Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
11-08-2024 17:10
Static task
static1
Behavioral task
behavioral1
Sample
8b3c21db4e4189d00b8da6db22ae7387_JaffaCakes118.exe
Resource
win7-20240705-en
General
-
Target
8b3c21db4e4189d00b8da6db22ae7387_JaffaCakes118.exe
-
Size
66KB
-
MD5
8b3c21db4e4189d00b8da6db22ae7387
-
SHA1
6bd9edd982bb103c21b2a3072c16d0274d692f8e
-
SHA256
b31de3ea02144147649b6d3f04abf7b6186a5e783a63bb3b04a3552c153a397f
-
SHA512
1e551f14c66cdfd790c7cf8700e166dbfda95283b2247d200c02516ab676cebc0b6263250554436195efe2e8956be2d8406ebe82b7bee611fc238a9ff0fc86d2
-
SSDEEP
1536:J13Mt0qGK+wM0+nXdNPdwjgu3n3ipmC/k/qSAa0iUHXSjUXCOyZGqL:J13Mt7P+wM0+nXdtejgu3nypr/7RLXSZ
Malware Config
Extracted
limerat
-
aes_key
IRj3SceatjDfweW/qMMw7g==
-
antivm
true
-
c2_url
https://pastebin.com/raw/p8Be8nNX
-
delay
3
-
download_payload
false
-
install
true
-
install_name
Windows Update.exe
-
main_folder
UserProfile
-
pin_spread
false
-
sub_folder
\Windows\
-
usb_spread
false
Extracted
limerat
-
antivm
false
-
c2_url
https://pastebin.com/raw/p8Be8nNX
-
download_payload
false
-
install
false
-
pin_spread
false
-
usb_spread
false
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation 8b3c21db4e4189d00b8da6db22ae7387_JaffaCakes118.exe -
Executes dropped EXE 2 IoCs
pid Process 4624 Windows Update.exe 4204 Windows Update.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 25 pastebin.com 24 pastebin.com -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2068 set thread context of 2084 2068 8b3c21db4e4189d00b8da6db22ae7387_JaffaCakes118.exe 85 PID 4624 set thread context of 4204 4624 Windows Update.exe 95 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8b3c21db4e4189d00b8da6db22ae7387_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8b3c21db4e4189d00b8da6db22ae7387_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Windows Update.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Windows Update.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2028 schtasks.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4204 Windows Update.exe Token: SeDebugPrivilege 4204 Windows Update.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 2068 wrote to memory of 2084 2068 8b3c21db4e4189d00b8da6db22ae7387_JaffaCakes118.exe 85 PID 2068 wrote to memory of 2084 2068 8b3c21db4e4189d00b8da6db22ae7387_JaffaCakes118.exe 85 PID 2068 wrote to memory of 2084 2068 8b3c21db4e4189d00b8da6db22ae7387_JaffaCakes118.exe 85 PID 2068 wrote to memory of 2084 2068 8b3c21db4e4189d00b8da6db22ae7387_JaffaCakes118.exe 85 PID 2068 wrote to memory of 2084 2068 8b3c21db4e4189d00b8da6db22ae7387_JaffaCakes118.exe 85 PID 2068 wrote to memory of 2084 2068 8b3c21db4e4189d00b8da6db22ae7387_JaffaCakes118.exe 85 PID 2068 wrote to memory of 2084 2068 8b3c21db4e4189d00b8da6db22ae7387_JaffaCakes118.exe 85 PID 2084 wrote to memory of 2028 2084 8b3c21db4e4189d00b8da6db22ae7387_JaffaCakes118.exe 92 PID 2084 wrote to memory of 2028 2084 8b3c21db4e4189d00b8da6db22ae7387_JaffaCakes118.exe 92 PID 2084 wrote to memory of 2028 2084 8b3c21db4e4189d00b8da6db22ae7387_JaffaCakes118.exe 92 PID 2084 wrote to memory of 4624 2084 8b3c21db4e4189d00b8da6db22ae7387_JaffaCakes118.exe 94 PID 2084 wrote to memory of 4624 2084 8b3c21db4e4189d00b8da6db22ae7387_JaffaCakes118.exe 94 PID 2084 wrote to memory of 4624 2084 8b3c21db4e4189d00b8da6db22ae7387_JaffaCakes118.exe 94 PID 4624 wrote to memory of 4204 4624 Windows Update.exe 95 PID 4624 wrote to memory of 4204 4624 Windows Update.exe 95 PID 4624 wrote to memory of 4204 4624 Windows Update.exe 95 PID 4624 wrote to memory of 4204 4624 Windows Update.exe 95 PID 4624 wrote to memory of 4204 4624 Windows Update.exe 95 PID 4624 wrote to memory of 4204 4624 Windows Update.exe 95 PID 4624 wrote to memory of 4204 4624 Windows Update.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\8b3c21db4e4189d00b8da6db22ae7387_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\8b3c21db4e4189d00b8da6db22ae7387_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Users\Admin\AppData\Local\Temp\8b3c21db4e4189d00b8da6db22ae7387_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\8b3c21db4e4189d00b8da6db22ae7387_JaffaCakes118.exe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\Windows\Windows Update.exe'"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2028
-
-
C:\Users\Admin\Windows\Windows Update.exe"C:\Users\Admin\Windows\Windows Update.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Users\Admin\Windows\Windows Update.exe"C:\Users\Admin\Windows\Windows Update.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4204
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8b3c21db4e4189d00b8da6db22ae7387_JaffaCakes118.exe.log
Filesize226B
MD5916851e072fbabc4796d8916c5131092
SHA1d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA2567e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA51207ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
Filesize
66KB
MD58b3c21db4e4189d00b8da6db22ae7387
SHA16bd9edd982bb103c21b2a3072c16d0274d692f8e
SHA256b31de3ea02144147649b6d3f04abf7b6186a5e783a63bb3b04a3552c153a397f
SHA5121e551f14c66cdfd790c7cf8700e166dbfda95283b2247d200c02516ab676cebc0b6263250554436195efe2e8956be2d8406ebe82b7bee611fc238a9ff0fc86d2