General

  • Target

    f8c656d9ff2a5c0b21769b4e1033bde7_JaffaCakes118

  • Size

    1.7MB

  • Sample

    240926-t25eaaxbqm

  • MD5

    f8c656d9ff2a5c0b21769b4e1033bde7

  • SHA1

    c2e991aeb28ebf42c1f2dbfcbd4df6e2320ab3d2

  • SHA256

    d6e501f0804b1fd3b62a32366a9845a7fd010a0434dac804ffcec95fa67267a3

  • SHA512

    098b1ce3e5d95d318caccd1ce77be80484f7cef1aae807e3815f32fa2d49f74be7085c2f716187c7d074ea9e239ebfa1e5817b436c9c92e546bfc0e7560096ed

  • SSDEEP

    6144:gCDZnh3bt0kqEZKjwF+IRTA/AntEymXZoelvYihONWKkIAL5wMYDkdIihf/FS/6P:gC1n395ElLNHwWKJAL5D3hna6

Malware Config

Extracted

Family

limerat

Attributes
  • aes_key

    1205

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/iRjhpqQL

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Wservices.exe

  • main_folder

    Temp

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    false

Extracted

Family

limerat

Attributes
  • antivm

    false

  • c2_url

    https://pastebin.com/raw/iRjhpqQL

  • download_payload

    false

  • install

    false

  • pin_spread

    false

  • usb_spread

    false

Targets

    • Target

      f8c656d9ff2a5c0b21769b4e1033bde7_JaffaCakes118

    • Size

      1.7MB

    • MD5

      f8c656d9ff2a5c0b21769b4e1033bde7

    • SHA1

      c2e991aeb28ebf42c1f2dbfcbd4df6e2320ab3d2

    • SHA256

      d6e501f0804b1fd3b62a32366a9845a7fd010a0434dac804ffcec95fa67267a3

    • SHA512

      098b1ce3e5d95d318caccd1ce77be80484f7cef1aae807e3815f32fa2d49f74be7085c2f716187c7d074ea9e239ebfa1e5817b436c9c92e546bfc0e7560096ed

    • SSDEEP

      6144:gCDZnh3bt0kqEZKjwF+IRTA/AntEymXZoelvYihONWKkIAL5wMYDkdIihf/FS/6P:gC1n395ElLNHwWKJAL5D3hna6

    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext
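The two "Extracted" blocks above are partial extractions of the same LimeRAT configuration, and the "Legitimate hosting services abused for malware hosting/C2" signature fires because the c2_url is a raw Pastebin paste rather than a direct host. The script below is an added example (not tria.ge code and not LimeRAT source) that turns those report fields into hunting artifacts: it merges the partial configs and reports any disagreeing values, checks that the hashes are well-formed and that the target name carries the MD5, classifies the C2 URL as a paste-site pointer, and expands main_folder/sub_folder/install_name into the path the sample would persist to if install were enabled. The config and hashes are transcribed from the report; FOLDER_MAP (how builder folder names map to Windows locations) and PASTE_HOSTS are the example's own assumptions.

```python
"""Hunting artifacts from the LimeRAT config in the report above.

Added example (not tria.ge code). Config and hashes are transcribed from
the report; FOLDER_MAP and PASTE_HOSTS are assumptions made for the example.
"""
import ntpath
import re
from urllib.parse import urlparse

TARGET = "f8c656d9ff2a5c0b21769b4e1033bde7_JaffaCakes118"

# Transcribed from the report's "General" section.
HASHES = {
    "md5": "f8c656d9ff2a5c0b21769b4e1033bde7",
    "sha1": "c2e991aeb28ebf42c1f2dbfcbd4df6e2320ab3d2",
    "sha256": "d6e501f0804b1fd3b62a32366a9845a7fd010a0434dac804ffcec95fa67267a3",
}

# Transcribed from the two "Extracted" blocks; the second is a partial extraction.
EXTRACTED = [
    {"family": "limerat", "aes_key": "1205", "antivm": "false",
     "c2_url": "https://pastebin.com/raw/iRjhpqQL", "delay": "3",
     "download_payload": "false", "install": "false",
     "install_name": "Wservices.exe", "main_folder": "Temp",
     "pin_spread": "false", "sub_folder": "\\", "usb_spread": "false"},
    {"family": "limerat", "antivm": "false",
     "c2_url": "https://pastebin.com/raw/iRjhpqQL",
     "download_payload": "false", "install": "false",
     "pin_spread": "false", "usb_spread": "false"},
]

# Assumption: builder folder names -> Windows locations, for a hunt path.
FOLDER_MAP = {"Temp": "%TEMP%", "AppData": "%APPDATA%", "UserProfile": "%USERPROFILE%"}
# Assumption: paste services that are legitimate hosts abused as a C2 rendezvous.
PASTE_HOSTS = {"pastebin.com", "paste.ee", "hastebin.com"}
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def merge_configs(configs):
    """Union of partial extractions; values that disagree are collected as conflicts."""
    merged, conflicts = {}, {}
    for cfg in configs:
        for key, value in cfg.items():
            if key in merged and merged[key] != value:
                conflicts.setdefault(key, {merged[key]}).add(value)
            merged.setdefault(key, value)
    return merged, conflicts


def to_bool(value):
    return str(value).lower() == "true"


def persistence_path(cfg):
    """Path the sample would copy itself to if install were enabled."""
    folder = cfg.get("main_folder", "")
    base = FOLDER_MAP.get(folder, folder)
    sub = cfg.get("sub_folder", "\\").strip("\\")
    parts = [base] + ([sub] if sub else []) + [cfg.get("install_name", "")]
    return ntpath.join(*parts)


def classify_c2(url):
    """Distinguish a raw paste used as a C2 pointer from a direct C2 host."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    return {"url": url, "host": host, "paste_site": host in PASTE_HOSTS,
            "raw_paste": host == "pastebin.com" and parsed.path.startswith("/raw/")}


def hashes_consistent(hashes, target):
    """Every hash is lowercase hex of the right length and the target name carries the MD5."""
    for algo, value in hashes.items():
        if not re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[algo], value):
            return False
    return target.startswith(hashes["md5"])


def build_iocs(configs, hashes, target):
    cfg, conflicts = merge_configs(configs)
    notes = []
    if not to_bool(cfg.get("install")):
        notes.append("install=false: runs from original location, install_name is dormant")
    if not to_bool(cfg.get("download_payload")):
        notes.append("download_payload=false: no secondary stage fetched at startup")
    if not any(to_bool(cfg.get(k)) for k in ("usb_spread", "pin_spread")):
        notes.append("no spreading modules enabled")
    return {
        "family": cfg.get("family"),
        "hashes_ok": hashes_consistent(hashes, target),
        "c2": classify_c2(cfg["c2_url"]),
        "persist": to_bool(cfg.get("install")),
        "persist_path": persistence_path(cfg),
        "conflicts": conflicts,
        "notes": notes,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_iocs(EXTRACTED, HASHES, TARGET), indent=2, default=sorted))
```

For this sample the result says: hashes consistent, C2 is a raw Pastebin pointer (block or alert on the URL, not on pastebin.com as a whole), persistence disabled, and the would-be install path is %TEMP%\Wservices.exe, which is still worth a hunt query in case a sibling build has install enabled.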

MITRE ATT&CK Enterprise v15

Tasks