Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
10-05-2024 22:34
Static task
static1
Behavioral task
behavioral1
Sample
315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
-
Size
711KB
-
MD5
315f8b3713cf9f60b41303e642d8c69d
-
SHA1
969b4d319121f800c83db9f787cf10ca136d0849
-
SHA256
d8bc76c5ffa22a71f54e28d3ad2bce6979af7572f80489a1501b1d5564b1b7f9
-
SHA512
45bb2f86fa05d22cba101a59b490277403b88b3ec5a8c2ac82c0751e8285acc6e9f21ee01732f33ceb0b1f6f5be35febae8c256b575eb0d96a114be2724f65c1
-
SSDEEP
12288:DLBK0k0UDo/5WPOOkFYntDbclWaXyf0kWas70z48bpz8f8GQGRvEWMAPiB:DLgUG852OOCYnnaXyqNIU8byQEMW/qB
Malware Config
Signatures
-
Luminosity 2 IoCs
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
description ioc pid Process Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mgmzFkn4v1bExtcb = "C:\\Users\\Admin\\AppData\\Roaming\\GT6f5qMs4cS7pePq\\CpX6acbOaR1a.exe" 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 2040 schtasks.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mgmzFkn4v1bExtcb = "C:\\Users\\Admin\\AppData\\Roaming\\GT6f5qMs4cS7pePq\\CpX6acbOaR1a.exe" 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Clientx = "\"C:\\Program Files (x86)\\Clientx\\client.exe\" -a /a" 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2496 set thread context of 60 2496 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 88 -
Program crash 1 IoCs
pid pid_target Process procid_target 4352 2496 WerFault.exe 81 -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2040 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2496 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 2496 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 2496 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 2496 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 2496 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 2496 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 2496 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2496 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe Token: SeDebugPrivilege 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 2496 wrote to memory of 3016 2496 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 87 PID 2496 wrote to memory of 3016 2496 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 87 PID 2496 wrote to memory of 3016 2496 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 87 PID 2496 wrote to memory of 60 2496 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 88 PID 2496 wrote to memory of 60 2496 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 88 PID 2496 wrote to memory of 60 2496 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 88 PID 2496 wrote to memory of 60 2496 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 88 PID 2496 wrote to memory of 60 2496 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 88 PID 2496 wrote to memory of 60 2496 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 88 PID 2496 wrote to memory of 60 2496 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 88 PID 2496 wrote to memory of 60 2496 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 88 PID 60 wrote to memory of 2040 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 94 PID 60 wrote to memory of 2040 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 94 PID 60 wrote to memory of 2040 60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe"1⤵
- Luminosity
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Users\Admin\AppData\Local\Temp\315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe"2⤵PID:3016
-
-
C:\Users\Admin\AppData\Local\Temp\315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:60 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc onlogon /tn "Clientx" /rl highest /tr "'C:\Program Files (x86)\Clientx\client.exe' /startup" /f3⤵
- Luminosity
- Creates scheduled task(s)
PID:2040
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 11682⤵
- Program crash
PID:4352
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2496 -ip 24961⤵PID:2380
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
711KB
MD5315f8b3713cf9f60b41303e642d8c69d
SHA1969b4d319121f800c83db9f787cf10ca136d0849
SHA256d8bc76c5ffa22a71f54e28d3ad2bce6979af7572f80489a1501b1d5564b1b7f9
SHA51245bb2f86fa05d22cba101a59b490277403b88b3ec5a8c2ac82c0751e8285acc6e9f21ee01732f33ceb0b1f6f5be35febae8c256b575eb0d96a114be2724f65c1