Analysis
- max time kernel: 131s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 19-04-2024 07:48
Static task: static1
Behavioral task: behavioral1
- Sample: f9d78ddd7ef2f4200e83aa452d03192c_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: f9d78ddd7ef2f4200e83aa452d03192c_JaffaCakes118.exe
- Resource: win10v2004-20240412-en
General
- Target: f9d78ddd7ef2f4200e83aa452d03192c_JaffaCakes118.exe
- Size: 411KB
- MD5: f9d78ddd7ef2f4200e83aa452d03192c
- SHA1: 979824983e7ff0faf2c3f98c5ddad74c40d0ea7e
- SHA256: c98e242323138170045011f3ab41dc6a811e7ed7fd27a98e6d12bef5da72181a
- SHA512: 286737f8b8b731e66e8ac9cc3aee7e38ad8a6bd3666be23204a3a0908de1c27faa7d73974546eec061e7f3bcd6ae0c75743a342630c79e30c2c94be37f182ea0
- SSDEEP: 12288:CJKuu0b2YF4NCI+48ykABbPCpmj+uJoSznCn:TqSz4I+48yVBbPCpmSgI
Malware Config
Signatures
- Luminosity
  Luminosity is a RAT family that was sold commercially while being marketed as a system administration utility.
- Checks BIOS information in registry (2 TTPs, 6 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description       | ioc                                                             | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | f9d78ddd7ef2f4200e83aa452d03192c_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  | f9d78ddd7ef2f4200e83aa452d03192c_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | adobeupdater.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  | adobeupdater.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | adobeupdater.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  | adobeupdater.exe
- Executes dropped EXE (4 IoCs)
  pid  | Process
  1460 | adobeupdater.exe
  3064 | adobeupdater.exe
  3040 | adobeupdater.exe
  2564 | adobeupdater.exe
- Loads dropped DLL (2 IoCs)
  pid  | Process
  1460 | adobeupdater.exe
  3040 | adobeupdater.exe
- Suspicious use of SetThreadContext (3 IoCs)
  description                         | pid  | Process                                            | procid_target
  PID 1692 set thread context of 2500 | 1692 | f9d78ddd7ef2f4200e83aa452d03192c_JaffaCakes118.exe | 30
  PID 1460 set thread context of 3064 | 1460 | adobeupdater.exe                                   | 36
  PID 3040 set thread context of 2564 | 3040 | adobeupdater.exe                                   | 38
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid  | Process
  2596 | schtasks.exe
- Enumerates system info in registry (2 TTPs, 9 IoCs)
  description       | ioc                                                                 | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | f9d78ddd7ef2f4200e83aa452d03192c_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | adobeupdater.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  | adobeupdater.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  | adobeupdater.exe
  Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    | adobeupdater.exe
  Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    | f9d78ddd7ef2f4200e83aa452d03192c_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  | f9d78ddd7ef2f4200e83aa452d03192c_JaffaCakes118.exe
  Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    | adobeupdater.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | adobeupdater.exe
- Suspicious behavior: EnumeratesProcesses (21 IoCs; identical rows collapsed, occurrence count in last column)
  pid  | Process                                            | count
  1692 | f9d78ddd7ef2f4200e83aa452d03192c_JaffaCakes118.exe | 7
  1460 | adobeupdater.exe                                   | 7
  3040 | adobeupdater.exe                                   | 7
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description             | pid  | Process
  Token: SeDebugPrivilege | 1692 | f9d78ddd7ef2f4200e83aa452d03192c_JaffaCakes118.exe
  Token: SeDebugPrivilege | 1460 | adobeupdater.exe
  Token: SeDebugPrivilege | 3040 | adobeupdater.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid  | Process
  2500 | f9d78ddd7ef2f4200e83aa452d03192c_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (51 IoCs; identical rows collapsed, occurrence count in last column)
  description                      | pid  | Process                                            | procid_target | count
  PID 1692 wrote to memory of 2596 | 1692 | f9d78ddd7ef2f4200e83aa452d03192c_JaffaCakes118.exe | 28            | 4
  PID 1692 wrote to memory of 2500 | 1692 | f9d78ddd7ef2f4200e83aa452d03192c_JaffaCakes118.exe | 30            | 9
  PID 2656 wrote to memory of 1460 | 2656 | taskeng.exe                                        | 35            | 7
  PID 1460 wrote to memory of 3064 | 1460 | adobeupdater.exe                                   | 36            | 12
  PID 2656 wrote to memory of 3040 | 2656 | taskeng.exe                                        | 37            | 7
  PID 3040 wrote to memory of 2564 | 3040 | adobeupdater.exe                                   | 38            | 12
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\f9d78ddd7ef2f4200e83aa452d03192c_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f9d78ddd7ef2f4200e83aa452d03192c_JaffaCakes118.exe"
  PID: 1692
  Signatures:
    - Checks BIOS information in registry
    - Suspicious use of SetThreadContext
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks /create /f /sc minute /mo 1 /tn test /tr "'C:\Users\Admin\AppData\Roaming\Adobe\adobeupdater.exe'"
    PID: 2596
    Signatures:
      - Creates scheduled task(s)
  - (depth 2) C:\Users\Admin\AppData\Local\Temp\f9d78ddd7ef2f4200e83aa452d03192c_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f9d78ddd7ef2f4200e83aa452d03192c_JaffaCakes118.exe"
    PID: 2500
    Signatures:
      - Suspicious use of SetWindowsHookEx
- (depth 1) C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {865474D2-6FAD-4CD6-92EC-62FB7A5128A0} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
  PID: 2656
  Signatures:
    - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Users\Admin\AppData\Roaming\Adobe\adobeupdater.exe
    Command line: C:\Users\Admin\AppData\Roaming\Adobe\adobeupdater.exe
    PID: 1460
    Signatures:
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Users\Admin\AppData\Roaming\Adobe\adobeupdater.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Adobe\adobeupdater.exe"
      PID: 3064
      Signatures:
        - Executes dropped EXE
  - (depth 2) C:\Users\Admin\AppData\Roaming\Adobe\adobeupdater.exe
    Command line: C:\Users\Admin\AppData\Roaming\Adobe\adobeupdater.exe
    PID: 3040
    Signatures:
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Users\Admin\AppData\Roaming\Adobe\adobeupdater.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Adobe\adobeupdater.exe"
      PID: 2564
      Signatures:
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 411KB
  MD5: f9d78ddd7ef2f4200e83aa452d03192c
  SHA1: 979824983e7ff0faf2c3f98c5ddad74c40d0ea7e
  SHA256: c98e242323138170045011f3ab41dc6a811e7ed7fd27a98e6d12bef5da72181a
  SHA512: 286737f8b8b731e66e8ac9cc3aee7e38ad8a6bd3666be23204a3a0908de1c27faa7d73974546eec061e7f3bcd6ae0c75743a342630c79e30c2c94be37f182ea0