limerat | 4dda0e4e2597929c136fdbe763d1dd3899253f4188697ea555c71c5996029620

General

Target

2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe
Size

452KB
MD5

2ae2ff3322d02131f692ace1f71aac6d
SHA1

3c404c9bc2a1fdb546e74dca66e35f4742687679
SHA256

4dda0e4e2597929c136fdbe763d1dd3899253f4188697ea555c71c5996029620
SHA512

683e750d9fc6a9f32a45d680e1db634b3eb071b70b441fc5a1fe7fbc2d1f496d1d4676136d58e3e5458614f10eb4d80f80726eab589186b6b788b51d8190da53
SSDEEP

6144:4hEFvdiblx6L10wOq1MXuDGCdWJPAzu9Tjz4/ri3F5fGTeQD4K9yYC5IzrvsKeT:43Pq1uuD/uE+DfGCQDSZ5m+

Score

10^/10

limerat agilenet rat

Malware Config

Extracted

Family

limerat

Attributes

aes_key
jack
antivm
false
c2_url
https://pastebin.com/raw/YtyeDvFZ
delay
3
download_payload
false
install
false
install_name
Wservices.exe
main_folder
Temp
pin_spread
false
sub_folder
\
usb_spread
false

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/YtyeDvFZ
download_payload
false
install
false
pin_spread
false
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Drops startup file 1 IoCs

Processes:

cscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.Lnk cscript.exe
Loads dropped DLL 1 IoCs

Processes:

cscript.exe

pid process

2584 cscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.Lnk	cscript.exe

pid	process
2584	cscript.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/2988-3-0x0000000000570000-0x00000000005AC000-memory.dmp	agile_net

Legitimate hosting services abused for malware hosting/C2 1 TTPs 45 IoCs

Web Service

T1102

Processes:

flow	ioc
4	pastebin.com
20	pastebin.com
15	pastebin.com
30	pastebin.com
31	pastebin.com
33	pastebin.com
37	pastebin.com
48	pastebin.com
7	pastebin.com
11	pastebin.com
27	pastebin.com
29	pastebin.com
36	pastebin.com
16	pastebin.com
19	pastebin.com
17	pastebin.com
24	pastebin.com
38	pastebin.com
46	pastebin.com
5	pastebin.com
13	pastebin.com
32	pastebin.com
34	pastebin.com
40	pastebin.com
43	pastebin.com
9	pastebin.com
18	pastebin.com
21	pastebin.com
22	pastebin.com
25	pastebin.com
26	pastebin.com
39	pastebin.com
41	pastebin.com
8	pastebin.com
14	pastebin.com
44	pastebin.com
28	pastebin.com
12	pastebin.com
23	pastebin.com
35	pastebin.com
42	pastebin.com
45	pastebin.com
47	pastebin.com
6	pastebin.com
10	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe

description pid process target process

PID 2988 set thread context of 2892 2988 2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe

pid process

2988 2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 2892 RegAsm.exe
Token: SeDebugPrivilege 2892 RegAsm.exe

description	pid	process	target process
PID 2988 set thread context of 2892	2988	2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe	RegAsm.exe

pid	process
2988	2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2892	RegAsm.exe
Token: SeDebugPrivilege	2892	RegAsm.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe

description	pid	process	target process
PID 2988 wrote to memory of 2584	2988	2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe	cscript.exe
PID 2988 wrote to memory of 2584	2988	2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe	cscript.exe
PID 2988 wrote to memory of 2584	2988	2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe	cscript.exe
PID 2988 wrote to memory of 2584	2988	2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe	cscript.exe
PID 2988 wrote to memory of 2892	2988	2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe	RegAsm.exe
PID 2988 wrote to memory of 2892	2988	2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe	RegAsm.exe
PID 2988 wrote to memory of 2892	2988	2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe	RegAsm.exe
PID 2988 wrote to memory of 2892	2988	2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe	RegAsm.exe
PID 2988 wrote to memory of 2892	2988	2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe	RegAsm.exe
PID 2988 wrote to memory of 2892	2988	2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe	RegAsm.exe
PID 2988 wrote to memory of 2892	2988	2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe	RegAsm.exe
PID 2988 wrote to memory of 2892	2988	2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2988

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\System32\cscript.exe" //B //Nologo C:\Users\Admin\vbc.vbs
2⤵
- Drops startup file
- Loads dropped DLL
PID:2584

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\vbc.exe

Filesize
452KB

MD5
2ae2ff3322d02131f692ace1f71aac6d

SHA1
3c404c9bc2a1fdb546e74dca66e35f4742687679

SHA256
4dda0e4e2597929c136fdbe763d1dd3899253f4188697ea555c71c5996029620

SHA512
683e750d9fc6a9f32a45d680e1db634b3eb071b70b441fc5a1fe7fbc2d1f496d1d4676136d58e3e5458614f10eb4d80f80726eab589186b6b788b51d8190da53

Download Submit
C:\Users\Admin\vbc.vbs

Filesize
263B

MD5
e2fa162484a572ea7bb469e513bb2516

SHA1
57bdeadcaff9894cabfd5d4258bdeb929aa8e242

SHA256
128ba94c436c2308147c945e2321f1625cce2ac3726bdd67a64a75f3932276b7

SHA512
5ebaabdfe844de35b8889becb459930baebb996ae1f20992f12f5efea69d426abe5bc43b18fac6d51b1a6b6f4374e593485b09cdd97da8dbe2b244eb02294253

Download Submit
memory/2892-12-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2892-14-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2892-13-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2988-0-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

Filesize
4KB

Download
memory/2988-1-0x0000000000050000-0x00000000000C6000-memory.dmp

Filesize
472KB

Download
memory/2988-2-0x00000000004C0000-0x00000000004C8000-memory.dmp

Filesize
32KB

Download
memory/2988-3-0x0000000000570000-0x00000000005AC000-memory.dmp

Filesize
240KB

Download
memory/2988-4-0x0000000000510000-0x000000000051C000-memory.dmp

Filesize
48KB

Download
memory/2988-5-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download
memory/2988-15-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads