luminosity | db92c8e97ca70c655fab9e12b733eb21bec0a778697570b2153097a486dfca56

General

Target

477b2fef777fd553b2bfd475a81ca7c4_JaffaCakes118.exe
Size

504KB
MD5

477b2fef777fd553b2bfd475a81ca7c4
SHA1

e4720bd59c2ce20ddbb7a46ddb2f0cf6948e6302
SHA256

db92c8e97ca70c655fab9e12b733eb21bec0a778697570b2153097a486dfca56
SHA512

fdaeb0c519146ceb2709834d7f7ff17a7179c2bae782e0843f337335882efd61773b2ef8b4c588912e6f084a1e869667c121cb8eb8d64e705a07e24c3f7e4468
SSDEEP

12288:7PUaKD0K/7qdlWFFs5ksLLei+wgKUi+ICe3BiLaw:7cakv/7vMOme1K5zw

Score

10^/10

luminosity rat

Malware Config

Signatures

Luminosity 2 IoCs

Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

rat luminosity

Processes:

477b2fef777fd553b2bfd475a81ca7c4_JaffaCakes118.exeschtasks.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	477b2fef777fd553b2bfd475a81ca7c4_JaffaCakes118.exe
5112	schtasks.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

477b2fef777fd553b2bfd475a81ca7c4_JaffaCakes118.exenetprotocol.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	477b2fef777fd553b2bfd475a81ca7c4_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	netprotocol.exe

Executes dropped EXE 3 IoCs

Processes:

netprotocol.exenetprotocol.exespoolsc.exe

pid process

2032 netprotocol.exe
5032 netprotocol.exe
440 spoolsc.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

netprotocol.exe

description pid process target process

PID 2032 set thread context of 5032 2032 netprotocol.exe netprotocol.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5112 schtasks.exe

description	pid	process	target process
PID 2032 set thread context of 5032	2032	netprotocol.exe	netprotocol.exe

pid	process
5112	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

netprotocol.exespoolsc.exenetprotocol.exe

pid	process
2032	netprotocol.exe
440	spoolsc.exe
440	spoolsc.exe
440	spoolsc.exe
440	spoolsc.exe
5032	netprotocol.exe
440	spoolsc.exe
5032	netprotocol.exe
5032	netprotocol.exe
5032	netprotocol.exe
440	spoolsc.exe
5032	netprotocol.exe
5032	netprotocol.exe
5032	netprotocol.exe
5032	netprotocol.exe
5032	netprotocol.exe
5032	netprotocol.exe
440	spoolsc.exe
5032	netprotocol.exe
5032	netprotocol.exe
440	spoolsc.exe
5032	netprotocol.exe
5032	netprotocol.exe
5032	netprotocol.exe
5032	netprotocol.exe
5032	netprotocol.exe
5032	netprotocol.exe
440	spoolsc.exe
5032	netprotocol.exe
5032	netprotocol.exe
440	spoolsc.exe
5032	netprotocol.exe
5032	netprotocol.exe
5032	netprotocol.exe
5032	netprotocol.exe
440	spoolsc.exe
5032	netprotocol.exe
440	spoolsc.exe
5032	netprotocol.exe
5032	netprotocol.exe
440	spoolsc.exe
5032	netprotocol.exe
5032	netprotocol.exe
5032	netprotocol.exe
5032	netprotocol.exe
440	spoolsc.exe
5032	netprotocol.exe
5032	netprotocol.exe
440	spoolsc.exe
5032	netprotocol.exe
5032	netprotocol.exe
440	spoolsc.exe
5032	netprotocol.exe
5032	netprotocol.exe
440	spoolsc.exe
5032	netprotocol.exe
5032	netprotocol.exe
440	spoolsc.exe
5032	netprotocol.exe
5032	netprotocol.exe
440	spoolsc.exe
5032	netprotocol.exe
5032	netprotocol.exe
440	spoolsc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

netprotocol.exespoolsc.exenetprotocol.exe

description pid process

Token: SeDebugPrivilege 2032 netprotocol.exe
Token: SeDebugPrivilege 440 spoolsc.exe
Token: SeDebugPrivilege 5032 netprotocol.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

netprotocol.exe

pid process

5032 netprotocol.exe

description	pid	process
Token: SeDebugPrivilege	2032	netprotocol.exe
Token: SeDebugPrivilege	440	spoolsc.exe
Token: SeDebugPrivilege	5032	netprotocol.exe

pid	process
5032	netprotocol.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

