luminosity | 22761f5b95ad6b2932fd543292606a4390728e4837a9914c087ee0556b910786

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
18-05-2024 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
Size

418KB
MD5

53474c750c9187e0490082d8e1c11a6d
SHA1

a53490817cd28f7f9d3689c1dff73308e39ea8c0
SHA256

22761f5b95ad6b2932fd543292606a4390728e4837a9914c087ee0556b910786
SHA512

77ffaf942f932c2ec81a1ca2c0b9f321c28745fd8f0cd1f91f8e0b7bd69fc82099b81cd736514309e8f431b7a6cbecf19ee154844587e3fbd1c097ec969c4f92
SSDEEP

12288:qINL5QskZOSBJRVhQKUN3iduyA3fpIyTCP/tkhDzOkZ:n5mZOoJPCF3iduy669ViDykZ

Score

10^/10

luminosity persistence rat

Malware Config

Signatures

Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
rat luminosity

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

svchost.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\187797\\svchost.exe\""	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\KCAEOBcI.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\YQUGjTcs.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\jjLAQzDp.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\HaKEsoHb.exe"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe

Executes dropped EXE 7 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid process

2456 svchost.exe
5356 svchost.exe
4240 svchost.exe
3552 svchost.exe
6136 svchost.exe
4824 svchost.exe
3080 svchost.exe

pid	process
2456	svchost.exe
5356	svchost.exe
4240	svchost.exe
3552	svchost.exe
6136	svchost.exe
4824	svchost.exe
3080	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Adobe Startup Utility = "\"C:\\ProgramData\\187797\\svchost.exe\""	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\clientsvr.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\clientsvr.exe	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exesvchost.exesvchost.exe

description	pid	process	target process
PID 5780 set thread context of 4604	5780	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 4604 set thread context of 1896	4604	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 2456 set thread context of 4824	2456	svchost.exe	svchost.exe
PID 4824 set thread context of 3080	4824	svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exe53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe

pid	process
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
1896	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
1896	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe

pid process

1896 53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeDebugPrivilege 3080 svchost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

3080 svchost.exe

pid	process
1896	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	3080	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.execsc.exe53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.execmd.execsc.execmd.exe53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exesvchost.execsc.exe

