Analysis
-
max time kernel
149s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
16-05-2024 19:59
General
-
Target
4cccaa5cfb192851d364230d184a0472_JaffaCakes118.exe
-
Size
1.8MB
-
MD5
4cccaa5cfb192851d364230d184a0472
-
SHA1
6453801f53aabd336417b5b2d3d9bad1a5df4527
-
SHA256
8c561bd369af161f42dc9e98346ee039fced680e82666887f6dcd7ffaf84ab75
-
SHA512
fc01eb8dbceecc31a7ea193ec44417e5648b4efc3d5583d851a6c7e3bb814acac6d82be922cb1e5775429cc07d4c20768a539312539c9bf5f50605ff71c8ad65
-
SSDEEP
49152:l5+Zvuwcz/f+jGfX8r7xB58y8wBUDutZtpq4gC:Swwcz/mW8h8y8wBUStZtp
Score
10/10
Malware Config
Signatures
-
Luminosity 2 IoCs
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 22 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4cccaa5cfb192851d364230d184a0472_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\4cccaa5cfb192851d364230d184a0472_JaffaCakes118.exe"1⤵
- Luminosity
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\File.exe"C:\Users\Admin\AppData\Local\Temp\File.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /NP /sc onlogon /tn "Client Monitor" /rl highest /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f3⤵
- Luminosity
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:643⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\tskmgr.exe.lnk " /f3⤵
-
C:\Users\Admin\AppData\Local\Temp\notepad.exe"C:\Users\Admin\AppData\Local\Temp\notepad.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\File.exeFilesize
857KB
MD5bc6529f2a93dd5eb328963e0b41a855a
SHA10d3fe448baa8a886fd33541f17e893a8a550640f
SHA256b98c711a375f39574672d49fdb798e70dab73b56c5a605c2cfd55a82d8d1b528
SHA5124b50bc0de71bdbdbe76622d498d70b940e11a5c34b6d58b43765eacb2447d3106da3ac80f3a20e7eed67598bf9875cda9646694724b8fae6d91a7ed97b0bad73
-
C:\Users\Admin\AppData\Local\Temp\FolderN\tskmgr.exeFilesize
1.8MB
MD54cccaa5cfb192851d364230d184a0472
SHA16453801f53aabd336417b5b2d3d9bad1a5df4527
SHA2568c561bd369af161f42dc9e98346ee039fced680e82666887f6dcd7ffaf84ab75
SHA512fc01eb8dbceecc31a7ea193ec44417e5648b4efc3d5583d851a6c7e3bb814acac6d82be922cb1e5775429cc07d4c20768a539312539c9bf5f50605ff71c8ad65
-
C:\Users\Admin\AppData\Local\Temp\notepad.exeFilesize
52KB
MD5a64daca3cfbcd039df3ec29d3eddd001
SHA1eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3
SHA256403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36
SHA512b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479
-
memory/212-26-0x0000000074CF0000-0x00000000752A1000-memory.dmpFilesize
5.7MB
-
memory/212-2-0x0000000074CF0000-0x00000000752A1000-memory.dmpFilesize
5.7MB
-
memory/212-1-0x0000000074CF0000-0x00000000752A1000-memory.dmpFilesize
5.7MB
-
memory/212-0-0x0000000074CF2000-0x0000000074CF3000-memory.dmpFilesize
4KB
-
memory/1180-42-0x00000000005D0000-0x00000000005E7000-memory.dmpFilesize
92KB
-
memory/1180-40-0x00000000005D0000-0x00000000005E7000-memory.dmpFilesize
92KB
-
memory/1180-36-0x00000000005D0000-0x00000000005E7000-memory.dmpFilesize
92KB
-
memory/1180-38-0x00000000005D0000-0x00000000005E7000-memory.dmpFilesize
92KB
-
memory/1180-37-0x00000000005D0000-0x00000000005E7000-memory.dmpFilesize
92KB
-
memory/1180-39-0x00000000008C0000-0x00000000008C1000-memory.dmpFilesize
4KB
-
memory/1856-34-0x0000000004EB0000-0x0000000004EC7000-memory.dmpFilesize
92KB
-
memory/1856-31-0x0000000004EB0000-0x0000000004EC7000-memory.dmpFilesize
92KB
-
memory/1856-29-0x0000000004EB0000-0x0000000004EC7000-memory.dmpFilesize
92KB
-
memory/1856-30-0x0000000004ED0000-0x0000000004ED1000-memory.dmpFilesize
4KB
-
memory/1856-28-0x0000000004EB0000-0x0000000004EC7000-memory.dmpFilesize
92KB
-
memory/1856-27-0x0000000004EB0000-0x0000000004EC7000-memory.dmpFilesize
92KB
-
memory/2124-35-0x0000000074CF0000-0x00000000752A1000-memory.dmpFilesize
5.7MB
-
memory/2124-15-0x0000000074CF0000-0x00000000752A1000-memory.dmpFilesize
5.7MB
-
memory/2124-14-0x0000000074CF0000-0x00000000752A1000-memory.dmpFilesize
5.7MB
-
memory/2124-13-0x0000000074CF0000-0x00000000752A1000-memory.dmpFilesize
5.7MB