Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    09-05-2024 16:37

General

  • Target

    2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe

  • Size

    452KB

  • MD5

    2ae2ff3322d02131f692ace1f71aac6d

  • SHA1

    3c404c9bc2a1fdb546e74dca66e35f4742687679

  • SHA256

    4dda0e4e2597929c136fdbe763d1dd3899253f4188697ea555c71c5996029620

  • SHA512

    683e750d9fc6a9f32a45d680e1db634b3eb071b70b441fc5a1fe7fbc2d1f496d1d4676136d58e3e5458614f10eb4d80f80726eab589186b6b788b51d8190da53

  • SSDEEP

    6144:4hEFvdiblx6L10wOq1MXuDGCdWJPAzu9Tjz4/ri3F5fGTeQD4K9yYC5IzrvsKeT:43Pq1uuD/uE+DfGCQDSZ5m+

Score
10/10

Malware Config

Extracted

Family

limerat

Attributes
  • aes_key

    jack

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/YtyeDvFZ

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Wservices.exe

  • main_folder

    Temp

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    false

Extracted

Family

limerat

Attributes
  • antivm

    false

  • c2_url

    https://pastebin.com/raw/YtyeDvFZ

  • download_payload

    false

  • install

    false

  • pin_spread

    false

  • usb_spread

    false

Signatures

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 45 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2988
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\System32\cscript.exe" //B //Nologo C:\Users\Admin\vbc.vbs
      2⤵
      • Drops startup file
      • Loads dropped DLL
      PID:2584
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2892

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\vbc.exe

    Filesize

    452KB

    MD5

    2ae2ff3322d02131f692ace1f71aac6d

    SHA1

    3c404c9bc2a1fdb546e74dca66e35f4742687679

    SHA256

    4dda0e4e2597929c136fdbe763d1dd3899253f4188697ea555c71c5996029620

    SHA512

    683e750d9fc6a9f32a45d680e1db634b3eb071b70b441fc5a1fe7fbc2d1f496d1d4676136d58e3e5458614f10eb4d80f80726eab589186b6b788b51d8190da53

  • C:\Users\Admin\vbc.vbs

    Filesize

    263B

    MD5

    e2fa162484a572ea7bb469e513bb2516

    SHA1

    57bdeadcaff9894cabfd5d4258bdeb929aa8e242

    SHA256

    128ba94c436c2308147c945e2321f1625cce2ac3726bdd67a64a75f3932276b7

    SHA512

    5ebaabdfe844de35b8889becb459930baebb996ae1f20992f12f5efea69d426abe5bc43b18fac6d51b1a6b6f4374e593485b09cdd97da8dbe2b244eb02294253

  • memory/2892-12-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2892-14-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2892-13-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2988-0-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

    Filesize

    4KB

  • memory/2988-1-0x0000000000050000-0x00000000000C6000-memory.dmp

    Filesize

    472KB

  • memory/2988-2-0x00000000004C0000-0x00000000004C8000-memory.dmp

    Filesize

    32KB

  • memory/2988-3-0x0000000000570000-0x00000000005AC000-memory.dmp

    Filesize

    240KB

  • memory/2988-4-0x0000000000510000-0x000000000051C000-memory.dmp

    Filesize

    48KB

  • memory/2988-5-0x0000000074B20000-0x000000007520E000-memory.dmp

    Filesize

    6.9MB

  • memory/2988-15-0x0000000074B20000-0x000000007520E000-memory.dmp

    Filesize

    6.9MB