Overview

overview

10

Static

static

3

315f8b3713...18.exe

windows7-x64

6

315f8b3713...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-05-2024 22:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe

  • Size

    711KB

  • MD5

    315f8b3713cf9f60b41303e642d8c69d

  • SHA1

    969b4d319121f800c83db9f787cf10ca136d0849

  • SHA256

    d8bc76c5ffa22a71f54e28d3ad2bce6979af7572f80489a1501b1d5564b1b7f9

  • SHA512

    45bb2f86fa05d22cba101a59b490277403b88b3ec5a8c2ac82c0751e8285acc6e9f21ee01732f33ceb0b1f6f5be35febae8c256b575eb0d96a114be2724f65c1

  • SSDEEP

    12288:DLBK0k0UDo/5WPOOkFYntDbclWaXyf0kWas70z48bpz8f8GQGRvEWMAPiB:DLgUG852OOCYnnaXyqNIU8byQEMW/qB

Score
10/10
luminositypersistencerat

Malware Config

Signatures

  • Luminosity 2 IoCs

    Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

    ratluminosity
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe"
    1⤵
    • Luminosity
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2496
    • C:\Users\Admin\AppData\Local\Temp\315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe"
      2⤵
        PID:3016
      • C:\Users\Admin\AppData\Local\Temp\315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe"
        2⤵
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: RenamesItself
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:60
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /sc onlogon /tn "Clientx" /rl highest /tr "'C:\Program Files (x86)\Clientx\client.exe' /startup" /f
          3⤵
          • Luminosity
          • Creates scheduled task(s)
          PID:2040
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 1168
        2⤵
        • Program crash
        PID:4352
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2496 -ip 2496
      1⤵
        PID:2380

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\GT6f5qMs4cS7pePq\CpX6acbOaR1a.exe
        Filesize

        711KB

        MD5

        315f8b3713cf9f60b41303e642d8c69d

        SHA1

        969b4d319121f800c83db9f787cf10ca136d0849

        SHA256

        d8bc76c5ffa22a71f54e28d3ad2bce6979af7572f80489a1501b1d5564b1b7f9

        SHA512

        45bb2f86fa05d22cba101a59b490277403b88b3ec5a8c2ac82c0751e8285acc6e9f21ee01732f33ceb0b1f6f5be35febae8c256b575eb0d96a114be2724f65c1

        Download Submit

      • memory/60-5-0x0000000000400000-0x0000000000478000-memory.dmp

        Filesize

        480KB

        Download

      • memory/60-6-0x00000000751E0000-0x0000000075791000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/60-7-0x00000000751E0000-0x0000000075791000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/60-8-0x00000000751E0000-0x0000000075791000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/60-11-0x00000000751E0000-0x0000000075791000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2496-0-0x00000000751E2000-0x00000000751E3000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2496-1-0x00000000751E0000-0x0000000075791000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2496-2-0x00000000751E0000-0x0000000075791000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2496-10-0x00000000751E0000-0x0000000075791000-memory.dmp

        Filesize

        5.7MB

        Download