Extracted

• • Target

    502d38dcae1338df8a354aa91b914718_JaffaCakes118

  • Size

    138KB

  • MD5

    502d38dcae1338df8a354aa91b914718

  • SHA1

    7bbe105fe9b441487cf80da7ea0190c42edae83b

  • SHA256

    d00fd88e780163fd9d282edc5bf0788fb0533fa99605e86561477fe337467b89

  • SHA512

    a0ad108d758cab8f517cc967e8aaa7f4c8a1e1b740f2b8c99ecee723d7e8cc2b8c0586ed72c777b1fb92bb307afb889d458d7290e0950d133a17d1de373f4bcf

  • SSDEEP

    3072:lu8fPAknITDcn8bhLw5YHJrDfqp3rLIIZjyCPS8/1cDNr/QyAsrCEl:luOPALk+hLw5YHQpPNjF/+DNbjrN

  Score

  10^/10

  latentbotpersistencespywarestealertrojan

  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

    trojanlatentbot

  • Deletes itself

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2