Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\440d7a7357b48507cbf9857064638dfd_JaffaCakes118.exe	N/A
N/A	N/A	C:\Users\Admin\Windows\Windows Update.exe	N/A

Legitimate hosting services abused for malware hosting/C2

Description	Indicator	Process	Target
N/A	pastebin.com	N/A	N/A
N/A	pastebin.com	N/A	N/A

Suspicious use of SetThreadContext

Description	Indicator	Process	Target
PID 2080 set thread context of 2292	N/A	C:\Users\Admin\AppData\Local\Temp\440d7a7357b48507cbf9857064638dfd_JaffaCakes118.exe	C:\Users\Admin\AppData\Local\Temp\440d7a7357b48507cbf9857064638dfd_JaffaCakes118.exe
PID 2540 set thread context of 2296	N/A	C:\Users\Admin\Windows\Windows Update.exe	C:\Users\Admin\Windows\Windows Update.exe

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\Windows\Windows Update.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\Windows\Windows Update.exe	N/A

Suspicious use of WriteProcessMemory

Processes

C:\Users\Admin\AppData\Local\Temp\440d7a7357b48507cbf9857064638dfd_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\440d7a7357b48507cbf9857064638dfd_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\440d7a7357b48507cbf9857064638dfd_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\440d7a7357b48507cbf9857064638dfd_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\Windows\Windows Update.exe'"

C:\Users\Admin\Windows\Windows Update.exe

"C:\Users\Admin\Windows\Windows Update.exe"

C:\Users\Admin\Windows\Windows Update.exe

"C:\Users\Admin\Windows\Windows Update.exe"

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	pastebin.com	udp
US	104.20.3.235:443	pastebin.com	tcp
US	8.8.8.8:53	nibiru3.duckdns.org	udp
ES	82.130.171.45:1604	nibiru3.duckdns.org	tcp
ES	82.130.171.45:1604	nibiru3.duckdns.org	tcp
ES	82.130.171.45:1604	nibiru3.duckdns.org	tcp
US	8.8.8.8:53	nibiru3.duckdns.org	udp
ES	82.130.171.45:1604	nibiru3.duckdns.org	tcp
ES	82.130.171.45:1604	nibiru3.duckdns.org	tcp
ES	82.130.171.45:1604	nibiru3.duckdns.org	tcp

Files

memory/2080-0-0x000000007435E000-0x000000007435F000-memory.dmp

memory/2080-1-0x0000000001160000-0x00000000011A2000-memory.dmp

memory/2080-2-0x0000000074350000-0x0000000074A3E000-memory.dmp

memory/2080-3-0x0000000000210000-0x0000000000218000-memory.dmp

memory/2292-8-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2292-6-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2292-4-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2292-11-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2292-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2292-13-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2080-16-0x0000000074350000-0x0000000074A3E000-memory.dmp

memory/2292-18-0x0000000074350000-0x0000000074A3E000-memory.dmp

memory/2292-17-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2292-20-0x0000000074350000-0x0000000074A3E000-memory.dmp

\Users\Admin\Windows\Windows Update.exe

MD5	440d7a7357b48507cbf9857064638dfd
SHA1	fbf4d41cc343cb260d0c320ade3c1271959d6eba
SHA256	bf5ef36eb0ab0ecb25d80207e730177d07961df7b8266167074ddbc3baf5bcb3
SHA512	ee709aa46f4506aa1ce26d0edcdbf9241749ed154e1a8ab2976b691f95469c8cdef168d59ad27773506e433debb0a28550f113f6bb5b7e1e12c994fcd2aa875c

memory/2540-27-0x00000000013A0000-0x00000000013E2000-memory.dmp

memory/2292-28-0x0000000074350000-0x0000000074A3E000-memory.dmp

memory/2296-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-14 03:11

Reported

2024-07-14 03:14

Platform

win10v2004-20240709-en

Max time kernel

134s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\440d7a7357b48507cbf9857064638dfd_JaffaCakes118.exe"

Signatures

LimeRAT

rat limerat

Checks computer location settings

Description	Indicator	Process	Target
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Local\Temp\440d7a7357b48507cbf9857064638dfd_JaffaCakes118.exe	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\Windows\Windows Update.exe	N/A
N/A	N/A	C:\Users\Admin\Windows\Windows Update.exe	N/A

Legitimate hosting services abused for malware hosting/C2

Description	Indicator	Process	Target
N/A	pastebin.com	N/A	N/A
N/A	pastebin.com	N/A	N/A

