limerat | cc30b16e466aeaab0d08eb9452ae46b4a3317deb826ef22898e62f5ef0e5a598

General

Target

4ec653326e753fa16d200e7fea2a4bf4_JaffaCakes118.exe
Size

1.1MB
MD5

4ec653326e753fa16d200e7fea2a4bf4
SHA1

9dedafd15ce239570c762090589742c4d88894c6
SHA256

cc30b16e466aeaab0d08eb9452ae46b4a3317deb826ef22898e62f5ef0e5a598
SHA512

c2639981259d120aca8a178ddab260745ddf0f3d6259fc14745a92f12a27f58a8a2e55178cd554418b43455c1fb4bb3811297bbdcdedb78da21f82b915e8b943
SSDEEP

24576:4AHnh+eWsN3skA4RV1Hom2KXMmHa97aWtjzjFtuM25E:/h+ZkldoPK8Ya971XjFtAE

Score

10^/10

limerat rat

Malware Config

Extracted

Family

limerat

Wallets

1JBKLGyE6AnRGvk92A8x3m8qmXfh3fcEty

Attributes

aes_key
nulled
antivm
true
c2_url
https://pastebin.com/raw/cXuQ0V20
delay
3
download_payload
false
install
false
install_name
Winservices.exe
main_folder
AppData
pin_spread
false
sub_folder
\
usb_spread
true

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/cXuQ0V20
download_payload
false
install
false
pin_spread
false
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Executes dropped EXE 3 IoCs

Processes:

sdchange.exesdchange.exesdchange.exe

pid process

2492 sdchange.exe
604 sdchange.exe
3052 sdchange.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

2 pastebin.com
3 pastebin.com

pid	process
2492	sdchange.exe
604	sdchange.exe
3052	sdchange.exe

flow	ioc
2	pastebin.com
3	pastebin.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	RegAsm.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\secinit\sdchange.exe	autoit_exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

4ec653326e753fa16d200e7fea2a4bf4_JaffaCakes118.exesdchange.exesdchange.exesdchange.exe

description	pid	process	target process
PID 2128 set thread context of 1692	2128	4ec653326e753fa16d200e7fea2a4bf4_JaffaCakes118.exe	RegAsm.exe
PID 2492 set thread context of 1244	2492	sdchange.exe	RegAsm.exe
PID 604 set thread context of 1652	604	sdchange.exe	RegAsm.exe
PID 3052 set thread context of 2368	3052	sdchange.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1532 schtasks.exe
1048 schtasks.exe
2012 schtasks.exe
904 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 1692 RegAsm.exe
Token: SeDebugPrivilege 1692 RegAsm.exe

pid	process
1532	schtasks.exe
1048	schtasks.exe
2012	schtasks.exe
904	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1692	RegAsm.exe
Token: SeDebugPrivilege	1692	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4ec653326e753fa16d200e7fea2a4bf4_JaffaCakes118.exetaskeng.exesdchange.exesdchange.exesdchange.exe

