luminosity | 6fab25a8710f11d1aa6617eef386bdc8143585e80124f414a82db3406b2f5d92

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
18-05-2024 00:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
Size

856KB
MD5

522dfea93a76a9903776deddf02ad475
SHA1

66276a0d33f4bc1f63fe000da159a05383e60b3b
SHA256

6fab25a8710f11d1aa6617eef386bdc8143585e80124f414a82db3406b2f5d92
SHA512

389c8ebc9f4643826e7b8e3347e409eb478b52be8e04297f377b8df411a14e0a56be487b376fb0c01d8fb468d33cd9fa335898128f2e3066199af402e3bb57e2
SSDEEP

24576:qdhGYxd4mmnMP2hb7dGywJP5IgbDh/Wh4XfjQg:ghR/nm22RfuBI5h4L

Score

10^/10

luminosity persistence rat

Malware Config

Signatures

Luminosity 1 IoCs

Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

rat luminosity

pid	Process
2072	schtasks.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Client Monitor = "cmd /c \"start \"Client Monitor\" \"C:\\Program Files (x86)\\Client\\client.exe\""	REG.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2072	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 884 wrote to memory of 2072	884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe	95
PID 884 wrote to memory of 2072	884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe	95
PID 884 wrote to memory of 2072	884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe	95
PID 884 wrote to memory of 2168	884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe	102
PID 884 wrote to memory of 2168	884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe	102
PID 884 wrote to memory of 2168	884	522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe	102

C:\Users\Admin\AppData\Local\Temp\522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:884
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /sc MINUTE /f /rl highest
  2⤵
  - Luminosity
  - Creates scheduled task(s)
  PID:2072
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
  2⤵
  - Adds Run key to start application
  PID:2168

C:\Program Files (x86)\Client\client.exe
"C:\Program Files (x86)\Client\client.exe" /startup
1⤵
PID:5024

C:\Program Files (x86)\Client\client.exe
"C:\Program Files (x86)\Client\client.exe" /startup
1⤵
PID:4324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\client.exe.log

Filesize
588B

MD5
bbc3cfe1a58732a0477f72ea3d36c7bf

SHA1
fb801263330aa243f63270138ab467a627dffc2e

SHA256
9269d4383b8effa928b7b4a7b38ffa07587b23851f9430fbfe8e7284f845e722

SHA512
5bfdc6520a7a0884e3ccdf26ab0fe536327c9f3330f7f78bed2ed4c89fc31b04ad0c4b4bd6f8f1bca08ef04e46b833b798726dca7f40ccc27c871847ec041be4

Download Submit
memory/884-0-0x0000000075202000-0x0000000075203000-memory.dmp

Filesize
4KB

Download
memory/884-1-0x0000000075200000-0x00000000757B1000-memory.dmp

Filesize
5.7MB

Download
memory/884-2-0x0000000075200000-0x00000000757B1000-memory.dmp

Filesize
5.7MB

Download
memory/884-3-0x0000000075202000-0x0000000075203000-memory.dmp

Filesize
4KB

Download
memory/884-4-0x0000000075200000-0x00000000757B1000-memory.dmp

Filesize
5.7MB

Download
memory/884-5-0x0000000075200000-0x00000000757B1000-memory.dmp

Filesize
5.7MB

Download
memory/4324-10-0x0000000075200000-0x00000000757B1000-memory.dmp

Filesize
5.7MB

Download
memory/4324-11-0x0000000075200000-0x00000000757B1000-memory.dmp

Filesize
5.7MB

Download
memory/4324-12-0x0000000075200000-0x00000000757B1000-memory.dmp

Filesize
5.7MB

Download
memory/5024-6-0x0000000075200000-0x00000000757B1000-memory.dmp

Filesize
5.7MB

Download
memory/5024-8-0x0000000075200000-0x00000000757B1000-memory.dmp

Filesize
5.7MB

Download