Overview

overview

10

Static

static

3

4cccaa5cfb...18.exe

windows7-x64

10

4cccaa5cfb...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    16-05-2024 19:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4cccaa5cfb192851d364230d184a0472_JaffaCakes118.exe

  • Size

    1.8MB

  • MD5

    4cccaa5cfb192851d364230d184a0472

  • SHA1

    6453801f53aabd336417b5b2d3d9bad1a5df4527

  • SHA256

    8c561bd369af161f42dc9e98346ee039fced680e82666887f6dcd7ffaf84ab75

  • SHA512

    fc01eb8dbceecc31a7ea193ec44417e5648b4efc3d5583d851a6c7e3bb814acac6d82be922cb1e5775429cc07d4c20768a539312539c9bf5f50605ff71c8ad65

  • SSDEEP

    49152:l5+Zvuwcz/f+jGfX8r7xB58y8wBUDutZtpq4gC:Swwcz/mW8h8y8wBUStZtp

Score
10/10
luminositypersistencerat

Malware Config

Signatures

  • Luminosity 2 IoCs

    Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

    ratluminosity
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 23 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4cccaa5cfb192851d364230d184a0472_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4cccaa5cfb192851d364230d184a0472_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Users\Admin\AppData\Local\Temp\File.exe
      "C:\Users\Admin\AppData\Local\Temp\File.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2884
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Luminosity
        • Adds Run key to start application
        PID:2544
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /NP /sc onlogon /tn "Client Monitor" /rl highest /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f
        3⤵
        • Luminosity
        • Creates scheduled task(s)
        PID:2248
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:2168
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:2752
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:1624
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:1648
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:1300
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:1676
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:2608
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:1920
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:1164
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:2304
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:1864
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:404
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:2372
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:1524
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:2092
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:1592
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:2336
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:2440
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:2148
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:568
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:1696
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:2016
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2656
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\tskmgr.exe.lnk " /f
        3⤵
          PID:2796
      • C:\Users\Admin\AppData\Local\Temp\notepad.exe
        "C:\Users\Admin\AppData\Local\Temp\notepad.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID:2620

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\FolderN\tskmgr.exe
      Filesize

      1.8MB

      MD5

      4cccaa5cfb192851d364230d184a0472

      SHA1

      6453801f53aabd336417b5b2d3d9bad1a5df4527

      SHA256

      8c561bd369af161f42dc9e98346ee039fced680e82666887f6dcd7ffaf84ab75

      SHA512

      fc01eb8dbceecc31a7ea193ec44417e5648b4efc3d5583d851a6c7e3bb814acac6d82be922cb1e5775429cc07d4c20768a539312539c9bf5f50605ff71c8ad65

      Download Submit
    • \Users\Admin\AppData\Local\Temp\File.exe
      Filesize

      857KB

      MD5

      bc6529f2a93dd5eb328963e0b41a855a

      SHA1

      0d3fe448baa8a886fd33541f17e893a8a550640f

      SHA256

      b98c711a375f39574672d49fdb798e70dab73b56c5a605c2cfd55a82d8d1b528

      SHA512

      4b50bc0de71bdbdbe76622d498d70b940e11a5c34b6d58b43765eacb2447d3106da3ac80f3a20e7eed67598bf9875cda9646694724b8fae6d91a7ed97b0bad73

      Download Submit
    • \Users\Admin\AppData\Local\Temp\notepad.exe
      Filesize

      52KB

      MD5

      278edbd499374bf73621f8c1f969d894

      SHA1

      a81170af14747781c5f5f51bb1215893136f0bc0

      SHA256

      c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

      SHA512

      93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

      Download Submit
    • memory/2416-0-0x0000000074A72000-0x0000000074A74000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2620-32-0x0000000000400000-0x00000000004DC000-memory.dmp
      Filesize

      880KB

      Download
    • memory/2620-38-0x0000000000960000-0x0000000000977000-memory.dmp
      Filesize

      92KB

      Download
    • memory/2620-30-0x0000000000400000-0x00000000004DC000-memory.dmp
      Filesize

      880KB

      Download
    • memory/2620-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2620-25-0x0000000000400000-0x00000000004DC000-memory.dmp
      Filesize

      880KB

      Download
    • memory/2620-23-0x0000000000400000-0x00000000004DC000-memory.dmp
      Filesize

      880KB

      Download
    • memory/2620-48-0x0000000000960000-0x0000000000977000-memory.dmp
      Filesize

      92KB

      Download
    • memory/2620-33-0x0000000000400000-0x00000000004DC000-memory.dmp
      Filesize

      880KB

      Download
    • memory/2620-36-0x0000000000960000-0x0000000000977000-memory.dmp
      Filesize

      92KB

      Download
    • memory/2620-21-0x0000000000400000-0x00000000004DC000-memory.dmp
      Filesize

      880KB

      Download
    • memory/2620-43-0x00000000009C0000-0x00000000009C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2620-45-0x00000000009C0000-0x00000000009C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2620-42-0x0000000000960000-0x0000000000977000-memory.dmp
      Filesize

      92KB

      Download
    • memory/2620-40-0x0000000000960000-0x0000000000977000-memory.dmp
      Filesize

      92KB

      Download
    • memory/2620-37-0x0000000000960000-0x0000000000977000-memory.dmp
      Filesize

      92KB

      Download
    • memory/2620-46-0x0000000000960000-0x0000000000977000-memory.dmp
      Filesize

      92KB

      Download
    • memory/2884-12-0x0000000074A70000-0x000000007501B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2884-49-0x0000000074A70000-0x000000007501B000-memory.dmp
      Filesize

      5.7MB

      Download