limerat | ed29be13a5ecb1fb3c072b8b398ea9dbeae3c1ae389f9b1eb4519be020c882aa

General

Target

78c1fe5e37783f64704335ebae1520f1_JaffaCakes118.exe
Size

705KB
MD5

78c1fe5e37783f64704335ebae1520f1
SHA1

ea937129d39f86899fa0c103d89dd75cb447c518
SHA256

ed29be13a5ecb1fb3c072b8b398ea9dbeae3c1ae389f9b1eb4519be020c882aa
SHA512

3effec3f9da035c9787078828871d062f72f2d409b8be57778fe64a3b4e2fa836abc51ea34940ab76527a5524d1b5f7b4f69c6745abf243f2d1afab751649b10
SSDEEP

6144:hlSuJBbblPI3sp7ScV1zQWXdo6G8nG4ZUkqa:rHSgf1lKz8ny4

Score

10^/10

limerat discovery rat

Malware Config

Extracted

Family

limerat

Attributes

aes_key
IRj3SceatjDfweW/qMMw7g==
antivm
false
c2_url
https://pastebin.com/raw/VWmukkKm
delay
3
download_payload
false
install
true
install_name
Audio Realtek Driver.exe
main_folder
AppData
pin_spread
true
sub_folder
\Audio Realtek Driver\
usb_spread
false

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/VWmukkKm
download_payload
false
install
false
pin_spread
false
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

78c1fe5e37783f64704335ebae1520f1_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	78c1fe5e37783f64704335ebae1520f1_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

Audio Realtek Driver.exeAudio Realtek Driver.exe

pid process

2488 Audio Realtek Driver.exe
2544 Audio Realtek Driver.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

30 pastebin.com
31 pastebin.com

pid	process
2488	Audio Realtek Driver.exe
2544	Audio Realtek Driver.exe

flow	ioc
30	pastebin.com
31	pastebin.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

78c1fe5e37783f64704335ebae1520f1_JaffaCakes118.exeAudio Realtek Driver.exe

description	pid	process	target process
PID 4696 set thread context of 2308	4696	78c1fe5e37783f64704335ebae1520f1_JaffaCakes118.exe	78c1fe5e37783f64704335ebae1520f1_JaffaCakes118.exe
PID 2488 set thread context of 2544	2488	Audio Realtek Driver.exe	Audio Realtek Driver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

schtasks.exeAudio Realtek Driver.exeAudio Realtek Driver.exe78c1fe5e37783f64704335ebae1520f1_JaffaCakes118.exe78c1fe5e37783f64704335ebae1520f1_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Audio Realtek Driver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Audio Realtek Driver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	78c1fe5e37783f64704335ebae1520f1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	78c1fe5e37783f64704335ebae1520f1_JaffaCakes118.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2136 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Audio Realtek Driver.exe

description pid process

Token: SeDebugPrivilege 2544 Audio Realtek Driver.exe
Token: SeDebugPrivilege 2544 Audio Realtek Driver.exe

pid	process
2136	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	2544	Audio Realtek Driver.exe
Token: SeDebugPrivilege	2544	Audio Realtek Driver.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

78c1fe5e37783f64704335ebae1520f1_JaffaCakes118.exe78c1fe5e37783f64704335ebae1520f1_JaffaCakes118.exeAudio Realtek Driver.exe

