limerat | 4dda0e4e2597929c136fdbe763d1dd3899253f4188697ea555c71c5996029620

General

Target

2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe
Size

452KB
MD5

2ae2ff3322d02131f692ace1f71aac6d
SHA1

3c404c9bc2a1fdb546e74dca66e35f4742687679
SHA256

4dda0e4e2597929c136fdbe763d1dd3899253f4188697ea555c71c5996029620
SHA512

683e750d9fc6a9f32a45d680e1db634b3eb071b70b441fc5a1fe7fbc2d1f496d1d4676136d58e3e5458614f10eb4d80f80726eab589186b6b788b51d8190da53
SSDEEP

6144:4hEFvdiblx6L10wOq1MXuDGCdWJPAzu9Tjz4/ri3F5fGTeQD4K9yYC5IzrvsKeT:43Pq1uuD/uE+DfGCQDSZ5m+

Score

10^/10

limerat agilenet rat

Malware Config

Extracted

Family

limerat

Attributes

aes_key
jack
antivm
false
c2_url
https://pastebin.com/raw/YtyeDvFZ
delay
3
download_payload
false
install
false
install_name
Wservices.exe
main_folder
Temp
pin_spread
false
sub_folder
\
usb_spread
false

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/YtyeDvFZ
download_payload
false
install
false
pin_spread
false
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe

Drops startup file 1 IoCs

Processes:

cscript.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.Lnk	cscript.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/4172-3-0x0000000004BB0000-0x0000000004BEC000-memory.dmp	agile_net

Legitimate hosting services abused for malware hosting/C2 1 TTPs 49 IoCs

Web Service

T1102

Processes:

flow	ioc
4	pastebin.com
60	pastebin.com
62	pastebin.com
2	pastebin.com
21	pastebin.com
50	pastebin.com
73	pastebin.com
58	pastebin.com
26	pastebin.com
32	pastebin.com
39	pastebin.com
68	pastebin.com
53	pastebin.com
54	pastebin.com
1	pastebin.com
25	pastebin.com
33	pastebin.com
57	pastebin.com
63	pastebin.com
71	pastebin.com
5	pastebin.com
30	pastebin.com
37	pastebin.com
55	pastebin.com
69	pastebin.com
36	pastebin.com
66	pastebin.com
67	pastebin.com
28	pastebin.com
34	pastebin.com
41	pastebin.com
65	pastebin.com
70	pastebin.com
59	pastebin.com
7	pastebin.com
29	pastebin.com
56	pastebin.com
64	pastebin.com
72	pastebin.com
27	pastebin.com
31	pastebin.com
42	pastebin.com
61	pastebin.com
6	pastebin.com
43	pastebin.com
38	pastebin.com
44	pastebin.com
35	pastebin.com
40	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe

description	pid	Process	procid_target
PID 4172 set thread context of 3348	4172	2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe	83

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe

pid	Process
4172	2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RegAsm.exe

description	pid	Process
Token: SeDebugPrivilege	3348	RegAsm.exe
Token: SeDebugPrivilege	3348	RegAsm.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe

description	pid	Process	procid_target
PID 4172 wrote to memory of 1652	4172	2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe	81
PID 4172 wrote to memory of 1652	4172	2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe	81
PID 4172 wrote to memory of 1652	4172	2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe	81
PID 4172 wrote to memory of 3348	4172	2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe	83
PID 4172 wrote to memory of 3348	4172	2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe	83
PID 4172 wrote to memory of 3348	4172	2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe	83
PID 4172 wrote to memory of 3348	4172	2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\System32\cscript.exe" //B //Nologo C:\Users\Admin\vbc.vbs
  2⤵
  - Drops startup file
  PID:1652
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\vbc.exe

Filesize
452KB

MD5
2ae2ff3322d02131f692ace1f71aac6d

SHA1
3c404c9bc2a1fdb546e74dca66e35f4742687679

SHA256
4dda0e4e2597929c136fdbe763d1dd3899253f4188697ea555c71c5996029620

SHA512
683e750d9fc6a9f32a45d680e1db634b3eb071b70b441fc5a1fe7fbc2d1f496d1d4676136d58e3e5458614f10eb4d80f80726eab589186b6b788b51d8190da53

Download Submit
C:\Users\Admin\vbc.vbs

Filesize
263B

MD5
e2fa162484a572ea7bb469e513bb2516

SHA1
57bdeadcaff9894cabfd5d4258bdeb929aa8e242

SHA256
128ba94c436c2308147c945e2321f1625cce2ac3726bdd67a64a75f3932276b7

SHA512
5ebaabdfe844de35b8889becb459930baebb996ae1f20992f12f5efea69d426abe5bc43b18fac6d51b1a6b6f4374e593485b09cdd97da8dbe2b244eb02294253

Download Submit
memory/3348-16-0x0000000070C90000-0x0000000071241000-memory.dmp

Filesize
5.7MB

Download
memory/3348-14-0x0000000070C92000-0x0000000070C93000-memory.dmp

Filesize
4KB

Download
memory/3348-19-0x0000000070C90000-0x0000000071241000-memory.dmp

Filesize
5.7MB

Download
memory/3348-18-0x0000000070C90000-0x0000000071241000-memory.dmp

Filesize
5.7MB

Download
memory/3348-17-0x0000000070C92000-0x0000000070C93000-memory.dmp

Filesize
4KB

Download
memory/3348-15-0x0000000070C90000-0x0000000071241000-memory.dmp

Filesize
5.7MB

Download
memory/3348-11-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4172-13-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/4172-3-0x0000000004BB0000-0x0000000004BEC000-memory.dmp

Filesize
240KB

Download
memory/4172-1-0x0000000000240000-0x00000000002B6000-memory.dmp

Filesize
472KB

Download
memory/4172-0-0x000000007509E000-0x000000007509F000-memory.dmp

Filesize
4KB

Download
memory/4172-2-0x0000000002700000-0x0000000002708000-memory.dmp

Filesize
32KB

Download
memory/4172-5-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/4172-4-0x0000000002750000-0x000000000275C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads