Analysis
Max time kernel: 150s
Max time network: 148s
Platform: windows7_x64
Resource: win7-20240419-en
Resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
Submitted: 18-05-2024 00:07
Static task: static1
Behavioral task: behavioral1
  Sample: 522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
Size: 856KB
MD5: 522dfea93a76a9903776deddf02ad475
SHA1: 66276a0d33f4bc1f63fe000da159a05383e60b3b
SHA256: 6fab25a8710f11d1aa6617eef386bdc8143585e80124f414a82db3406b2f5d92
SHA512: 389c8ebc9f4643826e7b8e3347e409eb478b52be8e04297f377b8df411a14e0a56be487b376fb0c01d8fb468d33cd9fa335898128f2e3066199af402e3bb57e2
SSDEEP: 24576:qdhGYxd4mmnMP2hb7dGywJP5IgbDh/Wh4XfjQg:ghR/nm22RfuBI5h4L
Malware Config
Signatures
Luminosity (1 IoC)
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
Processes:
  pid 2832  schtasks.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  process: REG.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Client Monitor = "cmd /c \"start \"Client Monitor\" \"C:\\Program Files (x86)\\Client\\client.exe\""
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid 2176  522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe  (64 events, all from this one process)
Suspicious behavior: RenamesItself (1 IoC)
Processes:
  pid 2176  522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  pid 2176  522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
  description: Token: SeDebugPrivilege

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid 2176  522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (16 IoCs)
Processes (source process -> target process; each pair recorded 4 times):
  PID 2176 (522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe) wrote to memory of PID 2832 (schtasks.exe)  x4
  PID 2328 (taskeng.exe) wrote to memory of PID 2544 (client.exe)  x4
  PID 2176 (522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe) wrote to memory of PID 2508 (REG.exe)  x4
  PID 2328 (taskeng.exe) wrote to memory of PID 1584 (client.exe)  x4
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /sc MINUTE /f /rl highest
    - Luminosity
    - Creates scheduled task(s)
  - [depth 2] C:\Windows\SysWOW64\REG.exe
    Command line: REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
    - Adds Run key to start application
- [depth 1] C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {307AF57E-F6E3-4DAF-8754-2EC659127A1A} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Program Files (x86)\Client\client.exe
    Command line: "C:\Program Files (x86)\Client\client.exe" /startup
  - [depth 2] C:\Program Files (x86)\Client\client.exe
    Command line: "C:\Program Files (x86)\Client\client.exe" /startup
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
File                                                                   Filesize
memory/2176-0-0x0000000074641000-0x0000000074642000-memory.dmp         4KB
memory/2176-1-0x0000000074640000-0x0000000074BEB000-memory.dmp         5.7MB
memory/2176-2-0x0000000074640000-0x0000000074BEB000-memory.dmp         5.7MB
memory/2176-3-0x0000000074640000-0x0000000074BEB000-memory.dmp         5.7MB
memory/2544-4-0x0000000074640000-0x0000000074BEB000-memory.dmp         5.7MB
memory/2544-5-0x0000000074640000-0x0000000074BEB000-memory.dmp         5.7MB
memory/2544-6-0x0000000074640000-0x0000000074BEB000-memory.dmp         5.7MB