General
-
Target
cc166b3ea155fd47e3380f79d66e982e_JaffaCakes118
-
Size
1.1MB
-
Sample
240831-cy3b3s1emk
-
MD5
cc166b3ea155fd47e3380f79d66e982e
-
SHA1
e66dcd125112794858f360172e937691657ca098
-
SHA256
d6955d8ae626ce1f4f2ca6f0a40805b9a14d6837e68083233944f0565bd855e1
-
SHA512
296252cd91831cc1cb75342a209f8ee5b8cde55edd06bc8c842d2c478459c485a990a3bf6d6fc0ef4031cd336088ac12a33ec10cb487a11b5548aa87d7d94a13
-
SSDEEP
24576:SAHnh+eWsN3skA4RV1Hom2KXMmHaas+nsm1ZOGP5:Vh+ZkldoPK8YaaBvZO2
Static task
static1
Behavioral task
behavioral1
Sample
cc166b3ea155fd47e3380f79d66e982e_JaffaCakes118.exe
Resource
win7-20240708-en
Malware Config
Extracted
limerat
1JBKLGyE6AnRGvk92A8x3m8qmXfh3fcEty
-
aes_key
nulled
-
antivm
true
-
c2_url
https://pastebin.com/raw/cXuQ0V20
-
delay
3
-
download_payload
false
-
install
false
-
install_name
Winservices.exe
-
main_folder
AppData
-
pin_spread
false
-
sub_folder
\Services\
-
usb_spread
true
Extracted
limerat
-
antivm
false
-
c2_url
https://pastebin.com/raw/cXuQ0V20
-
download_payload
false
-
install
false
-
pin_spread
false
-
usb_spread
false
Targets
-
-
Target
cc166b3ea155fd47e3380f79d66e982e_JaffaCakes118
-
Drops startup file
-
Legitimate hosting services abused for malware hosting/C2
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-