477b2fef777fd553b2bfd475a81ca7c4_JaffaCakes118.exenetprotocol.execmd.exevbc.exenetprotocol.exe

description	pid	process	target process
PID 4152 wrote to memory of 2032	4152	477b2fef777fd553b2bfd475a81ca7c4_JaffaCakes118.exe	netprotocol.exe
PID 4152 wrote to memory of 2032	4152	477b2fef777fd553b2bfd475a81ca7c4_JaffaCakes118.exe	netprotocol.exe
PID 4152 wrote to memory of 2032	4152	477b2fef777fd553b2bfd475a81ca7c4_JaffaCakes118.exe	netprotocol.exe
PID 2032 wrote to memory of 4912	2032	netprotocol.exe	cmd.exe
PID 2032 wrote to memory of 4912	2032	netprotocol.exe	cmd.exe
PID 2032 wrote to memory of 4912	2032	netprotocol.exe	cmd.exe
PID 4912 wrote to memory of 548	4912	cmd.exe	reg.exe
PID 4912 wrote to memory of 548	4912	cmd.exe	reg.exe
PID 4912 wrote to memory of 548	4912	cmd.exe	reg.exe
PID 2032 wrote to memory of 4940	2032	netprotocol.exe	vbc.exe
PID 2032 wrote to memory of 4940	2032	netprotocol.exe	vbc.exe
PID 2032 wrote to memory of 4940	2032	netprotocol.exe	vbc.exe
PID 4940 wrote to memory of 1428	4940	vbc.exe	cvtres.exe
PID 4940 wrote to memory of 1428	4940	vbc.exe	cvtres.exe
PID 4940 wrote to memory of 1428	4940	vbc.exe	cvtres.exe
PID 2032 wrote to memory of 5032	2032	netprotocol.exe	netprotocol.exe
PID 2032 wrote to memory of 5032	2032	netprotocol.exe	netprotocol.exe
PID 2032 wrote to memory of 5032	2032	netprotocol.exe	netprotocol.exe
PID 2032 wrote to memory of 5032	2032	netprotocol.exe	netprotocol.exe
PID 2032 wrote to memory of 5032	2032	netprotocol.exe	netprotocol.exe
PID 2032 wrote to memory of 5032	2032	netprotocol.exe	netprotocol.exe
PID 2032 wrote to memory of 5032	2032	netprotocol.exe	netprotocol.exe
PID 2032 wrote to memory of 5032	2032	netprotocol.exe	netprotocol.exe
PID 2032 wrote to memory of 440	2032	netprotocol.exe	spoolsc.exe
PID 2032 wrote to memory of 440	2032	netprotocol.exe	spoolsc.exe
PID 5032 wrote to memory of 5112	5032	netprotocol.exe	schtasks.exe
PID 5032 wrote to memory of 5112	5032	netprotocol.exe	schtasks.exe
PID 5032 wrote to memory of 5112	5032	netprotocol.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\477b2fef777fd553b2bfd475a81ca7c4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\477b2fef777fd553b2bfd475a81ca7c4_JaffaCakes118.exe"
1⤵
- Luminosity
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" -n
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4912
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" /f
      4⤵
      PID:548
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z6dxxvhx.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3604.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc98DD2FBC5EFC47218097E8963D74876.TMP"
      4⤵
      PID:1428
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5032
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc onlogon /tn "Client Monitor" /rl highest /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f
      4⤵
      Luminosity
      Creates scheduled task(s)
      PID:5112
- - C:\Users\Admin\AppData\Local\Temp\spoolsc.exe
    "C:\Users\Admin\AppData\Local\Temp\spoolsc.exe" -n
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scripting