description	pid	process	target process
PID 4696 wrote to memory of 2308	4696	78c1fe5e37783f64704335ebae1520f1_JaffaCakes118.exe	78c1fe5e37783f64704335ebae1520f1_JaffaCakes118.exe
PID 4696 wrote to memory of 2308	4696	78c1fe5e37783f64704335ebae1520f1_JaffaCakes118.exe	78c1fe5e37783f64704335ebae1520f1_JaffaCakes118.exe
PID 4696 wrote to memory of 2308	4696	78c1fe5e37783f64704335ebae1520f1_JaffaCakes118.exe	78c1fe5e37783f64704335ebae1520f1_JaffaCakes118.exe
PID 4696 wrote to memory of 2308	4696	78c1fe5e37783f64704335ebae1520f1_JaffaCakes118.exe	78c1fe5e37783f64704335ebae1520f1_JaffaCakes118.exe
PID 4696 wrote to memory of 2308	4696	78c1fe5e37783f64704335ebae1520f1_JaffaCakes118.exe	78c1fe5e37783f64704335ebae1520f1_JaffaCakes118.exe
PID 4696 wrote to memory of 2308	4696	78c1fe5e37783f64704335ebae1520f1_JaffaCakes118.exe	78c1fe5e37783f64704335ebae1520f1_JaffaCakes118.exe
PID 4696 wrote to memory of 2308	4696	78c1fe5e37783f64704335ebae1520f1_JaffaCakes118.exe	78c1fe5e37783f64704335ebae1520f1_JaffaCakes118.exe
PID 2308 wrote to memory of 2136	2308	78c1fe5e37783f64704335ebae1520f1_JaffaCakes118.exe	schtasks.exe
PID 2308 wrote to memory of 2136	2308	78c1fe5e37783f64704335ebae1520f1_JaffaCakes118.exe	schtasks.exe
PID 2308 wrote to memory of 2136	2308	78c1fe5e37783f64704335ebae1520f1_JaffaCakes118.exe	schtasks.exe
PID 2308 wrote to memory of 2488	2308	78c1fe5e37783f64704335ebae1520f1_JaffaCakes118.exe	Audio Realtek Driver.exe
PID 2308 wrote to memory of 2488	2308	78c1fe5e37783f64704335ebae1520f1_JaffaCakes118.exe	Audio Realtek Driver.exe
PID 2308 wrote to memory of 2488	2308	78c1fe5e37783f64704335ebae1520f1_JaffaCakes118.exe	Audio Realtek Driver.exe
PID 2488 wrote to memory of 2544	2488	Audio Realtek Driver.exe	Audio Realtek Driver.exe
PID 2488 wrote to memory of 2544	2488	Audio Realtek Driver.exe	Audio Realtek Driver.exe
PID 2488 wrote to memory of 2544	2488	Audio Realtek Driver.exe	Audio Realtek Driver.exe
PID 2488 wrote to memory of 2544	2488	Audio Realtek Driver.exe	Audio Realtek Driver.exe
PID 2488 wrote to memory of 2544	2488	Audio Realtek Driver.exe	Audio Realtek Driver.exe
PID 2488 wrote to memory of 2544	2488	Audio Realtek Driver.exe	Audio Realtek Driver.exe
PID 2488 wrote to memory of 2544	2488	Audio Realtek Driver.exe	Audio Realtek Driver.exe

C:\Users\Admin\AppData\Local\Temp\78c1fe5e37783f64704335ebae1520f1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\78c1fe5e37783f64704335ebae1520f1_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Users\Admin\AppData\Local\Temp\78c1fe5e37783f64704335ebae1520f1_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\78c1fe5e37783f64704335ebae1520f1_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\Audio Realtek Driver\Audio Realtek Driver.exe'"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2136
- - C:\Users\Admin\AppData\Roaming\Audio Realtek Driver\Audio Realtek Driver.exe
    "C:\Users\Admin\AppData\Roaming\Audio Realtek Driver\Audio Realtek Driver.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Users\Admin\AppData\Roaming\Audio Realtek Driver\Audio Realtek Driver.exe
      "C:\Users\Admin\AppData\Roaming\Audio Realtek Driver\Audio Realtek Driver.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\78c1fe5e37783f64704335ebae1520f1_JaffaCakes118.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Roaming\Audio Realtek Driver\Audio Realtek Driver.exe

Filesize
705KB

MD5
78c1fe5e37783f64704335ebae1520f1

SHA1
ea937129d39f86899fa0c103d89dd75cb447c518

SHA256
ed29be13a5ecb1fb3c072b8b398ea9dbeae3c1ae389f9b1eb4519be020c882aa

SHA512
3effec3f9da035c9787078828871d062f72f2d409b8be57778fe64a3b4e2fa836abc51ea34940ab76527a5524d1b5f7b4f69c6745abf243f2d1afab751649b10

Download Submit
memory/2308-9-0x0000000005560000-0x00000000055FC000-memory.dmp

Filesize
624KB

Download
memory/2308-10-0x00000000054C0000-0x0000000005526000-memory.dmp

Filesize
408KB

Download
memory/2308-24-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/2308-12-0x00000000061D0000-0x0000000006774000-memory.dmp

Filesize
5.6MB

Download
memory/2308-7-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/2308-3-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2308-11-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/2488-25-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/2488-26-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/2488-31-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/4696-2-0x0000000002BD0000-0x0000000002BD8000-memory.dmp

Filesize
32KB

Download
memory/4696-0-0x000000007461E000-0x000000007461F000-memory.dmp

Filesize
4KB

Download
memory/4696-8-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/4696-1-0x00000000006A0000-0x0000000000756000-memory.dmp

Filesize
728KB

Download
memory/4696-5-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads