Overview

overview

10

Static

static

3

868a9e62c0...18.exe

windows7-x64

10

868a9e62c0...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-11-2024 17:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    868a9e62c032b2b4549b32413cbbca17_JaffaCakes118.exe

  • Size

    89KB

  • MD5

    868a9e62c032b2b4549b32413cbbca17

  • SHA1

    86be819fc9c9c8dc435120a5fb6262ae7be70d93

  • SHA256

    e1f1687889454c0e2fc33905898844ffba1816566d96e543128a4d60af25102a

  • SHA512

    38590c14f1d9bb4da3e1f3a8770d1c126c22f5a748aafb728d00d938a739681d78bf16403cd2ecc38c6699e8d7bab63fb12ecf7dc599d80dd342053a83a00c26

  • SSDEEP

    1536:8r8ugkF5Ew/JN1qHd0jy4MjydK5MF1OPklWz01TuSo7EHDyokkIPEDMyF3C4:vwxN1Od0TMjydKk1h40ASo7EHuokkaE3

Score
10/10
limeratrat

Malware Config

Extracted

Family

limerat

Attributes
  • antivm

    false

  • c2_url

    https://pastebin.com/raw/7sALhsP2

  • download_payload

    false

  • install

    false

  • pin_spread

    false

  • usb_spread

    false

Signatures

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

    ratlimerat
  • Limerat family
    limerat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\868a9e62c032b2b4549b32413cbbca17_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\868a9e62c032b2b4549b32413cbbca17_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3088
    • C:\Windows\SYSTEM32\schtasks.exe
      schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\Secure.exe'"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1952
    • C:\Users\Admin\AppData\Local\Temp\Secure.exe
      "C:\Users\Admin\AppData\Local\Temp\Secure.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3176

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Secure.exe
    Filesize

    89KB

    MD5

    868a9e62c032b2b4549b32413cbbca17

    SHA1

    86be819fc9c9c8dc435120a5fb6262ae7be70d93

    SHA256

    e1f1687889454c0e2fc33905898844ffba1816566d96e543128a4d60af25102a

    SHA512

    38590c14f1d9bb4da3e1f3a8770d1c126c22f5a748aafb728d00d938a739681d78bf16403cd2ecc38c6699e8d7bab63fb12ecf7dc599d80dd342053a83a00c26

    Download Submit

  • memory/3088-6-0x00007FFA08120000-0x00007FFA08BE1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3088-2-0x0000000003060000-0x0000000003076000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3088-3-0x0000000003080000-0x000000000309C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3088-4-0x00000000030A0000-0x00000000030B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3088-5-0x00000000030B0000-0x00000000030C6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3088-0-0x00007FFA08123000-0x00007FFA08125000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3088-1-0x0000000000FE0000-0x0000000000FFC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3088-19-0x00007FFA08123000-0x00007FFA08125000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3088-22-0x00007FFA08120000-0x00007FFA08BE1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3176-18-0x00007FFA08120000-0x00007FFA08BE1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3176-21-0x00007FFA08120000-0x00007FFA08BE1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3176-23-0x00007FFA08120000-0x00007FFA08BE1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3176-24-0x00007FFA08120000-0x00007FFA08BE1000-memory.dmp

    Filesize

    10.8MB

    Download