Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-06-2024 07:29

General

  • Target

    8d4fc7d9b7f9ae031db6ac350af49861_JaffaCakes118.ps1

  • Size

    39KB

  • MD5

    8d4fc7d9b7f9ae031db6ac350af49861

  • SHA1

    a57c563cc8406ef2ea4a8ad94972f039f053026e

  • SHA256

    3637dfa2d64efeaf36903e17bacd8f832dee3e6d12e3414fd55fed4311498796

  • SHA512

    900e577c29f2976604805420ffd2fad6848657ba408e61dd8883bee55146ce229728527ebdbad2cf12b30b81232345e03761d02f1f0e2301de4de5154d2f6e87

  • SSDEEP

    768:f0tIvRpRaIMLwZ7nPU8dKSPhfVJfQD/yLZlWXKwsl:f0CvDgIvZ7nPXKg3JfqaFlR

Score
10/10

Malware Config

Extracted

Family

limerat

Attributes
  • aes_key

    pysenuu

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/smgAS6SG

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Wservices.exe

  • main_folder

    Temp

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    false

Extracted

Family

limerat

Attributes
  • antivm

    false

  • c2_url

    https://pastebin.com/raw/smgAS6SG

  • download_payload

    false

  • install

    false

  • pin_spread

    false

  • usb_spread

    false

Signatures

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\8d4fc7d9b7f9ae031db6ac350af49861_JaffaCakes118.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1396
    • C:\Users\Admin\AppData\Local\Temp\2142339208\2142339208.exe
      "C:\Users\Admin\AppData\Local\Temp\2142339208\2142339208.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:5104

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\2142339208\2142339208.exe

    Filesize

    29KB

    MD5

    b799e179c6512cdea8fc1b60f3ea68e7

    SHA1

    fd011070db46a5ba428d467b7a1596c186ea7b69

    SHA256

    182c2b7af53fe809c7b3bd3ea738108e20984e9bc982eb183c8311c5dd49640e

    SHA512

    a2301141126dc823b12485337834435dfb526bf339a8712d3ec1aab58e887092dec891eb5cca49aab0b487793d57ca8b3299f7350e31f1e7eba9e67ad0db5c33

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tlyqqavp.k0n.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/1396-0-0x00007FF8010B3000-0x00007FF8010B5000-memory.dmp

    Filesize

    8KB

  • memory/1396-10-0x000001E85C8A0000-0x000001E85C8C2000-memory.dmp

    Filesize

    136KB

  • memory/1396-11-0x00007FF8010B0000-0x00007FF801B71000-memory.dmp

    Filesize

    10.8MB

  • memory/1396-12-0x00007FF8010B0000-0x00007FF801B71000-memory.dmp

    Filesize

    10.8MB

  • memory/1396-23-0x00007FF8010B0000-0x00007FF801B71000-memory.dmp

    Filesize

    10.8MB

  • memory/5104-21-0x0000000074A02000-0x0000000074A03000-memory.dmp

    Filesize

    4KB

  • memory/5104-22-0x0000000074A00000-0x0000000074FB1000-memory.dmp

    Filesize

    5.7MB

  • memory/5104-24-0x0000000074A00000-0x0000000074FB1000-memory.dmp

    Filesize

    5.7MB

  • memory/5104-25-0x0000000074A02000-0x0000000074A03000-memory.dmp

    Filesize

    4KB

  • memory/5104-26-0x0000000074A00000-0x0000000074FB1000-memory.dmp

    Filesize

    5.7MB