luminosity | 9c02cd14cfdc23246c31d278411172f11e7c9d61efd865ea2d0748498531833d

General

Target

8e6e55693ebbb6378e968f983042bcb5_JaffaCakes118.exe
Size

1.2MB
MD5

8e6e55693ebbb6378e968f983042bcb5
SHA1

e1be4d13116159c5fcd2e0641d1f0aaa0070e650
SHA256

9c02cd14cfdc23246c31d278411172f11e7c9d61efd865ea2d0748498531833d
SHA512

9142b4e32b50ee1b0c7b95c91263abbc97d7228e8c06e502bd77596e1e2a66f7723f583c24f2ec72a6c6d0930bc861be3e94f3a90acb2e8298c2fdc5d3fcc2c3
SSDEEP

24576:GRmJkqoQrilOIQ+yMxUaGcpcCv73VGRrwEemIYLevnBS+/RIENZkr3:PJXoQryTiMxUaGc93G3

Score

10^/10

luminosity persistence rat

Malware Config

Signatures

Luminosity 2 IoCs

Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

rat luminosity

Processes:

8e6e55693ebbb6378e968f983042bcb5_JaffaCakes118.exeschtasks.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\key_name = "C:\\Users\\Admin\\AppData\\Roaming\\MSBuild\\MSBuild.exe"	8e6e55693ebbb6378e968f983042bcb5_JaffaCakes118.exe
1376	schtasks.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

8e6e55693ebbb6378e968f983042bcb5_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\key_name = "C:\\Users\\Admin\\AppData\\Roaming\\MSBuild\\MSBuild.exe"	8e6e55693ebbb6378e968f983042bcb5_JaffaCakes118.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\MSBuild\MSBuild.exe	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

8e6e55693ebbb6378e968f983042bcb5_JaffaCakes118.exe

description pid process target process

PID 552 set thread context of 1172 552 8e6e55693ebbb6378e968f983042bcb5_JaffaCakes118.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1376 schtasks.exe

description	pid	process	target process
PID 552 set thread context of 1172	552	8e6e55693ebbb6378e968f983042bcb5_JaffaCakes118.exe	MSBuild.exe

pid	process
1376	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8e6e55693ebbb6378e968f983042bcb5_JaffaCakes118.exeMSBuild.exe

pid	process
552	8e6e55693ebbb6378e968f983042bcb5_JaffaCakes118.exe
552	8e6e55693ebbb6378e968f983042bcb5_JaffaCakes118.exe
552	8e6e55693ebbb6378e968f983042bcb5_JaffaCakes118.exe
552	8e6e55693ebbb6378e968f983042bcb5_JaffaCakes118.exe
552	8e6e55693ebbb6378e968f983042bcb5_JaffaCakes118.exe
552	8e6e55693ebbb6378e968f983042bcb5_JaffaCakes118.exe
552	8e6e55693ebbb6378e968f983042bcb5_JaffaCakes118.exe
552	8e6e55693ebbb6378e968f983042bcb5_JaffaCakes118.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe
1172	MSBuild.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

8e6e55693ebbb6378e968f983042bcb5_JaffaCakes118.exe

pid process

552 8e6e55693ebbb6378e968f983042bcb5_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 1172 MSBuild.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MSBuild.exe

pid process

1172 MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	1172	MSBuild.exe

pid	process
1172	MSBuild.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

8e6e55693ebbb6378e968f983042bcb5_JaffaCakes118.exeMSBuild.exe

description	pid	process	target process
PID 552 wrote to memory of 1172	552	8e6e55693ebbb6378e968f983042bcb5_JaffaCakes118.exe	MSBuild.exe
PID 552 wrote to memory of 1172	552	8e6e55693ebbb6378e968f983042bcb5_JaffaCakes118.exe	MSBuild.exe
PID 552 wrote to memory of 1172	552	8e6e55693ebbb6378e968f983042bcb5_JaffaCakes118.exe	MSBuild.exe
PID 552 wrote to memory of 1172	552	8e6e55693ebbb6378e968f983042bcb5_JaffaCakes118.exe	MSBuild.exe
PID 552 wrote to memory of 1172	552	8e6e55693ebbb6378e968f983042bcb5_JaffaCakes118.exe	MSBuild.exe
PID 1172 wrote to memory of 1376	1172	MSBuild.exe	schtasks.exe
PID 1172 wrote to memory of 1376	1172	MSBuild.exe	schtasks.exe
PID 1172 wrote to memory of 1376	1172	MSBuild.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\8e6e55693ebbb6378e968f983042bcb5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8e6e55693ebbb6378e968f983042bcb5_JaffaCakes118.exe"
1⤵
- Luminosity
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc onlogon /tn "Client Monitor" /rl highest /tr "'C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe' /startup" /f
3⤵
- Luminosity
- Creates scheduled task(s)
PID:1376

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MSBuild\MSBuild.exe
Filesize
1.2MB

MD5
8e6e55693ebbb6378e968f983042bcb5

SHA1
e1be4d13116159c5fcd2e0641d1f0aaa0070e650

SHA256
9c02cd14cfdc23246c31d278411172f11e7c9d61efd865ea2d0748498531833d

SHA512
9142b4e32b50ee1b0c7b95c91263abbc97d7228e8c06e502bd77596e1e2a66f7723f583c24f2ec72a6c6d0930bc861be3e94f3a90acb2e8298c2fdc5d3fcc2c3

Download Submit
memory/552-6-0x00000000035E0000-0x00000000035E1000-memory.dmp

Filesize
4KB

Download
memory/1172-2-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1172-7-0x0000000073632000-0x0000000073633000-memory.dmp

Filesize
4KB

Download
memory/1172-8-0x0000000073630000-0x0000000073BE1000-memory.dmp

Filesize
5.7MB

Download
memory/1172-9-0x0000000073630000-0x0000000073BE1000-memory.dmp

Filesize
5.7MB

Download
memory/1172-10-0x0000000073632000-0x0000000073633000-memory.dmp

Filesize
4KB

Download
memory/1172-11-0x0000000073630000-0x0000000073BE1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads