Analysis Overview
SHA256
ce7373c120d221aa19a299f4e186bf15139e1fa93bd56e2d8f7cb5c4a6f0c445
Threat Level: Known bad
The file af74ac50d79d06a2277d623b5bc99836_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
LimeRAT
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-15 17:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-15 17:00
Reported
2024-06-15 17:02
Platform
win7-20240611-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
LimeRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Google\GoogleUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Google\GoogleUpdate.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\af74ac50d79d06a2277d623b5bc99836_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Google\GoogleUpdate.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1440 set thread context of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\af74ac50d79d06a2277d623b5bc99836_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\af74ac50d79d06a2277d623b5bc99836_JaffaCakes118.exe |
| PID 2708 set thread context of 1576 | N/A | C:\Users\Admin\AppData\Local\Temp\Google\GoogleUpdate.exe | C:\Users\Admin\AppData\Local\Temp\Google\GoogleUpdate.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\af74ac50d79d06a2277d623b5bc99836_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\af74ac50d79d06a2277d623b5bc99836_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Google\GoogleUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Google\GoogleUpdate.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\af74ac50d79d06a2277d623b5bc99836_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Google\GoogleUpdate.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Google\GoogleUpdate.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Google\GoogleUpdate.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\af74ac50d79d06a2277d623b5bc99836_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\af74ac50d79d06a2277d623b5bc99836_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\af74ac50d79d06a2277d623b5bc99836_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\af74ac50d79d06a2277d623b5bc99836_JaffaCakes118.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\Google\GoogleUpdate.exe'"
C:\Users\Admin\AppData\Local\Temp\Google\GoogleUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\Google\GoogleUpdate.exe"
C:\Users\Admin\AppData\Local\Temp\Google\GoogleUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\Google\GoogleUpdate.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| DE | 3.121.182.157:1111 | | tcp |
| DE | 3.121.182.157:1111 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\Google\GoogleUpdate.exe
| MD5 | af74ac50d79d06a2277d623b5bc99836 |
| SHA1 | 5ed134f92db0ea1f15c74ee117bf1d5c2a93a079 |
| SHA256 | ce7373c120d221aa19a299f4e186bf15139e1fa93bd56e2d8f7cb5c4a6f0c445 |
| SHA512 | 59409b81c6904172077b07986ae3bb53905bed136a183d9eac7d61cef50295489a4cb63d8c6560f318a0a8c57b01559439d82efc5d940acd7d10964e9426f443 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-15 17:00
Reported
2024-06-15 17:02
Platform
win10v2004-20240611-en
Max time kernel
140s
Max time network
149s
Command Line
Signatures
LimeRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\af74ac50d79d06a2277d623b5bc99836_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Google\GoogleUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Google\GoogleUpdate.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5008 set thread context of 4848 | N/A | C:\Users\Admin\AppData\Local\Temp\af74ac50d79d06a2277d623b5bc99836_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\af74ac50d79d06a2277d623b5bc99836_JaffaCakes118.exe |
| PID 1700 set thread context of 4084 | N/A | C:\Users\Admin\AppData\Local\Temp\Google\GoogleUpdate.exe | C:\Users\Admin\AppData\Local\Temp\Google\GoogleUpdate.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\af74ac50d79d06a2277d623b5bc99836_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\af74ac50d79d06a2277d623b5bc99836_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Google\GoogleUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Google\GoogleUpdate.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\af74ac50d79d06a2277d623b5bc99836_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Google\GoogleUpdate.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Google\GoogleUpdate.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Google\GoogleUpdate.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\af74ac50d79d06a2277d623b5bc99836_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\af74ac50d79d06a2277d623b5bc99836_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\af74ac50d79d06a2277d623b5bc99836_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\af74ac50d79d06a2277d623b5bc99836_JaffaCakes118.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\Google\GoogleUpdate.exe'"
C:\Users\Admin\AppData\Local\Temp\Google\GoogleUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\Google\GoogleUpdate.exe"
C:\Users\Admin\AppData\Local\Temp\Google\GoogleUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\Google\GoogleUpdate.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| DE | 3.121.182.157:1111 | | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| DE | 3.121.182.157:1111 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Google\GoogleUpdate.exe
| MD5 | af74ac50d79d06a2277d623b5bc99836 |
| SHA1 | 5ed134f92db0ea1f15c74ee117bf1d5c2a93a079 |
| SHA256 | ce7373c120d221aa19a299f4e186bf15139e1fa93bd56e2d8f7cb5c4a6f0c445 |
| SHA512 | 59409b81c6904172077b07986ae3bb53905bed136a183d9eac7d61cef50295489a4cb63d8c6560f318a0a8c57b01559439d82efc5d940acd7d10964e9426f443 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\af74ac50d79d06a2277d623b5bc99836_JaffaCakes118.exe.log
| MD5 | 17573558c4e714f606f997e5157afaac |
| SHA1 | 13e16e9415ceef429aaf124139671ebeca09ed23 |
| SHA256 | c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553 |
| SHA512 | f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc |