Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-08-2024 10:27

Static task: static1

Behavioral task: behavioral1
- Sample: bb5b6495d22a722624313fb4076749cb_JaffaCakes118.exe
- Resource: win7-20240708-en

Behavioral task: behavioral2
- Sample: bb5b6495d22a722624313fb4076749cb_JaffaCakes118.exe
- Resource: win10v2004-20240802-en

The signatures and process tree below come from the windows10-2004_x64 run (behavioral2).
General
- Target: bb5b6495d22a722624313fb4076749cb_JaffaCakes118.exe
- Size: 17.3MB
- MD5: bb5b6495d22a722624313fb4076749cb
- SHA1: c7db683ca054476a7ba37932b22ba9d131140213
- SHA256: 2e13890ad41d07c20e2f6cec6d162fa7ecba08a1f57e4a34ab4988f4964e5aa2
- SHA512: 9f5e5c6d1d27143c3d9166fc0620c97a5af06639903e7ea584ba8b24c4756dc7f1fbaee8de6bb9ad3bb45c0a3899fcc3cc7e181dbf151f5075ef9c935fb0c1bc
- SSDEEP: 393216:rcJYwsM/YX3UZiVEiq+mEwZjGVanL54XVSeygXiWjT3iBGsIcRxiJOzMNe5vjAKG:uYjM/9+EC0tCky4eywf3iosJ6JOAN8v4
Malware Config

Extracted: limerat
- unlabelled value: 1CyeYH7fGe5QHyuQf9a7LRfsU3hdEQUHqC (the extractor gives this field no name; the string has the form of a Bitcoin address)
- aes_key: holamundo
- antivm: false
- c2_url: https://pastebin.com/raw/4xq9XHX8
- delay: 3
- download_payload: false
- install: false
- install_name: Wservices.exe
- main_folder: Temp
- pin_spread: false
- sub_folder: \
- usb_spread: false

Extracted: limerat
- antivm: false
- c2_url: https://pastebin.com/raw/4xq9XHX8
- download_payload: false
- install: false
- pin_spread: false
- usb_spread: false

The second extraction is a subset of the first (same c2_url and the same boolean flags, without the key, delay or install fields). The c2_url is a pastebin raw paste rather than a C2 host, so the paste URL and the pastebin.com flows listed under Signatures are the durable network indicators; the endpoint the paste resolves to can change without the sample changing. Note that install is false in both extractions while the Signatures section records a Winlogon Shell persistence write: treat extracted flags as a description of the build, not as proof of what the sample did at runtime.
Signatures

- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\WsVt3xEn4xPVyzK7\\hOxv66ZVYqNd.exe\",explorer.exe" (process: bb5b6495d22a722624313fb4076749cb_JaffaCakes118.exe)
  The Shell value is a comma-separated list of programs Winlogon starts at logon and defaults to explorer.exe. The sample prepends a copy of itself under a randomly named %APPDATA% folder and keeps explorer.exe so the desktop still appears. When hunting, check both the per-user key (as here, under the user's SID) and the HKLM key, and treat any entry other than explorer.exe as a finding.

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation (process: bb5b6495d22a722624313fb4076749cb_JaffaCakes118.exe)

- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 42: pastebin.com
  flow 43: pastebin.com

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: bb5b6495d22a722624313fb4076749cb_JaffaCakes118.exe)

- Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings (process: bb5b6495d22a722624313fb4076749cb_JaffaCakes118.exe)

- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid 2204, vlc.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2204, vlc.exe

- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeDebugPrivilege, pid 948, bb5b6495d22a722624313fb4076749cb_JaffaCakes118.exe (2 occurrences)
  Token: 33, pid 2392, AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege, pid 2392, AUDIODG.EXE
  Token: 33, pid 2204, vlc.exe
  Token: SeIncBasePriorityPrivilege, pid 2204, vlc.exe
  Only the SeDebugPrivilege request by the sample (pid 948) is of interest; the AUDIODG.EXE and vlc.exe entries are ordinary priority adjustments by the audio engine and the media player.

- Suspicious use of FindShellTrayWindow (24 IoCs)
  pid 2204, vlc.exe (24 occurrences)

- Suspicious use of SendNotifyMessage (7 IoCs)
  pid 2204, vlc.exe (7 occurrences)

- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid 2204, vlc.exe (4 occurrences)

- Suspicious use of WriteProcessMemory (2 IoCs)
  PID 948 (bb5b6495d22a722624313fb4076749cb_JaffaCakes118.exe) wrote to memory of PID 2204 (vlc.exe), procid_target 97 (2 occurrences)
  These writes coincide with the sample creating vlc.exe as its child, and process creation itself writes into the new process; on their own they are not evidence of injection into VLC.

The clipboard, foreground-window, tray-window and hook signatures are all raised by vlc.exe (pid 2204), which the sample launched to play an .mp4 from %TEMP% (see Processes). They are the normal behaviour of a media player and should not be read as malicious activity of the RAT itself.
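The Winlogon Shell write above is the one host-side indicator in this report that survives a reboot, so it is worth being able to check it mechanically. The following Python is an added example written for this page, not code from the sandbox or from LimeRAT: it parses Triage-style "Set value (str)" records for the Winlogon Shell and Userinit values, splits the comma-separated program list the way Winlogon reads it, and reports every entry that is not the Windows default. The record layout and the C-style escaping of the data field are assumptions taken from the single line on this page; apart from that line, the sample records are constructed.

```python
"""Flag Winlogon Shell/Userinit persistence in Triage-style registry IoC lines.

Added example for this report, not code from the sandbox or from LimeRAT.
The record layout ("Set value (str) <key> = "<escaped data>" <process>") and
the C-style escaping of the data field are assumptions taken from the one
line on the page; the sample records below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Expected contents of the two Winlogon values abused for logon persistence
# (ATT&CK T1547.004). Any other entry in the list is reported.
WINLOGON_DEFAULTS: dict[str, set[str]] = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
}

# "Set value (str) <key>\Shell = "<data>" <process>"; the key contains a space
# ("Windows NT"), so match lazily up to the Winlogon component.
_RECORD = re.compile(
    r"Set value \(str\)\s+(?P<key>\\REGISTRY\\.+?\\Winlogon)\\(?P<name>Shell|Userinit)"
    r'\s*=\s*"(?P<data>(?:[^"\\]|\\.)*)"\s+(?P<proc>\S+)',
    re.IGNORECASE,
)


@dataclass
class Finding:
    value_name: str        # "Shell" or "Userinit"
    key: str               # registry key path (per-user SID hive or HKLM)
    process: str           # process that wrote the value
    entries: list[str]     # every program listed in the value, in order
    unexpected: list[str]  # entries that are not the Windows default


def _unescape(data: str) -> str:
    """Undo the report's C-style escaping of the data field."""
    return re.sub(r"\\(.)", r"\1", data)


def _split_entries(data: str) -> list[str]:
    """Split on commas outside double quotes; the quotes themselves are dropped."""
    entries: list[str] = []
    cur: list[str] = []
    quoted = False
    for ch in data:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            entries.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    entries.append("".join(cur).strip())
    return [e for e in entries if e]  # Userinit's trailing comma leaves an empty entry


def check_line(line: str) -> Finding | None:
    """Return a Finding for a Winlogon Shell/Userinit write, or None for other lines."""
    m = _RECORD.search(line)
    if not m:
        return None
    name = m.group("name")
    entries = _split_entries(_unescape(m.group("data")))
    expected = WINLOGON_DEFAULTS[name.lower()]
    unexpected = [e for e in entries if e.lower() not in expected]
    return Finding(name, m.group("key"), m.group("proc"), entries, unexpected)


def scan(lines: list[str]) -> list[Finding]:
    """Findings with at least one non-default entry, in input order."""
    return [f for f in map(check_line, lines) if f is not None and f.unexpected]


# Constructed sample records: the first is the line from this report; the rest
# are made up to show the benign default, a Userinit hijack, a default Userinit
# with its trailing comma, and an unrelated record the parser must ignore.
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\WsVt3xEn4xPVyzK7\\hOxv66ZVYqNd.exe\",explorer.exe" bb5b6495d22a722624313fb4076749cb_JaffaCakes118.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" svchost.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\updater.exe," updater.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe," msiexec.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation bb5b6495d22a722624313fb4076749cb_JaffaCakes118.exe',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"{f.value_name} set by {f.process}: unexpected entries {f.unexpected}")
```

Comparison is exact on the lowercased entry rather than on the file name alone, so a lookalike such as a Shell value pointing at a different explorer.exe path is still reported. The same parser covers the HKLM key and the Userinit value, which the report does not show being touched but which belong in the same check.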
Processes

- C:\Users\Admin\AppData\Local\Temp\bb5b6495d22a722624313fb4076749cb_JaffaCakes118.exe (PID 948)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bb5b6495d22a722624313fb4076749cb_JaffaCakes118.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\VideoLAN\VLC\vlc.exe (PID 2204, child of 948)
    Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\34ALL5kXXkA7RWQp.mp4"
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx

- C:\Windows\system32\AUDIODG.EXE (PID 2392)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x508 0x50c
  - Suspicious use of AdjustPrivilegeToken

The sample's only child is vlc.exe, started on a randomly named .mp4 in %TEMP%, which is consistent with a decoy video being shown to the user while the RAT runs. AUDIODG.EXE is the Windows audio engine started for playback and is not a child of the sample. The persistence binary written to the Winlogon Shell value (hOxv66ZVYqNd.exe under %APPDATA%) does not appear in this process tree, so its behaviour after a reboot was not observed in this run.
MITRE ATT&CK Enterprise v15 (the TTP counts in the Signatures section refer to this version)
Downloads
- File (name not given in the report)
  Filesize: 10.8MB
  MD5: 16573795f77e76bd709b505336d4e6f6
  SHA1: 958f2c96a2023c97e132e25a1ebc59480f326444
  SHA256: 3e30268c17daf5648d1b34fe8a3dbb49bda6cc02e1f2e182452950fbee9d3c3d
  SHA512: a165f9bdc1cb88d34fc73f7cfba658c6d95d07c175a9b517725f178b217c29dcb8359666bf3fec1ccd04bee70a5ec75d35d458f7517bafb96c5327f761aab783