General

  • Target

    bb5b6495d22a722624313fb4076749cb_JaffaCakes118

  • Size

    17.3MB

  • Sample

    240823-mg84eaydqc

  • MD5

    bb5b6495d22a722624313fb4076749cb

  • SHA1

    c7db683ca054476a7ba37932b22ba9d131140213

  • SHA256

    2e13890ad41d07c20e2f6cec6d162fa7ecba08a1f57e4a34ab4988f4964e5aa2

  • SHA512

    9f5e5c6d1d27143c3d9166fc0620c97a5af06639903e7ea584ba8b24c4756dc7f1fbaee8de6bb9ad3bb45c0a3899fcc3cc7e181dbf151f5075ef9c935fb0c1bc

  • SSDEEP

    393216:rcJYwsM/YX3UZiVEiq+mEwZjGVanL54XVSeygXiWjT3iBGsIcRxiJOzMNe5vjAKG:uYjM/9+EC0tCky4eywf3iosJ6JOAN8v4

Malware Config

Extracted

Family

limerat

Wallets

1CyeYH7fGe5QHyuQf9a7LRfsU3hdEQUHqC

Attributes

  • aes_key

    holamundo

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/4xq9XHX8

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Wservices.exe

  • main_folder

    Temp

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    false

Extracted

Family

limerat

Attributes

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/4xq9XHX8

  • download_payload

    false

  • install

    false

  • pin_spread

    false

  • usb_spread

    false

Targets

    • Target

      bb5b6495d22a722624313fb4076749cb_JaffaCakes118

    • Size

      17.3MB

    • MD5

      bb5b6495d22a722624313fb4076749cb

    • SHA1

      c7db683ca054476a7ba37932b22ba9d131140213

    • SHA256

      2e13890ad41d07c20e2f6cec6d162fa7ecba08a1f57e4a34ab4988f4964e5aa2

    • SHA512

      9f5e5c6d1d27143c3d9166fc0620c97a5af06639903e7ea584ba8b24c4756dc7f1fbaee8de6bb9ad3bb45c0a3899fcc3cc7e181dbf151f5075ef9c935fb0c1bc

    • SSDEEP

      393216:rcJYwsM/YX3UZiVEiq+mEwZjGVanL54XVSeygXiWjT3iBGsIcRxiJOzMNe5vjAKG:uYjM/9+EC0tCky4eywf3iosJ6JOAN8v4

    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks