Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-05-2024 12:14
Static task: static1
Behavioral task: behavioral1
Sample: 3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe
Resource: win7-20240419-en
General
Target: 3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe
Size: 2.4MB
MD5: 3488b0c364c116f0649c40009a745ba8
SHA1: c3e4b049dc44aa1eee0d592f0da97f68317cb222
SHA256: 8e1aa0b81c431b07d9101bf00ebf8f80575faa99769dfd880ed6ab2c24f87ea3
SHA512: 82f645d849f19629fb252e89ceada9d480e97c7b4494e54fae9d3da61b5255e58b588ee547b19824ffdabeb664542f26e941c5d960affaeb04d76d5dec2417df
SSDEEP: 49152:6+gpjnooS1eyMRElV9VDDvRdV0CcCwtuJeL3:6Rso0NPVDZHwtAeL3
Malware Config

Extracted: limerat
aes_key: 1205
antivm: false
c2_url: https://pastebin.com/raw/iRjhpqQL
delay: 3
download_payload: false
install: false
install_name: Wservices.exe
main_folder: Temp
pin_spread: false
sub_folder: \
usb_spread: false

Extracted: limerat
antivm: false
c2_url: https://pastebin.com/raw/iRjhpqQL
download_payload: false
install: false
pin_spread: false
usb_spread: false
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | 3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe

Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dfsdgh.exe.lnk | 3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe

Executes dropped EXE (1 IoC)
pid | Process
2076 | svhost.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
flow | ioc
25 | pastebin.com
26 | pastebin.com

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 4856 set thread context of 2076 | 4856 | 3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe | 91

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (1 IoC)
pid | Process
2008 | timeout.exe

NTFS ADS (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\sdfg\dfsdgh.exe:Zone.Identifier | cmd.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid | Process
4856 | 3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe
4856 | 3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe
4856 | 3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe
4856 | 3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe
4856 | 3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4856 | 3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe
Token: 33 | 4856 | 3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege | 4856 | 3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe
Token: SeDebugPrivilege | 2076 | svhost.exe
Token: SeDebugPrivilege | 2076 | svhost.exe

Suspicious use of WriteProcessMemory (22 IoCs)
description | pid | Process | procid_target
PID 4856 wrote to memory of 1164 | 4856 | 3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe | 83
PID 4856 wrote to memory of 1164 | 4856 | 3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe | 83
PID 4856 wrote to memory of 1164 | 4856 | 3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe | 83
PID 4856 wrote to memory of 1088 | 4856 | 3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe | 86
PID 4856 wrote to memory of 1088 | 4856 | 3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe | 86
PID 4856 wrote to memory of 1088 | 4856 | 3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe | 86
PID 4856 wrote to memory of 1388 | 4856 | 3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe | 88
PID 4856 wrote to memory of 1388 | 4856 | 3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe | 88
PID 4856 wrote to memory of 1388 | 4856 | 3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe | 88
PID 4856 wrote to memory of 2076 | 4856 | 3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe | 91
PID 4856 wrote to memory of 2076 | 4856 | 3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe | 91
PID 4856 wrote to memory of 2076 | 4856 | 3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe | 91
PID 4856 wrote to memory of 2076 | 4856 | 3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe | 91
PID 4856 wrote to memory of 2076 | 4856 | 3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe | 91
PID 4856 wrote to memory of 2076 | 4856 | 3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe | 91
PID 4856 wrote to memory of 2076 | 4856 | 3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe | 91
PID 4856 wrote to memory of 2264 | 4856 | 3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe | 92
PID 4856 wrote to memory of 2264 | 4856 | 3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe | 92
PID 4856 wrote to memory of 2264 | 4856 | 3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe | 92
PID 2264 wrote to memory of 2008 | 2264 | cmd.exe | 94
PID 2264 wrote to memory of 2008 | 2264 | cmd.exe | 94
PID 2264 wrote to memory of 2008 | 2264 | cmd.exe | 94
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe"
    PID: 4856
    - Checks computer location settings
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Level 2: C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe" "%appdata%\sdfg\dfsdgh.exe" /Y
        PID: 1164

    Level 2: C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %appdata%\sdfg\dfsdgh.exe:Zone.Identifier
        PID: 1088
        - NTFS ADS

    Level 2: C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ren "%appdata%\sdfg\dfsdgh.exe.jpg" dfsdgh.exe
        PID: 1388

    Level 2: C:\Users\Admin\AppData\Local\Temp\svhost.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        PID: 2076
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken

    Level 2: C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\sdfg\dfsdgh.exe.bat
        PID: 2264
        - Suspicious use of WriteProcessMemory

        Level 3: C:\Windows\SysWOW64\timeout.exe
            Command line: timeout /t 300
            PID: 2008
            - Delays execution with timeout.exe
Downloads

Filesize: 256KB
MD5: 8fdf47e0ff70c40ed3a17014aeea4232
SHA1: e6256a0159688f0560b015da4d967f41cbf8c9bd
SHA256: ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82
SHA512: bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

Filesize: 2.4MB
MD5: 3488b0c364c116f0649c40009a745ba8
SHA1: c3e4b049dc44aa1eee0d592f0da97f68317cb222
SHA256: 8e1aa0b81c431b07d9101bf00ebf8f80575faa99769dfd880ed6ab2c24f87ea3
SHA512: 82f645d849f19629fb252e89ceada9d480e97c7b4494e54fae9d3da61b5255e58b588ee547b19824ffdabeb664542f26e941c5d960affaeb04d76d5dec2417df

Filesize: 200B
MD5: 249f71028fa2742d4a26ecf30e6b4eb8
SHA1: b2a07bd19cab5fd7be8ed0de7ac2934ce7cc3752
SHA256: ba381c05e6cd8083abe50136bec85ed088e140610fdac6f449e775e736bf163f
SHA512: 6ffe6ded3fe52811b15cbab8667c1a970b0391864dceec7051ee87f536619d81005ee7aa082051511f48274288ae5fbefc324603593350122bf507fb3a309ad4