Analysis

  • max time kernel
    149s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-06-2024 16:14

General

  • Target

    0eb8062d3c7a14a325a2e5d8c325f0ba_JaffaCakes118.exe

  • Size

    810KB

  • MD5

    0eb8062d3c7a14a325a2e5d8c325f0ba

  • SHA1

    18988994bee5da320a137e4e7bb4ec3ef67f4fd6

  • SHA256

    572e7490570d77c3f37b52fd65dfe7eaa4d46cd716581640b567662a1fbd4831

  • SHA512

    22012f6166f694e0407a87f741c4064a7f2acadf22104a63f47686977327f2c7b59d3e16db5b55b18042e2a9c5c7ffc906306c4253233504a98b450c7f8e7810

  • SSDEEP

    12288:pC6Ut6RJ9mbupafIKsFzq3+lBxnX2Hf4CmmeKc1ett18n4SytyUkmgKGMsd28AeG:9MYMC2IBdUtCgiTyQdbHz3+SH4uG

Malware Config

Extracted

Family

latentbot

C2

1easydung69.zapto.org

2easydung69.zapto.org

3easydung69.zapto.org

4easydung69.zapto.org

5easydung69.zapto.org

6easydung69.zapto.org

7easydung69.zapto.org

8easydung69.zapto.org

Signatures

  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

  • Modifies firewall policy service (3 TTPs, 8 IoCs)
  • Drops startup file (2 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (4 IoCs)
  • UPX packed file (16 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Uses the VBS compiler for execution (1 TTP)
  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key (1 TTP, 4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (35 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (52 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\0eb8062d3c7a14a325a2e5d8c325f0ba_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0eb8062d3c7a14a325a2e5d8c325f0ba_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2080
    • C:\Users\Admin\AppData\Roaming\taskmgr.exe
      C:\Users\Admin\AppData\Roaming\taskmgr.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1904
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2724
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • Modifies registry key
          PID:2500
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\taskmgr.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\taskmgr.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2520
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\taskmgr.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\taskmgr.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • Modifies registry key
          PID:2556
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2508
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • Modifies registry key
          PID:2604
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\cvs.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\cvs.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2620
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\cvs.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\cvs.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • Modifies registry key
          PID:2940
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_wtu80bi.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3032
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6134.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6133.tmp"
        3⤵
          PID:1720
      • C:\Users\Admin\AppData\Roaming\0eb8062d3c7a14a325a2e5d8c325f0ba_JaffaCakes1181.exe
        "C:\Users\Admin\AppData\Roaming\0eb8062d3c7a14a325a2e5d8c325f0ba_JaffaCakes1181.exe"
        2⤵
        • Drops startup file
        • Executes dropped EXE
        PID:584

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RES6134.tmp

      Filesize

      1KB

      MD5

      026654ca29901eb6e755c0e61b33815d

      SHA1

      51c39dc01f2314587df14ba7ee55e0cc6e3e9842

      SHA256

      02742a86055fb404fdb2f4856a753efb183f52b0ea1f30b2ab2e2b1fd02799d6

      SHA512

      a68bf860cedb190bf054bb585413ed5de72c5e2ca66b6660c244ff5a68404b85043f3a01e214c4b2c3205e30c0d2acac5d2c7ddb5bd3f92dc3acf5194602b7b9

    • C:\Users\Admin\AppData\Local\Temp\_wtu80bi.0.vb

      Filesize

      381B

      MD5

      1049a2311cdb66f3af6111ce8096a7c5

      SHA1

      84c6cb31407639351fe96203eeea848765b77e09

      SHA256

      3518c3c4d7186e037404595ecaab82f5eebafc00828fbe44a57a82166b0b3893

      SHA512

      5e33ac030c1fc83c0f67fcbaf018ad2abb7422dd3e032492179263984de4e608923d49cef35bfcb7fd488092671a0c2159cb04962b73038900ebfb94f1c7f74a

    • C:\Users\Admin\AppData\Local\Temp\_wtu80bi.cmdline

      Filesize

      235B

      MD5

      6e056432c6099120d2f16abb18f135bf

      SHA1

      aaf550136a713ebfa6b7d01b2041e745fd959f8e

      SHA256

      9dde81ecc72dfeb713cef76663f168773ced51fcbccf9e6d3ce3b1870f910203

      SHA512

      3fc64af7bde5e56b540c872741a2fb18c4b6cd9486bd96cb6df3bfe31b5a286511ed27f8468b84a7e015db073667167b55a2a869cf78645e4ff29a8dde091542

    • C:\Users\Admin\AppData\Local\Temp\vbc6133.tmp

      Filesize

      804B

      MD5

      808f1f55b7a943e385b4a5e7381aa983

      SHA1

      23531226db4edf6d508d1ee474b475158fd99d44

      SHA256

      dda6580d45f9e572c9bb3b1faff4ec29d09fe191809d6388c1088b5bd3b94777

      SHA512

      419da80b6d2ed147bb4382adcc8f17395a703b4fdd5e8f590cd020de1314f461688a3a1cf9c5ed80c5a1e8b2f31d1aba45177b1417bd16f416570c8ba9a5ddca

    • C:\Users\Admin\AppData\Roaming\0eb8062d3c7a14a325a2e5d8c325f0ba_JaffaCakes118.exe

      Filesize

      810KB

      MD5

      0eb8062d3c7a14a325a2e5d8c325f0ba

      SHA1

      18988994bee5da320a137e4e7bb4ec3ef67f4fd6

      SHA256

      572e7490570d77c3f37b52fd65dfe7eaa4d46cd716581640b567662a1fbd4831

      SHA512

      22012f6166f694e0407a87f741c4064a7f2acadf22104a63f47686977327f2c7b59d3e16db5b55b18042e2a9c5c7ffc906306c4253233504a98b450c7f8e7810

    • C:\Users\Admin\AppData\Roaming\0eb8062d3c7a14a325a2e5d8c325f0ba_JaffaCakes1181.exe

      Filesize

      6KB

      MD5

      e4be76ba5b7a407408b8685361f4c4e3

      SHA1

      89ad99748a3ce55a29960161f17f3e0b416fad45

      SHA256

      d406d8877bb126524d6ceec0cb93c3b13a8ded3f2c15bf4012864fbe8a034185

      SHA512

      e069af591df666813be0e8242e15dc1e518ca90eecc39404b55972f7bb81be04e73fc7ec2c9661678124cb6634296a981f601b468c710bcf0b3e10581c80cada

    • \Users\Admin\AppData\Roaming\taskmgr.exe

      Filesize

      12KB

      MD5

      d4d99a39dbcf8d2a6a3fd7c52a29ad68

      SHA1

      128301ca279d7cf9f0a5bd6b6105ff5d2f4e76f3

      SHA256

      04f15f3cd3bcde2293f5619a1e3bcafbaffb4e6a6be61d095dda319f181dcfbd

      SHA512

      314401336944460ec4bf9c2005d53f34fcdb871d345f62c10b28483a4b0663476b0d28757e857cd0eb6639eb36b10d2548343fde136f367b84ed13e0b2f9baf9

    • memory/1904-12-0x0000000000400000-0x0000000000476000-memory.dmp

      Filesize

      472KB

    • memory/1904-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/1904-22-0x0000000000400000-0x0000000000476000-memory.dmp

      Filesize

      472KB

    • memory/1904-21-0x0000000000400000-0x0000000000476000-memory.dmp

      Filesize

      472KB

    • memory/1904-24-0x0000000000400000-0x0000000000476000-memory.dmp

      Filesize

      472KB

    • memory/1904-23-0x0000000000400000-0x0000000000476000-memory.dmp

      Filesize

      472KB

    • memory/1904-10-0x0000000000400000-0x0000000000476000-memory.dmp

      Filesize

      472KB

    • memory/1904-14-0x0000000000400000-0x0000000000476000-memory.dmp

      Filesize

      472KB

    • memory/1904-69-0x0000000000400000-0x0000000000476000-memory.dmp

      Filesize

      472KB

    • memory/1904-57-0x0000000000400000-0x0000000000476000-memory.dmp

      Filesize

      472KB

    • memory/1904-18-0x0000000000400000-0x0000000000476000-memory.dmp

      Filesize

      472KB

    • memory/1904-64-0x0000000000400000-0x0000000000476000-memory.dmp

      Filesize

      472KB

    • memory/1904-63-0x0000000000400000-0x0000000000476000-memory.dmp

      Filesize

      472KB

    • memory/1904-61-0x0000000000400000-0x0000000000476000-memory.dmp

      Filesize

      472KB

    • memory/1904-60-0x0000000000400000-0x0000000000476000-memory.dmp

      Filesize

      472KB

    • memory/1904-54-0x0000000000400000-0x0000000000476000-memory.dmp

      Filesize

      472KB

    • memory/1904-55-0x0000000000400000-0x0000000000476000-memory.dmp

      Filesize

      472KB

    • memory/1904-56-0x0000000000400000-0x0000000000476000-memory.dmp

      Filesize

      472KB

    • memory/2080-0-0x00000000749E1000-0x00000000749E2000-memory.dmp

      Filesize

      4KB

    • memory/2080-53-0x00000000749E0000-0x0000000074F8B000-memory.dmp

      Filesize

      5.7MB

    • memory/2080-1-0x00000000749E0000-0x0000000074F8B000-memory.dmp

      Filesize

      5.7MB

    • memory/2080-2-0x00000000749E0000-0x0000000074F8B000-memory.dmp

      Filesize

      5.7MB

    • memory/3032-45-0x0000000000400000-0x000000000051E000-memory.dmp

      Filesize

      1.1MB

    • memory/3032-40-0x0000000000400000-0x000000000051E000-memory.dmp

      Filesize

      1.1MB