Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-10-2024 21:35

General

  • Target

    4a1d5155676794951ccdec7aaf181567_JaffaCakes118.exe

  • Size

    1.3MB

  • MD5

    4a1d5155676794951ccdec7aaf181567

  • SHA1

    108bb8ba55e8657815ff7deefc8b4b22e59608d6

  • SHA256

    ce575fd964bbf7f36b42ba99c3d15f613f8df809ed8317598f8fd8f7e5ad728c

  • SHA512

    58fe81f2ce37861b8087b501a4015b0b0a4be5a5473de8728473edc3764931cfd7635de0b89d6633cb1c102432533c461d6517096ed45e613a4c5c9ebe1726da

  • SSDEEP

    24576:s3nZqfb4jBSHzuk+bUf4s90JIYHDosyTaqMyAnXxTvNuhSd3P3JlF2+c9L6nGC:sjsutAf4sCWZUXxLIhU3P3fFbmGGC

Malware Config

Signatures

  • Luminosity 3 IoCs

    Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 6 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a1d5155676794951ccdec7aaf181567_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4a1d5155676794951ccdec7aaf181567_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4868
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\pi1rviy6sl\FeQ2zT.vbs"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2360
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" m8q1.dll sx
        3⤵
        • Checks computer location settings
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4844
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v pi1rviy6sl /t REG_SZ /d "C:\pi1rviy6slpi1rviy6sl\pi1rviy6sl.vbs" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:4912
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4724
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v pi1rviy6sl /t REG_SZ /d "C:\pi1rviy6slpi1rviy6sl\pi1rviy6sl.vbs" /f
            5⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:1908
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 && copy /Y "C:\Users\Admin\pi1rviy6sl\x" C:\pi1rviy6slpi1rviy6sl\x && copy /Y "C:\Users\Admin\pi1rviy6sl\m8q1.dll" C:\pi1rviy6slpi1rviy6sl\m8q1.dll
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:5000
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2148
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /TR C:\pi1rviy6slpi1rviy6sl\pi1rviy6sl.vbs /MO 1 /TN pi1rviy6sl /SC MINUTE
          4⤵
          • Luminosity
          • System Location Discovery: System Language Discovery
          PID:4760
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1460
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\pi1rviy6slpi1rviy6sl\pi1rviy6sl.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3684
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\pi1rviy6slpi1rviy6sl\m8q1.dll sx
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4692
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\pi1rviy6slpi1rviy6sl\m8q1.dll sx
        3⤵
        • Checks computer location settings
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1296
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v pi1rviy6sl /t REG_SZ /d "C:\pi1rviy6slpi1rviy6sl\pi1rviy6sl.vbs" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:4112
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2504
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v pi1rviy6sl /t REG_SZ /d "C:\pi1rviy6slpi1rviy6sl\pi1rviy6sl.vbs" /f
            5⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:2588
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 && copy /Y "C:\pi1rviy6slpi1rviy6sl\x" C:\pi1rviy6slpi1rviy6sl\x && copy /Y "C:\pi1rviy6slpi1rviy6sl\m8q1.dll" C:\pi1rviy6slpi1rviy6sl\m8q1.dll
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:2728
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1248
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /TR C:\pi1rviy6slpi1rviy6sl\pi1rviy6sl.vbs /MO 1 /TN pi1rviy6sl /SC MINUTE
          4⤵
          • Luminosity
          • System Location Discovery: System Language Discovery
          PID:1084
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe"
          4⤵
            PID:916
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1028
    • C:\Windows\System32\WScript.exe
      C:\Windows\System32\WScript.exe "C:\pi1rviy6slpi1rviy6sl\pi1rviy6sl.vbs"
      1⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4980
      • C:\Windows\System32\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\pi1rviy6slpi1rviy6sl\m8q1.dll sx
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1568
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\pi1rviy6slpi1rviy6sl\m8q1.dll sx
          3⤵
          • Checks computer location settings
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1036
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v pi1rviy6sl /t REG_SZ /d "C:\pi1rviy6slpi1rviy6sl\pi1rviy6sl.vbs" /f
            4⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            PID:3740
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              5⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:540
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v pi1rviy6sl /t REG_SZ /d "C:\pi1rviy6slpi1rviy6sl\pi1rviy6sl.vbs" /f
              5⤵
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              PID:1080
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 && copy /Y "C:\pi1rviy6slpi1rviy6sl\x" C:\pi1rviy6slpi1rviy6sl\x && copy /Y "C:\pi1rviy6slpi1rviy6sl\m8q1.dll" C:\pi1rviy6slpi1rviy6sl\m8q1.dll
            4⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            PID:4784
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              5⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1896
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /TR C:\pi1rviy6slpi1rviy6sl\pi1rviy6sl.vbs /MO 1 /TN pi1rviy6sl /SC MINUTE
            4⤵
            • Luminosity
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:1584
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4760

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\regasm.exe.log

      Filesize

      408B

      MD5

      42157868488d3ef98c00e3fa12f064be

      SHA1

      aad391be9ac3f6ce1ced49583690486a5f4186fb

      SHA256

      b9520170e84597186ba5cc223b9c2773f70d0cda088950bae2182e3b2237995c

      SHA512

      8f4a4bd63ceefc34158ea23f3a73dcc2848eeacdba8355d1251a96b4e0c18e2f3b0c4939be359f874f81fe4ee63283b8be43a70fe2dbaa2e64784333d10a2471

    • C:\Users\Admin\AppData\Local\Temp\lol.bin

      Filesize

      79KB

      MD5

      4c1b980906a53081d6391edfac398081

      SHA1

      5f8cd1bcd7b31c6eae1d50cf529942708ebd7b57

      SHA256

      61ca1f44e719686495a6cf55e0527dd8678098d4738bd15bf5b95569df6670ba

      SHA512

      21db58e71a797d92f0823eaad9327694053df92c1d9bdde30011ec2d69d67e48003d5d80823fb9094d727f128051387e90e3b4a9349b3c5377e022e308a61757

    • C:\Users\Admin\pi1rviy6sl\FeQ2zT.vbs

      Filesize

      101B

      MD5

      77e6d73b21c5c834cfbef3159b981cd4

      SHA1

      4fb085f7dde09eb567951df3ea25f64a769600c2

      SHA256

      20afd3844eb51d22dd83733737ffcc6306e20e37842c206b256a59b0b5d67944

      SHA512

      840a9f0311592b54ceb2a016a9ff91e961b3ffe5cfba049402a0c803b060f518441a2c75fbaae21a6c4772a9581199d42a12094353a2b763aebfb39f69484ee9

    • C:\Users\Admin\pi1rviy6sl\m8q1.dll

      Filesize

      10.6MB

      MD5

      694af45d3117ff8c3e517d0ba3a5966a

      SHA1

      ac187edbee726a94f93eb11aac7989bd3ae5d96b

      SHA256

      2c2f169880796b15549e38caa2a8638637532a9d28b15884b07d78c47d365f6d

      SHA512

      0d3b9eb58634f1c15ab66b9af858c9a67ab3492ff08f3a4a6d789ff9b23c977f9fe8122f0503025d9a8c14897d1f707d7d3c38071af56295689bb8a07d7b4a96

    • C:\Users\Admin\pi1rviy6sl\x

      Filesize

      1.4MB

      MD5

      5227ba6411b79fc00134d5e41c5654bb

      SHA1

      e46c9aee2f530b6cc46dabc358efaf42cd12f9d8

      SHA256

      5de223a370937c2a381a02d213d55a3a7869efb40d2273cf47bac4f70f179250

      SHA512

      752d5be8428074c610ee6fed3ebd3c79ec5c81adf841e97e77260ce5180a641aeedfd02ce9021562a2dd1e21cc6f4b7472fa505ce291de1f0045b75b4200aa49

    • C:\pi1rviy6slpi1rviy6sl\pi1rviy6sl.vbs

      Filesize

      140B

      MD5

      cdacde29c11575533852e09500a01e44

      SHA1

      93024bf043880e1ba56551160d902b45cd3d6e02

      SHA256

      7b748c06cc50601d5303efe5e71f3882ec2f31fc6364187b012c759d133518fa

      SHA512

      bed9b5cf513e97ecfa6d08f5bf51e773ca2b5495e00c5dd2d0e928b7cc113971cb9adc76afa815e27d982de5df05350817e36d787d2851b9ce3a5c1a2f0746db

    • memory/1036-39-0x0000000000400000-0x000000000041D000-memory.dmp

      Filesize

      116KB

    • memory/1296-31-0x0000000000400000-0x000000000041D000-memory.dmp

      Filesize

      116KB

    • memory/1460-16-0x0000000000400000-0x00000000004DC000-memory.dmp

      Filesize

      880KB

    • memory/4844-12-0x0000000001290000-0x0000000001291000-memory.dmp

      Filesize

      4KB

    • memory/4844-17-0x0000000000400000-0x000000000041D000-memory.dmp

      Filesize

      116KB

    • memory/4844-18-0x0000000001540000-0x0000000001557000-memory.dmp

      Filesize

      92KB

    • memory/4844-13-0x0000000001540000-0x0000000001557000-memory.dmp

      Filesize

      92KB