latentbot | 460044126526dd41770a433cdde95fed48e6580193374d7d294d4658f41547ae

General

Target

4cbc8f2138bd0c39befba55b09c65b7f_JaffaCakes118.exe
Size

1.1MB
MD5

4cbc8f2138bd0c39befba55b09c65b7f
SHA1

9bbdea4451de2f6290cdbc82ceabb180af50dde9
SHA256

460044126526dd41770a433cdde95fed48e6580193374d7d294d4658f41547ae
SHA512

18908f4542f4e1d428e050813824523e8a43ba303442405a249b4653fa027f6b57be9be865c27eed6841c21832c11dee66b7b14bdd9c7bc9e4f223d4271c5e2f
SSDEEP

24576:egHU/TTU/tpm6FE//Tct4bOsTPFh0uq+VullbArmXay:oU/tpmYSVTL/VullbAKKy

Score

10^/10

latentbot persistence spyware stealer trojan

Malware Config

Extracted

Family

latentbot

C2

butterkuchen1337.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Executes dropped EXE 2 IoCs

pid	Process
2908	Für DriveBy.exe
2752	Svchost.bat

Loads dropped DLL 1 IoCs

pid	Process
2704	4cbc8f2138bd0c39befba55b09c65b7f_JaffaCakes118.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\Svchost.bat"	Svchost.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN\ = "C:\\Users\\Admin\\AppData\\Roaming\\Svchost.bat"	Svchost.bat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2648 set thread context of 2704	2648	4cbc8f2138bd0c39befba55b09c65b7f_JaffaCakes118.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2908	Für DriveBy.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2648	4cbc8f2138bd0c39befba55b09c65b7f_JaffaCakes118.exe
Token: SeDebugPrivilege	2908	Für DriveBy.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2704	2648	4cbc8f2138bd0c39befba55b09c65b7f_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2704	2648	4cbc8f2138bd0c39befba55b09c65b7f_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2704	2648	4cbc8f2138bd0c39befba55b09c65b7f_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2704	2648	4cbc8f2138bd0c39befba55b09c65b7f_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2704	2648	4cbc8f2138bd0c39befba55b09c65b7f_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2704	2648	4cbc8f2138bd0c39befba55b09c65b7f_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2704	2648	4cbc8f2138bd0c39befba55b09c65b7f_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2704	2648	4cbc8f2138bd0c39befba55b09c65b7f_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2704	2648	4cbc8f2138bd0c39befba55b09c65b7f_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2704	2648	4cbc8f2138bd0c39befba55b09c65b7f_JaffaCakes118.exe	30
PID 2704 wrote to memory of 2908	2704	4cbc8f2138bd0c39befba55b09c65b7f_JaffaCakes118.exe	31
PID 2704 wrote to memory of 2908	2704	4cbc8f2138bd0c39befba55b09c65b7f_JaffaCakes118.exe	31
PID 2704 wrote to memory of 2908	2704	4cbc8f2138bd0c39befba55b09c65b7f_JaffaCakes118.exe	31
PID 2704 wrote to memory of 2908	2704	4cbc8f2138bd0c39befba55b09c65b7f_JaffaCakes118.exe	31
PID 2908 wrote to memory of 2752	2908	Für DriveBy.exe	32
PID 2908 wrote to memory of 2752	2908	Für DriveBy.exe	32
PID 2908 wrote to memory of 2752	2908	Für DriveBy.exe	32

C:\Users\Admin\AppData\Local\Temp\4cbc8f2138bd0c39befba55b09c65b7f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4cbc8f2138bd0c39befba55b09c65b7f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\Temp\4cbc8f2138bd0c39befba55b09c65b7f_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4cbc8f2138bd0c39befba55b09c65b7f_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Roaming\Für DriveBy.exe
    "C:\Users\Admin\AppData\Roaming\Für DriveBy.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Users\Admin\AppData\Roaming\Svchost.bat
      C:\Users\Admin\AppData\Roaming\Svchost.bat
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Für DriveBy.exe

Filesize
258KB

MD5
3b6113abe90cde76815fef7cc8c3e7a8

SHA1
0ddd4745f087f3f81a9a82b4885cfc0ee806c429

SHA256
4bce68038cd5ba4515a7e17afb4e7e188c2e9ddd3028d6a3bcc01861c6bca430

SHA512
5abd20453f0dc83ab81ec8c49fb75e5d5c09bd13c1e27a1586a70a1db7ef301ba6448962c7b52db36657912350cdf0baa2020d2c4bd7bc677ca0d0385cb7df2d

Download Submit
memory/2648-8-0x0000000074CF0000-0x000000007529B000-memory.dmp

Filesize
5.7MB

Download
memory/2648-2-0x0000000074CF0000-0x000000007529B000-memory.dmp

Filesize
5.7MB

Download
memory/2648-1-0x0000000074CF0000-0x000000007529B000-memory.dmp

Filesize
5.7MB

Download
memory/2648-0-0x0000000074CF1000-0x0000000074CF2000-memory.dmp

Filesize
4KB

Download
memory/2704-3-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2704-7-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2704-5-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2704-19-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2908-14-0x000007FEF602E000-0x000007FEF602F000-memory.dmp

Filesize
4KB

Download
memory/2908-20-0x000007FEF5D70000-0x000007FEF670D000-memory.dmp

Filesize
9.6MB

Download
memory/2908-21-0x000007FEF5D70000-0x000007FEF670D000-memory.dmp

Filesize
9.6MB

Download
memory/2908-22-0x000000001AD70000-0x000000001ADD0000-memory.dmp

Filesize
384KB

Download
memory/2908-27-0x000007FEF5D70000-0x000007FEF670D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads