Overview

overview

10

Static

static

3

1580de0781...18.exe

windows7-x64

10

1580de0781...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    27-06-2024 09:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1580de07812e8327fa45cac871a7d0fa_JaffaCakes118.exe

  • Size

    89KB

  • MD5

    1580de07812e8327fa45cac871a7d0fa

  • SHA1

    887c01ee1254c93b2506ffdaa97b9833e454b5f9

  • SHA256

    b7a2082ded2f96c5d5ad618b0368ff4530c4bed5594217b8a8e8d0de7c346873

  • SHA512

    8ad94a2da86d9f6f478e04ec36fe7a33ad4f7df0bf14f19e987c6d2b508b1c9f06431b38ecb66db9c632d9a4727286e175585b3061b4be2ad0db36f1c3c4fed6

  • SSDEEP

    1536:LxeLXlA3C0+BGV1j9Po2rV9KL/74pYMHfkpumnxGeHfuS:LALg9lV1ZPo2rV9K7Y8pumMSfuS

Score
10/10
limeratrat

Malware Config

Signatures

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

    ratlimerat
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\1580de07812e8327fa45cac871a7d0fa_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1580de07812e8327fa45cac871a7d0fa_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\killisrael.exe'"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2780
    • C:\Users\Admin\AppData\Local\Temp\killisrael.exe
      "C:\Users\Admin\AppData\Local\Temp\killisrael.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2912

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\killisrael.exe
    Filesize

    89KB

    MD5

    1580de07812e8327fa45cac871a7d0fa

    SHA1

    887c01ee1254c93b2506ffdaa97b9833e454b5f9

    SHA256

    b7a2082ded2f96c5d5ad618b0368ff4530c4bed5594217b8a8e8d0de7c346873

    SHA512

    8ad94a2da86d9f6f478e04ec36fe7a33ad4f7df0bf14f19e987c6d2b508b1c9f06431b38ecb66db9c632d9a4727286e175585b3061b4be2ad0db36f1c3c4fed6

    Download Submit

  • memory/2228-0-0x000007FEF5793000-0x000007FEF5794000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2228-1-0x0000000000D30000-0x0000000000D4C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2228-2-0x00000000003D0000-0x00000000003F6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2228-3-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2228-4-0x00000000003F0000-0x0000000000400000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2228-5-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2228-12-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2912-11-0x0000000000BC0000-0x0000000000BDC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2912-13-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2912-14-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2912-15-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

    Filesize

    9.9MB

    Download