latentbot | 997784f4e7cc196eb51e63bcadb8f9eb1df487659f7aff1a15b3b261b7386099

Analysis

max time kernel
145s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
16-07-2024 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

506164d289c9268c2d5110fbbd1f869f_JaffaCakes118.exe
Size

229KB
MD5

506164d289c9268c2d5110fbbd1f869f
SHA1

1859f5ab624f041229bf5bcc0fc7e51ce37c1759
SHA256

997784f4e7cc196eb51e63bcadb8f9eb1df487659f7aff1a15b3b261b7386099
SHA512

cce94d6d82bed96da23862ab7b2c85e4000429894fa807b9822084318014a65d58e64ce9988149329489fc05a1fd03e230c94fa5598d7419d76b0e097a9af2ff
SSDEEP

3072:7hergNTIyV6vM3XhfUbsGu/lNovKmvjMHrOitCNbu2ifOf73Nrtahv2m5FIhz:NenlqHrOicNKCTNkx5Fez

Score

10^/10

latentbot persistence trojan

Malware Config

Extracted

Family

latentbot

hostboot267.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Executes dropped EXE 2 IoCs

pid	Process
2276	CryptedFile.exe
2820	winlog.exe

Loads dropped DLL 3 IoCs

pid	Process
2276	CryptedFile.exe
2276	CryptedFile.exe
2276	CryptedFile.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlog.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\winlog.exe"	winlog.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2276	2988	506164d289c9268c2d5110fbbd1f869f_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2276	2988	506164d289c9268c2d5110fbbd1f869f_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2276	2988	506164d289c9268c2d5110fbbd1f869f_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2276	2988	506164d289c9268c2d5110fbbd1f869f_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2820	2276	CryptedFile.exe	31
PID 2276 wrote to memory of 2820	2276	CryptedFile.exe	31
PID 2276 wrote to memory of 2820	2276	CryptedFile.exe	31
PID 2276 wrote to memory of 2820	2276	CryptedFile.exe	31

C:\Users\Admin\AppData\Local\Temp\506164d289c9268c2d5110fbbd1f869f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\506164d289c9268c2d5110fbbd1f869f_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Users\Admin\AppData\Local\Temp\CryptedFile.exe
  "C:\Users\Admin\AppData\Local\Temp\CryptedFile.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Users\Admin\AppData\Roaming\Microsoft\winlog.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\winlog.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CryptedFile.exe

Filesize
141KB

MD5
947c974f2b1db545412ae5353acce2c0

SHA1
f6ff7c69cd4ee5bbdd533bb02e74f6b9c46d5ca2

SHA256
48d50670d4e3df6b476284919c12553a59073069291b7127e6538e0ad045e561

SHA512
576e2458b5524168e4946920d9e35ca503d4a6917f0f4064c11faf51edae342e7b553a1e1eb206720e63e6e6abc733577f8ce80b37639f1e8e411265d0976ebe

Download Submit
memory/2276-25-0x0000000011490000-0x00000000114BA000-memory.dmp

Filesize
168KB

Download
memory/2820-26-0x0000000011490000-0x00000000114BA000-memory.dmp

Filesize
168KB

Download
memory/2988-0-0x000007FEF574E000-0x000007FEF574F000-memory.dmp

Filesize
4KB

Download
memory/2988-1-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2988-2-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2988-4-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2988-14-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads