limerat | 09a8bd138abecc693214e1f0aa82342f0355f4ef81d1af0bc04b72115d6fe322

General

Target

ad4feb0e4a1b1ed0696d584ef354bb19_JaffaCakes118.exe
Size

104KB
MD5

ad4feb0e4a1b1ed0696d584ef354bb19
SHA1

f3ca5de92d8b9e215bb6a80fd6755f5b489b44a0
SHA256

09a8bd138abecc693214e1f0aa82342f0355f4ef81d1af0bc04b72115d6fe322
SHA512

06507ec9488f0073227da3852651a574af18c6ef20a246c5a33fa664c855994b1c41f3d65bf41196752383925c4ff532b54e6592504daab1396d3a008285ed7b
SSDEEP

768:e5DIkiRZGrGl5z0EJ9k5NHsmjb5woIJIIYI4mynugD119L64ljNDiDMw/t39:eWkiRZr0EJqDXjb5Sb

Score

10^/10

limerat rat

Malware Config

Extracted

Family

limerat

Wallets

3J9bg27AKvv52V6dv4U99VM58vfSYnfUY6

Attributes

aes_key
svensis
antivm
true
c2_url
https://pastebin.com/raw/7VWPN6dB
delay
3
download_payload
false
install
true
install_name
client.exe
main_folder
Temp
pin_spread
true
sub_folder
\
usb_spread
true

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/7VWPN6dB
download_payload
false
install
false
pin_spread
false
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ad4feb0e4a1b1ed0696d584ef354bb19_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	ad4feb0e4a1b1ed0696d584ef354bb19_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

client.exe

pid process

4416 client.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

9 pastebin.com
10 pastebin.com

pid	process
4416	client.exe

flow	ioc
9	pastebin.com
10	pastebin.com

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ad4feb0e4a1b1ed0696d584ef354bb19_JaffaCakes118.execlient.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	ad4feb0e4a1b1ed0696d584ef354bb19_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	ad4feb0e4a1b1ed0696d584ef354bb19_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	client.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3780 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

client.exe

description pid process

Token: SeDebugPrivilege 4416 client.exe
Token: SeDebugPrivilege 4416 client.exe

pid	process
3780	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	4416	client.exe
Token: SeDebugPrivilege	4416	client.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

ad4feb0e4a1b1ed0696d584ef354bb19_JaffaCakes118.exe

description	pid	process	target process
PID 940 wrote to memory of 3780	940	ad4feb0e4a1b1ed0696d584ef354bb19_JaffaCakes118.exe	schtasks.exe
PID 940 wrote to memory of 3780	940	ad4feb0e4a1b1ed0696d584ef354bb19_JaffaCakes118.exe	schtasks.exe
PID 940 wrote to memory of 3780	940	ad4feb0e4a1b1ed0696d584ef354bb19_JaffaCakes118.exe	schtasks.exe
PID 940 wrote to memory of 4416	940	ad4feb0e4a1b1ed0696d584ef354bb19_JaffaCakes118.exe	client.exe
PID 940 wrote to memory of 4416	940	ad4feb0e4a1b1ed0696d584ef354bb19_JaffaCakes118.exe	client.exe
PID 940 wrote to memory of 4416	940	ad4feb0e4a1b1ed0696d584ef354bb19_JaffaCakes118.exe	client.exe

C:\Users\Admin\AppData\Local\Temp\ad4feb0e4a1b1ed0696d584ef354bb19_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ad4feb0e4a1b1ed0696d584ef354bb19_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
PID:940
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\client.exe'"
  2⤵
  - Creates scheduled task(s)
  PID:3780
- C:\Users\Admin\AppData\Local\Temp\client.exe
  "C:\Users\Admin\AppData\Local\Temp\client.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious use of AdjustPrivilegeToken
  PID:4416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\client.exe

Filesize
104KB

MD5
ad4feb0e4a1b1ed0696d584ef354bb19

SHA1
f3ca5de92d8b9e215bb6a80fd6755f5b489b44a0

SHA256
09a8bd138abecc693214e1f0aa82342f0355f4ef81d1af0bc04b72115d6fe322

SHA512
06507ec9488f0073227da3852651a574af18c6ef20a246c5a33fa664c855994b1c41f3d65bf41196752383925c4ff532b54e6592504daab1396d3a008285ed7b

Download Submit
memory/940-0-0x000000007510E000-0x000000007510F000-memory.dmp

Filesize
4KB

Download
memory/940-1-0x0000000000270000-0x0000000000290000-memory.dmp

Filesize
128KB

Download
memory/940-2-0x0000000004C10000-0x0000000004CAC000-memory.dmp

Filesize
624KB

Download
memory/940-3-0x0000000004CB0000-0x0000000004D16000-memory.dmp

Filesize
408KB

Download
memory/940-4-0x0000000075100000-0x00000000758B0000-memory.dmp

Filesize
7.7MB

Download
memory/940-5-0x00000000059E0000-0x0000000005F84000-memory.dmp

Filesize
5.6MB

Download
memory/940-15-0x0000000075100000-0x00000000758B0000-memory.dmp

Filesize
7.7MB

Download
memory/4416-16-0x0000000075100000-0x00000000758B0000-memory.dmp

Filesize
7.7MB

Download
memory/4416-17-0x0000000075100000-0x00000000758B0000-memory.dmp

Filesize
7.7MB

Download
memory/4416-18-0x0000000006E40000-0x0000000006ED2000-memory.dmp

Filesize
584KB

Download
memory/4416-19-0x0000000075100000-0x00000000758B0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads