limerat | 2f3be58f9ca7d71598eade319b93130b0276d58baceb12c3fc656387a97c51e3

General

Target

c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe
Size

225KB
MD5

c71d20c012f7b4350c4a934afcd130f2
SHA1

a967ff6228345830899dbeb0a4471a22780ddea7
SHA256

2f3be58f9ca7d71598eade319b93130b0276d58baceb12c3fc656387a97c51e3
SHA512

393e51cc49e885095718896e9c5313dc9f8d10d8410f062b051b7ddad06c4518214444df1e91e62adc81a73cb14f27dd3a86eeea8ea1218a1edca9a6f01329f1
SSDEEP

1536:iyfFtVj5LJ0DJ90D97D9uYGnS7XlaOFE56i504iiF/wZHVN:iyfDyRSE8E57/jFWT

Score

10^/10

limerat discovery rat

Malware Config

Extracted

Family

limerat

Wallets

359Z6KxMenwvgkA7vpGeBtinJPTj5raZz8

Attributes

aes_key
zynova@56070
antivm
false
c2_url
https://pastebin.com/raw/PyH9MBfx
delay
3
download_payload
false
install
false
install_name
Wservices.exe
main_folder
Temp
pin_spread
true
sub_folder
\
usb_spread
true

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Drops startup file 1 IoCs

Processes:

c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ethernet.url	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

23 pastebin.com
24 pastebin.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe

description pid process target process

PID 1416 set thread context of 5036 1416 c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe RegAsm.exe

flow	ioc
23	pastebin.com
24	pastebin.com

description	pid	process	target process
PID 1416 set thread context of 5036	1416	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	RegAsm.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

RegAsm.exec71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.execsc.execvtres.exeschtasks.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1184 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe

pid process

1416 c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe
1416 c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe

pid	process
1184	schtasks.exe

pid	process
1416	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe
1416	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1416	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe
Token: SeDebugPrivilege	5036	RegAsm.exe
Token: SeDebugPrivilege	5036	RegAsm.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.execsc.exe

description	pid	process	target process
PID 1416 wrote to memory of 3904	1416	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	csc.exe
PID 1416 wrote to memory of 3904	1416	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	csc.exe
PID 1416 wrote to memory of 3904	1416	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	csc.exe
PID 3904 wrote to memory of 1180	3904	csc.exe	cvtres.exe
PID 3904 wrote to memory of 1180	3904	csc.exe	cvtres.exe
PID 3904 wrote to memory of 1180	3904	csc.exe	cvtres.exe
PID 1416 wrote to memory of 4072	1416	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	schtasks.exe
PID 1416 wrote to memory of 4072	1416	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	schtasks.exe
PID 1416 wrote to memory of 4072	1416	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	schtasks.exe
PID 1416 wrote to memory of 1184	1416	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	schtasks.exe
PID 1416 wrote to memory of 1184	1416	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	schtasks.exe
PID 1416 wrote to memory of 1184	1416	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	schtasks.exe
PID 1416 wrote to memory of 5036	1416	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	RegAsm.exe
PID 1416 wrote to memory of 5036	1416	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	RegAsm.exe
PID 1416 wrote to memory of 5036	1416	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	RegAsm.exe
PID 1416 wrote to memory of 5036	1416	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	RegAsm.exe
PID 1416 wrote to memory of 5036	1416	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	RegAsm.exe
PID 1416 wrote to memory of 5036	1416	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	RegAsm.exe
PID 1416 wrote to memory of 5036	1416	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aup0upta\aup0upta.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3904
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F4F.tmp" "c:\Users\Admin\AppData\Local\Temp\aup0upta\CSC4D272ED692B1498F96E2ECEFE34D56F.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1180
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /query
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4072
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /sc MINUTE /tn Ethernet /MO 1 /tr "C:\Users\Admin\AppData\Roaming\global\Ethernet.exe\
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1184
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8F4F.tmp

Filesize
1KB

MD5
21d5c0129b427cbc7b53af6edfd5dd04

SHA1
a146d608ff6f175d7fcd7e7e9a6d00a1cf3cdd2f

SHA256
e8c677b134c17fd1560df1fb9256eb476aa574482fd0c87e346ebbb092166ec6

SHA512
363658b0e7c205c6f24293090707d15aacbdfdde26cae5ac63ae84c3a9933e0fc1b195ce8ee114453ead1d5e7bb9553846621186a6d9ce92e6020d37e1c62a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aup0upta\aup0upta.dll

Filesize
8KB

MD5
074c7cab2195f24367df2c2a2f2a7c8b

SHA1
b90b1b11b04450f71981e2a1416b0eff1fff1857

SHA256
f075cf1417d97f797d0eaadfd7efb7bb8c77d5dcd9dfb9c62a747d34a1902fb7

SHA512
ebab94c7cc4ac6e5b3ff948f70d2f902e7a4e8caa91fb14fcdf4b9557daaa9f75c16ab7798cd854d81273aa304aab5b4aeccec0f90ccc1f9974904000a2c13e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\aup0upta\aup0upta.pdb

Filesize
23KB

MD5
3b3ee0379675858bae7e394bd3a97bd3

SHA1
a6fa529f95cf31c785302627e4de46c9f3d9b333

SHA256
b4ef534d2aac27fcd02b0ae440e611110af2c92fb4793f9a9f749b93913cff0a

SHA512
790190e7bb9d9df24b5a9b762812dbe709e424ca227cf83216a01569be33696d0eac2be15b181dad4a9192b1fd912824aacce0f13a6faca62ff97392420f18ab

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aup0upta\CSC4D272ED692B1498F96E2ECEFE34D56F.TMP

Filesize
1KB

MD5
e1417fea20be26a8d953952ee88bb2bf

SHA1
12d0c328c613c71ef5de38545cc730d9998b5cfd

SHA256
461f8b5710cdb7d373e1f10055a058988146e30c8b60e77d7822c4f20246e983

SHA512
b05579846187efff18f9352b2d825cb18e8810eb42a0be1561289f41ec6e588f2786e878fc6b0e01132a30dc4c753bc8900de3293e7bf05418648195b0c11119

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aup0upta\aup0upta.0.cs

Filesize
9KB

MD5
38ca37eafe03d8f9c9324484795402bf

SHA1
4cc028fd81e7dcdbf9de360b71f0d66259a7a399

SHA256
10272281e324dac2e39caa13af6c447ede6f2a64da9bf2ca47388d693c5f7424

SHA512
3f625b39aa0c83318f8ea30b468497ace4baf1f1bcb77fa3718aa5cbc94a6bbd474163bbc639a4fff9ae1e8a4061709f929d7e4bd265344fb12e6bd0b64a48d6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aup0upta\aup0upta.cmdline

Filesize
312B

MD5
2bde97034e6ea0d5c7e6bfcb0cbf34a8

SHA1
bc703c32e13a5679badfcdbc2b4f0656769b9ce9

SHA256
f546d3f0eda031b527cc0583ec4bd0a66aaa2bcf1ad8158b147861b1445e6c1f

SHA512
d4771faa2b556edde8ebec9e7c4d13842bd8424b5bdfaf4686ca0c1d4dc35805c6d66bcbd30d0442da2afa818b7323184f865761bb48b3018fcfff07518970e6

Download Submit
memory/1416-21-0x0000000005710000-0x0000000005728000-memory.dmp

Filesize
96KB

Download
memory/1416-0-0x000000007474E000-0x000000007474F000-memory.dmp

Filesize
4KB

Download
memory/1416-3-0x00000000054C0000-0x00000000054C8000-memory.dmp

Filesize
32KB

Download
memory/1416-2-0x0000000005530000-0x00000000055C2000-memory.dmp

Filesize
584KB

Download
memory/1416-1-0x0000000000B50000-0x0000000000B76000-memory.dmp

Filesize
152KB

Download
memory/1416-19-0x00000000054F0000-0x00000000054F8000-memory.dmp

Filesize
32KB

Download
memory/1416-4-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/1416-22-0x0000000005740000-0x000000000574C000-memory.dmp

Filesize
48KB

Download
memory/1416-29-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/1416-26-0x0000000005A70000-0x0000000005B0C000-memory.dmp

Filesize
624KB

Download
memory/1416-25-0x0000000005760000-0x000000000576C000-memory.dmp

Filesize
48KB

Download
memory/5036-27-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/5036-30-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/5036-31-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads