Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-12-2024 07:52

General

  • Target

    e0866b5da60a9096b7283e02812a17f7_JaffaCakes118.exe

  • Size

    978KB

  • MD5

    e0866b5da60a9096b7283e02812a17f7

  • SHA1

    68e289646348c0e103bf934f5e788e8641bc1a6f

  • SHA256

    a91e2dd8f993e927d9bcda4f53693e7b84bb1e15f5e744cb6c7de405953460c5

  • SHA512

    682eb7ff0b54ad2793bc0e6b48c78c8d461dcd25d0b4029b3b8ad9ba37fae4be2abe4df009f84acbcfaa3ebc3f4fad39fadc9951642172834a07bae941a023d8

  • SSDEEP

    12288:taWzgMg7v3qnCiMErQohh0F4CCJ8lnyC8rdoH8DV+NmjaQHv+BVNChbddysuYm:saHMv6CorjqnyC8xlDtFP+QvAsuYm

Malware Config

Signatures

  • Luminosity

    Luminosity is a RAT family that was sold commercially while being marketed as a system administration utility.

  • Luminosity family
  • Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE (2 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • AutoIT Executable (1 IoC)

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\e0866b5da60a9096b7283e02812a17f7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e0866b5da60a9096b7283e02812a17f7_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4000
    • C:\Users\Admin\AppData\Local\Temp\uncrypted.exe
      "C:\Users\Admin\AppData\Local\Temp\uncrypted.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1188
      • C:\ProgramData\752379\SSN Generator.exe
        "C:\ProgramData\752379\SSN Generator.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3992
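The process tree ends with the dropped C:\ProgramData\752379\SSN Generator.exe both modifying Winlogon and adding a Run key. The report does not state which registry values were written, so the script below, an added example that is not part of the sandbox report or of the sample, shows the check a responder would run on a suspect host: compare the Winlogon Shell/Userinit values against their documented defaults and flag Run entries that launch from drop directories such as ProgramData or %TEMP%. The SAMPLE_* dictionaries are constructed to resemble such a modification and are not extracted from the sample; the directory list and the default values are assumptions based on standard Windows installs.

```python
"""Audit Winlogon and Run-key autostarts for the persistence pattern in the report.

Added example, not code from the sandbox or the sample. The SAMPLE_* data are
constructed (hypothetical) registry contents; pass --live on Windows to audit
the real registry instead.
"""
import re
import sys

# Documented defaults for the Winlogon values malware commonly hijacks.
# A stock system has exactly these entries; any extra entry is a finding.
WINLOGON_DEFAULTS = {
    "Shell": ["explorer.exe"],
    "Userinit": ["C:\\Windows\\system32\\userinit.exe"],
}

# Drop locations seen in the process tree (ProgramData, %TEMP%) plus the usual
# user-writable ones; a Run entry launching from here is suspect (assumption).
SUSPICIOUS_DIRS = (
    "\\programdata\\",
    "\\appdata\\local\\temp\\",
    "\\users\\public\\",
    "\\windows\\temp\\",
)


def split_entries(data):
    """Winlogon values are comma-separated command lists; return cleaned entries."""
    return [e.strip().strip('"') for e in data.split(",") if e.strip()]


def command_executable(cmd):
    """First token of a Run-key command line, honouring a quoted path."""
    cmd = cmd.strip()
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""


def audit_winlogon(values):
    """values: Winlogon value name -> data. Returns [(value name, unexpected entry)]."""
    findings = []
    for name, expected in WINLOGON_DEFAULTS.items():
        if name not in values:
            continue
        allowed = {e.lower() for e in expected}
        for entry in split_entries(values[name]):
            if entry.lower() not in allowed:
                findings.append((name, entry))
    return findings


def audit_run_keys(entries):
    """entries: Run value name -> command. Returns [(value name, exe)] for drop-dir launches."""
    findings = []
    for name, cmd in entries.items():
        exe = command_executable(cmd)
        if any(d in exe.lower() for d in SUSPICIOUS_DIRS):
            findings.append((name, exe))
    return findings


# Constructed sample data, shaped like a hijacked Shell value and a Run entry
# pointing at the dropped executable from the process tree.
SAMPLE_WINLOGON = {
    "Shell": 'explorer.exe,"C:\\ProgramData\\752379\\SSN Generator.exe"',
    "Userinit": "C:\\Windows\\system32\\userinit.exe,",
}
SAMPLE_RUN = {
    "OneDrive": '"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
    "SSN Generator": '"C:\\ProgramData\\752379\\SSN Generator.exe"',
}


def collect_live():
    """Read the real keys on Windows (HKLM Winlogon; HKLM and HKCU Run)."""
    import winreg

    def read_values(root, path):
        out, i = {}, 0
        with winreg.OpenKey(root, path) as key:
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:
                    return out
                out[name] = str(data)
                i += 1

    winlogon = read_values(winreg.HKEY_LOCAL_MACHINE,
                           r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    run = {}
    for root in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            run.update(read_values(root, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"))
        except OSError:
            pass  # key absent or access denied
    return winlogon, run


if __name__ == "__main__":
    if "--live" in sys.argv and sys.platform == "win32":
        winlogon, run = collect_live()
    else:
        winlogon, run = SAMPLE_WINLOGON, SAMPLE_RUN
    for name, entry in audit_winlogon(winlogon):
        print(f"[Winlogon] {name} has unexpected entry: {entry}")
    for name, exe in audit_run_keys(run):
        print(f"[Run] {name} launches from a drop directory: {exe}")
```

The Winlogon comparison is deliberately strict: Shell and Userinit are comma-separated lists, and a hijack usually appends a second command rather than replacing the default, so every entry that is not the documented default is reported. Paths containing a comma would need a quote-aware splitter.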

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\aut87BE.tmp
    Filesize: 222KB
    MD5: 5086a0c6133bac6bdd866dbaa8b5ddf5
    SHA1: 6ac84014793dd795c7f448db702ed0ab368cecff
    SHA256: f102599b7ef74177ad25faa9e4ab4a6fdf2efd7cf13b6fd8d52020072bd18577
    SHA512: c125a20b5b86a3d87c66f391b1c565eed968470f92fe3a6a0e6dc0102efaae3e8aedfcb4fba4f4784dfafcb13edc33433e8c0d4a8e3e33bd4353eec90135630a

  • C:\Users\Admin\AppData\Local\Temp\uncrypted.exe
    Filesize: 222KB
    MD5: 2cad8ca038dc9b795a3430d1344d9a3b
    SHA1: d26ff7f5b1b07dca5e5b36e9b30fa38a1798aff6
    SHA256: 24a28213271096aa3e006999127333a588ad93f7970965ea624776ea66ca91e1
    SHA512: 00c75808c4e15f45b8ba6592edfeb97fe4e23bbdc192c04cb0217f80adcacfd73fd823ad1bd36bf532f726a4e9d136cebb1e6cff54525c16dbaeb255164f63f4

  Memory dumps (name: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp), grouped by PID:

  • memory/4000-0-0x0000000000400000-0x00000000004D3000-memory.dmp (Filesize: 844KB)
  • memory/1188-17-0x0000000074AC2000-0x0000000074AC3000-memory.dmp (Filesize: 4KB)
  • memory/1188-18-0x0000000074AC0000-0x0000000075071000-memory.dmp (Filesize: 5.7MB)
  • memory/1188-19-0x0000000074AC0000-0x0000000075071000-memory.dmp (Filesize: 5.7MB)
  • memory/1188-35-0x0000000074AC2000-0x0000000074AC3000-memory.dmp (Filesize: 4KB)
  • memory/1188-36-0x0000000074AC0000-0x0000000075071000-memory.dmp (Filesize: 5.7MB)
  • memory/1188-37-0x0000000006B60000-0x0000000006B77000-memory.dmp (Filesize: 92KB)
  • memory/1188-38-0x0000000006B60000-0x0000000006B77000-memory.dmp (Filesize: 92KB)
  • memory/1188-39-0x0000000006B60000-0x0000000006B77000-memory.dmp (Filesize: 92KB)
  • memory/1188-40-0x0000000006B80000-0x0000000006B81000-memory.dmp (Filesize: 4KB)
  • memory/1188-41-0x0000000006B60000-0x0000000006B77000-memory.dmp (Filesize: 92KB)
  • memory/1188-45-0x0000000006B60000-0x0000000006B77000-memory.dmp (Filesize: 92KB)
  • memory/1188-46-0x0000000074AC0000-0x0000000075071000-memory.dmp (Filesize: 5.7MB)
  • memory/3992-30-0x0000000074AC0000-0x0000000075071000-memory.dmp (Filesize: 5.7MB)
  • memory/3992-31-0x0000000074AC0000-0x0000000075071000-memory.dmp (Filesize: 5.7MB)
  • memory/3992-32-0x0000000074AC0000-0x0000000075071000-memory.dmp (Filesize: 5.7MB)
  • memory/3992-43-0x0000000074AC0000-0x0000000075071000-memory.dmp (Filesize: 5.7MB)
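The memory dump names above encode the owning PID, a sequence number and the dumped address range, which is enough to recompute each region's size and to see which ranges recur. The script below is an added example, not part of the sandbox report: it parses that naming pattern, checks the recomputed size against the printed Filesize, groups regions per process, and lists ranges that were dumped at the same address in more than one process (the 5.7MB region at 0x74AC0000 appears in both child PIDs, which is consistent with a module mapped at a shared base rather than a per-process payload; what that module is, the report does not say). The dump list is copied from the report; the size formatting rule (whole KB, one-decimal MB) is an assumption inferred from the printed values.

```python
"""Parse sandbox memory-dump names and summarise dumped regions per process.

Added example for this report, not sandbox code. REPORT_DUMPS is copied from
the Downloads section above; the KB/MB formatting rule is an assumption.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# (dump name, Filesize as printed in the report)
REPORT_DUMPS = [
    ("memory/4000-0-0x0000000000400000-0x00000000004D3000-memory.dmp", "844KB"),
    ("memory/1188-17-0x0000000074AC2000-0x0000000074AC3000-memory.dmp", "4KB"),
    ("memory/1188-18-0x0000000074AC0000-0x0000000075071000-memory.dmp", "5.7MB"),
    ("memory/1188-19-0x0000000074AC0000-0x0000000075071000-memory.dmp", "5.7MB"),
    ("memory/1188-35-0x0000000074AC2000-0x0000000074AC3000-memory.dmp", "4KB"),
    ("memory/1188-36-0x0000000074AC0000-0x0000000075071000-memory.dmp", "5.7MB"),
    ("memory/1188-37-0x0000000006B60000-0x0000000006B77000-memory.dmp", "92KB"),
    ("memory/1188-38-0x0000000006B60000-0x0000000006B77000-memory.dmp", "92KB"),
    ("memory/1188-39-0x0000000006B60000-0x0000000006B77000-memory.dmp", "92KB"),
    ("memory/1188-40-0x0000000006B80000-0x0000000006B81000-memory.dmp", "4KB"),
    ("memory/1188-41-0x0000000006B60000-0x0000000006B77000-memory.dmp", "92KB"),
    ("memory/1188-45-0x0000000006B60000-0x0000000006B77000-memory.dmp", "92KB"),
    ("memory/1188-46-0x0000000074AC0000-0x0000000075071000-memory.dmp", "5.7MB"),
    ("memory/3992-30-0x0000000074AC0000-0x0000000075071000-memory.dmp", "5.7MB"),
    ("memory/3992-31-0x0000000074AC0000-0x0000000075071000-memory.dmp", "5.7MB"),
    ("memory/3992-32-0x0000000074AC0000-0x0000000075071000-memory.dmp", "5.7MB"),
    ("memory/3992-43-0x0000000074AC0000-0x0000000075071000-memory.dmp", "5.7MB"),
]


def parse_dump_name(name):
    """Split a dump name into pid, sequence number and the dumped [start, end) range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_size(n):
    """Format bytes the way the report prints them: whole KB below 1 MiB, else one-decimal MB."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n // 1024}KB"


def size_mismatches(dumps):
    """Names whose recomputed region size disagrees with the printed Filesize."""
    return [name for name, stated in dumps
            if human_size(parse_dump_name(name)["size"]) != stated]


def regions_by_pid(dumps):
    """pid -> {(start, end): number of dumps taken of that region}."""
    out = defaultdict(lambda: defaultdict(int))
    for name, _ in dumps:
        d = parse_dump_name(name)
        out[d["pid"]][(d["start"], d["end"])] += 1
    return {pid: dict(regions) for pid, regions in out.items()}


def shared_regions(by_pid):
    """Ranges dumped at the same address in more than one process."""
    owners = defaultdict(set)
    for pid, regions in by_pid.items():
        for r in regions:
            owners[r].add(pid)
    return {r: sorted(p) for r, p in owners.items() if len(p) > 1}


if __name__ == "__main__":
    by_pid = regions_by_pid(REPORT_DUMPS)
    for pid in sorted(by_pid):
        print(f"PID {pid}")
        for (start, end), n in sorted(by_pid[pid].items()):
            print(f"  0x{start:08X}-0x{end:08X}  {human_size(end - start):>6}  dumped {n}x")
    for (start, end), pids in shared_regions(by_pid).items():
        print(f"shared: 0x{start:08X}-0x{end:08X} in PIDs {pids}")
    print("size mismatches:", size_mismatches(REPORT_DUMPS))
```

Repeated dumps of one range (five of the 92KB region in PID 1188) are usually the same region captured at different points in the run, so deduplicating by (pid, start, end) before hashing or scanning the .dmp files saves work; the per-PID grouping also makes it obvious that PID 4000 contributed only its 844KB main image.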