General

  • Target

    bb2de5629dfeb812b45fb00a6fbadf4e_JaffaCakes118

  • Size

    61KB

  • Sample

    240618-hmmp5s1grc

  • MD5

    bb2de5629dfeb812b45fb00a6fbadf4e

  • SHA1

    e3a3642264eae88eba72c67933057f2dfc2dd2b6

  • SHA256

    fc790cea14d04d9090ab085b585a8017ad469ebbce5c9d29c8d877ccf9e3efbf

  • SHA512

    3d3a250e9c6ca842daf90d9b666796dc7e8cebce83ed3ab972db052f60fc70418c7aa3f45f45b0ab61f63e7621d147620f20734bc8556e6d614c49abb7eba28d

  • SSDEEP

    1536:2qGaT/1sMrcvwms7Glz0DKVLcBCAGLq1ZjTj:2qRaMrUwmuvDWLcBCAGL8j

Score
10/10

Malware Config

Extracted

Family

limerat

Wallets

1d15EibWVaZg8KADH1wR5phqhtyhbbdCc

Attributes
  • aes_key

    batata1

  • antivm

    true

  • c2_url

    https://pastebin.com/raw/hqkeiAWx

  • delay

    3

  • download_payload

    false

  • install

    true

  • install_name

    twvrsvc.exe

  • main_folder

    AppData

  • pin_spread

    false

  • sub_folder

    \TeamViewer\

  • usb_spread

    true

Extracted

Family

limerat

Attributes
  • antivm

    false

  • c2_url

    https://pastebin.com/raw/hqkeiAWx

  • download_payload

    false

  • install

    false

  • pin_spread

    false

  • usb_spread

    false

Targets

    • Target

      bb2de5629dfeb812b45fb00a6fbadf4e_JaffaCakes118

    • Size

      61KB

    • MD5

      bb2de5629dfeb812b45fb00a6fbadf4e

    • SHA1

      e3a3642264eae88eba72c67933057f2dfc2dd2b6

    • SHA256

      fc790cea14d04d9090ab085b585a8017ad469ebbce5c9d29c8d877ccf9e3efbf

    • SHA512

      3d3a250e9c6ca842daf90d9b666796dc7e8cebce83ed3ab972db052f60fc70418c7aa3f45f45b0ab61f63e7621d147620f20734bc8556e6d614c49abb7eba28d

    • SSDEEP

      1536:2qGaT/1sMrcvwms7Glz0DKVLcBCAGLq1ZjTj:2qRaMrUwmuvDWLcBCAGL8j

    Score
    10/10
    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Target

      Cure Tool.exe

    • Size

      9KB

    • MD5

      7658c455f3acdc2b574da9f863855f01

    • SHA1

      c05e0e3ccfb01bec9e6e4f8592fc21fe8a991b32

    • SHA256

      8d0ab3ac5f70ab0d16c1c3f1f66e4580e4116175d30bece8b14514858c9174dc

    • SHA512

      7325535c7228542cecf43c2042dd07caee54d8f61a49ea5750508f7ed27ad0f5b24c62a023c0c8f675bb8c077720d60565338ce10754ae098ec7d47bf3f83730

    • SSDEEP

      192:QB+LppLO0OTdyFnEKxx0hRu6nC48MqlkzpwIqyi:k+FRYxKxWhRXC48Ezpwdy

    Score
    1/10
    • Target

      tvsxwrc.exe

    • Size

      28KB

    • MD5

      7374806e51b404de9c639cbff4226eed

    • SHA1

      6c7466e48018fa00ccf53a24615448117697f494

    • SHA256

      5963297e6660586d55779912944414ca8e5ccdf2769419b779e145d5fc597c9f

    • SHA512

      5c29c8c16be3a46cf64997fda0810953fa16c3f53fd8f7979e80a97849e23e36baca1cf84cf84a1404b55cbde8543c3d740c9397da576738a14c64a9962f00f7

    • SSDEEP

      768:bzRbFf8Wp2hBhLXCidmDUjFQuval1IjyJ:fNp8Wp2hBhui8kFfgqjO

    Score
    10/10
    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

MITRE ATT&CK Enterprise v15

Tasks
