Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
17-05-2024 06:21
Static task
static1
Behavioral task
behavioral1
Sample
4ec653326e753fa16d200e7fea2a4bf4_JaffaCakes118.exe
Resource
win7-20240508-en
General
-
Target
4ec653326e753fa16d200e7fea2a4bf4_JaffaCakes118.exe
-
Size
1.1MB
-
MD5
4ec653326e753fa16d200e7fea2a4bf4
-
SHA1
9dedafd15ce239570c762090589742c4d88894c6
-
SHA256
cc30b16e466aeaab0d08eb9452ae46b4a3317deb826ef22898e62f5ef0e5a598
-
SHA512
c2639981259d120aca8a178ddab260745ddf0f3d6259fc14745a92f12a27f58a8a2e55178cd554418b43455c1fb4bb3811297bbdcdedb78da21f82b915e8b943
-
SSDEEP
24576:4AHnh+eWsN3skA4RV1Hom2KXMmHa97aWtjzjFtuM25E:/h+ZkldoPK8Ya971XjFtAE
Malware Config
Extracted
limerat
1JBKLGyE6AnRGvk92A8x3m8qmXfh3fcEty
-
aes_key
nulled
-
antivm
true
-
c2_url
https://pastebin.com/raw/cXuQ0V20
-
delay
3
-
download_payload
false
-
install
false
-
install_name
Winservices.exe
-
main_folder
AppData
-
pin_spread
false
-
sub_folder
\
-
usb_spread
true
Extracted
limerat
-
antivm
false
-
c2_url
https://pastebin.com/raw/cXuQ0V20
-
download_payload
false
-
install
false
-
pin_spread
false
-
usb_spread
false
Signatures
-
Executes dropped EXE 3 IoCs
pid Process 2492 sdchange.exe 604 sdchange.exe 3052 sdchange.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 2 pastebin.com 3 pastebin.com -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum RegAsm.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 RegAsm.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x0009000000015cb7-11.dat autoit_exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 2128 set thread context of 1692 2128 4ec653326e753fa16d200e7fea2a4bf4_JaffaCakes118.exe 28 PID 2492 set thread context of 1244 2492 sdchange.exe 34 PID 604 set thread context of 1652 604 sdchange.exe 40 PID 3052 set thread context of 2368 3052 sdchange.exe 44 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1532 schtasks.exe 1048 schtasks.exe 2012 schtasks.exe 904 schtasks.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1692 RegAsm.exe Token: SeDebugPrivilege 1692 RegAsm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2128 wrote to memory of 1692 2128 4ec653326e753fa16d200e7fea2a4bf4_JaffaCakes118.exe 28 PID 2128 wrote to memory of 1692 2128 4ec653326e753fa16d200e7fea2a4bf4_JaffaCakes118.exe 28 PID 2128 wrote to memory of 1692 2128 4ec653326e753fa16d200e7fea2a4bf4_JaffaCakes118.exe 28 PID 2128 wrote to memory of 1692 2128 4ec653326e753fa16d200e7fea2a4bf4_JaffaCakes118.exe 28 PID 2128 wrote to memory of 1692 2128 4ec653326e753fa16d200e7fea2a4bf4_JaffaCakes118.exe 28 PID 2128 wrote to memory of 1692 2128 4ec653326e753fa16d200e7fea2a4bf4_JaffaCakes118.exe 28 PID 2128 wrote to memory of 1692 2128 4ec653326e753fa16d200e7fea2a4bf4_JaffaCakes118.exe 28 PID 2128 wrote to memory of 1692 2128 4ec653326e753fa16d200e7fea2a4bf4_JaffaCakes118.exe 28 PID 2128 wrote to memory of 1692 2128 4ec653326e753fa16d200e7fea2a4bf4_JaffaCakes118.exe 28 PID 2128 wrote to memory of 1532 2128 4ec653326e753fa16d200e7fea2a4bf4_JaffaCakes118.exe 29 PID 2128 wrote to memory of 1532 2128 4ec653326e753fa16d200e7fea2a4bf4_JaffaCakes118.exe 29 PID 2128 wrote to memory of 1532 2128 4ec653326e753fa16d200e7fea2a4bf4_JaffaCakes118.exe 29 PID 2128 wrote to memory of 1532 2128 4ec653326e753fa16d200e7fea2a4bf4_JaffaCakes118.exe 29 PID 2724 wrote to memory of 2492 2724 taskeng.exe 33 PID 2724 wrote to memory of 2492 2724 taskeng.exe 33 PID 2724 wrote to memory of 2492 2724 taskeng.exe 33 PID 2724 wrote to memory of 2492 2724 taskeng.exe 33 PID 2492 wrote to memory of 1244 2492 sdchange.exe 34 PID 2492 wrote to memory of 1244 2492 sdchange.exe 34 PID 2492 wrote to memory of 1244 2492 sdchange.exe 34 PID 2492 wrote to memory of 1244 2492 sdchange.exe 34 PID 2492 wrote to memory of 1244 2492 sdchange.exe 34 PID 2492 wrote to memory of 1244 2492 sdchange.exe 34 PID 2492 wrote to memory of 1244 2492 sdchange.exe 34 PID 2492 wrote to memory of 1244 2492 sdchange.exe 34 PID 2492 wrote to memory of 1244 2492 sdchange.exe 34 PID 2492 wrote to memory of 1048 2492 sdchange.exe 35 PID 2492 wrote to memory of 1048 2492 sdchange.exe 35 PID 2492 wrote to memory of 1048 2492 sdchange.exe 35 PID 2492 wrote to memory of 1048 2492 sdchange.exe 35 PID 2724 wrote to memory of 604 2724 taskeng.exe 39 PID 2724 wrote to memory of 604 2724 taskeng.exe 39 PID 2724 wrote to memory of 604 2724 taskeng.exe 39 PID 2724 wrote to memory of 604 2724 taskeng.exe 39 PID 604 wrote to memory of 1652 604 sdchange.exe 40 PID 604 wrote to memory of 1652 604 sdchange.exe 40 PID 604 wrote to memory of 1652 604 sdchange.exe 40 PID 604 wrote to memory of 1652 604 sdchange.exe 40 PID 604 wrote to memory of 1652 604 sdchange.exe 40 PID 604 wrote to memory of 1652 604 sdchange.exe 40 PID 604 wrote to memory of 1652 604 sdchange.exe 40 PID 604 wrote to memory of 1652 604 sdchange.exe 40 PID 604 wrote to memory of 1652 604 sdchange.exe 40 PID 604 wrote to memory of 2012 604 sdchange.exe 41 PID 604 wrote to memory of 2012 604 sdchange.exe 41 PID 604 wrote to memory of 2012 604 sdchange.exe 41 PID 604 wrote to memory of 2012 604 sdchange.exe 41 PID 2724 wrote to memory of 3052 2724 taskeng.exe 43 PID 2724 wrote to memory of 3052 2724 taskeng.exe 43 PID 2724 wrote to memory of 3052 2724 taskeng.exe 43 PID 2724 wrote to memory of 3052 2724 taskeng.exe 43 PID 3052 wrote to memory of 2368 3052 sdchange.exe 44 PID 3052 wrote to memory of 2368 3052 sdchange.exe 44 PID 3052 wrote to memory of 2368 3052 sdchange.exe 44 PID 3052 wrote to memory of 2368 3052 sdchange.exe 44 PID 3052 wrote to memory of 2368 3052 sdchange.exe 44 PID 3052 wrote to memory of 2368 3052 sdchange.exe 44 PID 3052 wrote to memory of 2368 3052 sdchange.exe 44 PID 3052 wrote to memory of 2368 3052 sdchange.exe 44 PID 3052 wrote to memory of 2368 3052 sdchange.exe 44 PID 3052 wrote to memory of 904 3052 sdchange.exe 45 PID 3052 wrote to memory of 904 3052 sdchange.exe 45 PID 3052 wrote to memory of 904 3052 sdchange.exe 45 PID 3052 wrote to memory of 904 3052 sdchange.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\4ec653326e753fa16d200e7fea2a4bf4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\4ec653326e753fa16d200e7fea2a4bf4_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"2⤵
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
PID:1692
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F2⤵
- Creates scheduled task(s)
PID:1532
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {A91154B3-3E28-4E6C-86ED-AF1522B672B2} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Users\Admin\secinit\sdchange.exeC:\Users\Admin\secinit\sdchange.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"3⤵PID:1244
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F3⤵
- Creates scheduled task(s)
PID:1048
-
-
-
C:\Users\Admin\secinit\sdchange.exeC:\Users\Admin\secinit\sdchange.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:604 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"3⤵PID:1652
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F3⤵
- Creates scheduled task(s)
PID:2012
-
-
-
C:\Users\Admin\secinit\sdchange.exeC:\Users\Admin\secinit\sdchange.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"3⤵PID:2368
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F3⤵
- Creates scheduled task(s)
PID:904
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD576a6064229ba6927ab7060bfe57a6262
SHA10c0c7c0cbac7de1bb0a0f35a6fb20f487630b051
SHA2562017564f8d85925f272a19795f4c601fb1a5c40965fb64707affb7bf5d91cfcb
SHA5129596d6e1741503c6a78b506ab39a9ee7c105bf79fe51b8c8d8d9bb6ddd759d5425dccb327734eb322ecb466d973205f66709cee6b4dc5f586602e60f8064f695