luminosity | bdfb0d576f4f54f95a314462a84449b875e7130c89d44d37942c03b82f22d92f

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
Size

1.2MB
MD5

82bd56d1562393f6fe6804679c757e39
SHA1

9f419cea26e9cfce290527a4671b3fc3a49c446d
SHA256

bdfb0d576f4f54f95a314462a84449b875e7130c89d44d37942c03b82f22d92f
SHA512

91908924f04b153ebb992a1b2aa935edceb07f2318c2ccf8a526a74c75448346c17502ae23ef956d6c6fbd881934e53565e6606d0ed918f04f6045c7aacd2714
SSDEEP

24576:pT3yU52y8rvkYzcUYGSvEoH/Ee/i/nNhzAv9nZ4pM:ZC20vkYzc00/Ee/i/DI9UM

Score

10^/10

luminosity discovery persistence rat

Malware Config

Signatures

Luminosity 3 IoCs

Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

rat luminosity

description	ioc	pid	Process
		4776	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language		82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
		948	schtasks.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Client Monitor = "cmd /c \"start \"Client Monitor\" \"C:\\Program Files (x86)\\Client\\client.exe\""	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Client Monitor = "cmd /c \"start \"Client Monitor\" \"C:\\Program Files (x86)\\Client\\client.exe\""	REG.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4776	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
Token: SeDebugPrivilege	4228	client.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
4228	client.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 948	4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe	86
PID 4944 wrote to memory of 948	4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe	86
PID 4944 wrote to memory of 948	4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe	86
PID 4228 wrote to memory of 4776	4228	client.exe	89
PID 4228 wrote to memory of 4776	4228	client.exe	89
PID 4228 wrote to memory of 4776	4228	client.exe	89
PID 4944 wrote to memory of 4228	4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe	88
PID 4944 wrote to memory of 4228	4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe	88
PID 4944 wrote to memory of 4228	4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe	88
PID 4944 wrote to memory of 4228	4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe	88
PID 4944 wrote to memory of 4228	4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe	88
PID 4944 wrote to memory of 3448	4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe	94
PID 4944 wrote to memory of 3448	4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe	94
PID 4944 wrote to memory of 3448	4944	82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe	94
PID 4228 wrote to memory of 4404	4228	client.exe	96
PID 4228 wrote to memory of 4404	4228	client.exe	96
PID 4228 wrote to memory of 4404	4228	client.exe	96

C:\Users\Admin\AppData\Local\Temp\82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\82bd56d1562393f6fe6804679c757e39_JaffaCakes118.exe"
1⤵
- Luminosity
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /sc MINUTE /f /rl highest
  2⤵
  - Luminosity
  - System Location Discovery: System Language Discovery
  PID:948
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3448

C:\Program Files (x86)\Client\client.exe
"C:\Program Files (x86)\Client\client.exe" /startup
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4228
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /sc MINUTE /f /rl highest
  2⤵
  - Luminosity
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4776
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

Filesize
471B

MD5
9e3c0fe8c97d8ab6cf2cbc819176a89d

SHA1
2b7b585ffcdb8aae3cd3432a18add5eb5f56472f

SHA256
f2cb3a2bff2481a5415c2312a88bf95e2766e418570178592e1bb1062bdfb0e5

SHA512
794e1457f6b9b4a06235239a9b7363a43a5e9fb28fedc523541533289c1366ef34f3e95e7f2b265948f5193ec0688756f5af6d81ad9c9e283cd8e15b69b06276

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_108A7991F73F2B507007C35661993162

Filesize
471B

MD5
c3441ccd9f517434aed0ea1ea880aa97

SHA1
c40267f98e5cbbe72986456661156d7b131ee7d1

SHA256
a7479fa88249b1c48dd8ec18e5c5f49433d2368d0274fd6f799ff213b05528fd

SHA512
2ef6715e7b8d09cd3716516eb7fbafe85271868295af6b360bf25b6c495f87cae1e980beebac4847eeb1a9e682f8752bc6f3fa6174d5fcadfa1afdb75f20c7dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

Filesize
404B

MD5
3144b22d2b879f271857284e7b3c04f0

SHA1
5afd40a04006fbcf11a4bfef77d94d93642762f8

SHA256
200fb93b6a501591f59a4911fb388fe72d1cde7050f819de097eb547f47dc22c

SHA512
6139dbfe5132ee0a7e5df74b9a1af27e713f0375e24c59b0fe12af3458af5dc6712b0e1c435c5b26da0665e65c623cbff166bc80f8d2e398422ec6acf8c80182

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_108A7991F73F2B507007C35661993162

Filesize
400B

MD5
836cac8dd7fb6cb4ccea4c7f2cc0dfeb

SHA1
1683d58cd1ca3f38a814d2c07238e5bc80b3fd1b

SHA256
cf6cd472abfab5948c1099d70bfeaca73a9b64b63c0ecf67d4a765be17e7877a

SHA512
f00005625cc663979089c8e5fd4b546111553a2212a32020392829e34cd90a5ad1eae4c64de5a09c40c7f00a3d4a8d2b90f7693f3aaa03a1f2d16c2629cb4f37

Download Submit
memory/4228-18-0x0000000005490000-0x00000000054A7000-memory.dmp

Filesize
92KB

Download
memory/4228-22-0x0000000005490000-0x00000000054A7000-memory.dmp

Filesize
92KB

Download
memory/4228-28-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/4228-27-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/4228-26-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/4228-25-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/4228-24-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/4228-21-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/4228-20-0x0000000005490000-0x00000000054A7000-memory.dmp

Filesize
92KB

Download
memory/4228-19-0x0000000005490000-0x00000000054A7000-memory.dmp

Filesize
92KB

Download
memory/4228-13-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/4944-0-0x0000000074EE2000-0x0000000074EE3000-memory.dmp

Filesize
4KB

Download
memory/4944-1-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/4944-2-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/4944-11-0x0000000074EE2000-0x0000000074EE3000-memory.dmp

Filesize
4KB

Download
memory/4944-12-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download