luminosity | 102f3f47b7babe90ea9d6af0913c4036931ec86e2a7c6edd6bce415ed8286cfb

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe
Size

586KB
MD5

7d39468c9c7a5e722cdf752071865924
SHA1

9b5ba1e2fa3ddad0966fd404c0a01b6be7f2359d
SHA256

102f3f47b7babe90ea9d6af0913c4036931ec86e2a7c6edd6bce415ed8286cfb
SHA512

1e03e8703b72d6ee729895973296d1e5d333089c19efb35bc5850fe43df70bd4c82a77475d0cc0ab427ee1ef5e471148e62296392eead508f14b49df93c2a7ce
SSDEEP

12288:yjWshi3UvdHNc5JQA2ur1e1ckv4y4TWKH2cgqUe:yjdzI5JXWX8C3HqN

Score

10^/10

luminosity persistence rat

Malware Config

Signatures

Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
rat luminosity

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

repair.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""	repair.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\128946\\repair.exe\""	repair.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

repair.exerepair.exe

pid process

1144 repair.exe
668 repair.exe

pid	process
1144	repair.exe
668	repair.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

repair.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Mechanic = "\"C:\\ProgramData\\128946\\repair.exe\""	repair.exe

Drops file in System32 directory 2 IoCs

Processes:

repair.exe

description ioc process

File created C:\Windows\SysWOW64\clientsvr.exe repair.exe
File opened for modification C:\Windows\SysWOW64\clientsvr.exe repair.exe

description	ioc	process
File created	C:\Windows\SysWOW64\clientsvr.exe	repair.exe
File opened for modification	C:\Windows\SysWOW64\clientsvr.exe	repair.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exerepair.exe

description	pid	process	target process
PID 220 set thread context of 4024	220	7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe	7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe
PID 1144 set thread context of 668	1144	repair.exe	repair.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2	7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = 5c0000000100000004000000000400007e0000000100000008000000000010c51e92d201620000000100000020000000e7685634efacf69ace939a6b255b7b4fabef42935b50a265acb5cb6027e44e7009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030119000000010000001000000091161b894b117ecdc257628db460cc04030000000100000014000000742c3192e607e424eb4549542be1bbc53e6174e21d000000010000001000000027b3517667331ce2c1e74002b5ff2298140000000100000014000000e27f7bd877d5df9e0a3f9eb4cb0e2ea9efdb69770b000000010000004600000056006500720069005300690067006e00200043006c006100730073002000330020005000750062006c006900630020005000720069006d00610072007900200043004100000004000000010000001000000010fc635df6263e0df325be5f79cd67670f0000000100000010000000d7c63be0837dbabf881d4fbf5f986ad853000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c07a000000010000000e000000300c060a2b0601040182375e010268000000010000000800000000003db65bd9d5012000000001000000400200003082023c308201a5021070bae41d10d92934b638ca7b03ccbabf300d06092a864886f70d0101020500305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479301e170d3936303132393030303030305a170d3238303830313233353935395a305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c95c599ef21b8a0114b410df0440dbe357af6a45408f840c0bd133d9d911cfee02581f25f72aa84405aaec031f787f9e93b99a00aa237dd6ac85a26345c77227ccf44cc67571d239ef4f42f075df0a90c68e206f980ff8ac235f702936a4c986e7b19a20cb53a585e73dbe7d9afe244533dc7615ed0fa271644c652e816845a70203010001300d06092a864886f70d010102050003818100bb4c122bcf2c26004f1413dda6fbfc0a11848cf3281c67922f7cb6c5fadff0e895bc1d8f6c2ca851cc73d8a4c053f04ed626c076015781925e21f1d1b1ffe7d02158cd6917e3441c9c194439895cdc9c000f568d0299eda290454ce4bb10a43df032030ef1cef8e8c9518ce6629fe69fc07db7729cc9363a6b9f4ea8ff640d64	7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

repair.exe7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe

pid	process
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
4024	7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe
4024	7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe
668	repair.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe

pid process

4024 7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

repair.exe

description pid process

Token: SeDebugPrivilege 668 repair.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

repair.exe

pid process

668 repair.exe

pid	process
4024	7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	668	repair.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exerepair.exerepair.exe