description	pid	process	target process
PID 5780 wrote to memory of 2524	5780	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	csc.exe
PID 5780 wrote to memory of 2524	5780	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	csc.exe
PID 5780 wrote to memory of 2524	5780	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	csc.exe
PID 2524 wrote to memory of 5324	2524	csc.exe	cvtres.exe
PID 2524 wrote to memory of 5324	2524	csc.exe	cvtres.exe
PID 2524 wrote to memory of 5324	2524	csc.exe	cvtres.exe
PID 5780 wrote to memory of 1828	5780	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 5780 wrote to memory of 1828	5780	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 5780 wrote to memory of 1828	5780	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 5780 wrote to memory of 4604	5780	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 5780 wrote to memory of 4604	5780	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 5780 wrote to memory of 4604	5780	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 5780 wrote to memory of 4604	5780	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 5780 wrote to memory of 4604	5780	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 5780 wrote to memory of 4604	5780	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 5780 wrote to memory of 4604	5780	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 5780 wrote to memory of 4604	5780	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 5780 wrote to memory of 4192	5780	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	cmd.exe
PID 5780 wrote to memory of 4192	5780	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	cmd.exe
PID 5780 wrote to memory of 4192	5780	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	cmd.exe
PID 4604 wrote to memory of 4940	4604	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	csc.exe
PID 4604 wrote to memory of 4940	4604	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	csc.exe
PID 4604 wrote to memory of 4940	4604	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	csc.exe
PID 4192 wrote to memory of 712	4192	cmd.exe	reg.exe
PID 4192 wrote to memory of 712	4192	cmd.exe	reg.exe
PID 4192 wrote to memory of 712	4192	cmd.exe	reg.exe
PID 4940 wrote to memory of 3624	4940	csc.exe	cvtres.exe
PID 4940 wrote to memory of 3624	4940	csc.exe	cvtres.exe
PID 4940 wrote to memory of 3624	4940	csc.exe	cvtres.exe
PID 4604 wrote to memory of 1896	4604	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 4604 wrote to memory of 1896	4604	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 4604 wrote to memory of 1896	4604	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 4604 wrote to memory of 1896	4604	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 4604 wrote to memory of 1896	4604	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 4604 wrote to memory of 1896	4604	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 4604 wrote to memory of 1896	4604	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 4604 wrote to memory of 1896	4604	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 4604 wrote to memory of 2596	4604	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	cmd.exe
PID 4604 wrote to memory of 2596	4604	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	cmd.exe
PID 4604 wrote to memory of 2596	4604	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	cmd.exe
PID 2596 wrote to memory of 5328	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 5328	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 5328	2596	cmd.exe	reg.exe
PID 1896 wrote to memory of 2456	1896	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	svchost.exe
PID 1896 wrote to memory of 2456	1896	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	svchost.exe
PID 1896 wrote to memory of 2456	1896	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	svchost.exe
PID 2456 wrote to memory of 4280	2456	svchost.exe	csc.exe
PID 2456 wrote to memory of 4280	2456	svchost.exe	csc.exe
PID 2456 wrote to memory of 4280	2456	svchost.exe	csc.exe
PID 4280 wrote to memory of 2288	4280	csc.exe	cvtres.exe
PID 4280 wrote to memory of 2288	4280	csc.exe	cvtres.exe
PID 4280 wrote to memory of 2288	4280	csc.exe	cvtres.exe
PID 2456 wrote to memory of 3552	2456	svchost.exe	svchost.exe
PID 2456 wrote to memory of 3552	2456	svchost.exe	svchost.exe
PID 2456 wrote to memory of 3552	2456	svchost.exe	svchost.exe
PID 2456 wrote to memory of 6136	2456	svchost.exe	svchost.exe
PID 2456 wrote to memory of 6136	2456	svchost.exe	svchost.exe
PID 2456 wrote to memory of 6136	2456	svchost.exe	svchost.exe
PID 2456 wrote to memory of 5356	2456	svchost.exe	svchost.exe
PID 2456 wrote to memory of 5356	2456	svchost.exe	svchost.exe
PID 2456 wrote to memory of 5356	2456	svchost.exe	svchost.exe
PID 2456 wrote to memory of 4240	2456	svchost.exe	svchost.exe
PID 2456 wrote to memory of 4240	2456	svchost.exe	svchost.exe
PID 2456 wrote to memory of 4240	2456	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5780

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zf7x1xlp.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES45A5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC45A4.tmp"
3⤵
PID:5324

C:\Users\Admin\AppData\Local\Temp\53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe"
2⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ydhyucie.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4940

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES496E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC496D.tmp"
4⤵
PID:3624

C:\Users\Admin\AppData\Local\Temp\53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe"
3⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1896

C:\ProgramData\187797\svchost.exe
"C:\ProgramData\187797\svchost.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2456

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tagqtnzs.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:4280

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES571A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5719.tmp"
6⤵
PID:2288

C:\ProgramData\187797\svchost.exe
"C:\ProgramData\187797\svchost.exe"
5⤵
- Executes dropped EXE
PID:3552

C:\ProgramData\187797\svchost.exe
"C:\ProgramData\187797\svchost.exe"
5⤵
- Executes dropped EXE
PID:6136

C:\ProgramData\187797\svchost.exe
"C:\ProgramData\187797\svchost.exe"
5⤵
- Executes dropped EXE
PID:5356

C:\ProgramData\187797\svchost.exe
"C:\ProgramData\187797\svchost.exe"
5⤵
- Executes dropped EXE
PID:4240

C:\ProgramData\187797\svchost.exe
"C:\ProgramData\187797\svchost.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4824

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m71v4vor.cmdline"
6⤵
PID:5184

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES58FE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC58FD.tmp"
7⤵
PID:4324

C:\ProgramData\187797\svchost.exe
"C:\ProgramData\187797\svchost.exe"
6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3080

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\HaKEsoHb.exe"
6⤵
PID:2284

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\HaKEsoHb.exe"
7⤵
- Modifies WinLogon for persistence
PID:5608

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\jjLAQzDp.exe"
5⤵
PID:5888

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\jjLAQzDp.exe"
6⤵
- Modifies WinLogon for persistence
PID:5156

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\YQUGjTcs.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\YQUGjTcs.exe"
4⤵
- Modifies WinLogon for persistence
PID:5328

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\KCAEOBcI.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4192

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\KCAEOBcI.exe"
3⤵
- Modifies WinLogon for persistence
PID:712

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\187797\svchost.exe
Filesize
418KB

MD5
53474c750c9187e0490082d8e1c11a6d

SHA1
a53490817cd28f7f9d3689c1dff73308e39ea8c0

SHA256
22761f5b95ad6b2932fd543292606a4390728e4837a9914c087ee0556b910786

SHA512
77ffaf942f932c2ec81a1ca2c0b9f321c28745fd8f0cd1f91f8e0b7bd69fc82099b81cd736514309e8f431b7a6cbecf19ee154844587e3fbd1c097ec969c4f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe.log
Filesize
223B

MD5
1cc4c5b51e50ec74a6880b50ecbee28b

SHA1
1ba7bb0e86c3d23fb0dc8bf16798d37afb4c4aba

SHA256
0556734df26e82e363d47748a3ceedd5c23ea4b9ded6e68bd5c373c1c9f8777b

SHA512
5d5532602b381125b24a9bd78781ed722ce0c862214ef17e7d224d269e6e7045c919ab19896dd8d9ae8920726092efe0ffb776a77a9a9539c4a70188d5a4c706

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES45A5.tmp
Filesize
1KB

MD5
af3a7002039992a603e3247f0b88cfbb

SHA1
9921b837657e7ff8916d1278710524718ecce324

SHA256
d6bd4c654b8e4270d5b114bc62ef5970ea73b6836ae134610b97755b0ff45929

SHA512
658a36e14d1afba9c9f62fd504c2e4951251866047c38d24c5989fd713ce18903a34d565c4785c4f047d0c53e86503ab489ebde2f998c5bf426a94156eb9b7cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES496E.tmp
Filesize
1KB

MD5
46dbf3c930fe0ea6bcf8d6524b5f26ce

SHA1
5526e6acd14fc8e715aad1b5d6f11230a3805a88

SHA256
238f062419085aaeb5d3f4512cecaf4dc75c8267c87f1f7a3077611123d6118f

SHA512
3ed7c9372e05945be79a8e2edd7528719165f33b6a8cceda6c8ff57d0a825392da07228b2b63d02d73993c206cd99be55f8837c0a42ef2321b56900a646a33f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES571A.tmp
Filesize
1KB

MD5
557c3294678fa0895f0b3f9ab1935d70

SHA1
afe73ba352d55e69af0fd96fc780995c531da036

SHA256
456330d7b5d6801e4ff47d847c1081626710ae92653959818c50899c463d1e62

SHA512
7d4697f777c38ecea8b08e610468efb0a51dc1f7c90726c6e72b8d27fd68dbe03319f18dd3a8efe07044f4b5c5b939ad16e40b89435ad30bc2ea007b01bef427

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES58FE.tmp
Filesize
1KB

MD5
e13e83abd95afe24003a3338ee47fc00

SHA1
54e85183ed93906d0f854345239dc532e3f8f384

SHA256
be21129f429d9b6f268c50f410c649639021d0c3716e834d2a3d5e9abbb657bb

SHA512
e454630c58d587a02bc24aa5567e92651284c2bb9b0ac050e87c2dcae869125e5d7ac31554da122a66d0bfd575431b3a686317950585017bf0d489bd6882f665

Download Submit
C:\Users\Admin\AppData\Local\Temp\m71v4vor.dll
Filesize
556KB

MD5
3e72bf3a38c841fcc62daea0b940db14

SHA1
bab08c7152dae7c49dbf3edc159505d7ca987a82

SHA256
474ed92f52771683da034359baf9de6447486062158aebeac75e78797204b272

SHA512
dc9415192ced1ec80c8f7f5c696f821b5f15fac0db79da0278c4f3a613fee4007b8d879ac6524a2aa0532b4d538d60d4a10168178ce8a754801d28d209174ecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tagqtnzs.dll
Filesize
828KB