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES3604.tmp

Filesize
1KB

MD5
f936b1e3eb838d8b12e34dad8fa44644

SHA1
e23067c418ce7dec40dd30ff4f106dd4c77391e3

SHA256
348051c89f1e636a1d35bda08b035b115d2c825af2e2407ee6e6820c9436ab8c

SHA512
e0b6843bff53549877b7b44d85e203c2d5932372c4d8f47e308e0c1dd12156547eb831af52afaea2d6296df67108565ec5cc8297a33413e45c3cea2f61280126

Download Submit
C:\Users\Admin\AppData\Local\Temp\spoolsc.exe

Filesize
7KB

MD5
3a1914c36b2c43f02922156a37c6a9cf

SHA1
09f9bf3b27b74966939004bafee0c84dcb1695ce

SHA256
14b44149fbdc39b115e26d229f106413f98fcb0f722e52ce1cb00c042a209f7a

SHA512
9e722febdc5aaad2f5ea8ca1b75aee2e63066c152c9cef792c54b4551e5881c87fea8b0d10d2d756d7780bef3104c40f8695a0ca89edb480a27d3f5dfcb2e2d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc98DD2FBC5EFC47218097E8963D74876.TMP

Filesize
932B

MD5
7cf1d8d484d60075f253503f2b88be02

SHA1
2184fdabbfc770b08cc4cb51bc5b4c4ede5b0fdf

SHA256
e64dff2b790a8430b9d73c485733c57a15de5c7973cdb17ceeee9b607531dd79

SHA512
2f847c0679b35284ed4886e6d61859c77923584bc8c3d828606e641945ee9c05fd442d4f3299e015815fef906a4cffe13c0e310a5d4302516e1648d1f39cada0

Download Submit
C:\Users\Admin\AppData\Local\Temp\z6dxxvhx.0.vb

Filesize
3KB

MD5
0735df742046fdf2506d580f13413938

SHA1
ecfffda0578caf0d72af86e4d122784fb6605c9e

SHA256
41343d222ec8f8b4034047160a2a469e830b1ed873a5e2d3c9eaca0c5118049b

SHA512
1cd5514638202fab803854e9b4262be7d19408f2ff00e105547bc00f145bb3e7ac29862841aba0bf56d11b28127ec3a9e78dba035ef5b5d9c6c968385f48c765

Download Submit
C:\Users\Admin\AppData\Local\Temp\z6dxxvhx.cmdline

Filesize
200B

MD5
4429abe5e7ff73b09636079a1219c4d7

SHA1
d29475885d1eb9e92cd892811762107203f9a669

SHA256
aa1581699b2669bc712e2027a1072950bdee31cbf4e34be721d3daac903174f2

SHA512
e205fb7cefc488b624e4e6b489e92d91c9214bd353b1bc509e87b38754c8e794fc144f4c2c4bb909acc9ccafd398281341f30bb3cb0b2ef1820d2ab1cedc8292

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe

Filesize
504KB

MD5
477b2fef777fd553b2bfd475a81ca7c4

SHA1
e4720bd59c2ce20ddbb7a46ddb2f0cf6948e6302

SHA256
db92c8e97ca70c655fab9e12b733eb21bec0a778697570b2153097a486dfca56

SHA512
fdaeb0c519146ceb2709834d7f7ff17a7179c2bae782e0843f337335882efd61773b2ef8b4c588912e6f084a1e869667c121cb8eb8d64e705a07e24c3f7e4468

Download Submit
memory/440-40-0x000000001BE30000-0x000000001BED6000-memory.dmp

Filesize
664KB

Download
memory/2032-41-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/2032-20-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/2032-19-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/2032-17-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/4152-0-0x0000000074C52000-0x0000000074C53000-memory.dmp

Filesize
4KB

Download
memory/4152-2-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/4152-1-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/4152-18-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/4940-34-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/4940-26-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/5032-36-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads