Analysis Overview
SHA256
ddbec9c19476fc0a9dcd62250e4b2dde0ea8be7fceb2fbe072d3473dc4bb163f
Threat Level: Known bad
The file 28931c574059113e891a5130dbe61d0d_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
LimeRAT
Executes dropped EXE
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-07-06 14:58
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-06 14:58
Reported
2024-07-06 15:18
Platform
win7-20240705-en
Max time kernel
145s
Max time network
147s
Signatures
LimeRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\killisrael.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\killisrael.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\28931c574059113e891a5130dbe61d0d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\28931c574059113e891a5130dbe61d0d_JaffaCakes118.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\killisrael.exe'"
C:\Users\Admin\AppData\Local\Temp\killisrael.exe
"C:\Users\Admin\AppData\Local\Temp\killisrael.exe"
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | pastebin.com | udp | 1 |
| US | 104.20.3.235:443 | pastebin.com | tcp | 1 |
| DE | 193.161.193.99:61716 | | tcp | 33 |
Files
memory/2408-0-0x000007FEF5343000-0x000007FEF5344000-memory.dmp
memory/2408-1-0x0000000000250000-0x0000000000276000-memory.dmp
memory/2408-2-0x000007FEF5340000-0x000007FEF5D2C000-memory.dmp
memory/2408-3-0x00000000001F0000-0x0000000000200000-memory.dmp
memory/2408-4-0x0000000000200000-0x0000000000218000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\killisrael.exe (the hashes below are identical to those of the submitted sample: the binary copies itself to this path, and the scheduled task created above points at that copy)
| MD5 | 28931c574059113e891a5130dbe61d0d |
| SHA1 | 0879598ec6c091aae822654e4516a80b9e763329 |
| SHA256 | ddbec9c19476fc0a9dcd62250e4b2dde0ea8be7fceb2fbe072d3473dc4bb163f |
| SHA512 | ad71bcbb994f121e0e68cc666ea58d231db0f990bbba615df735c8b65bf81835513c8e1a80ff273d87e6e919192887a690ff49e4e9b1d662859e787e389144ae |
memory/2440-10-0x0000000000AD0000-0x0000000000AF6000-memory.dmp
memory/2440-11-0x000007FEF5340000-0x000007FEF5D2C000-memory.dmp
memory/2408-12-0x000007FEF5340000-0x000007FEF5D2C000-memory.dmp
memory/2440-13-0x000007FEF5340000-0x000007FEF5D2C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-06 14:58
Reported
2024-07-06 15:18
Platform
win10v2004-20240704-en
Max time kernel
148s
Max time network
151s
Signatures
LimeRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\28931c574059113e891a5130dbe61d0d_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\killisrael.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\killisrael.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 680 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\28931c574059113e891a5130dbe61d0d_JaffaCakes118.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 680 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\28931c574059113e891a5130dbe61d0d_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\killisrael.exe |
Both targets are the two child processes that PID 680 itself spawns (see Processes below). Parent-to-child writes of this kind are consistent with ordinary process creation and, on their own, are not evidence of injection into an unrelated process.
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\28931c574059113e891a5130dbe61d0d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\28931c574059113e891a5130dbe61d0d_JaffaCakes118.exe"
C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\killisrael.exe'"
C:\Users\Admin\AppData\Local\Temp\killisrael.exe
"C:\Users\Admin\AppData\Local\Temp\killisrael.exe"
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | pastebin.com | udp | 1 |
| US | 172.67.19.24:443 | pastebin.com | tcp | 1 |
| DE | 193.161.193.99:61716 | | tcp | 1 |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp | 1 |
| DE | 193.161.193.99:61716 | | tcp | 3 |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp | 1 |
| DE | 193.161.193.99:61716 | | tcp | 1 |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp | 1 |
| DE | 193.161.193.99:61716 | | tcp | 1 |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp | 1 |
| DE | 193.161.193.99:61716 | | tcp | 22 |
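The Network tables of both behavioral runs show the same two things: a lookup of and TLS connection to pastebin.com, then dozens of repeated TCP connections to 193.161.193.99:61716 with no hostname attached. The following is an added example, not part of the sandbox report, of Python that reduces such a table to C2 candidates and abused-hosting contacts. It accepts rows in the `| Country | Destination | Domain | Proto |` layout (including rows where the protocol sits in the Domain column because no name resolved) as well as rows with a trailing Count cell. `SAMPLE_TABLE` reproduces the behavioral1 table; the `ABUSED_HOSTING` list, the web-port exclusion and the repeat threshold are assumptions.

```python
"""Reduce a sandbox Network table to C2 candidates and abused hosting services.

Added example for this report; not sandbox output. SAMPLE_TABLE mirrors the
behavioral1 table. ABUSED_HOSTING, WEB_PORTS and min_repeats are assumptions.
"""

# Hosting services commonly abused to stage C2 settings (assumed list; extend as needed).
ABUSED_HOSTING = {"pastebin.com", "paste.ee", "hastebin.com", "discord.com", "github.com"}

# Ports where repeated connections are too common to be evidence on their own.
WEB_PORTS = {80, 443}

# Rows of the behavioral1 table: two pastebin rows and 33 identical beacon rows.
SAMPLE_TABLE = [
    "| Country | Destination | Domain | Proto |",
    "| US | 8.8.8.8:53 | pastebin.com | udp |",
    "| US | 104.20.3.235:443 | pastebin.com | tcp |",
] + ["| DE | 193.161.193.99:61716 | tcp | |"] * 33


def parse_row(line):
    """Parse one table row into a dict, or None for the header / blank lines."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) < 3 or cells[0] in ("", "Country"):
        return None
    country, dst = cells[0], cells[1]
    if cells[2] in ("tcp", "udp"):
        # Layout quirk: with no domain, the protocol lands in the Domain column.
        domain, proto, rest = "", cells[2], cells[3:]
    else:
        domain = cells[2]
        proto = cells[3] if len(cells) > 3 else ""
        rest = cells[4:]
    # An optional trailing cell holds a repeat count for collapsed rows.
    count = int(rest[0]) if rest and rest[0].isdigit() else 1
    host, sep, port = dst.rpartition(":")
    if not sep:
        host, port = dst, "0"
    return {"country": country, "host": host, "port": int(port),
            "domain": domain, "proto": proto, "count": count}


def summarise(rows):
    """Aggregate per (host, port, proto): total hits and any names that resolved there."""
    agg = {}
    for r in rows:
        key = (r["host"], r["port"], r["proto"])
        entry = agg.setdefault(key, {"count": 0, "domains": set(), "country": r["country"]})
        entry["count"] += r["count"]
        if r["domain"]:
            entry["domains"].add(r["domain"])
    return agg


def c2_candidates(agg, min_repeats=5):
    """Repeated TCP connections to a bare IP on a non-web port, never tied to a hostname."""
    found = []
    for (host, port, proto), e in agg.items():
        if proto != "tcp" or e["domains"] or port in WEB_PORTS or e["count"] < min_repeats:
            continue
        found.append({"dst": f"{host}:{port}", "count": e["count"], "country": e["country"]})
    return found


def abused_hosting(rows):
    """Known-abused hosting names seen in DNS or TLS rows; reverse lookups are ignored."""
    seen = {r["domain"].lower() for r in rows
            if r["domain"] and not r["domain"].endswith(".in-addr.arpa")}
    return sorted(seen & ABUSED_HOSTING)


def triage(table_lines):
    """Run the whole pipeline over raw table lines."""
    rows = [r for r in map(parse_row, table_lines) if r is not None]
    return {"c2": c2_candidates(summarise(rows)),
            "hosting": abused_hosting(rows),
            "rows": len(rows)}


if __name__ == "__main__":
    result = triage(SAMPLE_TABLE)
    for c in result["c2"]:
        print(f"C2 candidate {c['dst']} ({c['country']}): {c['count']} connections")
    print("abused hosting:", ", ".join(result["hosting"]))
```

The hostname check matters: the pastebin.com connection on 443 is excluded both because it resolved from a name and because it is a web port, while the 61716/tcp destination has neither, which is what makes it the C2 candidate rather than the paste site that likely only served the configuration.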
Files
memory/680-0-0x00007FF806F73000-0x00007FF806F75000-memory.dmp
memory/680-1-0x0000000000610000-0x0000000000636000-memory.dmp
memory/680-2-0x0000000000E20000-0x0000000000E30000-memory.dmp
memory/680-3-0x00007FF806F70000-0x00007FF807A31000-memory.dmp
memory/680-4-0x0000000000E30000-0x0000000000E48000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\killisrael.exe
| MD5 | 28931c574059113e891a5130dbe61d0d |
| SHA1 | 0879598ec6c091aae822654e4516a80b9e763329 |
| SHA256 | ddbec9c19476fc0a9dcd62250e4b2dde0ea8be7fceb2fbe072d3473dc4bb163f |
| SHA512 | ad71bcbb994f121e0e68cc666ea58d231db0f990bbba615df735c8b65bf81835513c8e1a80ff273d87e6e919192887a690ff49e4e9b1d662859e787e389144ae |
memory/680-17-0x00007FF806F70000-0x00007FF807A31000-memory.dmp
memory/2052-18-0x00007FF806F70000-0x00007FF807A31000-memory.dmp
memory/2052-19-0x00007FF806F70000-0x00007FF807A31000-memory.dmp
memory/2052-20-0x00007FF806F70000-0x00007FF807A31000-memory.dmp