latentbot | ba26910aee89ac869e6f56bcfba36c31c811d7fd5892ec34831873dac1eb3bdf

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe
Size

781KB
MD5

14f75b2eb7c9e8e722489b60d1aac52a
SHA1

a7babe3d0d25689bd4899a95f7d9ac746df7f61d
SHA256

ba26910aee89ac869e6f56bcfba36c31c811d7fd5892ec34831873dac1eb3bdf
SHA512

7010fd8a3f6e24328ba2672b813102f6097505d90f8dab85bae818edc8277e75284003d263c999f22834eb13c70e8282df66585e489468b828028f4c63e6fb83
SSDEEP

12288:L5////cHfaAwe3erIn9Zo/a46rOpqFmORcibq3Uips8Zn4IH:L5////c/aAwbr2oJ6rELOyB3Ui3ZB

Score

10^/10

latentbot evasion persistence trojan

Malware Config

Extracted

Family

latentbot

willsminecraftsvr.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Modifies firewall policy service 3 TTPs 10 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\Cry.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Cry.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\svchost.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3264	ABrRL.exe
3932	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\javaw.exe"	ABrRL.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2880 set thread context of 3932	2880	14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
364	reg.exe
4940	reg.exe
3324	reg.exe
4020	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe
Token: 1	3932	svchost.exe
Token: SeCreateTokenPrivilege	3932	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	3932	svchost.exe
Token: SeLockMemoryPrivilege	3932	svchost.exe
Token: SeIncreaseQuotaPrivilege	3932	svchost.exe
Token: SeMachineAccountPrivilege	3932	svchost.exe
Token: SeTcbPrivilege	3932	svchost.exe
Token: SeSecurityPrivilege	3932	svchost.exe
Token: SeTakeOwnershipPrivilege	3932	svchost.exe
Token: SeLoadDriverPrivilege	3932	svchost.exe
Token: SeSystemProfilePrivilege	3932	svchost.exe
Token: SeSystemtimePrivilege	3932	svchost.exe
Token: SeProfSingleProcessPrivilege	3932	svchost.exe
Token: SeIncBasePriorityPrivilege	3932	svchost.exe
Token: SeCreatePagefilePrivilege	3932	svchost.exe
Token: SeCreatePermanentPrivilege	3932	svchost.exe
Token: SeBackupPrivilege	3932	svchost.exe
Token: SeRestorePrivilege	3932	svchost.exe
Token: SeShutdownPrivilege	3932	svchost.exe
Token: SeDebugPrivilege	3932	svchost.exe
Token: SeAuditPrivilege	3932	svchost.exe
Token: SeSystemEnvironmentPrivilege	3932	svchost.exe
Token: SeChangeNotifyPrivilege	3932	svchost.exe
Token: SeRemoteShutdownPrivilege	3932	svchost.exe
Token: SeUndockPrivilege	3932	svchost.exe
Token: SeSyncAgentPrivilege	3932	svchost.exe
Token: SeEnableDelegationPrivilege	3932	svchost.exe
Token: SeManageVolumePrivilege	3932	svchost.exe
Token: SeImpersonatePrivilege	3932	svchost.exe
Token: SeCreateGlobalPrivilege	3932	svchost.exe
Token: 31	3932	svchost.exe
Token: 32	3932	svchost.exe
Token: 33	3932	svchost.exe
Token: 34	3932	svchost.exe
Token: 35	3932	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3932	svchost.exe
3932	svchost.exe
3932	svchost.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2948	2880	14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe	82
PID 2880 wrote to memory of 2948	2880	14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe	82
PID 2880 wrote to memory of 2948	2880	14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe	82
PID 2948 wrote to memory of 3668	2948	csc.exe	84
PID 2948 wrote to memory of 3668	2948	csc.exe	84
PID 2948 wrote to memory of 3668	2948	csc.exe	84
PID 2880 wrote to memory of 3264	2880	14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe	85
PID 2880 wrote to memory of 3264	2880	14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe	85
PID 2880 wrote to memory of 3264	2880	14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe	85
PID 2880 wrote to memory of 3932	2880	14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe	86
PID 2880 wrote to memory of 3932	2880	14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe	86
PID 2880 wrote to memory of 3932	2880	14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe	86
PID 2880 wrote to memory of 3932	2880	14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe	86
PID 2880 wrote to memory of 3932	2880	14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe	86
PID 2880 wrote to memory of 3932	2880	14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe	86
PID 2880 wrote to memory of 3932	2880	14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe	86
PID 2880 wrote to memory of 3932	2880	14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe	86
PID 3932 wrote to memory of 4100	3932	svchost.exe	87
PID 3932 wrote to memory of 4100	3932	svchost.exe	87
PID 3932 wrote to memory of 4100	3932	svchost.exe	87
PID 3932 wrote to memory of 4004	3932	svchost.exe	88
PID 3932 wrote to memory of 4004	3932	svchost.exe	88
PID 3932 wrote to memory of 4004	3932	svchost.exe	88
PID 3932 wrote to memory of 4136	3932	svchost.exe	89
PID 3932 wrote to memory of 4136	3932	svchost.exe	89
PID 3932 wrote to memory of 4136	3932	svchost.exe	89
PID 3932 wrote to memory of 2500	3932	svchost.exe	90
PID 3932 wrote to memory of 2500	3932	svchost.exe	90
PID 3932 wrote to memory of 2500	3932	svchost.exe	90
PID 4136 wrote to memory of 3324	4136	cmd.exe	95
PID 4136 wrote to memory of 3324	4136	cmd.exe	95
PID 4136 wrote to memory of 3324	4136	cmd.exe	95
PID 2500 wrote to memory of 4020	2500	cmd.exe	96
PID 2500 wrote to memory of 4020	2500	cmd.exe	96
PID 2500 wrote to memory of 4020	2500	cmd.exe	96
PID 4100 wrote to memory of 364	4100	cmd.exe	97
PID 4100 wrote to memory of 364	4100	cmd.exe	97
PID 4100 wrote to memory of 364	4100	cmd.exe	97
PID 4004 wrote to memory of 4940	4004	cmd.exe	98
PID 4004 wrote to memory of 4940	4004	cmd.exe	98
PID 4004 wrote to memory of 4940	4004	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2t1qo_uq.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C1D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4C1C.tmp"
    3⤵
    PID:3668
- C:\Users\Admin\AppData\Local\Temp\ABrRL.exe
  "C:\Users\Admin\AppData\Local\Temp\ABrRL.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3264
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3932
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4100
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:364
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4004
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:4940
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4136
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:3324
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Cry.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Cry.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Cry.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Cry.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:4020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ABrRL.exe

Filesize
4KB

MD5
a4fefaf447b640e9624cad13c38e2f1e

SHA1
3bcd38dadb328f5211ddd33e06dec18396782602

SHA256
20dd2763928cba2eb9f1116cac8f1814df848297b693feda5bf194b9602ef93d

SHA512
285cb0296dfc27d951c8a95ba8f1132d70a1d07099e35f6d060dd10632b5f1dfb6266e7e06da4f9a0257fb51d5146967389773209cb94f5cf63871e466d54313

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4C1D.tmp

Filesize
1KB

MD5
3d497df83e9255e5cf3576e63f373bc2

SHA1
6913f0b1b17ecfe0b5e06a3e7d5d1d6d84c4b5ea

SHA256
e69c227396d8ae360306d869b831cb6afa2cabf83d144863c6c1ac7c23775273

SHA512
9b5b06ff88235341e505f2b680960b061c2dae5aa51ad3b0b5987f42416b9deea3915fa4246b26508ded30128ebc9e38b6dd67e5725eb4e7c0fd679774bfb6c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2t1qo_uq.0.cs

Filesize
1KB

MD5
55c169ce9f7d94677c877d34a33e11b0

SHA1
aa882688c1114ddb39a5d24c3dec9bfd8adfa559

SHA256
1f59c8448f3dd92a57974773c9694a320e1a2886433007ec4fd661190d41ac79

SHA512
9be8a9eaf9c4bee309243cfc48d1d51e4915a17aaa22a27bc5b3731a8a45d862226ccdb0a4b926ad4a73637120877487844d78355b4c2d3afb958462edbba7d2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2t1qo_uq.cmdline

Filesize
258B

MD5
d9caa5830fdcc9a55fb9e38fe915cc43

SHA1
4a8f19c8f23c7a99d6b81c4361bf882d4a40cab5

SHA256
a0920d2209291ab2dabbaf742a6a62aea38376f02b3f4cbeb1eeaded86a2fb16

SHA512
cc2a4388bd103ca085ccd52070d393db8e2f9269c3aceb5ea0c2c7d179bca64168ded42841829c70383967e354cbd3215f063dbba73e9ee96df9a7b4498b5b3a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC4C1C.tmp

Filesize
636B

MD5
cbdc36004d717169d25c6fffa894d71f

SHA1
1cfb7d7a9054412b42ba09ce95213192b4822aab

SHA256
e85d9aab041cd458db282eed73f554e0365966998cc83ed24761fc7dea161a63

SHA512
676a84925c9f974e55ad5148f8ad2bfebc375c8e59db033cde0200426de5f0304d71dc2947d31d7488ec9b53f65e414cb87f73be8fd2b347e4b515723b29094d

Download Submit
memory/2880-31-0x0000000075510000-0x0000000075AC1000-memory.dmp

Filesize
5.7MB

Download
memory/2880-1-0x0000000075510000-0x0000000075AC1000-memory.dmp

Filesize
5.7MB

Download
memory/2880-2-0x0000000075510000-0x0000000075AC1000-memory.dmp

Filesize
5.7MB

Download
memory/2880-0-0x0000000075512000-0x0000000075513000-memory.dmp

Filesize
4KB

Download
memory/2948-10-0x0000000075510000-0x0000000075AC1000-memory.dmp

Filesize
5.7MB

Download
memory/2948-15-0x0000000075510000-0x0000000075AC1000-memory.dmp

Filesize
5.7MB

Download
memory/3264-39-0x0000000075510000-0x0000000075AC1000-memory.dmp

Filesize
5.7MB

Download
memory/3264-21-0x0000000075510000-0x0000000075AC1000-memory.dmp

Filesize
5.7MB

Download
memory/3932-41-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3932-34-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3932-37-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3932-38-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3932-29-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3932-24-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3932-42-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3932-43-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3932-45-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3932-46-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3932-49-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3932-51-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3932-55-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads