General
-
Target
ad4feb0e4a1b1ed0696d584ef354bb19_JaffaCakes118
-
Size
104KB
-
Sample
240615-h6tb2asbqc
-
MD5
ad4feb0e4a1b1ed0696d584ef354bb19
-
SHA1
f3ca5de92d8b9e215bb6a80fd6755f5b489b44a0
-
SHA256
09a8bd138abecc693214e1f0aa82342f0355f4ef81d1af0bc04b72115d6fe322
-
SHA512
06507ec9488f0073227da3852651a574af18c6ef20a246c5a33fa664c855994b1c41f3d65bf41196752383925c4ff532b54e6592504daab1396d3a008285ed7b
-
SSDEEP
768:e5DIkiRZGrGl5z0EJ9k5NHsmjb5woIJIIYI4mynugD119L64ljNDiDMw/t39:eWkiRZr0EJqDXjb5Sb
Malware Config
Extracted
limerat
3J9bg27AKvv52V6dv4U99VM58vfSYnfUY6
-
aes_key
svensis
-
antivm
true
-
c2_url
https://pastebin.com/raw/7VWPN6dB
-
delay
3
-
download_payload
false
-
install
true
-
install_name
client.exe
-
main_folder
Temp
-
pin_spread
true
-
sub_folder
\
-
usb_spread
true
Extracted
limerat
-
antivm
false
-
c2_url
https://pastebin.com/raw/7VWPN6dB
-
download_payload
false
-
install
false
-
pin_spread
false
-
usb_spread
false
Targets
-
-
Target
ad4feb0e4a1b1ed0696d584ef354bb19_JaffaCakes118
-
Size
104KB
-
MD5
ad4feb0e4a1b1ed0696d584ef354bb19
-
SHA1
f3ca5de92d8b9e215bb6a80fd6755f5b489b44a0
-
SHA256
09a8bd138abecc693214e1f0aa82342f0355f4ef81d1af0bc04b72115d6fe322
-
SHA512
06507ec9488f0073227da3852651a574af18c6ef20a246c5a33fa664c855994b1c41f3d65bf41196752383925c4ff532b54e6592504daab1396d3a008285ed7b
-
SSDEEP
768:e5DIkiRZGrGl5z0EJ9k5NHsmjb5woIJIIYI4mynugD119L64ljNDiDMw/t39:eWkiRZr0EJqDXjb5Sb
Score10/10-
LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-