description	pid	process	target process
PID 2128 wrote to memory of 1692	2128	4ec653326e753fa16d200e7fea2a4bf4_JaffaCakes118.exe	RegAsm.exe
PID 2128 wrote to memory of 1692	2128	4ec653326e753fa16d200e7fea2a4bf4_JaffaCakes118.exe	RegAsm.exe
PID 2128 wrote to memory of 1692	2128	4ec653326e753fa16d200e7fea2a4bf4_JaffaCakes118.exe	RegAsm.exe
PID 2128 wrote to memory of 1692	2128	4ec653326e753fa16d200e7fea2a4bf4_JaffaCakes118.exe	RegAsm.exe
PID 2128 wrote to memory of 1692	2128	4ec653326e753fa16d200e7fea2a4bf4_JaffaCakes118.exe	RegAsm.exe
PID 2128 wrote to memory of 1692	2128	4ec653326e753fa16d200e7fea2a4bf4_JaffaCakes118.exe	RegAsm.exe
PID 2128 wrote to memory of 1692	2128	4ec653326e753fa16d200e7fea2a4bf4_JaffaCakes118.exe	RegAsm.exe
PID 2128 wrote to memory of 1692	2128	4ec653326e753fa16d200e7fea2a4bf4_JaffaCakes118.exe	RegAsm.exe
PID 2128 wrote to memory of 1692	2128	4ec653326e753fa16d200e7fea2a4bf4_JaffaCakes118.exe	RegAsm.exe
PID 2128 wrote to memory of 1532	2128	4ec653326e753fa16d200e7fea2a4bf4_JaffaCakes118.exe	schtasks.exe
PID 2128 wrote to memory of 1532	2128	4ec653326e753fa16d200e7fea2a4bf4_JaffaCakes118.exe	schtasks.exe
PID 2128 wrote to memory of 1532	2128	4ec653326e753fa16d200e7fea2a4bf4_JaffaCakes118.exe	schtasks.exe
PID 2128 wrote to memory of 1532	2128	4ec653326e753fa16d200e7fea2a4bf4_JaffaCakes118.exe	schtasks.exe
PID 2724 wrote to memory of 2492	2724	taskeng.exe	sdchange.exe
PID 2724 wrote to memory of 2492	2724	taskeng.exe	sdchange.exe
PID 2724 wrote to memory of 2492	2724	taskeng.exe	sdchange.exe
PID 2724 wrote to memory of 2492	2724	taskeng.exe	sdchange.exe
PID 2492 wrote to memory of 1244	2492	sdchange.exe	RegAsm.exe
PID 2492 wrote to memory of 1244	2492	sdchange.exe	RegAsm.exe
PID 2492 wrote to memory of 1244	2492	sdchange.exe	RegAsm.exe
PID 2492 wrote to memory of 1244	2492	sdchange.exe	RegAsm.exe
PID 2492 wrote to memory of 1244	2492	sdchange.exe	RegAsm.exe
PID 2492 wrote to memory of 1244	2492	sdchange.exe	RegAsm.exe
PID 2492 wrote to memory of 1244	2492	sdchange.exe	RegAsm.exe
PID 2492 wrote to memory of 1244	2492	sdchange.exe	RegAsm.exe
PID 2492 wrote to memory of 1244	2492	sdchange.exe	RegAsm.exe
PID 2492 wrote to memory of 1048	2492	sdchange.exe	schtasks.exe
PID 2492 wrote to memory of 1048	2492	sdchange.exe	schtasks.exe
PID 2492 wrote to memory of 1048	2492	sdchange.exe	schtasks.exe
PID 2492 wrote to memory of 1048	2492	sdchange.exe	schtasks.exe
PID 2724 wrote to memory of 604	2724	taskeng.exe	sdchange.exe
PID 2724 wrote to memory of 604	2724	taskeng.exe	sdchange.exe
PID 2724 wrote to memory of 604	2724	taskeng.exe	sdchange.exe
PID 2724 wrote to memory of 604	2724	taskeng.exe	sdchange.exe
PID 604 wrote to memory of 1652	604	sdchange.exe	RegAsm.exe
PID 604 wrote to memory of 1652	604	sdchange.exe	RegAsm.exe
PID 604 wrote to memory of 1652	604	sdchange.exe	RegAsm.exe
PID 604 wrote to memory of 1652	604	sdchange.exe	RegAsm.exe
PID 604 wrote to memory of 1652	604	sdchange.exe	RegAsm.exe
PID 604 wrote to memory of 1652	604	sdchange.exe	RegAsm.exe
PID 604 wrote to memory of 1652	604	sdchange.exe	RegAsm.exe
PID 604 wrote to memory of 1652	604	sdchange.exe	RegAsm.exe
PID 604 wrote to memory of 1652	604	sdchange.exe	RegAsm.exe
PID 604 wrote to memory of 2012	604	sdchange.exe	schtasks.exe
PID 604 wrote to memory of 2012	604	sdchange.exe	schtasks.exe
PID 604 wrote to memory of 2012	604	sdchange.exe	schtasks.exe
PID 604 wrote to memory of 2012	604	sdchange.exe	schtasks.exe
PID 2724 wrote to memory of 3052	2724	taskeng.exe	sdchange.exe
PID 2724 wrote to memory of 3052	2724	taskeng.exe	sdchange.exe
PID 2724 wrote to memory of 3052	2724	taskeng.exe	sdchange.exe
PID 2724 wrote to memory of 3052	2724	taskeng.exe	sdchange.exe
PID 3052 wrote to memory of 2368	3052	sdchange.exe	RegAsm.exe
PID 3052 wrote to memory of 2368	3052	sdchange.exe	RegAsm.exe
PID 3052 wrote to memory of 2368	3052	sdchange.exe	RegAsm.exe
PID 3052 wrote to memory of 2368	3052	sdchange.exe	RegAsm.exe
PID 3052 wrote to memory of 2368	3052	sdchange.exe	RegAsm.exe
PID 3052 wrote to memory of 2368	3052	sdchange.exe	RegAsm.exe
PID 3052 wrote to memory of 2368	3052	sdchange.exe	RegAsm.exe
PID 3052 wrote to memory of 2368	3052	sdchange.exe	RegAsm.exe
PID 3052 wrote to memory of 2368	3052	sdchange.exe	RegAsm.exe
PID 3052 wrote to memory of 904	3052	sdchange.exe	schtasks.exe
PID 3052 wrote to memory of 904	3052	sdchange.exe	schtasks.exe
PID 3052 wrote to memory of 904	3052	sdchange.exe	schtasks.exe
PID 3052 wrote to memory of 904	3052	sdchange.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\4ec653326e753fa16d200e7fea2a4bf4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4ec653326e753fa16d200e7fea2a4bf4_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Maps connected drives based on registry
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:1532

C:\Windows\system32\taskeng.exe
taskeng.exe {A91154B3-3E28-4E6C-86ED-AF1522B672B2} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Users\Admin\secinit\sdchange.exe
  C:\Users\Admin\secinit\sdchange.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    PID:1244
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F
    3⤵
    - Creates scheduled task(s)
    PID:1048
- C:\Users\Admin\secinit\sdchange.exe
  C:\Users\Admin\secinit\sdchange.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:604
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F
    3⤵
    - Creates scheduled task(s)
    PID:2012
- C:\Users\Admin\secinit\sdchange.exe
  C:\Users\Admin\secinit\sdchange.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F
    3⤵
    - Creates scheduled task(s)
    PID:904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\secinit\sdchange.exe

Filesize
1.1MB

MD5
76a6064229ba6927ab7060bfe57a6262

SHA1
0c0c7c0cbac7de1bb0a0f35a6fb20f487630b051

SHA256
2017564f8d85925f272a19795f4c601fb1a5c40965fb64707affb7bf5d91cfcb

SHA512
9596d6e1741503c6a78b506ab39a9ee7c105bf79fe51b8c8d8d9bb6ddd759d5425dccb327734eb322ecb466d973205f66709cee6b4dc5f586602e60f8064f695

Download Submit
memory/1652-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1692-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1692-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1692-7-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1692-6-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1692-1-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2128-8-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads