General

  • Target

    f73d2a6cc30b843a528073f9e89a9474_JaffaCakes118

  • Size

    28KB

  • Sample

    240926-bl52rs1gjb

  • MD5

    f73d2a6cc30b843a528073f9e89a9474

  • SHA1

    138d45ae3a1a04ca532384966495605bc46a1c84

  • SHA256

    91963dd82de52d5f3026d723eb654ad9ecfc49622f2c97602fcd5cf05dc79ff5

  • SHA512

    c7b7c1313c6a2aaea87469eb3bb6cdd64808cf5fc3c01ea8b6f30f01d38f16dbbd0c2663f3a7e17b27e1b4bc418564f80ed66cc7b424bbda684e6af31ee7ba17

  • SSDEEP

    384:IE0WnRVP3Apm4D8S00sly2icTXvmTX23avDoNrCeJE3WN5s5kzU5MB/ZOVf8Sqla:lP3Iz0f02lXvmD234m5NTUC/2qZY

Score
10/10

Malware Config

Extracted

Family

limerat

Attributes
  • aes_key

    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

  • antivm

    true

  • c2_url

    https://pastebin.com/raw/bf4enpi6

  • delay

    3

  • download_payload

    false

  • install

    true

  • install_name

    lr.tmp.exe

  • main_folder

    Temp

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    true

Extracted

Family

limerat

Attributes
  • antivm

    false

  • c2_url

    https://pastebin.com/raw/bf4enpi6

  • download_payload

    false

  • install

    false

  • pin_spread

    false

  • usb_spread

    false

Targets

    • Target

      f73d2a6cc30b843a528073f9e89a9474_JaffaCakes118

    • Size

      28KB

    • MD5

      f73d2a6cc30b843a528073f9e89a9474

    • SHA1

      138d45ae3a1a04ca532384966495605bc46a1c84

    • SHA256

      91963dd82de52d5f3026d723eb654ad9ecfc49622f2c97602fcd5cf05dc79ff5

    • SHA512

      c7b7c1313c6a2aaea87469eb3bb6cdd64808cf5fc3c01ea8b6f30f01d38f16dbbd0c2663f3a7e17b27e1b4bc418564f80ed66cc7b424bbda684e6af31ee7ba17

    • SSDEEP

      384:IE0WnRVP3Apm4D8S00sly2icTXvmTX23avDoNrCeJE3WN5s5kzU5MB/ZOVf8Sqla:lP3Iz0f02lXvmD234m5NTUC/2qZY

    Score
    10/10
    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

MITRE ATT&CK Enterprise v15

Tasks