Overview

overview

10

Static

static

7

3dbb00c316...18.exe

windows7-x64

10

3dbb00c316...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-07-2024 14:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3dbb00c31685692e642fbd2aad6a3d58_JaffaCakes118.exe

  • Size

    451KB

  • MD5

    3dbb00c31685692e642fbd2aad6a3d58

  • SHA1

    8a3941564d1194deda519ff91d146bf0eb3392fb

  • SHA256

    447c83388c5421ae282ecc957bb30ae7b17e388b8dd6a9aa31a6700b4be72cef

  • SHA512

    a8efbc712991ee8b1194d1862f4d54337634d3628e464c03f061913fb6276a90920dde557e611cefa64a6afbc09d4972a4188dec203a381cfd60444815403d53

  • SSDEEP

    6144:2K3HTNGVvHI2zBHng5HaVsbZgRnyR4mULJhkHM6jI7H1D7puVS:x3HcVvo21ga0aQ4HLJhkHM6jI7VD7w

Score
10/10
latentbotevasionpersistencetrojanupx

Malware Config

Extracted

Family

latentbot

C2

1juliagaetz.zapto.org

2juliagaetz.zapto.org

3juliagaetz.zapto.org

4juliagaetz.zapto.org

5juliagaetz.zapto.org

6juliagaetz.zapto.org

7juliagaetz.zapto.org

8juliagaetz.zapto.org

Signatures

  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

    trojanlatentbot
  • Modifies firewall policy service 3 TTPs 10 IoCs
    evasion
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3dbb00c31685692e642fbd2aad6a3d58_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3dbb00c31685692e642fbd2aad6a3d58_JaffaCakes118.exe"
    1⤵
    • Adds policy Run key to start application
    • Boot or Logon Autostart Execution: Active Setup
    • Adds Run key to start application
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3372
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2576
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • Modifies firewall policy service
        • Modifies registry key
        PID:544
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\3dbb00c31685692e642fbd2aad6a3d58_JaffaCakes118.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\3dbb00c31685692e642fbd2aad6a3d58_JaffaCakes118.exe:*:Enabled:Windows Messanger" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:916
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\3dbb00c31685692e642fbd2aad6a3d58_JaffaCakes118.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\3dbb00c31685692e642fbd2aad6a3d58_JaffaCakes118.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • Modifies firewall policy service
        • Modifies registry key
        PID:2900
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4008
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • Modifies firewall policy service
        • Modifies registry key
        PID:1916
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4620
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • Modifies firewall policy service
        • Modifies registry key
        PID:3552

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3372-0-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/3372-4-0x0000000075C51000-0x0000000075C52000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3372-5-0x0000000075C30000-0x0000000075D20000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3372-6-0x0000000075C30000-0x0000000075D20000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3372-7-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/3372-10-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/3372-11-0x0000000075C30000-0x0000000075D20000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3372-15-0x0000000075C30000-0x0000000075D20000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3372-20-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/3372-27-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/3372-30-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/3372-33-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/3372-37-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/3372-40-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/3372-43-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/3372-53-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download