General
Target: 4ad1b0398bc3a371a82923383de2d0a4_JaffaCakes118
Size: 7.4MB
Sample: 240516-ngrd2aaa7y
MD5: 4ad1b0398bc3a371a82923383de2d0a4
SHA1: 9f977029800b4328dc752741156a6a0e5f6fa109
SHA256: 2877bf056524695a30300cc6f5469202538727e8003ea14e8d13480a59600171
SHA512: 469300fef819aebfe9dbeacf05f60eb509e31abaef0f596575107c69fbe56f0a95ac92135256e98c21c2e2c027fe2d12e1a5d8c402b59a758fea42fba671618b
SSDEEP: 98304:Zg560g56dJ0MpqXQg56Mx6rAVQ2QBPAUoU9H0YCg56L8uQhHrqrkjp:a5M5QpU5fvQxAUf9HXp5+hQHrdl
Static task: static1
Behavioral task: behavioral1
Sample: 4ad1b0398bc3a371a82923383de2d0a4_JaffaCakes118.exe
Resource: win7-20240508-en
Malware Config

Extracted: remcos
1.7 Pro
Host: seasons444.ddns.net:8128
audio_folder: audio
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 5
copy_file: remcos.exe
copy_folder: remcos
delete_file: false
hide_file: false
hide_keylog_file: true
install_flag: false
install_path: %AppData%
keylog_crypt: true
keylog_file: logs.dat
keylog_flag: false
keylog_folder: window
keylog_path: %AppData%
mouse_option: false
mutex: Office_vgqkluqlnw
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screens
screenshot_path: %AppData%
screenshot_time: 1
startup_value: remcos
take_screenshot_option: false
take_screenshot_time: 5
Extracted: sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Extracted: limerat
1BVfdhbuDbDuMXWErhTv8XwgwYP1K34oTD
aes_key: MAXS20
antivm: false
c2_url: https://pastebin.com/raw/vnPLhhBH
delay: 3
download_payload: false
install: false
install_name: Wservices.exe
main_folder: AppData
pin_spread: false
sub_folder: \
usb_spread: false
Extracted: limerat
antivm: false
c2_url: https://pastebin.com/raw/vnPLhhBH
download_payload: false
install: false
pin_spread: false
usb_spread: false
Extracted: warzonerat
cornerload.dynu.net:5500
Targets
Target: 4ad1b0398bc3a371a82923383de2d0a4_JaffaCakes118 (7.4MB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
- Modifies firewall policy service
- WarzoneRat, AveMaria: WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzone RAT payload
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- AutoIT Executable: AutoIT scripts compiled to PE executables.
- Drops autorun.inf file: Malware can abuse Windows Autorun to spread further via attached volumes.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (3)