Overview

overview

10

Static

static

3

f8c656d9ff...18.exe

windows7-x64

10

f8c656d9ff...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    26-09-2024 16:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f8c656d9ff2a5c0b21769b4e1033bde7_JaffaCakes118.exe

  • Size

    1.7MB

  • MD5

    f8c656d9ff2a5c0b21769b4e1033bde7

  • SHA1

    c2e991aeb28ebf42c1f2dbfcbd4df6e2320ab3d2

  • SHA256

    d6e501f0804b1fd3b62a32366a9845a7fd010a0434dac804ffcec95fa67267a3

  • SHA512

    098b1ce3e5d95d318caccd1ce77be80484f7cef1aae807e3815f32fa2d49f74be7085c2f716187c7d074ea9e239ebfa1e5817b436c9c92e546bfc0e7560096ed

  • SSDEEP

    6144:gCDZnh3bt0kqEZKjwF+IRTA/AntEymXZoelvYihONWKkIAL5wMYDkdIihf/FS/6P:gC1n395ElLNHwWKJAL5D3hna6

Score
10/10
limeratdefense_evasiondiscoveryrat

Malware Config

Extracted

Family

limerat

Attributes
  • aes_key

    1205

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/iRjhpqQL

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Wservices.exe

  • main_folder

    Temp

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    false

Extracted

Family

limerat

Attributes
  • antivm

    false

  • c2_url

    https://pastebin.com/raw/iRjhpqQL

  • download_payload

    false

  • install

    false

  • pin_spread

    false

  • usb_spread

    false

Signatures

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

    ratlimerat
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f8c656d9ff2a5c0b21769b4e1033bde7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f8c656d9ff2a5c0b21769b4e1033bde7_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/f8c656d9ff2a5c0b21769b4e1033bde7_JaffaCakes118.exe" "%appdata%\defsghg\dfgdfge.exe" /Y
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2592
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %appdata%\defsghg\dfgdfge.exe:Zone.Identifier
      2⤵
      • Subvert Trust Controls: Mark-of-the-Web Bypass
      • System Location Discovery: System Language Discovery
      • NTFS ADS
      PID:2816
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ren "%appdata%\defsghg\dfgdfge.exe.jpg" dfgdfge.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:780
    • C:\Users\Admin\AppData\Local\Temp\svhost.exe
      "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2772
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Roaming\defsghg\dfgdfge.exe.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 300
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:2664

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\defsghg\dfgdfge.exe
    Filesize

    1.7MB

    MD5

    f8c656d9ff2a5c0b21769b4e1033bde7

    SHA1

    c2e991aeb28ebf42c1f2dbfcbd4df6e2320ab3d2

    SHA256

    d6e501f0804b1fd3b62a32366a9845a7fd010a0434dac804ffcec95fa67267a3

    SHA512

    098b1ce3e5d95d318caccd1ce77be80484f7cef1aae807e3815f32fa2d49f74be7085c2f716187c7d074ea9e239ebfa1e5817b436c9c92e546bfc0e7560096ed

    Download Submit

  • C:\Users\Admin\AppData\Roaming\defsghg\dfgdfge.exe.bat
    Filesize

    204B

    MD5

    e2bddbe36b71e23b16f1721da8f3564c

    SHA1

    b01f1c913bb94b8ba068732065d5da347bf143bc

    SHA256

    8b0219b83d6a50727a4acf2ccf53a04cfd348577d90c2489cf9b0d082d43872d

    SHA512

    c07d35abdc8fd3e366383ad7c92d4dc6adebbd0c2ecf0dd7cd5981f3cf72e6d9e6a9cf00719eb7e016dd0dd677ca5794295a2da1a74a8436b092f737db78868b

    Download Submit

  • \Users\Admin\AppData\Local\Temp\svhost.exe
    Filesize

    255KB

    MD5

    9af17c8393f0970ee5136bd3ffa27001

    SHA1

    4b285b72c1a11285a25f31f2597e090da6bbc049

    SHA256

    71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

    SHA512

    b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

    Download Submit

  • memory/2772-23-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2772-20-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2772-14-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2772-28-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2772-26-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2772-16-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2772-22-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2772-18-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3048-3-0x00000000740C0000-0x00000000747AE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3048-0-0x00000000740CE000-0x00000000740CF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3048-2-0x00000000008C0000-0x000000000090C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3048-1-0x0000000000320000-0x000000000048E000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3048-38-0x00000000740C0000-0x00000000747AE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3048-39-0x00000000740C0000-0x00000000747AE000-memory.dmp

    Filesize

    6.9MB

    Download