Overview

overview

10

Static

static

3

522dfea93a...18.exe

windows7-x64

10

522dfea93a...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-05-2024 00:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe

  • Size

    856KB

  • MD5

    522dfea93a76a9903776deddf02ad475

  • SHA1

    66276a0d33f4bc1f63fe000da159a05383e60b3b

  • SHA256

    6fab25a8710f11d1aa6617eef386bdc8143585e80124f414a82db3406b2f5d92

  • SHA512

    389c8ebc9f4643826e7b8e3347e409eb478b52be8e04297f377b8df411a14e0a56be487b376fb0c01d8fb468d33cd9fa335898128f2e3066199af402e3bb57e2

  • SSDEEP

    24576:qdhGYxd4mmnMP2hb7dGywJP5IgbDh/Wh4XfjQg:ghR/nm22RfuBI5h4L

Score
10/10
luminositypersistencerat

Malware Config

Signatures

  • Luminosity 1 IoCs

    Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

    ratluminosity
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\522dfea93a76a9903776deddf02ad475_JaffaCakes118.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:884
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /sc MINUTE /f /rl highest
      2⤵
      • Luminosity
      • Creates scheduled task(s)
      PID:2072
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
      2⤵
      • Adds Run key to start application
      PID:2168
  • C:\Program Files (x86)\Client\client.exe
    "C:\Program Files (x86)\Client\client.exe" /startup
    1⤵
      PID:5024
    • C:\Program Files (x86)\Client\client.exe
      "C:\Program Files (x86)\Client\client.exe" /startup
      1⤵
        PID:4324

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Scheduled Task/Job

      1
      T1053

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Scheduled Task/Job

      1
      T1053

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\client.exe.log
        Filesize

        588B

        MD5

        bbc3cfe1a58732a0477f72ea3d36c7bf

        SHA1

        fb801263330aa243f63270138ab467a627dffc2e

        SHA256

        9269d4383b8effa928b7b4a7b38ffa07587b23851f9430fbfe8e7284f845e722

        SHA512

        5bfdc6520a7a0884e3ccdf26ab0fe536327c9f3330f7f78bed2ed4c89fc31b04ad0c4b4bd6f8f1bca08ef04e46b833b798726dca7f40ccc27c871847ec041be4

        Download Submit
      • memory/884-0-0x0000000075202000-0x0000000075203000-memory.dmp
        Filesize

        4KB

        Download
      • memory/884-1-0x0000000075200000-0x00000000757B1000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/884-2-0x0000000075200000-0x00000000757B1000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/884-3-0x0000000075202000-0x0000000075203000-memory.dmp
        Filesize

        4KB

        Download
      • memory/884-4-0x0000000075200000-0x00000000757B1000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/884-5-0x0000000075200000-0x00000000757B1000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/4324-10-0x0000000075200000-0x00000000757B1000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/4324-11-0x0000000075200000-0x00000000757B1000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/4324-12-0x0000000075200000-0x00000000757B1000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/5024-6-0x0000000075200000-0x00000000757B1000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/5024-8-0x0000000075200000-0x00000000757B1000-memory.dmp
        Filesize

        5.7MB

        Download