General
Target: fb4b1c387b405584e55516c44f0debb5_JaffaCakes118
Size: 750KB
Sample: 240928-chj6katemc
MD5: fb4b1c387b405584e55516c44f0debb5
SHA1: a83987372d58e2fdff23ef0b5159c286137cc1d6
SHA256: edb31b7d2d275a69de5a06ccfed47cd8ebea043e1fe982afe206647c22e252ac
SHA512: 0e25669fcc2ebf9eacaa8be2249ba49af041725ab0b9de89cfd2546f6cabd3a4f769758f16b6c6a5c2465229d1343cb1ad9fe62d2084d1ca3a665d6e75ec7ced
SSDEEP: 12288:vR2bUGmcwplDa2786jrPivKNI0jhT6PWxi34C0NLTGNFj2i2p+qkLPLakIv:IbUGmJplDaojrauLMW40NCl2FpBWXW
Static task: static1

Behavioral task: behavioral1
Sample: Scan 001.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: Scan 001.exe
Resource: win10v2004-20240802-en
Malware Config
Extracted family: limerat
aes_key: 123456789
antivm: false
c2_url: https://pastebin.com/raw/5cXHFyui
delay: 3
download_payload: false
install: true
install_name: Wservices.exe
main_folder: Temp
pin_spread: false
sub_folder: \
usb_spread: false
Targets
Target: Scan 001.exe
Size: 884KB
MD5: 9f9d2f84755edf531b370605b273bce8
SHA1: 107bb8aff5f090223f34c5da6af3b97899ca66a0
SHA256: e424feff6970c9526c287c805fe886f8e4d37c4620094bc7b3619eb5a68e425f
SHA512: 5a40406e8a03f1f16e540ceb6e5921260863850bf8f0f4ae58d2513567e0d82678886a135a3ad939a38384cc7696d010355c907e795b86d03c0f9d867af80b07
SSDEEP: 24576:6NA3R5drXdtUjr21HwvzYIOVL8A1jZFQYcHO6lSe:z5bUjrCgzYT8A1jZ63Qe
Score: 10/10

Signatures
- Disables Task Manager via registry modification
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)