General
-
Target
2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118
-
Size
452KB
-
Sample
240509-t4tqkabf81
-
MD5
2ae2ff3322d02131f692ace1f71aac6d
-
SHA1
3c404c9bc2a1fdb546e74dca66e35f4742687679
-
SHA256
4dda0e4e2597929c136fdbe763d1dd3899253f4188697ea555c71c5996029620
-
SHA512
683e750d9fc6a9f32a45d680e1db634b3eb071b70b441fc5a1fe7fbc2d1f496d1d4676136d58e3e5458614f10eb4d80f80726eab589186b6b788b51d8190da53
-
SSDEEP
6144:4hEFvdiblx6L10wOq1MXuDGCdWJPAzu9Tjz4/ri3F5fGTeQD4K9yYC5IzrvsKeT:43Pq1uuD/uE+DfGCQDSZ5m+
Malware Config
Extracted
limerat
-
aes_key
jack
-
antivm
false
-
c2_url
https://pastebin.com/raw/YtyeDvFZ
-
delay
3
-
download_payload
false
-
install
false
-
install_name
Wservices.exe
-
main_folder
Temp
-
pin_spread
false
-
sub_folder
\
-
usb_spread
false
Extracted
limerat
-
antivm
false
-
c2_url
https://pastebin.com/raw/YtyeDvFZ
-
download_payload
false
-
install
false
-
pin_spread
false
-
usb_spread
false
Targets
-
-
Target
2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118
-
Size
452KB
-
MD5
2ae2ff3322d02131f692ace1f71aac6d
-
SHA1
3c404c9bc2a1fdb546e74dca66e35f4742687679
-
SHA256
4dda0e4e2597929c136fdbe763d1dd3899253f4188697ea555c71c5996029620
-
SHA512
683e750d9fc6a9f32a45d680e1db634b3eb071b70b441fc5a1fe7fbc2d1f496d1d4676136d58e3e5458614f10eb4d80f80726eab589186b6b788b51d8190da53
-
SSDEEP
6144:4hEFvdiblx6L10wOq1MXuDGCdWJPAzu9Tjz4/ri3F5fGTeQD4K9yYC5IzrvsKeT:43Pq1uuD/uE+DfGCQDSZ5m+
Score10/10-
LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-