Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-08-2024 10:27

General

  • Target

    bb5b6495d22a722624313fb4076749cb_JaffaCakes118.exe

  • Size

    17.3MB

  • MD5

    bb5b6495d22a722624313fb4076749cb

  • SHA1

    c7db683ca054476a7ba37932b22ba9d131140213

  • SHA256

    2e13890ad41d07c20e2f6cec6d162fa7ecba08a1f57e4a34ab4988f4964e5aa2

  • SHA512

    9f5e5c6d1d27143c3d9166fc0620c97a5af06639903e7ea584ba8b24c4756dc7f1fbaee8de6bb9ad3bb45c0a3899fcc3cc7e181dbf151f5075ef9c935fb0c1bc

  • SSDEEP

    393216:rcJYwsM/YX3UZiVEiq+mEwZjGVanL54XVSeygXiWjT3iBGsIcRxiJOzMNe5vjAKG:uYjM/9+EC0tCky4eywf3iosJ6JOAN8v4

Malware Config

Extracted

Family

limerat

Wallets

1CyeYH7fGe5QHyuQf9a7LRfsU3hdEQUHqC

Attributes
  • aes_key

    holamundo

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/4xq9XHX8

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Wservices.exe

  • main_folder

    Temp

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    false

Extracted

Family

limerat

Attributes
  • antivm

    false

  • c2_url

    https://pastebin.com/raw/4xq9XHX8

  • download_payload

    false

  • install

    false

  • pin_spread

    false

  • usb_spread

    false

Signatures

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

  • Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of FindShellTrayWindow (27 IoCs)
  • Suspicious use of SendNotifyMessage (8 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\bb5b6495d22a722624313fb4076749cb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bb5b6495d22a722624313fb4076749cb_JaffaCakes118.exe"
    PID:2204
    • Modifies WinLogon for persistence
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Program Files\VideoLAN\VLC\vlc.exe (child of PID 2204)
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\FIPcjETDIhlae2Vs.mp4"
      PID:2880
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx


Downloads

  • C:\Users\Admin\AppData\Local\Temp\FIPcjETDIhlae2Vs.mp4

    Filesize

    10.8MB

    MD5

    16573795f77e76bd709b505336d4e6f6

    SHA1

    958f2c96a2023c97e132e25a1ebc59480f326444

    SHA256

    3e30268c17daf5648d1b34fe8a3dbb49bda6cc02e1f2e182452950fbee9d3c3d

    SHA512

    a165f9bdc1cb88d34fc73f7cfba658c6d95d07c175a9b517725f178b217c29dcb8359666bf3fec1ccd04bee70a5ec75d35d458f7517bafb96c5327f761aab783
