Analysis

  • max time kernel
    148s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-07-2024 04:32

General

  • Target

    5a7a2143b1af1c765c4771c8eb218d7a_JaffaCakes118.exe

  • Size

    568KB

  • MD5

    5a7a2143b1af1c765c4771c8eb218d7a

  • SHA1

    44bff0051333b9f0b11e92334c52139e848a64cd

  • SHA256

    e712e370e41df79390877580930f72642efe97a874730e3eb87184356faa3b15

  • SHA512

    0e0ba548d938f38ba6059df0a007edb074a32639e6d1ccdd93fdea544975892febfeb9aceae0a436fa02b4ef09649b61a0163c282106dcfebcf833f7c038349a

  • SSDEEP

    12288:o3nZMhJ+ubNWSPcxMSaMlZFm88t52CDR0d8sOLKDSOby7:o3nZqfbNPcW22Jt5BDRXsOLYSObU

Malware Config

Extracted

Family

latentbot

C2

1microsoftx.zapto.org

2microsoftx.zapto.org

3microsoftx.zapto.org

4microsoftx.zapto.org

5microsoftx.zapto.org

6microsoftx.zapto.org

7microsoftx.zapto.org

8microsoftx.zapto.org

Signatures

  • LatentBot

    Modular trojan written in Delphi that has been in the wild since 2013.

  • Modifies firewall policy service 3 TTPs 10 IoCs
  • UAC bypass 3 TTPs 2 IoCs
  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 13 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX or with a modified build of the open-source UPX packer.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system; its helper-DLL mechanism can be abused to load an attacker DLL whenever netsh runs. In this run netsh is invoked only to add a firewall exception for C:\ProgramData\wscntfy.exe (see the process tree); no helper DLL registration is visible.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 58 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5a7a2143b1af1c765c4771c8eb218d7a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5a7a2143b1af1c765c4771c8eb218d7a_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:292
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.cmd" "
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2520
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Gerichtsdokumente.exe
        Gerichtsdokumente.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1728
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Gerichtsdokumente.exe
          C:\Users\Admin\AppData\Local\Temp\RarSFX0\Gerichtsdokumente.exe
          4⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2336
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            PID:2888
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              6⤵
              • Modifies firewall policy service
              • Modifies registry key
              PID:2700
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Gerichtsdokumente.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Gerichtsdokumente.exe:*:Enabled:Windows Messanger" /f
            5⤵
            PID:2904
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Gerichtsdokumente.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Gerichtsdokumente.exe:*:Enabled:Windows Messanger" /f
              6⤵
              • Modifies firewall policy service
              • Modifies registry key
              PID:748
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            PID:2740
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              6⤵
              • Modifies firewall policy service
              • Modifies registry key
              PID:3048
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Gerichtsdokumente.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Gerichtsdokumente.exe:*:Enabled:Windows Messanger" /f
            5⤵
            PID:2616
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Gerichtsdokumente.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Gerichtsdokumente.exe:*:Enabled:Windows Messanger" /f
              6⤵
              • Modifies firewall policy service
              • Modifies registry key
              PID:1536
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\mama.exe
        mama.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        PID:2664
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\mama.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX0\mama.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          PID:1012
          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\mama.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX0\mama.exe"
            5⤵
            • Modifies firewall policy service
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            PID:1196
            • C:\Users\Admin\AppData\Roaming\Security Deamonu\Shield.exe
              "C:\Users\Admin\AppData\Roaming\Security Deamonu\Shield.exe" in
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • Suspicious use of SetWindowsHookEx
              PID:524
              • C:\Users\Admin\AppData\Roaming\Security Deamonu\Shield.exe
                "C:\Users\Admin\AppData\Roaming\Security Deamonu\Shield.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetThreadContext
                PID:392
                • C:\Users\Admin\AppData\Roaming\Security Deamonu\Shield.exe
                  "C:\Users\Admin\AppData\Roaming\Security Deamonu\Shield.exe"
                  8⤵
                  • Executes dropped EXE
                  PID:1228
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\xd.exe
        xd.exe
        3⤵
        • UAC bypass
        • Adds policy Run key to start application
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in Program Files directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2468
        • C:\ProgramData\wscntfy.exe
          "C:\ProgramData\wscntfy.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of AdjustPrivilegeToken
          • System policy modification
          PID:2880
          • C:\Windows\system32\netsh.exe
            "netsh.exe" firewall add allowedprogram program="C:\ProgramData\wscntfy.exe" name="Windows-Audio Driver" mode=ENABLE scope=ALL profile=ALL
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            PID:2200
        • C:\Program Files\Common Files\lsmass.exe
          "C:\Program Files\Common Files\lsmass.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2764
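The process tree shows the two ways this sample opens the Windows Firewall for its payloads: reg.exe writes under the FirewallPolicy key to set DoNotAllowExceptions to 0 and to add AuthorizedApplications entries for Gerichtsdokumente.exe in the user's AppData, and netsh.exe adds an allowedprogram exception for C:\ProgramData\wscntfy.exe. The Signatures section also flags Run key and Active Setup autostart writes, though the report does not list the values written. The Python detector below is an added example, not code from the sandbox report, its vendor or the LatentBot sample: it parses process command lines of that shape and flags firewall exceptions for executables in user-writable directories, the DoNotAllowExceptions=0 write, and REG ADD writes to the common autostart keys. The sample log is constructed: PIDs 2700, 748, 1536 and 2200 carry the command lines from the tree above, while PIDs 4000, 4001 and 9999 are hypothetical control lines (a legitimate Program Files firewall rule, an unrelated registry write, and a Run-key write the report implies but does not show).

```python
"""Flag firewall-policy tampering and autostart writes in process command lines.

Added example for the sandbox report above; not code from the report, the
sandbox vendor or the LatentBot sample. Input is an iterable of (pid, command
line) pairs, e.g. a Sysmon Event ID 1 export or a sandbox process tree.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


# Lower-cased prefixes of directories a standard user can write to. A firewall
# exception for a binary living here is the signal worth alerting on.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Registry path fragments (lower-cased) matched against REG ADD keys.
FIREWALL_KEY = "\\services\\sharedaccess\\parameters\\firewallpolicy\\"
AUTOSTART_KEYS = (
    "\\currentversion\\run",                   # ...\Run and ...\RunOnce
    "\\policies\\explorer\\run",               # the "policy" Run key
    "\\active setup\\installed components\\",  # Active Setup StubPath entries
)


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted spans whole."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_reg_add(tokens):
    """Return (key, value_name, data) for a 'REG ADD' command line, else None."""
    low = [t.lower() for t in tokens]
    for i in range(len(tokens) - 2):
        if low[i].rsplit("\\", 1)[-1] in ("reg", "reg.exe") and low[i + 1] == "add":
            key, name, data = tokens[i + 2], None, None
            rest = tokens[i + 3:]
            for j, switch in enumerate(rest[:-1]):
                if switch.lower() == "/v":
                    name = rest[j + 1]
                elif switch.lower() == "/d":
                    data = rest[j + 1]
            return key, name, data
    return None


def parse_netsh_program(cmdline):
    """Return the program= path from a netsh firewall exception command, else None."""
    low = cmdline.lower()
    if "netsh" not in low:
        return None
    if "firewall add allowedprogram" not in low and "firewall add rule" not in low:
        return None
    m = re.search(r'program=(?:"([^"]*)"|(\S+))', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def is_user_writable(path):
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def exception_rule(path):
    return "firewall_exception_user_writable" if is_user_writable(path) else "firewall_exception"


def analyze(pid, cmdline):
    """Return the findings for one process command line (empty list if benign)."""
    findings = []
    parsed = parse_reg_add(tokenize(cmdline))
    if parsed:
        key, name, data = parsed
        k = key.lower()
        if FIREWALL_KEY in k:
            if (name or "").lower() == "donotallowexceptions" and (data or "").strip() == "0":
                # 0 means "allow exceptions": a prerequisite for the list entries to take effect.
                findings.append(Finding(pid, "firewall_exceptions_enabled", key))
            elif k.endswith("\\authorizedapplications\\list") and name:
                findings.append(Finding(pid, exception_rule(name), name))
        elif any(fragment in k for fragment in AUTOSTART_KEYS):
            findings.append(Finding(pid, "autostart_registry", f"{key}\\{name} = {data}"))
    program = parse_netsh_program(cmdline)
    if program:
        findings.append(Finding(pid, exception_rule(program), program))
    return findings


def scan(process_log):
    """Flatten analyze() over an iterable of (pid, command line) pairs."""
    return [f for pid, cmdline in process_log for f in analyze(pid, cmdline)]


# Constructed sample: PIDs 2700, 748, 1536 and 2200 are the report's command lines;
# 4000, 4001 and 9999 are hypothetical control lines, not from the report.
SAMPLE_PROCESS_LOG = [
    (2700, r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f'),
    (748, r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Gerichtsdokumente.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Gerichtsdokumente.exe:*:Enabled:Windows Messanger" /f'),
    (1536, r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Gerichtsdokumente.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Gerichtsdokumente.exe:*:Enabled:Windows Messanger" /f'),
    (2200, r'"netsh.exe" firewall add allowedprogram program="C:\ProgramData\wscntfy.exe" name="Windows-Audio Driver" mode=ENABLE scope=ALL profile=ALL'),
    (4000, r'netsh advfirewall firewall add rule name="Corp VPN" dir=in action=allow program="C:\Program Files\CorpVPN\vpn.exe" enable=yes'),
    (4001, r'REG ADD HKCU\Software\Contoso\App /v "Theme" /t REG_SZ /d "dark" /f'),
    (9999, r'REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Gerichtsdokumente" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Gerichtsdokumente.exe" /f'),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_PROCESS_LOG):
        print(f"PID {finding.pid}: {finding.rule}: {finding.detail}")
```

The user-writable check is what separates this sample's exceptions from a legitimate installer adding a rule for a Program Files binary (PID 4000 is reported at the lower-severity rule). The DoNotAllowExceptions=0 write is flagged on its own because it re-enables exception processing, which the AuthorizedApplications entries depend on. Note that the report's Run key and Active Setup signatures fired without a visible reg.exe command, so on a live host those values should also be read directly from the registry rather than inferred from process creation events alone.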

          Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Gerichtsdokumente.exe

            Filesize

            242KB

            MD5

            16043fb0f7ba5fc5d1cab74ceb6c4611

            SHA1

            a35c36636f2bfe12f2960983af494dc0020592bf

            SHA256

            3e7829ce494408e6a4fca4ce9b73aa466b75d03dd023c52155a15b5e5c021666

            SHA512

            0c0e7e8cd31ceae0fb86a032a80d37f6474be20b0eedc61ea1bb5728afe62fa5dc6a0331017f6d4c83312b35019c0528867e2ed361679f9f5e6102336bfc52b1

          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\mama.exe

            Filesize

            204KB

            MD5

            73ea634932081a692e94c729933fd78d

            SHA1

            8d345d3841fae859547ebde9783db5fe535430bf

            SHA256

            21fdfc43f311ee5ed1c8576217fcf1cc56123fc7c5c1ee629f0f785ac2a4ddea

            SHA512

            fded5fc59df79b7eb0932bcea82513d726bf0d6c7efc46c569eacb49577caab6409776d736cf88c1d1225d1ed493e65a39c57306fcfe8dd8231bcd21cc7829f7

          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.cmd

            Filesize

            57B

            MD5

            1d004b6a7388fab9d12669502debfc52

            SHA1

            81980da8ed8e678e88ba83678029fc848eea692a

            SHA256

            37454df75ca7e2cc685bbc81a6102a3d49d4eaac66630e26c1f16362f9c0dad7

            SHA512

            7c619554ef5014aea6ffddbf870843d079eedf23f7ef51c4e6617062029280d54f9c175cc13da7b7ca9be78fa0a9e28b84ab998fbfe4294358d20b0469c0c3f9

          • \Users\Admin\AppData\Local\Temp\RarSFX0\xd.exe

            Filesize

            312KB

            MD5

            e18783d6827f1415cb756759d076b683

            SHA1

            f6f130206dfb86f33a6a6fef8dacba8177542085

            SHA256

            6a4254a38b380da0481736e37ee49f3deb07d7fd351d6e1bc61035e5a956a1d1

            SHA512

            9cb5c2d9dd825d9602d66c8cd2dc4887c14f6b464ad9fb7f1a9a33df85d4e67cc42da44c225957192e62f65d2a14a992760b32543326153962e3572e1caa48a2

          • \Users\Admin\AppData\Roaming\Security Deamonu\Shield.exe

            Filesize

            204KB

            MD5

            49a35df5fe3d7c2a760c21340896ea9d

            SHA1

            6cba574cc9fbbf29f21bbf1ef606b6592884c07b

            SHA256

            32d715511e88d07ac4588718711e2b0d2bca03a0fd74f6901c76e012ab4b8c9a

            SHA512

            285eafa2dcdfaf06c621bf84cd3df4576a86b14d593f2eb7ec21811e0195a43775332a7d68d231acdbeb01bcf8dea160d0a674b60d22b4a7f7b16d408346c0d1

          • memory/392-144-0x0000000000400000-0x000000000041D000-memory.dmp

            Filesize

            116KB

          • memory/1012-82-0x0000000000400000-0x000000000041D000-memory.dmp

            Filesize

            116KB

          • memory/1012-92-0x0000000000400000-0x000000000041D000-memory.dmp

            Filesize

            116KB

          • memory/1012-78-0x0000000000400000-0x000000000041D000-memory.dmp

            Filesize

            116KB

          • memory/1012-65-0x0000000000400000-0x000000000041D000-memory.dmp

            Filesize

            116KB

          • memory/1012-67-0x0000000000400000-0x000000000041D000-memory.dmp

            Filesize

            116KB

          • memory/1012-69-0x0000000000400000-0x000000000041D000-memory.dmp

            Filesize

            116KB

          • memory/1012-72-0x0000000000400000-0x000000000041D000-memory.dmp

            Filesize

            116KB

          • memory/1012-77-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

            Filesize

            4KB

          • memory/1012-75-0x0000000000400000-0x000000000041D000-memory.dmp

            Filesize

            116KB

          • memory/1012-73-0x0000000000400000-0x000000000041D000-memory.dmp

            Filesize

            116KB

          • memory/1012-80-0x0000000000400000-0x000000000041D000-memory.dmp

            Filesize

            116KB

          • memory/1196-95-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

          • memory/1196-84-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

          • memory/1196-98-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

          • memory/1196-97-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

          • memory/1196-96-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

          • memory/1196-88-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

          • memory/1196-86-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

          • memory/1196-110-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

          • memory/1196-91-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

          • memory/1228-154-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

          • memory/2336-41-0x0000000000400000-0x0000000000473000-memory.dmp

            Filesize

            460KB

          • memory/2336-49-0x0000000000400000-0x0000000000473000-memory.dmp

            Filesize

            460KB

          • memory/2336-43-0x0000000000400000-0x0000000000473000-memory.dmp

            Filesize

            460KB

          • memory/2336-39-0x0000000000400000-0x0000000000473000-memory.dmp

            Filesize

            460KB

          • memory/2336-151-0x0000000000400000-0x0000000000473000-memory.dmp

            Filesize

            460KB

          • memory/2468-44-0x00000000003E0000-0x00000000003EE000-memory.dmp

            Filesize

            56KB