MD5
07a301e1cb0b88b3fc18a33dfe35c9a8

SHA1
271b4f8f7973da90f4613f0a88fbf83dcc52046e

SHA256
1d492a2fc65d0cfaf65c4aa92759b33abeb6e92703c8be59913daa88f6ecc465

SHA512
b4e804d6dbc8924fd055ab64edc292db35ece97d3cb20a066d5e89d09b7d426edba6320488a7a4132fdd0c30e411a80e36d8586c328fb0d7a93bd254cdc52cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ydhyucie.dll
Filesize
556KB

MD5
169aeedbe59402d4056a017c477bc8aa

SHA1
b36189583061cbe9245f2c0404711549a392b7dd

SHA256
0f52e0e26e1e7b96b0e3af8189c49f97e70f46ab8935445623eb925a42d3819c

SHA512
4fe048b1c52f07f4f4d69ba2a72f9d0cad1a4d756309d494440bbd825bda54b15d9d8b92c6f6169fc314716ae5cfded4c25594c335184bd4aa36d10bfbeff007

Download Submit
C:\Users\Admin\AppData\Local\Temp\zf7x1xlp.dll
Filesize
828KB

MD5
5c01937d3815dd04536ca35ccf0579d1

SHA1
09d96d2a8d4c1fb3ddcd7a31a6ec11a0ca7fdc91

SHA256
b16343a1d9b1f26f49fa1865743191ed33dfe310523d8d813b295fa8da94dff2

SHA512
f4416fdafff20526a616c653104ad59e2208f0c2c82c1db760c70ddef4a38f62ccacca8ecb9cf71bf6f93bb82301377804305b13ae58f20d42244d2f8e9a7916

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC45A4.tmp
Filesize
652B

MD5
b2ba7a91f10a3a22757da34b4d027f01

SHA1
392d6b95f91e7b8aa94b9dc951139c0a46c6eaae

SHA256
27cc48c2b1bc72d1dd79830c457562557535086096d38adf6eaafa285f783a32

SHA512
581ba505706444cb95a9a2788fe6504741c782dea21216fb609778146005338e85c7853acb7ca9959780d88e84b6cdfb3fd196df0361b197adeabab4e9406dc2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC496D.tmp
Filesize
652B

MD5
2d074f2975a70e97d50414050fa023a7

SHA1
d3062dd6e2c6fd2709d13bd5fbe5ed42e12f64ef

SHA256
2b643e9463832a9ece29a48bed5ac0c1866c051611d1d3c9311e8e8f505e7db8

SHA512
bc7b4c2a05c0967bed15ab21a460692d8eb406f352b04e33ffc6b22c30481d49b687614e918805d05779c3100352a2b32e4bc5e463973f577bc08f884777341b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC5719.tmp
Filesize
652B

MD5
521df6385ab4fa3bf3be70867f505a58

SHA1
cb2b1c689bc2b065da00c108239acfca098a5165

SHA256
65619f41bc7325269f315a3a171487ade5321a60429afd2c777e4d3b59bb8acb

SHA512
7c3c40992c2d620c988ef4c348972d85dfd6d95ceed6128cda52440e2c297e8fc284b31a013ee6890463403dbce1d6ad5fc963aafd17419fb782ffb9f81aac95

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC58FD.tmp
Filesize
652B

MD5
a5f849cae71d1eb3d440ca182ba4682a

SHA1
3637bde5e0259f46d19386b47acfa868efb9285c

SHA256
7048566a79348f3517e21c4b4a23037020425698420e269c19bb7965b47cd5dd

SHA512
eac7ce2bbb1f10ded22b6c6cbfb02c10b764b4494460c207e81bb311505db1805a034cacf46608eb4b4ddc8742dc0d19121c68107188ed8802c57c5b52268d01

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\m71v4vor.cmdline
Filesize
196B

