luminosity | d8bc76c5ffa22a71f54e28d3ad2bce6979af7572f80489a1501b1d5564b1b7f9

General

Target

315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
Size

711KB
MD5

315f8b3713cf9f60b41303e642d8c69d
SHA1

969b4d319121f800c83db9f787cf10ca136d0849
SHA256

d8bc76c5ffa22a71f54e28d3ad2bce6979af7572f80489a1501b1d5564b1b7f9
SHA512

45bb2f86fa05d22cba101a59b490277403b88b3ec5a8c2ac82c0751e8285acc6e9f21ee01732f33ceb0b1f6f5be35febae8c256b575eb0d96a114be2724f65c1
SSDEEP

12288:DLBK0k0UDo/5WPOOkFYntDbclWaXyf0kWas70z48bpz8f8GQGRvEWMAPiB:DLgUG852OOCYnnaXyqNIU8byQEMW/qB

Score

10^/10

luminosity persistence rat

Malware Config

Signatures

Luminosity 2 IoCs

Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

rat luminosity

Processes:

315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exeschtasks.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mgmzFkn4v1bExtcb = "C:\\Users\\Admin\\AppData\\Roaming\\GT6f5qMs4cS7pePq\\CpX6acbOaR1a.exe"	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
2040	schtasks.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mgmzFkn4v1bExtcb = "C:\\Users\\Admin\\AppData\\Roaming\\GT6f5qMs4cS7pePq\\CpX6acbOaR1a.exe"	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Clientx = "\"C:\\Program Files (x86)\\Clientx\\client.exe\" -a /a"	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe

description	pid	process	target process
PID 2496 set thread context of 60	2496	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4352 2496 WerFault.exe 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2040 schtasks.exe

pid	pid_target	process	target process
4352	2496	WerFault.exe	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe

pid	process
2040	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe

pid	process
2496	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
2496	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
2496	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
2496	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
2496	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
2496	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
2496	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe

pid process

60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe

pid	process
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2496	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
Token: SeDebugPrivilege	60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe

pid process

60 315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe

pid	process
60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe

description	pid	process	target process
PID 2496 wrote to memory of 3016	2496	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
PID 2496 wrote to memory of 3016	2496	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
PID 2496 wrote to memory of 3016	2496	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
PID 2496 wrote to memory of 60	2496	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
PID 2496 wrote to memory of 60	2496	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
PID 2496 wrote to memory of 60	2496	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
PID 2496 wrote to memory of 60	2496	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
PID 2496 wrote to memory of 60	2496	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
PID 2496 wrote to memory of 60	2496	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
PID 2496 wrote to memory of 60	2496	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
PID 2496 wrote to memory of 60	2496	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
PID 60 wrote to memory of 2040	60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe	schtasks.exe
PID 60 wrote to memory of 2040	60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe	schtasks.exe
PID 60 wrote to memory of 2040	60	315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe"
1⤵
- Luminosity
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2496

C:\Users\Admin\AppData\Local\Temp\315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe"
2⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\315f8b3713cf9f60b41303e642d8c69d_JaffaCakes118.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:60

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc onlogon /tn "Clientx" /rl highest /tr "'C:\Program Files (x86)\Clientx\client.exe' /startup" /f
3⤵
- Luminosity
- Creates scheduled task(s)
PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 1168
2⤵
- Program crash
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2496 -ip 2496
1⤵
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\GT6f5qMs4cS7pePq\CpX6acbOaR1a.exe
Filesize
711KB

MD5
315f8b3713cf9f60b41303e642d8c69d

SHA1
969b4d319121f800c83db9f787cf10ca136d0849

SHA256
d8bc76c5ffa22a71f54e28d3ad2bce6979af7572f80489a1501b1d5564b1b7f9

SHA512
45bb2f86fa05d22cba101a59b490277403b88b3ec5a8c2ac82c0751e8285acc6e9f21ee01732f33ceb0b1f6f5be35febae8c256b575eb0d96a114be2724f65c1

Download Submit
memory/60-5-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/60-6-0x00000000751E0000-0x0000000075791000-memory.dmp

Filesize
5.7MB

Download
memory/60-7-0x00000000751E0000-0x0000000075791000-memory.dmp

Filesize
5.7MB

Download
memory/60-8-0x00000000751E0000-0x0000000075791000-memory.dmp

Filesize
5.7MB

Download
memory/60-11-0x00000000751E0000-0x0000000075791000-memory.dmp

Filesize
5.7MB

Download
memory/2496-0-0x00000000751E2000-0x00000000751E3000-memory.dmp

Filesize
4KB

Download
memory/2496-1-0x00000000751E0000-0x0000000075791000-memory.dmp

Filesize
5.7MB

Download
memory/2496-2-0x00000000751E0000-0x0000000075791000-memory.dmp

Filesize
5.7MB

Download
memory/2496-10-0x00000000751E0000-0x0000000075791000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads