Analysis
-
max time kernel
145s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted
16-05-2024 19:51
Static task
static1
Behavioral task
behavioral1
Sample
4cc6941db410630d3d300a6093932339_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
4cc6941db410630d3d300a6093932339_JaffaCakes118.exe
-
Size
1.1MB
-
MD5
4cc6941db410630d3d300a6093932339
-
SHA1
eeaa0601427db44c13f687ae4570f6d77fd4a151
-
SHA256
5209bba177a2075a6c5b1d65906344208405d997f9cab2371b47276d020df858
-
SHA512
21208a11a199809cad1dcf53a59d828a21d0e976e41810e9c27fb281b60476ee70cdf7da560c15d4ff715e36c711ac26153122841a45be9cc6fccd0b3c63bc3a
-
SSDEEP
24576:4AHnh+eWsN3skA4RV1Hom2KXMmHa97aWtjzjFtuM25M:/h+ZkldoPK8Ya971XjFtAM
Malware Config
Extracted
limerat
1JBKLGyE6AnRGvk92A8x3m8qmXfh3fcEty
-
aes_key
nulled
-
antivm
true
-
c2_url
https://pastebin.com/raw/cXuQ0V20
-
delay
3
-
download_payload
false
-
install
false
-
install_name
Winservices.exe
-
main_folder
AppData
-
pin_spread
false
-
sub_folder
\
-
usb_spread
true
Extracted
limerat
-
antivm
false
-
c2_url
https://pastebin.com/raw/cXuQ0V20
-
download_payload
false
-
install
false
-
pin_spread
false
-
usb_spread
false
Signatures
-
Executes dropped EXE 2 IoCs
pid    Process
860    sdchange.exe
1836   sdchange.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow   ioc
4      pastebin.com
5      pastebin.com
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description         ioc                                                          Process
Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     RegAsm.exe
Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   RegAsm.exe
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource                                      yara_rule
behavioral1/files/0x00390000000167ef-13.dat   autoit_exe
-
Suspicious use of SetThreadContext 3 IoCs
description                           pid    Process                                              procid_target
PID 1932 set thread context of 2488   1932   4cc6941db410630d3d300a6093932339_JaffaCakes118.exe   28
PID 860 set thread context of 1228    860    sdchange.exe                                         36
PID 1836 set thread context of 1488   1836   sdchange.exe                                         40
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid    Process
1584   schtasks.exe
2284   schtasks.exe
1916   schtasks.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description               pid    Process
Token: SeDebugPrivilege   2488   RegAsm.exe
Token: SeDebugPrivilege   2488   RegAsm.exe
-
Suspicious use of WriteProcessMemory 47 IoCs
(47 rows in the sandbox output; identical rows are collapsed and "rows" gives how many times each one appears)
description                        pid    Process                                              procid_target   rows
PID 1932 wrote to memory of 2488   1932   4cc6941db410630d3d300a6093932339_JaffaCakes118.exe   28              9
PID 1932 wrote to memory of 2284   1932   4cc6941db410630d3d300a6093932339_JaffaCakes118.exe   29              4
PID 584 wrote to memory of 860     584    taskeng.exe                                          35              4
PID 860 wrote to memory of 1228    860    sdchange.exe                                         36              9
PID 860 wrote to memory of 1916    860    sdchange.exe                                         37              4
PID 584 wrote to memory of 1836    584    taskeng.exe                                          39              4
PID 1836 wrote to memory of 1488   1836   sdchange.exe                                         40              9
PID 1836 wrote to memory of 1584   1836   sdchange.exe                                         41              4
-
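Read together, the SetThreadContext and WriteProcessMemory signatures above are the classic process-hollowing pattern: each stage (the sample, then the two sdchange.exe copies launched from the scheduled task) starts RegAsm.exe from the .NET 2.0 framework directory with no arguments, writes into it, and then replaces a thread context so execution continues in what was written. The Python below is an added example, not part of the sandbox or this report: it parses rows in the report's own flattened signature format and reports every (source, target) pair that shows both operations. SIGNATURE_ROWS is copied from the tables above with repeated write rows de-duplicated, and PROCESS_IMAGES is the pid-to-image map taken from the process tree further down.

```python
import re
from collections import defaultdict

# Rows in the report's own flattened signature format, copied from the
# "Suspicious use of WriteProcessMemory" and "Suspicious use of
# SetThreadContext" tables above. The sandbox repeats each write row several
# times (nine per RegAsm.exe target); only one copy of each is kept here.
SIGNATURE_ROWS = """
PID 1932 wrote to memory of 2488 1932 4cc6941db410630d3d300a6093932339_JaffaCakes118.exe 28
PID 1932 wrote to memory of 2284 1932 4cc6941db410630d3d300a6093932339_JaffaCakes118.exe 29
PID 584 wrote to memory of 860 584 taskeng.exe 35
PID 860 wrote to memory of 1228 860 sdchange.exe 36
PID 860 wrote to memory of 1916 860 sdchange.exe 37
PID 584 wrote to memory of 1836 584 taskeng.exe 39
PID 1836 wrote to memory of 1488 1836 sdchange.exe 40
PID 1836 wrote to memory of 1584 1836 sdchange.exe 41
PID 1932 set thread context of 2488 1932 4cc6941db410630d3d300a6093932339_JaffaCakes118.exe 28
PID 860 set thread context of 1228 860 sdchange.exe 36
PID 1836 set thread context of 1488 1836 sdchange.exe 40
"""

# pid -> image name, taken from the report's process tree.
PROCESS_IMAGES = {
    1932: "4cc6941db410630d3d300a6093932339_JaffaCakes118.exe",
    2488: "RegAsm.exe", 2284: "schtasks.exe",
    584: "taskeng.exe",
    860: "sdchange.exe", 1228: "RegAsm.exe", 1916: "schtasks.exe",
    1836: "sdchange.exe", 1488: "RegAsm.exe", 1584: "schtasks.exe",
}

# Row layout: "PID <src> <op> <dst> <src again> <src image> <procid_target>"
ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_image>\S+) \d+$"
)

WRITE = "wrote to memory of"
SET_CTX = "set thread context of"


def parse_rows(text):
    """Turn the flattened rows into (src_pid, op, dst_pid, src_image) tuples."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append((int(m["src"]), m["op"], int(m["dst"]), m["src_image"]))
    return events


def hollowing_candidates(events, images):
    """Return (src_pid, src_image, dst_pid, dst_image) for every pair where the
    same source both wrote into the target and replaced a thread context in it.
    A write on its own is what an ordinary process launch looks like in this
    telemetry, so writes without a matching SetThreadContext are not reported."""
    ops = defaultdict(set)
    src_image = {}
    for src, op, dst, image in events:
        ops[(src, dst)].add(op)
        src_image[src] = image
    found = []
    for (src, dst), seen in sorted(ops.items()):
        if WRITE in seen and SET_CTX in seen:
            found.append((src, src_image[src], dst, images.get(dst, "?")))
    return found


if __name__ == "__main__":
    for src, src_img, dst, dst_img in hollowing_candidates(parse_rows(SIGNATURE_ROWS), PROCESS_IMAGES):
        print(f"{src_img} ({src}) -> {dst_img} ({dst}): WriteProcessMemory + SetThreadContext")
```

The pairs taskeng.exe -> sdchange.exe and each parent -> schtasks.exe show writes only, which is how a plain CreateProcess appears in this telemetry; requiring both operations against the same target is what separates the three RegAsm.exe injections from ordinary child creation. On a real endpoint the same correlation would be run on Sysmon or EDR events rather than on report rows, and a signed .NET utility started with an empty command line and then written to by an unsigned parent is a strong hunt query on its own.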
Processes
-
C:\Users\Admin\AppData\Local\Temp\4cc6941db410630d3d300a6093932339_JaffaCakes118.exe  (PID 1932)
  command line: "C:\Users\Admin\AppData\Local\Temp\4cc6941db410630d3d300a6093932339_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  (PID 2488)
  |     command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  |     - Maps connected drives based on registry
  |     - Suspicious use of AdjustPrivilegeToken
  |
  +-- C:\Windows\SysWOW64\schtasks.exe  (PID 2284)
        command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F
        - Creates scheduled task(s)

C:\Windows\system32\taskeng.exe  (PID 584)
  command line: taskeng.exe {BA72EEC5-06E6-4947-9E5B-ED3914FA2A6D} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Users\Admin\secinit\sdchange.exe  (PID 860)
  |     command line: C:\Users\Admin\secinit\sdchange.exe
  |     - Executes dropped EXE
  |     - Suspicious use of SetThreadContext
  |     - Suspicious use of WriteProcessMemory
  |     |
  |     +-- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  (PID 1228)
  |     |     command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  |     |
  |     +-- C:\Windows\SysWOW64\schtasks.exe  (PID 1916)
  |           command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F
  |           - Creates scheduled task(s)
  |
  +-- C:\Users\Admin\secinit\sdchange.exe  (PID 1836)
        command line: C:\Users\Admin\secinit\sdchange.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  (PID 1488)
        |     command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        |
        +-- C:\Windows\SysWOW64\schtasks.exe  (PID 1584)
              command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F
              - Creates scheduled task(s)
-
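All three schtasks.exe invocations in the tree are the same command: a task named SettingSyncHost that re-runs C:\Users\Admin\secinit\sdchange.exe every minute, created with /F so that every re-run silently recreates the task. That is why taskeng.exe keeps spawning fresh sdchange.exe copies (PIDs 860 and 1836) within the 145-second run. The Python below is an added example, not part of the report or the sandbox, showing how a detection would tokenize a `schtasks /create` command line and score it; it generalizes beyond this sample to any minute-interval task and any user-writable action path. LIMERAT_TASK is the report's own command line; BENIGN_TASK and APPDATA_TASK are constructed controls, and USER_WRITABLE and INTERVAL_MINUTES_MAX are tuning assumptions rather than anything the report states.

```python
import re

# The task exactly as it appears three times in the report's process tree.
LIMERAT_TASK = (
    r'"C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost '
    r'/tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F'
)
# Constructed controls (not from the report): one ordinary installer-style task
# and one that re-runs a binary from %APPDATA% every five minutes.
BENIGN_TASK = (
    r'schtasks.exe /create /tn NightlyBackup '
    r'/tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00'
)
APPDATA_TASK = r'schtasks.exe /create /tn Updater /tr "%APPDATA%\upd\upd.exe" /sc minute /mo 5'

TOKEN_RE = re.compile(r'"[^"]*"|\S+')
# /create switches that take no value (see `schtasks /create /?`).
VALUELESS = {"/f", "/z", "/np", "/it", "/v1"}
# Prefixes an unprivileged user can write to. Tuning assumption, not a rule from the report.
USER_WRITABLE = re.compile(r"^(?:[a-z]:\\users\\|%(?:appdata|localappdata|temp|tmp|userprofile)%)", re.I)
# A /sc minute task at or below this interval is treated as a watchdog-style re-launch (assumption).
INTERVAL_MINUTES_MAX = 5


def parse_schtasks(cmdline):
    """Tokenize a schtasks command line into {switch: value-or-True}; quoted values keep their spaces."""
    tokens = TOKEN_RE.findall(cmdline)
    args = {}
    i = 1  # tokens[0] is the schtasks image itself
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("/"):
            i += 1
            continue
        key = tok.lower()
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if key in VALUELESS or nxt is None or nxt.startswith("/"):
            args[key] = True
            i += 1
        else:
            args[key] = nxt.strip('"')
            i += 2
    return args


def score_task(cmdline):
    """Return the reasons a `schtasks /create` line looks like malware persistence (empty if none)."""
    args = parse_schtasks(cmdline)
    if "/create" not in args:
        return []
    reasons = []
    action = args.get("/tr", "")
    if isinstance(action, str) and USER_WRITABLE.match(action):
        reasons.append(f"action runs from a user-writable path: {action}")
    if str(args.get("/sc", "")).lower() == "minute":
        mo = str(args.get("/mo", "1"))
        every = int(mo) if mo.isdigit() else 1  # schtasks defaults /mo to 1
        if every <= INTERVAL_MINUTES_MAX:
            reasons.append(f"re-launches every {every} minute(s)")
    if "/f" in args:
        reasons.append("/F silently replaces any existing task with this name")
    return reasons


if __name__ == "__main__":
    for line in (LIMERAT_TASK, BENIGN_TASK, APPDATA_TASK):
        print(parse_schtasks(line).get("/tn"), "->", score_task(line) or "no findings")
```

The report's line trips all three checks; the constructed %APPDATA% task trips two and the daily Program Files task none. In production the same parser would be fed the command line from a process-creation event (Sysmon event 1 or Security 4688) with schtasks.exe as the image, and the verdict would additionally weigh the parent: here the creator is the sample itself and then its own dropped copy, never an installer.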
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1.1MB
-
MD5
f655537f8ea21f797a1e917715b12b88
-
SHA1
62bf7a87552c8f702f3a3e10f6cb62d414c70cf7
-
SHA256
1316e4d936b5bed9f0973ab963b18af71a186f7f5e4682051c234268c13d764e
-
SHA512
b1c3c79432d8ee769d2cfef8b6ec3610d3566a060344878af47c9ef15de7bba1e73a39e1c704747f5676e08823490a13c1e39def27d0404f09e7669567090004