Suspicious use of SetThreadContext

Description	Indicator	Process	Target
PID 852 set thread context of 2096	N/A	C:\Users\Admin\AppData\Local\Temp\440d7a7357b48507cbf9857064638dfd_JaffaCakes118.exe	C:\Users\Admin\AppData\Local\Temp\440d7a7357b48507cbf9857064638dfd_JaffaCakes118.exe
PID 2776 set thread context of 3380	N/A	C:\Users\Admin\Windows\Windows Update.exe	C:\Users\Admin\Windows\Windows Update.exe

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\Windows\Windows Update.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\Windows\Windows Update.exe	N/A

Suspicious use of WriteProcessMemory

Processes

C:\Users\Admin\AppData\Local\Temp\440d7a7357b48507cbf9857064638dfd_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\440d7a7357b48507cbf9857064638dfd_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\440d7a7357b48507cbf9857064638dfd_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\440d7a7357b48507cbf9857064638dfd_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\Windows\Windows Update.exe'"

C:\Users\Admin\Windows\Windows Update.exe

"C:\Users\Admin\Windows\Windows Update.exe"

C:\Users\Admin\Windows\Windows Update.exe

"C:\Users\Admin\Windows\Windows Update.exe"

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	136.32.126.40.in-addr.arpa	udp
US	8.8.8.8:53	172.210.232.199.in-addr.arpa	udp
US	8.8.8.8:53	43.58.199.20.in-addr.arpa	udp
US	8.8.8.8:53	pastebin.com	udp
US	104.20.3.235:443	pastebin.com	tcp
US	8.8.8.8:53	nibiru3.duckdns.org	udp
US	8.8.8.8:53	235.3.20.104.in-addr.arpa	udp
ES	82.130.171.45:1604	nibiru3.duckdns.org	tcp
US	8.8.8.8:53	183.59.114.20.in-addr.arpa	udp
US	8.8.8.8:53	198.187.3.20.in-addr.arpa	udp
US	8.8.8.8:53	147.142.123.92.in-addr.arpa	udp
ES	82.130.171.45:1604	nibiru3.duckdns.org	tcp
US	8.8.8.8:53	73.144.22.2.in-addr.arpa	udp
ES	82.130.171.45:1604	nibiru3.duckdns.org	tcp
US	8.8.8.8:53	nibiru3.duckdns.org	udp
ES	82.130.171.45:1604	nibiru3.duckdns.org	tcp
US	8.8.8.8:53	22.236.111.52.in-addr.arpa	udp
ES	82.130.171.45:1604	nibiru3.duckdns.org	tcp
ES	82.130.171.45:1604	nibiru3.duckdns.org	tcp

Files

memory/852-0-0x0000000074B9E000-0x0000000074B9F000-memory.dmp

memory/852-1-0x0000000000320000-0x0000000000362000-memory.dmp

memory/852-2-0x0000000074B90000-0x0000000075340000-memory.dmp

memory/852-3-0x0000000002740000-0x0000000002748000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\440d7a7357b48507cbf9857064638dfd_JaffaCakes118.exe.log

MD5	916851e072fbabc4796d8916c5131092
SHA1	d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256	7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512	07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

memory/852-8-0x0000000074B90000-0x0000000075340000-memory.dmp

memory/2096-7-0x0000000074B90000-0x0000000075340000-memory.dmp

memory/2096-9-0x00000000001F0000-0x00000000001FC000-memory.dmp

memory/2096-10-0x0000000004970000-0x0000000004A0C000-memory.dmp

memory/2096-11-0x0000000004A10000-0x0000000004A76000-memory.dmp

memory/2096-12-0x0000000074B90000-0x0000000075340000-memory.dmp

memory/2096-13-0x0000000005610000-0x0000000005BB4000-memory.dmp

C:\Users\Admin\Windows\Windows Update.exe

MD5	440d7a7357b48507cbf9857064638dfd
SHA1	fbf4d41cc343cb260d0c320ade3c1271959d6eba
SHA256	bf5ef36eb0ab0ecb25d80207e730177d07961df7b8266167074ddbc3baf5bcb3
SHA512	ee709aa46f4506aa1ce26d0edcdbf9241749ed154e1a8ab2976b691f95469c8cdef168d59ad27773506e433debb0a28550f113f6bb5b7e1e12c994fcd2aa875c

memory/2776-25-0x0000000074B90000-0x0000000075340000-memory.dmp

memory/2776-26-0x0000000074B90000-0x0000000075340000-memory.dmp

memory/2776-31-0x0000000074B90000-0x0000000075340000-memory.dmp

memory/2096-32-0x0000000074B90000-0x0000000075340000-memory.dmp

Sample ID	240714-dp2jvsxbjb
Target	440d7a7357b48507cbf9857064638dfd_JaffaCakes118
SHA256	bf5ef36eb0ab0ecb25d80207e730177d07961df7b8266167074ddbc3baf5bcb3
Tags	limerat rat

Malware Analysis Report

2024-09-11 10:20

Table of Contents

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files