description	pid	process	target process
PID 220 wrote to memory of 4024	220	7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe	7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe
PID 220 wrote to memory of 4024	220	7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe	7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe
PID 220 wrote to memory of 4024	220	7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe	7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe
PID 220 wrote to memory of 4024	220	7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe	7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe
PID 220 wrote to memory of 4024	220	7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe	7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe
PID 220 wrote to memory of 4024	220	7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe	7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe
PID 220 wrote to memory of 4024	220	7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe	7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe
PID 220 wrote to memory of 4024	220	7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe	7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe
PID 4024 wrote to memory of 1144	4024	7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe	repair.exe
PID 4024 wrote to memory of 1144	4024	7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe	repair.exe
PID 4024 wrote to memory of 1144	4024	7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe	repair.exe
PID 1144 wrote to memory of 668	1144	repair.exe	repair.exe
PID 1144 wrote to memory of 668	1144	repair.exe	repair.exe
PID 1144 wrote to memory of 668	1144	repair.exe	repair.exe
PID 1144 wrote to memory of 668	1144	repair.exe	repair.exe
PID 1144 wrote to memory of 668	1144	repair.exe	repair.exe
PID 1144 wrote to memory of 668	1144	repair.exe	repair.exe
PID 1144 wrote to memory of 668	1144	repair.exe	repair.exe
PID 1144 wrote to memory of 668	1144	repair.exe	repair.exe
PID 668 wrote to memory of 4024	668	repair.exe	7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe
PID 668 wrote to memory of 4024	668	repair.exe	7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe
PID 668 wrote to memory of 4024	668	repair.exe	7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe
PID 668 wrote to memory of 4024	668	repair.exe	7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe
PID 668 wrote to memory of 4024	668	repair.exe	7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:220
- C:\Users\Admin\AppData\Local\Temp\7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\ProgramData\128946\repair.exe
    "C:\ProgramData\128946\repair.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1144
  - - C:\ProgramData\128946\repair.exe
      "C:\ProgramData\128946\repair.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\128946\repair.exe

Filesize
586KB

MD5
7d39468c9c7a5e722cdf752071865924

SHA1
9b5ba1e2fa3ddad0966fd404c0a01b6be7f2359d

SHA256
102f3f47b7babe90ea9d6af0913c4036931ec86e2a7c6edd6bce415ed8286cfb

SHA512
1e03e8703b72d6ee729895973296d1e5d333089c19efb35bc5850fe43df70bd4c82a77475d0cc0ab427ee1ef5e471148e62296392eead508f14b49df93c2a7ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5

Filesize
1KB

MD5
1ba25895dc793e6826cbe8d61ddd8293

SHA1
6387cc55cbe9f71ae41b2425192b900a1eb3a54f

SHA256
cc4c5c999ca59e5a62bc3ffe172a61f8cf13cc18c89fe48f628ff2a75bdc508a

SHA512
1ff9b34fdbeae98fa8b534ba12501eb6df983cc67ce4f8ffc4c1ff12631aa8ed36ff349c39a2186e0ac8d9809437106578a746eec3854b54fef38a3cc0adb957

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9A19ADAD9D098E039450ABBEDD5616EB_244F8153991C95DE7516D65AE7D1F0F6

Filesize
1KB

MD5
698fed73c6635f04ec0093fa2c8e1f06

SHA1
808c6d713938660cdecba1852e640cd3ad4f75dc

SHA256
d4f2375bcfebfa21432f00ba82de5230410004c3290665f8cf33ed96141a59a8

SHA512
4623c3bc06a63e215e80a2b29032f03ac26b13ebd08ccaf37f1767412d8e1a690a954e0064d4a8f738640039f6203df62632b33a78bacab54c20aacbadff355b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9A19ADAD9D098E039450ABBEDD5616EB_3ED18E5A6C9AC2A20DED4172F963FCFB

Filesize
1KB

MD5
8db5dd7009c601191c2484ddac871337

SHA1
05eb44e0c1e0f9ccb7911ec79c5bfc0c4d180771

SHA256
eb9d685d0317444d5255c66c4afc0612bbbd31e9ebebed9be136762adc1734ec

SHA512
4a1e44db6a28deda2ff71dd9562ed9a16b588934048a862c4a9ce79d0b2a95a973cc3dd2feeb6bc22dea38c4fe30d3d37ca5805a716544a762ffc1e723c303bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5

Filesize
182B

MD5
67e76777f2f819de819b48038e4774bb

SHA1
2c870736da7b4ed8c9ed614a42b6485ce8a95f66

SHA256
3f7c09867894e4ca8dc7e8e0c8469bdbde767505aef5b5a7377a66fac3eef8ce

SHA512
991bd99a731f1abedf8b0b17947295a77c959ba4c72d2807404521c8e302ad0ae2515b6d0c0490df2a6110283f28e6e5ff10e63546a0c3531ff3dda4379e727a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9A19ADAD9D098E039450ABBEDD5616EB_244F8153991C95DE7516D65AE7D1F0F6

Filesize
398B

MD5
a45cd5a7c10ed9a86550c4bed2772d73

SHA1
0f155ecf23dc7f5bd6b403f03763d7c02f4ec144

SHA256
1477bb08717afa3b8388303dedeabec95db3c3df44fc74f77ffb78da1a3e69fc

SHA512
09f1ece9d0fd9e8438c1dbbf15e814d731d3f7c9997afd933f616d55a8fb64c60bd86961bbf11c41ca20898d0be1f840a442a256b22b70f7f7928e246c39319e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9A19ADAD9D098E039450ABBEDD5616EB_3ED18E5A6C9AC2A20DED4172F963FCFB

Filesize
394B

MD5
78f5d59b03317c1125cc41d47fcffd1a

SHA1
4ec0ee1eb415bf85e0e3e6db7d77ff467fed66bc

SHA256
e717e64a2045c53a063f411e3ce99baac7b907773b129105c185f55f68a35e67

SHA512
7aef52b87a9904f2e2cd28f22e51479149c1282646c32d8a43152145bfcb6d65e7f2bb10e8941f05fea42ea08250c8e72107ad17404c9775a309f16991fb85d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE

Filesize
408B

MD5
d2fc1d9f4672639549c246402921cf59

SHA1
6a204f2b773a0cfb53d5c812aa15feb04fbc19a0

SHA256
b221adc9adf59b931f3eb90f7bdbfd36b39f6c8c95cfb06234ca45baefe885c8

SHA512
47080755159734b09aff8122fa0efeb1877f9229e30efd33524b9bebbfc3a905bd17f9f1651c92834fc8b9b45729806b7c87289411ca5ba7a0f43c7b65e8e897

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\7d39468c9c7a5e722cdf752071865924_JaffaCakes118.exe.log

Filesize
408B

MD5
cd29580176e5cd2cfe25c32540a031b1

SHA1
844900a54849d4622a80fe6e1f60fa570d016d43

SHA256
2ad488ddea8fa2bcdbafade2495ea5573ab36eb0d84dcf171c600514e3078a52

SHA512
28d1b9056572d99e99b31acbcb5b76ba9d546d8527cd666837df40018afb8a3292055428ea7516ba8b98c43d887c82c2456f4dd664d39a73b7c13b0f6d3c528e

Download Submit
memory/220-0-0x0000000074A82000-0x0000000074A83000-memory.dmp

Filesize
4KB

Download
memory/220-25-0x0000000074A80000-0x0000000075031000-memory.dmp

Filesize
5.7MB

Download
memory/220-22-0x0000000074A80000-0x0000000075031000-memory.dmp

Filesize
5.7MB

Download
memory/220-2-0x0000000074A80000-0x0000000075031000-memory.dmp

Filesize
5.7MB

Download
memory/220-1-0x0000000074A80000-0x0000000075031000-memory.dmp

Filesize
5.7MB

Download
memory/1144-54-0x0000000074A80000-0x0000000075031000-memory.dmp

Filesize
5.7MB

Download
memory/1144-47-0x0000000074A80000-0x0000000075031000-memory.dmp

Filesize
5.7MB

Download
memory/1144-46-0x0000000074A80000-0x0000000075031000-memory.dmp

Filesize
5.7MB

Download
memory/1144-39-0x0000000074A80000-0x0000000075031000-memory.dmp

Filesize
5.7MB

Download
memory/4024-27-0x0000000074A80000-0x0000000075031000-memory.dmp

Filesize
5.7MB

Download
memory/4024-26-0x0000000074A80000-0x0000000075031000-memory.dmp

Filesize
5.7MB

Download
memory/4024-19-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4024-57-0x00000000072B0000-0x00000000072C7000-memory.dmp

Filesize
92KB

Download
memory/4024-58-0x00000000072B0000-0x00000000072C7000-memory.dmp

Filesize
92KB

Download
memory/4024-59-0x00000000072B0000-0x00000000072C7000-memory.dmp

Filesize
92KB

Download
memory/4024-60-0x00000000072D0000-0x00000000072D1000-memory.dmp

Filesize
4KB

Download
memory/4024-61-0x00000000072B0000-0x00000000072C7000-memory.dmp

Filesize
92KB

Download
memory/4024-63-0x0000000074A80000-0x0000000075031000-memory.dmp

Filesize
5.7MB

Download
memory/4024-64-0x00000000072B0000-0x00000000072C7000-memory.dmp

Filesize
92KB

Download
memory/4024-65-0x0000000074A80000-0x0000000075031000-memory.dmp

Filesize
5.7MB

Download