Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-12-2024 07:52
Static task: static1
Behavioral task: behavioral1
  Sample: e0866b5da60a9096b7283e02812a17f7_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e0866b5da60a9096b7283e02812a17f7_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: e0866b5da60a9096b7283e02812a17f7_JaffaCakes118.exe
Size: 978KB
MD5: e0866b5da60a9096b7283e02812a17f7
SHA1: 68e289646348c0e103bf934f5e788e8641bc1a6f
SHA256: a91e2dd8f993e927d9bcda4f53693e7b84bb1e15f5e744cb6c7de405953460c5
SHA512: 682eb7ff0b54ad2793bc0e6b48c78c8d461dcd25d0b4029b3b8ad9ba37fae4be2abe4df009f84acbcfaa3ebc3f4fad39fadc9951642172834a07bae941a023d8
SSDEEP: 12288:taWzgMg7v3qnCiMErQohh0F4CCJ8lnyC8rdoH8DV+NmjaQHv+BVNChbddysuYm:saHMv6CorjqnyC8xlDtFP+QvAsuYm
Malware Config
Signatures
Luminosity
Luminosity is a RAT family that was sold commercially while being marketed as a system administration utility.
Luminosity family
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\"" | SSN Generator.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\752379\\SSN Generator.exe\"" | SSN Generator.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | e0866b5da60a9096b7283e02812a17f7_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | uncrypted.exe
Executes dropped EXE (2 IoCs)
pid | Process
1188 | uncrypted.exe
3992 | SSN Generator.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft = "\"C:\\ProgramData\\752379\\SSN Generator.exe\"" | SSN Generator.exe
AutoIT Executable (1 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4000-0-0x0000000000400000-0x00000000004D3000-memory.dmp | autoit_exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\clientsvr.exe | SSN Generator.exe
File opened for modification | C:\Windows\SysWOW64\clientsvr.exe | SSN Generator.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e0866b5da60a9096b7283e02812a17f7_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uncrypted.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SSN Generator.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3992 | SSN Generator.exe (repeated entry)
1188 | uncrypted.exe (2 entries)
(64 entries in total; duplicate rows collapsed)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3992 | SSN Generator.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
3992 | SSN Generator.exe

Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 4000 wrote to memory of 1188 | 4000 | e0866b5da60a9096b7283e02812a17f7_JaffaCakes118.exe | 82
PID 4000 wrote to memory of 1188 | 4000 | e0866b5da60a9096b7283e02812a17f7_JaffaCakes118.exe | 82
PID 4000 wrote to memory of 1188 | 4000 | e0866b5da60a9096b7283e02812a17f7_JaffaCakes118.exe | 82
PID 1188 wrote to memory of 3992 | 1188 | uncrypted.exe | 85
PID 1188 wrote to memory of 3992 | 1188 | uncrypted.exe | 85
PID 1188 wrote to memory of 3992 | 1188 | uncrypted.exe | 85
PID 3992 wrote to memory of 1188 | 3992 | SSN Generator.exe | 82
PID 3992 wrote to memory of 1188 | 3992 | SSN Generator.exe | 82
PID 3992 wrote to memory of 1188 | 3992 | SSN Generator.exe | 82
PID 3992 wrote to memory of 1188 | 3992 | SSN Generator.exe | 82
PID 3992 wrote to memory of 1188 | 3992 | SSN Generator.exe | 82
Processes
(level 1) C:\Users\Admin\AppData\Local\Temp\e0866b5da60a9096b7283e02812a17f7_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e0866b5da60a9096b7283e02812a17f7_JaffaCakes118.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4000
  (level 2) C:\Users\Admin\AppData\Local\Temp\uncrypted.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\uncrypted.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 1188
    (level 3) C:\ProgramData\752379\SSN Generator.exe
      Command line: "C:\ProgramData\752379\SSN Generator.exe"
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 3992
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Downloads
Filesize: 222KB
MD5: 5086a0c6133bac6bdd866dbaa8b5ddf5
SHA1: 6ac84014793dd795c7f448db702ed0ab368cecff
SHA256: f102599b7ef74177ad25faa9e4ab4a6fdf2efd7cf13b6fd8d52020072bd18577
SHA512: c125a20b5b86a3d87c66f391b1c565eed968470f92fe3a6a0e6dc0102efaae3e8aedfcb4fba4f4784dfafcb13edc33433e8c0d4a8e3e33bd4353eec90135630a

Filesize: 222KB
MD5: 2cad8ca038dc9b795a3430d1344d9a3b
SHA1: d26ff7f5b1b07dca5e5b36e9b30fa38a1798aff6
SHA256: 24a28213271096aa3e006999127333a588ad93f7970965ea624776ea66ca91e1
SHA512: 00c75808c4e15f45b8ba6592edfeb97fe4e23bbdc192c04cb0217f80adcacfd73fd823ad1bd36bf532f726a4e9d136cebb1e6cff54525c16dbaeb255164f63f4