MD5
9e2c11eeabf3abf3fd429055b999d337

SHA1
c3d3e0ba80a73108e55dc498a0f76635c8e39005

SHA256
dcd7b28aef4595ebca934c2a2b37370873a3632a8585642a14e340c427d0e0d7

SHA512
10a3dab93d5d810a653f3869dc8989c003d465df8a62a9190cf8a7eea87f69180a830379e37d2347e92f067235f0587867563e99d82bf662f462e936b6b92c31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tagqtnzs.cmdline
Filesize
196B

MD5
2e44d2bbebc5aaf65c5b4557b2e545e0

SHA1
949ecfabea66c09ff07c1bf38fa3d10e4241607d

SHA256
4f9445590ed628fe70105ed11689c621f70d4b3de3c1844b7e629a93ddd5a269

SHA512
1a6beac860c63db5cc828d1494ae022ba14f36025e9b5b33328a920429b8e3609b013c239e9dbe6391d53e302a6b87d21acaf6c08b5cb5a7e283bde9399d8de2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tmp44AA.tmp.txt
Filesize
407KB

MD5
3fc0338c5b131613c2d4a8555d9d7775

SHA1
c67542ffa9a87ffd8df40025ccc62c2a15dde83a

SHA256
74af134a8b7df9e7bb5198a3e3a3e957eb49bf2b565e402929c913573cf8300e

SHA512
ef2e8cc5710fb45eefc9a5241d506dac8ceee25ec886efbb262958d64ceaf86e219a6185f20dd13a68fa8c9f3c6c0860fabcea4eb2cfd310a6cac9a051367a56

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tmp47F6.tmp.txt
Filesize
271KB

MD5
e7311b28ef77fe20a83d1ea042945293

SHA1
3b8edf149437d35e4ba4241ddd85a7140827fcee

SHA256
bfd1b696ef37f194027c9cf109e251fc5ff73de3a09d09ff77aabb4ae77ae534

SHA512
d2711d9dd9b4a61c0db6b238477833ad5a8f56698436fb281fdc8af28d7d66d25de96379ed7a633c32854315891ea0c7a870e635b915c26b2c936cb56c442cc1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ydhyucie.cmdline
Filesize
196B

MD5
c9ad2cd57c4a2143f3026096c585dcdd

SHA1
794df6e179f97c264487d3bf2a67b20e743a7a78

SHA256
0b8b4cb70472a71fddf27617008b0d396f247467ab62b703663fece0813659c4

SHA512
7556e94b89eba3941ffcb2e0006aa9a55147761a5895570e6682d3d350bfc4d013f510545faddde45f47a549c437d5c1fec4ade52dcf68e95507beabcee9b4be

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zf7x1xlp.cmdline
Filesize
196B

MD5
f95ce9efe926caa6f8e953b38e1efb4b

SHA1
7b481fb2c9210867d1642bf552eced0aeca7c3e4

SHA256
55cc71b142d373f9b65ca7cc8ce9186642b460a54dfc4455f00758bdf095a481

SHA512
9fc564136a2d18e8a7e9a987dff9c9fbaa892bb158d7ee755e2515e4d1d58425e47c3ca7e3b42a75c9cba393adb62cf6f2f65cca72ac24d7afa2a22428264ef1

Download Submit
memory/1896-117-0x0000000006E20000-0x0000000006E37000-memory.dmp

Filesize
92KB

Download
memory/1896-120-0x0000000006E40000-0x0000000006E41000-memory.dmp

Filesize
4KB

Download
memory/1896-119-0x0000000006E20000-0x0000000006E37000-memory.dmp

Filesize
92KB

Download
memory/1896-51-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1896-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1896-118-0x0000000006E20000-0x0000000006E37000-memory.dmp

Filesize
92KB

Download
memory/1896-121-0x0000000006E20000-0x0000000006E37000-memory.dmp

Filesize
92KB

Download
memory/1896-123-0x0000000006E20000-0x0000000006E37000-memory.dmp

Filesize
92KB

Download
memory/2524-13-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/2524-20-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/4604-25-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4604-57-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/4604-28-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/4604-29-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/4604-35-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/4604-23-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4604-24-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4940-46-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/4940-41-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/5780-36-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/5780-0-0x0000000074A52000-0x0000000074A53000-memory.dmp

Filesize
4KB

Download
memory/5780-2-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/5780-1-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download