Analysis
-
max time kernel
147s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
19-09-2024 14:14
Static task
static1
Behavioral task
behavioral1
Sample
eb80f0edd33be1b48cdc87241aa8bd98_JaffaCakes118.exe
Resource
win7-20240903-en
General
-
Target
eb80f0edd33be1b48cdc87241aa8bd98_JaffaCakes118.exe
-
Size
639KB
-
MD5
eb80f0edd33be1b48cdc87241aa8bd98
-
SHA1
ed3ee82a414a6bcafcc4708ac70f8f584b383690
-
SHA256
9d6ade1d690124086d594c06ba8db497434c560fc7d9b4a8a4df12ffa441836f
-
SHA512
e2c30c2de08231e902c004c0fce16779b6f9ec2d5112189f0defe23becb086104d937106651d72042faeeb7b45cc892ca602914dae9740c3d1ab99afc4d9f331
-
SSDEEP
12288:A8+G7GuSGjXFhMkDh9nrw2qYCjK74A/+bn2u:A1unjXIi9nrhCjK74c+y
Malware Config
Extracted
limerat
359Z6KxMenwvgkA7vpGeBtinJPTj5raZz8
-
aes_key
arglobal
-
antivm
false
-
c2_url
https://pastebin.com/raw/CV5RHE9G
-
delay
3
-
download_payload
false
-
install
false
-
install_name
Wservices.exe
-
main_folder
Temp
-
pin_spread
false
-
sub_folder
\
-
usb_spread
false
Extracted
limerat
-
antivm
false
-
c2_url
https://pastebin.com/raw/CV5RHE9G
-
download_payload
false
-
install
false
-
pin_spread
false
-
usb_spread
false
Signatures
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.url eb80f0edd33be1b48cdc87241aa8bd98_JaffaCakes118.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 13 pastebin.com 14 pastebin.com -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2208 set thread context of 1248 2208 eb80f0edd33be1b48cdc87241aa8bd98_JaffaCakes118.exe 82 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language eb80f0edd33be1b48cdc87241aa8bd98_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2208 eb80f0edd33be1b48cdc87241aa8bd98_JaffaCakes118.exe Token: SeDebugPrivilege 1248 RegAsm.exe Token: SeDebugPrivilege 1248 RegAsm.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2208 wrote to memory of 1248 2208 eb80f0edd33be1b48cdc87241aa8bd98_JaffaCakes118.exe 82 PID 2208 wrote to memory of 1248 2208 eb80f0edd33be1b48cdc87241aa8bd98_JaffaCakes118.exe 82 PID 2208 wrote to memory of 1248 2208 eb80f0edd33be1b48cdc87241aa8bd98_JaffaCakes118.exe 82 PID 2208 wrote to memory of 1248 2208 eb80f0edd33be1b48cdc87241aa8bd98_JaffaCakes118.exe 82 PID 2208 wrote to memory of 1248 2208 eb80f0edd33be1b48cdc87241aa8bd98_JaffaCakes118.exe 82 PID 2208 wrote to memory of 1248 2208 eb80f0edd33be1b48cdc87241aa8bd98_JaffaCakes118.exe 82 PID 2208 wrote to memory of 1248 2208 eb80f0edd33be1b48cdc87241aa8bd98_JaffaCakes118.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\eb80f0edd33be1b48cdc87241aa8bd98_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\eb80f0edd33be1b48cdc87241aa8bd98_JaffaCakes118.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1248
-