Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
10-05-2024 15:45
General
-
Target
2fdafb254cd0b250ce4d2330cfe10d1a_JaffaCakes118.exe
-
Size
1.9MB
-
MD5
2fdafb254cd0b250ce4d2330cfe10d1a
-
SHA1
73fbf34a64f560f236fea960ba7055e211f168f9
-
SHA256
7883a94c3bd1af3f49dd72ff193742c26a849d54ff25cd91a9b78553b0e8d7bf
-
SHA512
3cd78a0b6864d377350b17f8cdbdd72a3bd5879aa6007690077b560efe53f64bfbfaef14c906c16a15bf6f0a6915c9834a6cd6ed1665e848f39588e195520901
-
SSDEEP
49152:W84BBskoGYvcxD8Bvj1j65e6t1UbvIyQ+dp7m4:W8kBnoGfKBpAeeUbgf+Xi
Score
10/10
Malware Config
Signatures
-
Luminosity 2 IoCs
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 5 IoCs
-
Adds Run key to start application 2 TTPs 22 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2fdafb254cd0b250ce4d2330cfe10d1a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2fdafb254cd0b250ce4d2330cfe10d1a_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Tskmgr.exe"C:\Users\Admin\AppData\Local\Temp\Tskmgr.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Luminosity
- Adds Run key to start application
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /NP /sc onlogon /tn "Client Monitor" /rl highest /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f3⤵
- Luminosity
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderN\Tskmgr.exe.lnk " /f3⤵
-
C:\Users\Admin\AppData\Local\Temp\svhost.exe"C:\Users\Admin\AppData\Local\Temp\svhost.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\Tskmgr.exeFilesize
857KB
MD5bc6529f2a93dd5eb328963e0b41a855a
SHA10d3fe448baa8a886fd33541f17e893a8a550640f
SHA256b98c711a375f39574672d49fdb798e70dab73b56c5a605c2cfd55a82d8d1b528
SHA5124b50bc0de71bdbdbe76622d498d70b940e11a5c34b6d58b43765eacb2447d3106da3ac80f3a20e7eed67598bf9875cda9646694724b8fae6d91a7ed97b0bad73
-
\Users\Admin\AppData\Local\Temp\svhost.exeFilesize
52KB
MD5278edbd499374bf73621f8c1f969d894
SHA1a81170af14747781c5f5f51bb1215893136f0bc0
SHA256c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391
SHA51293b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9
-
memory/1664-0-0x0000000074752000-0x0000000074754000-memory.dmpFilesize
8KB
-
memory/2000-59-0x0000000000020000-0x0000000000037000-memory.dmpFilesize
92KB
-
memory/2000-57-0x0000000000020000-0x0000000000037000-memory.dmpFilesize
92KB
-
memory/2000-51-0x0000000000020000-0x0000000000037000-memory.dmpFilesize
92KB
-
memory/2000-53-0x0000000000020000-0x0000000000037000-memory.dmpFilesize
92KB
-
memory/2000-56-0x00000000000A0000-0x00000000000A1000-memory.dmpFilesize
4KB
-
memory/2000-49-0x0000000000020000-0x0000000000037000-memory.dmpFilesize
92KB
-
memory/2124-62-0x0000000000140000-0x0000000000157000-memory.dmpFilesize
92KB
-
memory/2124-64-0x0000000000140000-0x0000000000157000-memory.dmpFilesize
92KB
-
memory/2124-66-0x0000000000140000-0x0000000000157000-memory.dmpFilesize
92KB
-
memory/2124-69-0x0000000000030000-0x0000000000031000-memory.dmpFilesize
4KB
-
memory/2532-12-0x0000000074750000-0x0000000074CFB000-memory.dmpFilesize
5.7MB
-
memory/2532-46-0x0000000074750000-0x0000000074CFB000-memory.dmpFilesize
5.7MB
-
memory/2572-22-0x0000000000400000-0x00000000004DC000-memory.dmpFilesize
880KB
-
memory/2572-35-0x0000000000560000-0x0000000000577000-memory.dmpFilesize
92KB
-
memory/2572-37-0x0000000000560000-0x0000000000577000-memory.dmpFilesize
92KB
-
memory/2572-43-0x0000000000560000-0x0000000000577000-memory.dmpFilesize
92KB
-
memory/2572-45-0x0000000000560000-0x0000000000577000-memory.dmpFilesize
92KB
-
memory/2572-40-0x0000000000510000-0x0000000000511000-memory.dmpFilesize
4KB
-
memory/2572-42-0x0000000000510000-0x0000000000511000-memory.dmpFilesize
4KB
-
memory/2572-39-0x0000000000560000-0x0000000000577000-memory.dmpFilesize
92KB
-
memory/2572-34-0x0000000000560000-0x0000000000577000-memory.dmpFilesize
92KB
-
memory/2572-33-0x0000000000560000-0x0000000000577000-memory.dmpFilesize
92KB
-
memory/2572-30-0x0000000000400000-0x00000000004DC000-memory.dmpFilesize
880KB
-
memory/2572-29-0x0000000000400000-0x00000000004DC000-memory.dmpFilesize
880KB
-
memory/2572-20-0x0000000000400000-0x00000000004DC000-memory.dmpFilesize
880KB
-
memory/2572-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2572-27-0x0000000000400000-0x00000000004DC000-memory.dmpFilesize
880KB
-
memory/2572-18-0x0000000000400000-0x00000000004DC000-memory.dmpFilesize
880KB