latentbot | d00fd88e780163fd9d282edc5bf0788fb0533fa99605e86561477fe337467b89

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
16-07-2024 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

502d38dcae1338df8a354aa91b914718_JaffaCakes118.exe
Size

138KB
MD5

502d38dcae1338df8a354aa91b914718
SHA1

7bbe105fe9b441487cf80da7ea0190c42edae83b
SHA256

d00fd88e780163fd9d282edc5bf0788fb0533fa99605e86561477fe337467b89
SHA512

a0ad108d758cab8f517cc967e8aaa7f4c8a1e1b740f2b8c99ecee723d7e8cc2b8c0586ed72c777b1fb92bb307afb889d458d7290e0950d133a17d1de373f4bcf
SSDEEP

3072:lu8fPAknITDcn8bhLw5YHJrDfqp3rLIIZjyCPS8/1cDNr/QyAsrCEl:luOPALk+hLw5YHQpPNjF/+DNbjrN

Score

10^/10

latentbot persistence spyware stealer trojan

Malware Config

Extracted

Family

latentbot

crackseller.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Deletes itself 1 IoCs

pid	Process
1132	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
316	aglau.exe

Loads dropped DLL 2 IoCs

pid	Process
2552	502d38dcae1338df8a354aa91b914718_JaffaCakes118.exe
2552	502d38dcae1338df8a354aa91b914718_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\{985A3A7E-464E-15C9-411D-74EFD21D3ED9} = "C:\\Users\\Admin\\AppData\\Roaming\\Ruta\\aglau.exe"	aglau.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2552 set thread context of 1132	2552	502d38dcae1338df8a354aa91b914718_JaffaCakes118.exe	33

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	502d38dcae1338df8a354aa91b914718_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Privacy	502d38dcae1338df8a354aa91b914718_JaffaCakes118.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\31132069-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
316	aglau.exe
316	aglau.exe
316	aglau.exe
316	aglau.exe
316	aglau.exe
316	aglau.exe
316	aglau.exe
316	aglau.exe
316	aglau.exe
316	aglau.exe
316	aglau.exe
316	aglau.exe
316	aglau.exe
316	aglau.exe
316	aglau.exe
316	aglau.exe
316	aglau.exe
316	aglau.exe
316	aglau.exe
316	aglau.exe
316	aglau.exe
316	aglau.exe
316	aglau.exe
316	aglau.exe
316	aglau.exe
316	aglau.exe
316	aglau.exe
316	aglau.exe
316	aglau.exe
316	aglau.exe
316	aglau.exe
316	aglau.exe
316	aglau.exe
316	aglau.exe
316	aglau.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2552	502d38dcae1338df8a354aa91b914718_JaffaCakes118.exe
Token: SeSecurityPrivilege	2552	502d38dcae1338df8a354aa91b914718_JaffaCakes118.exe
Token: SeSecurityPrivilege	2552	502d38dcae1338df8a354aa91b914718_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2032	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2032	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2032	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2032	WinMail.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 316	2552	502d38dcae1338df8a354aa91b914718_JaffaCakes118.exe	30
PID 2552 wrote to memory of 316	2552	502d38dcae1338df8a354aa91b914718_JaffaCakes118.exe	30
PID 2552 wrote to memory of 316	2552	502d38dcae1338df8a354aa91b914718_JaffaCakes118.exe	30
PID 2552 wrote to memory of 316	2552	502d38dcae1338df8a354aa91b914718_JaffaCakes118.exe	30
PID 316 wrote to memory of 1108	316	aglau.exe	19
PID 316 wrote to memory of 1108	316	aglau.exe	19
PID 316 wrote to memory of 1108	316	aglau.exe	19
PID 316 wrote to memory of 1108	316	aglau.exe	19
PID 316 wrote to memory of 1108	316	aglau.exe	19
PID 316 wrote to memory of 1156	316	aglau.exe	20
PID 316 wrote to memory of 1156	316	aglau.exe	20
PID 316 wrote to memory of 1156	316	aglau.exe	20
PID 316 wrote to memory of 1156	316	aglau.exe	20
PID 316 wrote to memory of 1156	316	aglau.exe	20
PID 316 wrote to memory of 1192	316	aglau.exe	21
PID 316 wrote to memory of 1192	316	aglau.exe	21
PID 316 wrote to memory of 1192	316	aglau.exe	21
PID 316 wrote to memory of 1192	316	aglau.exe	21
PID 316 wrote to memory of 1192	316	aglau.exe	21
PID 316 wrote to memory of 1568	316	aglau.exe	25
PID 316 wrote to memory of 1568	316	aglau.exe	25
PID 316 wrote to memory of 1568	316	aglau.exe	25
PID 316 wrote to memory of 1568	316	aglau.exe	25
PID 316 wrote to memory of 1568	316	aglau.exe	25
PID 316 wrote to memory of 2552	316	aglau.exe	29
PID 316 wrote to memory of 2552	316	aglau.exe	29
PID 316 wrote to memory of 2552	316	aglau.exe	29
PID 316 wrote to memory of 2552	316	aglau.exe	29
PID 316 wrote to memory of 2552	316	aglau.exe	29
PID 2552 wrote to memory of 1132	2552	502d38dcae1338df8a354aa91b914718_JaffaCakes118.exe	33
PID 2552 wrote to memory of 1132	2552	502d38dcae1338df8a354aa91b914718_JaffaCakes118.exe	33
PID 2552 wrote to memory of 1132	2552	502d38dcae1338df8a354aa91b914718_JaffaCakes118.exe	33
PID 2552 wrote to memory of 1132	2552	502d38dcae1338df8a354aa91b914718_JaffaCakes118.exe	33
PID 2552 wrote to memory of 1132	2552	502d38dcae1338df8a354aa91b914718_JaffaCakes118.exe	33
PID 2552 wrote to memory of 1132	2552	502d38dcae1338df8a354aa91b914718_JaffaCakes118.exe	33
PID 2552 wrote to memory of 1132	2552	502d38dcae1338df8a354aa91b914718_JaffaCakes118.exe	33
PID 2552 wrote to memory of 1132	2552	502d38dcae1338df8a354aa91b914718_JaffaCakes118.exe	33
PID 2552 wrote to memory of 1132	2552	502d38dcae1338df8a354aa91b914718_JaffaCakes118.exe	33
PID 316 wrote to memory of 2780	316	aglau.exe	35
PID 316 wrote to memory of 2780	316	aglau.exe	35
PID 316 wrote to memory of 2780	316	aglau.exe	35
PID 316 wrote to memory of 2780	316	aglau.exe	35
PID 316 wrote to memory of 2780	316	aglau.exe	35
PID 316 wrote to memory of 2644	316	aglau.exe	36
PID 316 wrote to memory of 2644	316	aglau.exe	36
PID 316 wrote to memory of 2644	316	aglau.exe	36
PID 316 wrote to memory of 2644	316	aglau.exe	36
PID 316 wrote to memory of 2644	316	aglau.exe	36
PID 316 wrote to memory of 2004	316	aglau.exe	37
PID 316 wrote to memory of 2004	316	aglau.exe	37
PID 316 wrote to memory of 2004	316	aglau.exe	37
PID 316 wrote to memory of 2004	316	aglau.exe	37
PID 316 wrote to memory of 2004	316	aglau.exe	37
PID 316 wrote to memory of 1100	316	aglau.exe	38
PID 316 wrote to memory of 1100	316	aglau.exe	38
PID 316 wrote to memory of 1100	316	aglau.exe	38
PID 316 wrote to memory of 1100	316	aglau.exe	38
PID 316 wrote to memory of 1100	316	aglau.exe	38

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1108

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1156

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\502d38dcae1338df8a354aa91b914718_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\502d38dcae1338df8a354aa91b914718_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Users\Admin\AppData\Roaming\Ruta\aglau.exe
    "C:\Users\Admin\AppData\Roaming\Ruta\aglau.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:316
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp6a88933d.bat"
    3⤵
    - Deletes itself
    PID:1132

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1568

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2032

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2780

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2644

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2004

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
2.0MB

MD5
446f1a8d1315bd6d774ac9d1bc3cd081

SHA1
e25d167e37d8cea31911d4b6aac8e97796abbbdd

SHA256
26faf80935c58454a09846a1d24a2e5a5a351a947921413c4b97089231cd1525

SHA512
85ada7fe67aecb1d9603c480cf371355e13e7d1cc361c0bfcc862a2eaf76e2d8ab9bccaf4f0a343a1b2a6f1c0ba99a6ef3dfe388dc86ea4a02375f882cf275f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6a88933d.bat

Filesize
271B

MD5
7a140abe691a9447070e76ac1bbeb7d1

SHA1
a4d3aacb1e48888568d6e55436066af749b150f5

SHA256
a9843a12c07ee84a84dd5371879c85e7e2c61253129f48c8a4f0e8c2dc5f264b

SHA512
b4596f72941b39ad22eefb781f517f8a8f4fe2a3c25fae6af6d668caf660800283bd0b0c093978e4658c5652788bbf72570f2f7d1aadfc513900f5ecddeca652

Download Submit
C:\Users\Admin\AppData\Roaming\Insuf\falaa.ahh

Filesize
380B

MD5
76e6bd4ca540ed25cfde278ecae4a55a

SHA1
b0e797557a95df331752d677f2bebb72ed4a5bd3

SHA256
7016e72c235345357e0fda59903fece4ef1d5c1b4ada49c8007b739d14881e7b

SHA512
5114e29106e6a74224aced099f43f82bf5127e378813503366d18586c28ffe22ce0eb6a30803caead2e21c5cd1190bf93a5e79a855d36808858e6074b3725bbe

Download Submit
\Users\Admin\AppData\Roaming\Ruta\aglau.exe

Filesize
138KB

MD5
2c168fc142094c13a4b6a7e73af33b9c

SHA1
b7e5ba671467bfe90bfcbecfae936da26bed601a

SHA256
5193f4e6ee8c1a38952d545dd7ed9162461d13955c1f255534e8e6d7c5eb0640

SHA512
41a0dcd0700a376957318ff631118cfafd19cabbb5668933731d0815b73b13de22ce2490846ce9b34b322f84fef60d82e6596f76590a7824c79e5c486640a9c0

Download Submit
memory/1108-15-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/1108-10-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/1108-12-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/1108-13-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/1108-14-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/1156-17-0x0000000000230000-0x0000000000257000-memory.dmp

Filesize
156KB

Download
memory/1156-18-0x0000000000230000-0x0000000000257000-memory.dmp

Filesize
156KB

Download
memory/1156-19-0x0000000000230000-0x0000000000257000-memory.dmp

Filesize
156KB

Download
memory/1156-20-0x0000000000230000-0x0000000000257000-memory.dmp

Filesize
156KB

Download
memory/1192-22-0x0000000002560000-0x0000000002587000-memory.dmp

Filesize
156KB

Download
memory/1192-23-0x0000000002560000-0x0000000002587000-memory.dmp

Filesize
156KB

Download
memory/1192-24-0x0000000002560000-0x0000000002587000-memory.dmp

Filesize
156KB

Download
memory/1192-25-0x0000000002560000-0x0000000002587000-memory.dmp

Filesize
156KB

Download
memory/1568-29-0x0000000001D40000-0x0000000001D67000-memory.dmp

Filesize
156KB

Download
memory/1568-30-0x0000000001D40000-0x0000000001D67000-memory.dmp

Filesize
156KB

Download
memory/1568-27-0x0000000001D40000-0x0000000001D67000-memory.dmp

Filesize
156KB

Download
memory/1568-28-0x0000000001D40000-0x0000000001D67000-memory.dmp

Filesize
156KB

Download
memory/2552-122-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2552-57-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2552-39-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2552-37-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2552-34-0x0000000001D70000-0x0000000001D97000-memory.dmp

Filesize
156KB

Download
memory/2552-33-0x0000000001D70000-0x0000000001D97000-memory.dmp

Filesize
156KB

Download
memory/2552-32-0x0000000001D70000-0x0000000001D97000-memory.dmp

Filesize
156KB

Download
memory/2552-43-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2552-45-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2552-47-0x0000000001D70000-0x0000000001D97000-memory.dmp

Filesize
156KB

Download
memory/2552-49-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2552-51-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2552-53-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2552-41-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2552-61-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2552-63-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2552-65-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2552-67-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2552-69-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2552-71-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2552-73-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2552-75-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2552-35-0x0000000001D70000-0x0000000001D97000-memory.dmp

Filesize
156KB

Download
memory/2552-59-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2552-55-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2552-48-0x0000000077550000-0x0000000077551000-memory.dmp

Filesize
4KB

Download
memory/2552-210-0x0000000001D70000-0x0000000001D97000-memory.dmp

Filesize
156KB

Download
memory/2552-36-0x0000000001D70000-0x0000000001D97000-memory.dmp

Filesize
156KB

Download