latentbot | 8a475b9ed64dfc045e031c84d54086971c5f3923b4e12839c2d82665e3708a82

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 18:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4ae76ddfeed12c84125007eb18d64ddc_JaffaCakes118.exe
Size

597KB
MD5

4ae76ddfeed12c84125007eb18d64ddc
SHA1

9445dd42f9c617507d609d1bf445eed39d0da427
SHA256

8a475b9ed64dfc045e031c84d54086971c5f3923b4e12839c2d82665e3708a82
SHA512

22269d8bd32e4f16386bf065b7e5d519879cf8c9f127f912c9b6beefb51179438f045a800e056f94fbefa75df7145c6e265ce67f91f7c7fd7218da58fb2de453
SSDEEP

12288:n0ufUG9vKSDkfJWNvzfY0zInjjw/0rYD3nmC/zstEaDR5V/N/ZUs4Hh:h7lDkf0vzfYHnHw/0rYD3n1/zmR5VV/0

Score

10^/10

latentbot persistence trojan

Malware Config

Extracted

Family

latentbot

31dbff04ffa60f2b4.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Executes dropped EXE 1 IoCs

pid	Process
3780	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\WINDOWS\\svchost.exe\" start"	4ae76ddfeed12c84125007eb18d64ddc_JaffaCakes118.exe

Gathers network information 2 TTPs 13 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4936	ipconfig.exe
1768	ipconfig.exe
4560	ipconfig.exe
244	ipconfig.exe
4168	ipconfig.exe
4372	ipconfig.exe
2340	ipconfig.exe
3992	ipconfig.exe
1200	ipconfig.exe
5036	ipconfig.exe
4648	ipconfig.exe
340	ipconfig.exe
1944	ipconfig.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 3780	4296	4ae76ddfeed12c84125007eb18d64ddc_JaffaCakes118.exe	85
PID 4296 wrote to memory of 3780	4296	4ae76ddfeed12c84125007eb18d64ddc_JaffaCakes118.exe	85
PID 4296 wrote to memory of 3780	4296	4ae76ddfeed12c84125007eb18d64ddc_JaffaCakes118.exe	85
PID 3780 wrote to memory of 1200	3780	svchost.exe	87
PID 3780 wrote to memory of 1200	3780	svchost.exe	87
PID 3780 wrote to memory of 1200	3780	svchost.exe	87
PID 3780 wrote to memory of 5036	3780	svchost.exe	89
PID 3780 wrote to memory of 5036	3780	svchost.exe	89
PID 3780 wrote to memory of 5036	3780	svchost.exe	89
PID 3780 wrote to memory of 2340	3780	svchost.exe	91
PID 3780 wrote to memory of 2340	3780	svchost.exe	91
PID 3780 wrote to memory of 2340	3780	svchost.exe	91
PID 3780 wrote to memory of 4168	3780	svchost.exe	95
PID 3780 wrote to memory of 4168	3780	svchost.exe	95
PID 3780 wrote to memory of 4168	3780	svchost.exe	95
PID 3780 wrote to memory of 4936	3780	svchost.exe	98
PID 3780 wrote to memory of 4936	3780	svchost.exe	98
PID 3780 wrote to memory of 4936	3780	svchost.exe	98
PID 3780 wrote to memory of 1768	3780	svchost.exe	100
PID 3780 wrote to memory of 1768	3780	svchost.exe	100
PID 3780 wrote to memory of 1768	3780	svchost.exe	100
PID 3780 wrote to memory of 4648	3780	svchost.exe	102
PID 3780 wrote to memory of 4648	3780	svchost.exe	102
PID 3780 wrote to memory of 4648	3780	svchost.exe	102
PID 3780 wrote to memory of 4560	3780	svchost.exe	104
PID 3780 wrote to memory of 4560	3780	svchost.exe	104
PID 3780 wrote to memory of 4560	3780	svchost.exe	104
PID 3780 wrote to memory of 3992	3780	svchost.exe	106
PID 3780 wrote to memory of 3992	3780	svchost.exe	106
PID 3780 wrote to memory of 3992	3780	svchost.exe	106
PID 3780 wrote to memory of 4372	3780	svchost.exe	108
PID 3780 wrote to memory of 4372	3780	svchost.exe	108
PID 3780 wrote to memory of 4372	3780	svchost.exe	108
PID 3780 wrote to memory of 340	3780	svchost.exe	110
PID 3780 wrote to memory of 340	3780	svchost.exe	110
PID 3780 wrote to memory of 340	3780	svchost.exe	110
PID 3780 wrote to memory of 1944	3780	svchost.exe	112
PID 3780 wrote to memory of 1944	3780	svchost.exe	112
PID 3780 wrote to memory of 1944	3780	svchost.exe	112
PID 3780 wrote to memory of 244	3780	svchost.exe	114
PID 3780 wrote to memory of 244	3780	svchost.exe	114
PID 3780 wrote to memory of 244	3780	svchost.exe	114

C:\Users\Admin\AppData\Local\Temp\4ae76ddfeed12c84125007eb18d64ddc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4ae76ddfeed12c84125007eb18d64ddc_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Users\Admin\WINDOWS\svchost.exe
  C:\Users\Admin\WINDOWS\svchost.exe start
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3780
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:1200
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:5036
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:2340
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:4168
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:4936
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:1768
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:4648
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:4560
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:3992
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:4372
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:340
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:1944
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\WINDOWS\svchost.exe

Filesize
597KB

MD5
4ae76ddfeed12c84125007eb18d64ddc

SHA1
9445dd42f9c617507d609d1bf445eed39d0da427

SHA256
8a475b9ed64dfc045e031c84d54086971c5f3923b4e12839c2d82665e3708a82

SHA512
22269d8bd32e4f16386bf065b7e5d519879cf8c9f127f912c9b6beefb51179438f045a800e056f94fbefa75df7145c6e265ce67f91f7c7fd7218da58fb2de453

Download Submit
memory/3780-7-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3780-8-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/3780-13-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3780-14-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/4296-0-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4296-1-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/4296-10-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads