Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-07-2024 20:36
Static task: static1
Behavioral task: behavioral1
- Sample: 6cafc54eb9f1f8edd7a8aba870cccac8_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 6cafc54eb9f1f8edd7a8aba870cccac8_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 6cafc54eb9f1f8edd7a8aba870cccac8_JaffaCakes118.exe
- Size: 644KB
- MD5: 6cafc54eb9f1f8edd7a8aba870cccac8
- SHA1: 7431abbd950d29abae893e55f5d242907d9b573e
- SHA256: 2dc2c2f771e0e4df28b8b539afd9b6ae71084f4be073b7f3ff0bba98f228e121
- SHA512: 9b4e8c563e1d67a3ebdb2ed4609f1b68adf155caefbbf8218e54e74e4c9d28d51e380c9791f766cd8ae76f861ec0b4c88bc66002a40220c7b3c05dec61b046e4
- SSDEEP: 12288:Zl8klHeJTjhAX1T90fw/bTHDV+IZevFlxRLBa7mQj:ZxUC/PD7ea5
Malware Config
Signatures
- Luminosity (2 IoCs)
  Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 6cafc54eb9f1f8edd7a8aba870cccac8_JaffaCakes118.exe)
  PID 4060: schtasks.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Client Monitor = "\"C:\\Program Files (x86)\\Client\\msdcc.exe\" -a /a" (process: 6cafc54eb9f1f8edd7a8aba870cccac8_JaffaCakes118.exe)
- Suspicious use of SetThreadContext (1 IoC)
  PID 3304 set thread context of PID 3572 (process: 6cafc54eb9f1f8edd7a8aba870cccac8_JaffaCakes118.exe, procid_target: 99)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 6cafc54eb9f1f8edd7a8aba870cccac8_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 6cafc54eb9f1f8edd7a8aba870cccac8_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: schtasks.exe)
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 4060: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 3304: 6cafc54eb9f1f8edd7a8aba870cccac8_JaffaCakes118.exe (4 rows)
  PID 3572: 6cafc54eb9f1f8edd7a8aba870cccac8_JaffaCakes118.exe (60 rows)
- Suspicious behavior: RenamesItself (1 IoC)
  PID 3572: 6cafc54eb9f1f8edd7a8aba870cccac8_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 3304: 6cafc54eb9f1f8edd7a8aba870cccac8_JaffaCakes118.exe
  Token: SeDebugPrivilege, PID 3572: 6cafc54eb9f1f8edd7a8aba870cccac8_JaffaCakes118.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 3572: 6cafc54eb9f1f8edd7a8aba870cccac8_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  PID 3304 wrote to memory of PID 516 (process: 6cafc54eb9f1f8edd7a8aba870cccac8_JaffaCakes118.exe, procid_target: 97), 3 rows
  PID 3304 wrote to memory of PID 4404 (process: 6cafc54eb9f1f8edd7a8aba870cccac8_JaffaCakes118.exe, procid_target: 98), 3 rows
  PID 3304 wrote to memory of PID 3572 (process: 6cafc54eb9f1f8edd7a8aba870cccac8_JaffaCakes118.exe, procid_target: 99), 8 rows
  PID 3572 wrote to memory of PID 4060 (process: 6cafc54eb9f1f8edd7a8aba870cccac8_JaffaCakes118.exe, procid_target: 100), 3 rows
Processes
- C:\Users\Admin\AppData\Local\Temp\6cafc54eb9f1f8edd7a8aba870cccac8_JaffaCakes118.exe (level 1, PID 3304)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6cafc54eb9f1f8edd7a8aba870cccac8_JaffaCakes118.exe"
  - Luminosity
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\6cafc54eb9f1f8edd7a8aba870cccac8_JaffaCakes118.exe (level 2, PID 516)
    Command line: "C:\Users\Admin\AppData\Local\Temp\6cafc54eb9f1f8edd7a8aba870cccac8_JaffaCakes118.exe"
  - C:\Users\Admin\AppData\Local\Temp\6cafc54eb9f1f8edd7a8aba870cccac8_JaffaCakes118.exe (level 2, PID 4404)
    Command line: "C:\Users\Admin\AppData\Local\Temp\6cafc54eb9f1f8edd7a8aba870cccac8_JaffaCakes118.exe"
  - C:\Users\Admin\AppData\Local\Temp\6cafc54eb9f1f8edd7a8aba870cccac8_JaffaCakes118.exe (level 2, PID 3572)
    Command line: "C:\Users\Admin\AppData\Local\Temp\6cafc54eb9f1f8edd7a8aba870cccac8_JaffaCakes118.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (level 3, PID 4060)
      Command line: schtasks /create /sc onlogon /tn "Client Monitor" /rl highest /tr "'C:\Program Files (x86)\Client\msdcc.exe' /startup" /f
      - Luminosity
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\6cafc54eb9f1f8edd7a8aba870cccac8_JaffaCakes118.exe.log
  Filesize: 224B
  MD5: 9c4b66f77f12558c48b620ddfb44029d
  SHA1: 446651db643b943ec37b9b3599655e211a4bc73e
  SHA256: 42f723d18283fda6a0904046cc29ee8d10e562d20c7615259a46ae9c0e4c9708
  SHA512: 983aed0ec15a79b716ac6dc080146e4ed098c117c31167053fb5971649dc621d1db5292fdd76f3010f094b75d57ea0bdb35bc829c6ba37e4d276b266361dee8e