latentbot | 13696fe74cc11c0f4956dd7b9b7bf1f1472d4a99db50709f995bfbd661c4f985

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18-07-2024 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58dbcf248fa9a4af5d313cd4ef8e3ad6_JaffaCakes118.exe
Size

258KB
MD5

58dbcf248fa9a4af5d313cd4ef8e3ad6
SHA1

6901a4ad179b518ad698a4472256d1783030a022
SHA256

13696fe74cc11c0f4956dd7b9b7bf1f1472d4a99db50709f995bfbd661c4f985
SHA512

713bd7c925d96bc11f5669bcfe77ab5b221a7d412c69a7a023e2ae8add55307551495e584b9d54c87c41323993b9b0ef4fc3d74d8a2701596c6f8013b87495aa
SSDEEP

3072:5G5rMlaTgOidzLWvI+Mgrq4NebArAntnU9cIw+cMYm0bPw0ctcYYYYYYYYYYYYYc:5GySidW9qaCArAtU9sMAPwJ

Score

10^/10

latentbot persistence trojan

Malware Config

Extracted

Family

latentbot

lorelyfaggot.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Executes dropped EXE 1 IoCs

pid	Process
2052	Svchost.bat

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Svchost.bat"	Svchost.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Svchost.bat"	Svchost.bat

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\LimeWire\Shared\World of Warcraft Hack Privat Edition 0.0.25.exe	58dbcf248fa9a4af5d313cd4ef8e3ad6_JaffaCakes118.exe
File created	C:\Program Files\tesla\files\Adobe_After_Effects CS4 Installer.exe	Svchost.bat
File created	C:\Program Files\kazaa lite k++\my shared folder\Windows 7 Gold Edition.exe	58dbcf248fa9a4af5d313cd4ef8e3ad6_JaffaCakes118.exe
File created	C:\Program Files\grokster\my grokster\RapidShare Premium Hacker 0.5.1.exe	Svchost.bat
File created	C:\Program Files\kazaa lite\my shared folder\World of Warcraft Hack Privat Edition 0.0.25.exe	58dbcf248fa9a4af5d313cd4ef8e3ad6_JaffaCakes118.exe
File opened for modification	C:\Program Files\grokster\my grokster\Privat Sexpictures.scr	58dbcf248fa9a4af5d313cd4ef8e3ad6_JaffaCakes118.exe
File created	C:\Program Files\kazaa lite k++\my shared folder\Counter-Strike Source BonnyHop Hack 0.4 by HaxXTeam.exe	58dbcf248fa9a4af5d313cd4ef8e3ad6_JaffaCakes118.exe
File created	C:\Program Files\winmx\shared\World of Warcraft Hack Privat Edition 0.0.25.exe	Svchost.bat
File created	C:\Program Files\tesla\files\CS Photoshop 7.0 BetaVersion Cracked.exe	Svchost.bat
File opened for modification	C:\Program Files\LimeWire\Shared\Counter-Strike Source BonnyHop Hack 0.4 by HaxXTeam.exe	Svchost.bat
File created	C:\Program Files\kazaa lite k++\my shared folder\Counter-Strike Source BonnyHop Hack 0.4 by HaxXTeam.exe	Svchost.bat
File created	C:\Program Files\LimeWire\Shared\HaxXoRs Trojan Creator.com	Svchost.bat
File created	C:\Program Files\kazaa\my shared folder\RapidShare Premium Hacker 0.5.1.exe	58dbcf248fa9a4af5d313cd4ef8e3ad6_JaffaCakes118.exe
File created	C:\Program Files\emule\incoming\Free Razzer-Account Creator 2.0.4.exe	Svchost.bat
File opened for modification	C:\Program Files\eDonkey2000\incoming\Privat Sexpictures.scr	58dbcf248fa9a4af5d313cd4ef8e3ad6_JaffaCakes118.exe
File created	C:\Program Files\eDonkey2000\incoming\RapidShare Premium Hacker 0.5.1.exe	Svchost.bat
File opened for modification	C:\Program Files\grokster\my grokster\CSS SteamPatch Installer.exe	Svchost.bat
File opened for modification	C:\Program Files\winmx\shared\RapidShare Premium Hacker 0.5.1.exe	58dbcf248fa9a4af5d313cd4ef8e3ad6_JaffaCakes118.exe
File created	C:\Program Files\LimeWire\Shared\Counter-Strike Source BonnyHop Hack 0.4 by HaxXTeam.exe	Svchost.bat
File opened for modification	C:\Program Files\kazaa lite\my shared folder\x22 100% VAC-Undetected.exe	Svchost.bat
File opened for modification	C:\Program Files\LimeWire\Shared\Msn Hacker 5.3.1 Premium Version.exe	58dbcf248fa9a4af5d313cd4ef8e3ad6_JaffaCakes118.exe
File opened for modification	C:\Program Files\emule\incoming\Windows 7 Gold Edition.exe	Svchost.bat
File created	C:\Program Files\emule\incoming\CS Photoshop 7.0 BetaVersion Cracked.exe	Svchost.bat
File opened for modification	C:\Program Files\winmx\shared\Counter-Strike Source BonnyHop Hack 0.4 by HaxXTeam.exe	Svchost.bat
File created	C:\Program Files\emule\incoming\Adobe_After_Effects CS4 Installer.exe	Svchost.bat
File opened for modification	C:\Program Files\morpheus\my shared folder\x22 100% VAC-Undetected.exe	Svchost.bat
File opened for modification	C:\Program Files\tesla\files\CSS SteamPatch Installer.exe	Svchost.bat
File created	C:\Program Files\eDonkey2000\incoming\Windows 7 Gold Edition.exe	58dbcf248fa9a4af5d313cd4ef8e3ad6_JaffaCakes118.exe
File created	C:\Program Files\grokster\my grokster\Msn Hacker 5.3.1 Premium Version.exe	58dbcf248fa9a4af5d313cd4ef8e3ad6_JaffaCakes118.exe
File opened for modification	C:\Program Files\kazaa lite\my shared folder\World of Warcraft Hack Privat Edition 0.0.25.exe	Svchost.bat
File opened for modification	C:\Program Files\kazaa lite k++\my shared folder\HaxXoRs Trojan Creator.com	Svchost.bat
File opened for modification	C:\Program Files\emule\incoming\World of Warcraft Hack Privat Edition 0.0.25.exe	Svchost.bat
File created	C:\Program Files\morpheus\my shared folder\World of Warcraft Hack Privat Edition 0.0.25.exe	58dbcf248fa9a4af5d313cd4ef8e3ad6_JaffaCakes118.exe
File created	C:\Program Files\morpheus\my shared folder\Adobe Photoshop CS4 Extended.exe	58dbcf248fa9a4af5d313cd4ef8e3ad6_JaffaCakes118.exe
File created	C:\Program Files\kazaa lite\my shared folder\Privat Sexpictures.scr	Svchost.bat
File created	C:\Program Files\tesla\files\Windows 7 Gold Edition.exe	Svchost.bat
File created	C:\Program Files\winmx\shared\CSS SteamPatch Installer.exe	Svchost.bat
File opened for modification	C:\Program Files\tesla\files\Privat Sexpictures.scr	58dbcf248fa9a4af5d313cd4ef8e3ad6_JaffaCakes118.exe
File created	C:\Program Files\kazaa\my shared folder\Free SteamGames Hack.exe	58dbcf248fa9a4af5d313cd4ef8e3ad6_JaffaCakes118.exe
File opened for modification	C:\Program Files\grokster\my grokster\CSS SteamPatch Installer.exe	58dbcf248fa9a4af5d313cd4ef8e3ad6_JaffaCakes118.exe
File opened for modification	C:\Program Files\tesla\files\Privat Sexpictures.scr	Svchost.bat
File created	C:\Program Files\kazaa lite\my shared folder\Adobe_After_Effects CS4 Installer.exe	Svchost.bat
File opened for modification	C:\Program Files\LimeWire\Shared\Counter-Strike Source BonnyHop Hack 0.4 by HaxXTeam.exe	58dbcf248fa9a4af5d313cd4ef8e3ad6_JaffaCakes118.exe
File opened for modification	C:\Program Files\eDonkey2000\incoming\CSS SteamPatch Installer.exe	58dbcf248fa9a4af5d313cd4ef8e3ad6_JaffaCakes118.exe
File opened for modification	C:\Program Files\LimeWire\Shared\RapidShare Premium Hacker 0.5.1.exe	Svchost.bat
File opened for modification	C:\Program Files\winmx\shared\CSS SteamPatch Installer.exe	Svchost.bat
File created	C:\Program Files\eDonkey2000\incoming\Adobe_After_Effects CS4 Installer.exe	Svchost.bat
File created	C:\Program Files\LimeWire\Shared\Adobe Photoshop CS4 Extended.exe	Svchost.bat
File created	C:\Program Files\kazaa\my shared folder\Adobe_After_Effects CS4 Installer.exe	Svchost.bat
File opened for modification	C:\Program Files\morpheus\my shared folder\RapidShare Premium Hacker 0.5.1.exe	Svchost.bat
File opened for modification	C:\Program Files\kazaa lite\my shared folder\Free SteamGames Hack.exe	Svchost.bat
File opened for modification	C:\Program Files\kazaa\my shared folder\Counter-Strike Source BonnyHop Hack 0.4 by HaxXTeam.exe	58dbcf248fa9a4af5d313cd4ef8e3ad6_JaffaCakes118.exe
File opened for modification	C:\Program Files\emule\incoming\Free SteamGames Hack.exe	58dbcf248fa9a4af5d313cd4ef8e3ad6_JaffaCakes118.exe
File opened for modification	C:\Program Files\kazaa lite k++\my shared folder\Free Razzer-Account Creator 2.0.4.exe	Svchost.bat
File created	C:\Program Files\winmx\shared\RapidShare Premium Hacker 0.5.1.exe	Svchost.bat
File created	C:\Program Files\morpheus\my shared folder\HaxXoRs Trojan Creator.com	58dbcf248fa9a4af5d313cd4ef8e3ad6_JaffaCakes118.exe
File opened for modification	C:\Program Files\morpheus\my shared folder\x22 100% VAC-Undetected.exe	58dbcf248fa9a4af5d313cd4ef8e3ad6_JaffaCakes118.exe
File opened for modification	C:\Program Files\kazaa lite\my shared folder\Counter-Strike Source BonnyHop Hack 0.4 by HaxXTeam.exe	Svchost.bat
File created	C:\Program Files\kazaa\my shared folder\RapidShare Premium Hacker 0.5.1.exe	Svchost.bat
File opened for modification	C:\Program Files\tesla\files\Windows 7 Gold Edition.exe	Svchost.bat
File created	C:\Program Files\morpheus\my shared folder\Msn Hacker 5.3.1 Premium Version.exe	Svchost.bat
File opened for modification	C:\Program Files\kazaa lite k++\my shared folder\x22 100% VAC-Undetected.exe	58dbcf248fa9a4af5d313cd4ef8e3ad6_JaffaCakes118.exe
File created	C:\Program Files\kazaa\my shared folder\Msn Hacker 5.3.1 Premium Version.exe	58dbcf248fa9a4af5d313cd4ef8e3ad6_JaffaCakes118.exe
File opened for modification	C:\Program Files\kazaa lite\my shared folder\RapidShare Premium Hacker 0.5.1.exe	58dbcf248fa9a4af5d313cd4ef8e3ad6_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2348	58dbcf248fa9a4af5d313cd4ef8e3ad6_JaffaCakes118.exe
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat
2052	Svchost.bat

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2348	58dbcf248fa9a4af5d313cd4ef8e3ad6_JaffaCakes118.exe
Token: SeDebugPrivilege	2052	Svchost.bat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2052	2348	58dbcf248fa9a4af5d313cd4ef8e3ad6_JaffaCakes118.exe	30
PID 2348 wrote to memory of 2052	2348	58dbcf248fa9a4af5d313cd4ef8e3ad6_JaffaCakes118.exe	30
PID 2348 wrote to memory of 2052	2348	58dbcf248fa9a4af5d313cd4ef8e3ad6_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\58dbcf248fa9a4af5d313cd4ef8e3ad6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58dbcf248fa9a4af5d313cd4ef8e3ad6_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Users\Admin\AppData\Roaming\Svchost.bat
  C:\Users\Admin\AppData\Roaming\Svchost.bat
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Svchost.bat

Filesize
258KB

MD5
58dbcf248fa9a4af5d313cd4ef8e3ad6

SHA1
6901a4ad179b518ad698a4472256d1783030a022

SHA256
13696fe74cc11c0f4956dd7b9b7bf1f1472d4a99db50709f995bfbd661c4f985

SHA512
713bd7c925d96bc11f5669bcfe77ab5b221a7d412c69a7a023e2ae8add55307551495e584b9d54c87c41323993b9b0ef4fc3d74d8a2701596c6f8013b87495aa

Download Submit
memory/2052-17-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp

Filesize
9.6MB

Download
memory/2052-26-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp

Filesize
9.6MB

Download
memory/2052-19-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp

Filesize
9.6MB

Download
memory/2052-18-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp

Filesize
9.6MB

Download
memory/2052-32-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp

Filesize
9.6MB

Download
memory/2052-9-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp

Filesize
9.6MB

Download
memory/2052-12-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp

Filesize
9.6MB

Download
memory/2052-31-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp

Filesize
9.6MB

Download
memory/2052-13-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp

Filesize
9.6MB

Download
memory/2052-10-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp

Filesize
9.6MB

Download
memory/2052-14-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp

Filesize
9.6MB

Download
memory/2052-15-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp

Filesize
9.6MB

Download
memory/2052-16-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp

Filesize
9.6MB

Download
memory/2052-30-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp

Filesize
9.6MB

Download
memory/2052-33-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp

Filesize
9.6MB

Download
memory/2052-29-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp

Filesize
9.6MB

Download
memory/2052-20-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp

Filesize
9.6MB

Download
memory/2052-21-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp

Filesize
9.6MB

Download
memory/2052-22-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp

Filesize
9.6MB

Download
memory/2052-23-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp

Filesize
9.6MB

Download
memory/2052-24-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp

Filesize
9.6MB

Download
memory/2052-25-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp

Filesize
9.6MB

Download
memory/2052-28-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp

Filesize
9.6MB

Download
memory/2052-27-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp

Filesize
9.6MB

Download
memory/2348-2-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp

Filesize
9.6MB

Download
memory/2348-3-0x000000001B090000-0x000000001B0F0000-memory.dmp

Filesize
384KB

Download
memory/2348-0-0x000007FEF59CE000-0x000007FEF59CF000-memory.dmp

Filesize
4KB

Download
memory/2348-11-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp

Filesize
9.6MB

Download
memory/2348-1-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp

Filesize
9.6MB

Download
memory/2348-4-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp

Filesize
9.6MB

Download