latentbot | ba26910aee89ac869e6f56bcfba36c31c811d7fd5892ec34831873dac1eb3bdf

Analysis

max time kernel
148s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe
Size

781KB
MD5

14f75b2eb7c9e8e722489b60d1aac52a
SHA1

a7babe3d0d25689bd4899a95f7d9ac746df7f61d
SHA256

ba26910aee89ac869e6f56bcfba36c31c811d7fd5892ec34831873dac1eb3bdf
SHA512

7010fd8a3f6e24328ba2672b813102f6097505d90f8dab85bae818edc8277e75284003d263c999f22834eb13c70e8282df66585e489468b828028f4c63e6fb83
SSDEEP

12288:L5////cHfaAwe3erIn9Zo/a46rOpqFmORcibq3Uips8Zn4IH:L5////c/aAwbr2oJ6rELOyB3Ui3ZB

Score

10^/10

latentbot evasion persistence trojan

Malware Config

Extracted

Family

latentbot

willsminecraftsvr.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Modifies firewall policy service 3 TTPs 8 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\Cry.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Cry.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\svchost.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Executes dropped EXE 2 IoCs

pid	Process
2584	ABrRL.exe
2524	svchost.exe

Loads dropped DLL 3 IoCs

pid	Process
2292	14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe
2292	14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe
2292	14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\javaw.exe"	ABrRL.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2292 set thread context of 2524	2292	14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2864	reg.exe
2112	reg.exe
1372	reg.exe
1584	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	2292	14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe
Token: 1	2524	svchost.exe
Token: SeCreateTokenPrivilege	2524	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2524	svchost.exe
Token: SeLockMemoryPrivilege	2524	svchost.exe
Token: SeIncreaseQuotaPrivilege	2524	svchost.exe
Token: SeMachineAccountPrivilege	2524	svchost.exe
Token: SeTcbPrivilege	2524	svchost.exe
Token: SeSecurityPrivilege	2524	svchost.exe
Token: SeTakeOwnershipPrivilege	2524	svchost.exe
Token: SeLoadDriverPrivilege	2524	svchost.exe
Token: SeSystemProfilePrivilege	2524	svchost.exe
Token: SeSystemtimePrivilege	2524	svchost.exe
Token: SeProfSingleProcessPrivilege	2524	svchost.exe
Token: SeIncBasePriorityPrivilege	2524	svchost.exe
Token: SeCreatePagefilePrivilege	2524	svchost.exe
Token: SeCreatePermanentPrivilege	2524	svchost.exe
Token: SeBackupPrivilege	2524	svchost.exe
Token: SeRestorePrivilege	2524	svchost.exe
Token: SeShutdownPrivilege	2524	svchost.exe
Token: SeDebugPrivilege	2524	svchost.exe
Token: SeAuditPrivilege	2524	svchost.exe
Token: SeSystemEnvironmentPrivilege	2524	svchost.exe
Token: SeChangeNotifyPrivilege	2524	svchost.exe
Token: SeRemoteShutdownPrivilege	2524	svchost.exe
Token: SeUndockPrivilege	2524	svchost.exe
Token: SeSyncAgentPrivilege	2524	svchost.exe
Token: SeEnableDelegationPrivilege	2524	svchost.exe
Token: SeManageVolumePrivilege	2524	svchost.exe
Token: SeImpersonatePrivilege	2524	svchost.exe
Token: SeCreateGlobalPrivilege	2524	svchost.exe
Token: 31	2524	svchost.exe
Token: 32	2524	svchost.exe
Token: 33	2524	svchost.exe
Token: 34	2524	svchost.exe
Token: 35	2524	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2524	svchost.exe
2524	svchost.exe
2524	svchost.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2928	2292	14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe	28
PID 2292 wrote to memory of 2928	2292	14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe	28
PID 2292 wrote to memory of 2928	2292	14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe	28
PID 2292 wrote to memory of 2928	2292	14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe	28
PID 2928 wrote to memory of 2532	2928	csc.exe	30
PID 2928 wrote to memory of 2532	2928	csc.exe	30
PID 2928 wrote to memory of 2532	2928	csc.exe	30
PID 2928 wrote to memory of 2532	2928	csc.exe	30
PID 2292 wrote to memory of 2584	2292	14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2584	2292	14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2584	2292	14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2584	2292	14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2524	2292	14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe	32
PID 2292 wrote to memory of 2524	2292	14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe	32
PID 2292 wrote to memory of 2524	2292	14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe	32
PID 2292 wrote to memory of 2524	2292	14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe	32
PID 2292 wrote to memory of 2524	2292	14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe	32
PID 2292 wrote to memory of 2524	2292	14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe	32
PID 2292 wrote to memory of 2524	2292	14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe	32
PID 2292 wrote to memory of 2524	2292	14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe	32
PID 2524 wrote to memory of 2172	2524	svchost.exe	33
PID 2524 wrote to memory of 2172	2524	svchost.exe	33
PID 2524 wrote to memory of 2172	2524	svchost.exe	33
PID 2524 wrote to memory of 2172	2524	svchost.exe	33
PID 2524 wrote to memory of 2564	2524	svchost.exe	34
PID 2524 wrote to memory of 2564	2524	svchost.exe	34
PID 2524 wrote to memory of 2564	2524	svchost.exe	34
PID 2524 wrote to memory of 2564	2524	svchost.exe	34
PID 2524 wrote to memory of 2556	2524	svchost.exe	35
PID 2524 wrote to memory of 2556	2524	svchost.exe	35
PID 2524 wrote to memory of 2556	2524	svchost.exe	35
PID 2524 wrote to memory of 2556	2524	svchost.exe	35
PID 2524 wrote to memory of 2456	2524	svchost.exe	37
PID 2524 wrote to memory of 2456	2524	svchost.exe	37
PID 2524 wrote to memory of 2456	2524	svchost.exe	37
PID 2524 wrote to memory of 2456	2524	svchost.exe	37
PID 2172 wrote to memory of 2864	2172	cmd.exe	41
PID 2172 wrote to memory of 2864	2172	cmd.exe	41
PID 2172 wrote to memory of 2864	2172	cmd.exe	41
PID 2172 wrote to memory of 2864	2172	cmd.exe	41
PID 2564 wrote to memory of 2112	2564	cmd.exe	42
PID 2564 wrote to memory of 2112	2564	cmd.exe	42
PID 2564 wrote to memory of 2112	2564	cmd.exe	42
PID 2564 wrote to memory of 2112	2564	cmd.exe	42
PID 2456 wrote to memory of 1372	2456	cmd.exe	43
PID 2456 wrote to memory of 1372	2456	cmd.exe	43
PID 2456 wrote to memory of 1372	2456	cmd.exe	43
PID 2456 wrote to memory of 1372	2456	cmd.exe	43
PID 2556 wrote to memory of 1584	2556	cmd.exe	44
PID 2556 wrote to memory of 1584	2556	cmd.exe	44
PID 2556 wrote to memory of 1584	2556	cmd.exe	44
PID 2556 wrote to memory of 1584	2556	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uet5bcpu.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES197B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC197A.tmp"
    3⤵
    PID:2532
- C:\Users\Admin\AppData\Local\Temp\ABrRL.exe
  "C:\Users\Admin\AppData\Local\Temp\ABrRL.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2584
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:2112
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:1584
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Cry.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Cry.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Cry.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Cry.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:1372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ABrRL.exe

