SHA256: e24b14a6b6b94da0b5cd5db79e856d8ea9df6d8d1308971a59ed0ab202b45643
- SHA512: dfe9054949788328a73f078e671c0c8993aaa6ef11076d065877b8256dfabf4ca5e4c2e6ec210fff8620db99d8823a6a3181d151bf40c7a867687b1c0d5820e8
- SSDEEP: 12288:D45BTx/i6u9xugEIyiPKDClYPa5/+CPcHDgy0S+Ckpo9wI9txMpwJXeu:sE6SIihYdqqNKpV
Malware Config
Extracted: limerat
359Z6KxMenwvgkA7vpGeBtinJPTj5raZz8
- aes_key: arglobal
- antivm: false
- c2_url: https://pastebin.com/raw/CV5RHE9G
- delay: 3
- download_payload: false
- install: false
- install_name: Wservices.exe
- main_folder: Temp
- pin_spread: false
- sub_folder: \
- usb_spread: false
Extracted: limerat
- antivm: false
- c2_url: https://pastebin.com/raw/CV5RHE9G
- download_payload: false
- install: false
- pin_spread: false
- usb_spread: false
Signatures
- Drops startup file (1 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win32.url | 297051f6830b2eb05bc0df7fa7aaf531_JaffaCakes118.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 44 IoCs)
  flow | ioc
  ioc pastebin.com for flows 31, 40, 49, 51, 28, 29, 32, 35, 56, 58, 9, 25, 33, 62, 64, 63, 27, 37, 39, 48, 50, 61, 1, 5, 10, 36, 38, 41, 57, 2, 7, 11, 14, 53, 55, 54, 60, 68, 6, 8, 30, 34, 52, 59
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 1236 set thread context of 2412 | 1236 | 297051f6830b2eb05bc0df7fa7aaf531_JaffaCakes118.exe | 81
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1236 | 297051f6830b2eb05bc0df7fa7aaf531_JaffaCakes118.exe
  Token: SeDebugPrivilege | 2412 | RegAsm.exe
  Token: SeDebugPrivilege | 2412 | RegAsm.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 1236 wrote to memory of 2412 | 1236 | 297051f6830b2eb05bc0df7fa7aaf531_JaffaCakes118.exe | 81 (this row is reported 7 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\297051f6830b2eb05bc0df7fa7aaf531_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\297051f6830b2eb05bc0df7fa7aaf531_JaffaCakes118.exe"
  PID: 1236
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 2412
    - Suspicious use of AdjustPrivilegeToken