Overview

overview

10

Static

static

3

2fdafb254c...18.exe

windows7-x64

10

2fdafb254c...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-05-2024 15:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2fdafb254cd0b250ce4d2330cfe10d1a_JaffaCakes118.exe

  • Size

    1.9MB

  • MD5

    2fdafb254cd0b250ce4d2330cfe10d1a

  • SHA1

    73fbf34a64f560f236fea960ba7055e211f168f9

  • SHA256

    7883a94c3bd1af3f49dd72ff193742c26a849d54ff25cd91a9b78553b0e8d7bf

  • SHA512

    3cd78a0b6864d377350b17f8cdbdd72a3bd5879aa6007690077b560efe53f64bfbfaef14c906c16a15bf6f0a6915c9834a6cd6ed1665e848f39588e195520901

  • SSDEEP

    49152:W84BBskoGYvcxD8Bvj1j65e6t1UbvIyQ+dp7m4:W8kBnoGfKBpAeeUbgf+Xi

Score
10/10
luminositypersistencerat

Malware Config

Signatures

  • Luminosity 2 IoCs

    Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

    ratluminosity
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 23 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2fdafb254cd0b250ce4d2330cfe10d1a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2fdafb254cd0b250ce4d2330cfe10d1a_JaffaCakes118.exe"
    1⤵
    • Luminosity
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2292
    • C:\Users\Admin\AppData\Local\Temp\Tskmgr.exe
      "C:\Users\Admin\AppData\Local\Temp\Tskmgr.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5060
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:4964
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /NP /sc onlogon /tn "Client Monitor" /rl highest /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f
        3⤵
        • Luminosity
        • Creates scheduled task(s)
        • Suspicious behavior: EnumeratesProcesses
        PID:3420
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:4616
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:1868
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:4640
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:4628
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:4384
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:3488
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:4260
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:824
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:4596
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:1464
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:1548
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:2984
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:4968
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:4228
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:2932
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:2144
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:2852
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:1204
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:2504
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:3696
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:4264
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:3148
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:468
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderN\Tskmgr.exe.lnk " /f
        3⤵
          PID:4452
      • C:\Users\Admin\AppData\Local\Temp\svhost.exe
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:4444

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Tskmgr.exe
      Filesize

      857KB

      MD5

      bc6529f2a93dd5eb328963e0b41a855a

      SHA1

      0d3fe448baa8a886fd33541f17e893a8a550640f

      SHA256

      b98c711a375f39574672d49fdb798e70dab73b56c5a605c2cfd55a82d8d1b528

      SHA512

      4b50bc0de71bdbdbe76622d498d70b940e11a5c34b6d58b43765eacb2447d3106da3ac80f3a20e7eed67598bf9875cda9646694724b8fae6d91a7ed97b0bad73

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\svhost.exe
      Filesize

      52KB

      MD5

      a64daca3cfbcd039df3ec29d3eddd001

      SHA1

      eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

      SHA256

      403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

      SHA512

      b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

      Download Submit
    • memory/2292-0-0x0000000074682000-0x0000000074683000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2292-1-0x0000000074680000-0x0000000074C31000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2292-2-0x0000000074680000-0x0000000074C31000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2292-23-0x0000000074680000-0x0000000074C31000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/3420-39-0x00000000012E0000-0x00000000012F7000-memory.dmp
      Filesize

      92KB

      Download
    • memory/3420-37-0x00000000012E0000-0x00000000012F7000-memory.dmp
      Filesize

      92KB

      Download
    • memory/3420-34-0x00000000012E0000-0x00000000012F7000-memory.dmp
      Filesize

      92KB

      Download
    • memory/3420-36-0x0000000000F00000-0x0000000000F01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3420-33-0x00000000012E0000-0x00000000012F7000-memory.dmp
      Filesize

      92KB

      Download
    • memory/3420-35-0x00000000012E0000-0x00000000012F7000-memory.dmp
      Filesize

      92KB

      Download
    • memory/4444-31-0x00000000056D0000-0x00000000056E7000-memory.dmp
      Filesize

      92KB

      Download
    • memory/4444-28-0x00000000056D0000-0x00000000056E7000-memory.dmp
      Filesize

      92KB

      Download
    • memory/4444-24-0x00000000056D0000-0x00000000056E7000-memory.dmp
      Filesize

      92KB

      Download
    • memory/4444-26-0x00000000056D0000-0x00000000056E7000-memory.dmp
      Filesize

      92KB

      Download
    • memory/4444-25-0x00000000056D0000-0x00000000056E7000-memory.dmp
      Filesize

      92KB

      Download
    • memory/4444-27-0x00000000056F0000-0x00000000056F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4444-19-0x0000000000430000-0x000000000050C000-memory.dmp
      Filesize

      880KB

      Download
    • memory/5060-32-0x0000000074680000-0x0000000074C31000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/5060-15-0x0000000074680000-0x0000000074C31000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/5060-14-0x0000000074680000-0x0000000074C31000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/5060-13-0x0000000074680000-0x0000000074C31000-memory.dmp
      Filesize

      5.7MB

      Download