Filesize
4KB

MD5
0f6a88847d1662b127aecbc3339b5dfd

SHA1
7287007f9f1a2e0692a9110f15cfd33b360714b3

SHA256
5988d089da8f75fdb27b3ac5d625f09edbd2028cd625482ec29273c084b9e995

SHA512
7bb795f72f97eaecbbb089517973d00727b8d28eb256e3ba639aaacef3ffb5647b4a32e722e54aaa84893767bc0404ed0b349f1f7f73029cf086b0367a741f6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES197B.tmp

Filesize
1KB

MD5
dd24c16f0d45fa352e475874299e946a

SHA1
4608ec6e25538b269bed5b0a87fb91bd378271f7

SHA256
a8d6b2039302bea67e9ff0fb810b0da7a46bdac947519b3927c9216838ed1fd0

SHA512
afd52abfad23a6a16bda7dfbe05dddfa611b4d37decb807a375583537d67cce3a324f8bc08e03d7e0c92b445fb4afed223ee07fe7128ad24819f3acdbe27872f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC197A.tmp

Filesize
636B

MD5
cbdc36004d717169d25c6fffa894d71f

SHA1
1cfb7d7a9054412b42ba09ce95213192b4822aab

SHA256
e85d9aab041cd458db282eed73f554e0365966998cc83ed24761fc7dea161a63

SHA512
676a84925c9f974e55ad5148f8ad2bfebc375c8e59db033cde0200426de5f0304d71dc2947d31d7488ec9b53f65e414cb87f73be8fd2b347e4b515723b29094d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uet5bcpu.0.cs

Filesize
1KB

MD5
55c169ce9f7d94677c877d34a33e11b0

SHA1
aa882688c1114ddb39a5d24c3dec9bfd8adfa559

SHA256
1f59c8448f3dd92a57974773c9694a320e1a2886433007ec4fd661190d41ac79

SHA512
9be8a9eaf9c4bee309243cfc48d1d51e4915a17aaa22a27bc5b3731a8a45d862226ccdb0a4b926ad4a73637120877487844d78355b4c2d3afb958462edbba7d2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uet5bcpu.cmdline

Filesize
258B

MD5
b8474a2f70ee916a3ffe79d1c936a58e

SHA1
d4161cce5ed4e8b7c631dd202076dcf1c0c5f21a

SHA256
8b8a4db544ac59bda91a3b023941edefbf8f76729159dd6d034817b8e61a85a2

SHA512
9891bd76be714b97aa7e60ef110bc3c8ab93e223d22fb62c4b0c468903289d4e19757c9fd1c1c42c587a4bbd2f4cdab2de3612d8930de5678a5ddcd41466046d

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
memory/2292-1-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2292-2-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2292-43-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2292-0-0x0000000074571000-0x0000000074572000-memory.dmp

Filesize
4KB

Download
memory/2524-33-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2524-47-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2524-60-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2524-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2524-30-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2524-28-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2524-59-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2524-44-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2524-45-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2524-26-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2524-49-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2524-51-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2524-52-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2524-53-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2524-56-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2928-10-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2928-15-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads