General
Target: bb5b6495d22a722624313fb4076749cb_JaffaCakes118
Size: 17.3MB
Sample: 240823-mg84eaydqc
MD5: bb5b6495d22a722624313fb4076749cb
SHA1: c7db683ca054476a7ba37932b22ba9d131140213
SHA256: 2e13890ad41d07c20e2f6cec6d162fa7ecba08a1f57e4a34ab4988f4964e5aa2
SHA512: 9f5e5c6d1d27143c3d9166fc0620c97a5af06639903e7ea584ba8b24c4756dc7f1fbaee8de6bb9ad3bb45c0a3899fcc3cc7e181dbf151f5075ef9c935fb0c1bc
SSDEEP: 393216:rcJYwsM/YX3UZiVEiq+mEwZjGVanL54XVSeygXiWjT3iBGsIcRxiJOzMNe5vjAKG:uYjM/9+EC0tCky4eywf3iosJ6JOAN8v4
Static task: static1

Behavioral task: behavioral1
Sample: bb5b6495d22a722624313fb4076749cb_JaffaCakes118.exe
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: bb5b6495d22a722624313fb4076749cb_JaffaCakes118.exe
Resource: win10v2004-20240802-en
Malware Config

Extracted: limerat
1CyeYH7fGe5QHyuQf9a7LRfsU3hdEQUHqC
aes_key: holamundo
antivm: false
c2_url: https://pastebin.com/raw/4xq9XHX8
delay: 3
download_payload: false
install: false
install_name: Wservices.exe
main_folder: Temp
pin_spread: false
sub_folder: \
usb_spread: false

Extracted: limerat
antivm: false
c2_url: https://pastebin.com/raw/4xq9XHX8
download_payload: false
install: false
pin_spread: false
usb_spread: false
Targets

Target: bb5b6495d22a722624313fb4076749cb_JaffaCakes118
Size: 17.3MB
MD5: bb5b6495d22a722624313fb4076749cb
SHA1: c7db683ca054476a7ba37932b22ba9d131140213
SHA256: 2e13890ad41d07c20e2f6cec6d162fa7ecba08a1f57e4a34ab4988f4964e5aa2
SHA512: 9f5e5c6d1d27143c3d9166fc0620c97a5af06639903e7ea584ba8b24c4756dc7f1fbaee8de6bb9ad3bb45c0a3899fcc3cc7e181dbf151f5075ef9c935fb0c1bc
SSDEEP: 393216:rcJYwsM/YX3UZiVEiq+mEwZjGVanL54XVSeygXiWjT3iBGsIcRxiJOzMNe5vjAKG:uYjM/9+EC0tCky4eywf3iosJ6JOAN8v4
Score: 10/10

Signatures:
Modifies WinLogon for persistence
Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
Legitimate hosting services abused for malware hosting/C2