Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
18-05-2024 00:07
General
-
Target
522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
-
Size
856KB
-
MD5
522dfea93a76a9903776deddf02ad475
-
SHA1
66276a0d33f4bc1f63fe000da159a05383e60b3b
-
SHA256
6fab25a8710f11d1aa6617eef386bdc8143585e80124f414a82db3406b2f5d92
-
SHA512
389c8ebc9f4643826e7b8e3347e409eb478b52be8e04297f377b8df411a14e0a56be487b376fb0c01d8fb468d33cd9fa335898128f2e3066199af402e3bb57e2
-
SSDEEP
24576:qdhGYxd4mmnMP2hb7dGywJP5IgbDh/Wh4XfjQg:ghR/nm22RfuBI5h4L
Score
10/10
Malware Config
Signatures
-
Luminosity 1 IoCs
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /sc MINUTE /f /rl highest2⤵
- Luminosity
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:642⤵
- Adds Run key to start application
-
C:\Windows\system32\taskeng.exetaskeng.exe {307AF57E-F6E3-4DAF-8754-2EC659127A1A} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Client\client.exe"C:\Program Files (x86)\Client\client.exe" /startup2⤵
-
C:\Program Files (x86)\Client\client.exe"C:\Program Files (x86)\Client\client.exe" /startup2⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2176-0-0x0000000074641000-0x0000000074642000-memory.dmpFilesize
4KB
-
memory/2176-1-0x0000000074640000-0x0000000074BEB000-memory.dmpFilesize
5.7MB
-
memory/2176-2-0x0000000074640000-0x0000000074BEB000-memory.dmpFilesize
5.7MB
-
memory/2176-3-0x0000000074640000-0x0000000074BEB000-memory.dmpFilesize
5.7MB
-
memory/2544-4-0x0000000074640000-0x0000000074BEB000-memory.dmpFilesize
5.7MB
-
memory/2544-5-0x0000000074640000-0x0000000074BEB000-memory.dmpFilesize
5.7MB
-
memory/2544-6-0x0000000074640000-0x0000000074BEB000-memory.dmpFilesize
5.7MB