Overview

overview

10

Static

static

3

5a7a2143b1...18.exe

windows7-x64

10

5a7a2143b1...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-07-2024 04:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5a7a2143b1af1c765c4771c8eb218d7a_JaffaCakes118.exe

  • Size

    568KB

  • MD5

    5a7a2143b1af1c765c4771c8eb218d7a

  • SHA1

    44bff0051333b9f0b11e92334c52139e848a64cd

  • SHA256

    e712e370e41df79390877580930f72642efe97a874730e3eb87184356faa3b15

  • SHA512

    0e0ba548d938f38ba6059df0a007edb074a32639e6d1ccdd93fdea544975892febfeb9aceae0a436fa02b4ef09649b61a0163c282106dcfebcf833f7c038349a

  • SSDEEP

    12288:o3nZMhJ+ubNWSPcxMSaMlZFm88t52CDR0d8sOLKDSOby7:o3nZqfbNPcW22Jt5BDRXsOLYSObU

Score
10/10
latentbotevasionpersistenceprivilege_escalationtrojanupx

Malware Config

Extracted

Family

latentbot

C2

1microsoftx.zapto.org

2microsoftx.zapto.org

3microsoftx.zapto.org

4microsoftx.zapto.org

5microsoftx.zapto.org

6microsoftx.zapto.org

7microsoftx.zapto.org

8microsoftx.zapto.org

Signatures

  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

    trojanlatentbot
  • Modifies firewall policy service 3 TTPs 12 IoCs
    evasion
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Adds policy Run key to start application 2 TTPs 3 IoCs
    persistence
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 11 IoCs
  • UPX packed file 24 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 5 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 59 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\5a7a2143b1af1c765c4771c8eb218d7a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5a7a2143b1af1c765c4771c8eb218d7a_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3368
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.cmd" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4160
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Gerichtsdokumente.exe
        Gerichtsdokumente.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3228
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Gerichtsdokumente.exe
          C:\Users\Admin\AppData\Local\Temp\RarSFX0\Gerichtsdokumente.exe
          4⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1592
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4468
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              6⤵
              • Modifies firewall policy service
              • Modifies registry key
              PID:4068
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Gerichtsdokumente.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Gerichtsdokumente.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1812
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Gerichtsdokumente.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Gerichtsdokumente.exe:*:Enabled:Windows Messanger" /f
              6⤵
              • Modifies firewall policy service
              • Modifies registry key
              PID:4012
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1456
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              6⤵
              • Modifies firewall policy service
              • Modifies registry key
              PID:1104
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Gerichtsdokumente.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Gerichtsdokumente.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3576
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Gerichtsdokumente.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Gerichtsdokumente.exe:*:Enabled:Windows Messanger" /f
              6⤵
              • Modifies firewall policy service
              • Modifies registry key
              PID:1352
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\mama.exe
        mama.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1824
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\mama.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX0\mama.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1840
          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\mama.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX0\mama.exe"
            5⤵
            • Modifies firewall policy service
            • Executes dropped EXE
            • Adds Run key to start application
            PID:2204
            • C:\Users\Admin\AppData\Roaming\Security Profile\Shield.exe
              "C:\Users\Admin\AppData\Roaming\Security Profile\Shield.exe" in
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of SetWindowsHookEx
              PID:464
              • C:\Users\Admin\AppData\Roaming\Security Profile\Shield.exe
                "C:\Users\Admin\AppData\Roaming\Security Profile\Shield.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                PID:2852
                • C:\Users\Admin\AppData\Roaming\Security Profile\Shield.exe
                  "C:\Users\Admin\AppData\Roaming\Security Profile\Shield.exe"
                  8⤵
                  • Executes dropped EXE
                  PID:4728
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\xd.exe
        xd.exe
        3⤵
        • UAC bypass
        • Adds policy Run key to start application
        • Boot or Logon Autostart Execution: Active Setup
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in Program Files directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:320
        • C:\ProgramData\wscntfy.exe
          "C:\ProgramData\wscntfy.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of AdjustPrivilegeToken
          • System policy modification
          PID:2572
          • C:\Windows\SYSTEM32\netsh.exe
            "netsh.exe" firewall add allowedprogram program="C:\ProgramData\wscntfy.exe" name="Windows-Audio Driver" mode=ENABLE scope=ALL profile=ALL
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            PID:2672
        • C:\Program Files\Common Files\lsmass.exe
          "C:\Program Files\Common Files\lsmass.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

2
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

3
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

2
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

3
T1562

Disable or Modify System Firewall

2
T1562.004

Disable or Modify Tools

1
T1562.001

Modify Registry

7
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Gerichtsdokumente.exe
    Filesize

    242KB

    MD5

    16043fb0f7ba5fc5d1cab74ceb6c4611

    SHA1

    a35c36636f2bfe12f2960983af494dc0020592bf

    SHA256

    3e7829ce494408e6a4fca4ce9b73aa466b75d03dd023c52155a15b5e5c021666

    SHA512

    0c0e7e8cd31ceae0fb86a032a80d37f6474be20b0eedc61ea1bb5728afe62fa5dc6a0331017f6d4c83312b35019c0528867e2ed361679f9f5e6102336bfc52b1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\mama.exe
    Filesize

    204KB

    MD5

    73ea634932081a692e94c729933fd78d

    SHA1

    8d345d3841fae859547ebde9783db5fe535430bf

    SHA256

    21fdfc43f311ee5ed1c8576217fcf1cc56123fc7c5c1ee629f0f785ac2a4ddea

    SHA512

    fded5fc59df79b7eb0932bcea82513d726bf0d6c7efc46c569eacb49577caab6409776d736cf88c1d1225d1ed493e65a39c57306fcfe8dd8231bcd21cc7829f7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.cmd
    Filesize

    57B

    MD5

    1d004b6a7388fab9d12669502debfc52

    SHA1

    81980da8ed8e678e88ba83678029fc848eea692a

    SHA256

    37454df75ca7e2cc685bbc81a6102a3d49d4eaac66630e26c1f16362f9c0dad7

    SHA512

    7c619554ef5014aea6ffddbf870843d079eedf23f7ef51c4e6617062029280d54f9c175cc13da7b7ca9be78fa0a9e28b84ab998fbfe4294358d20b0469c0c3f9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\xd.exe
    Filesize

    312KB

    MD5

    e18783d6827f1415cb756759d076b683

    SHA1

    f6f130206dfb86f33a6a6fef8dacba8177542085

    SHA256

    6a4254a38b380da0481736e37ee49f3deb07d7fd351d6e1bc61035e5a956a1d1

    SHA512

    9cb5c2d9dd825d9602d66c8cd2dc4887c14f6b464ad9fb7f1a9a33df85d4e67cc42da44c225957192e62f65d2a14a992760b32543326153962e3572e1caa48a2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Security Profile\Shield.exe
    Filesize

    204KB

    MD5

    49a35df5fe3d7c2a760c21340896ea9d

    SHA1

    6cba574cc9fbbf29f21bbf1ef606b6592884c07b

    SHA256

    32d715511e88d07ac4588718711e2b0d2bca03a0fd74f6901c76e012ab4b8c9a

    SHA512

    285eafa2dcdfaf06c621bf84cd3df4576a86b14d593f2eb7ec21811e0195a43775332a7d68d231acdbeb01bcf8dea160d0a674b60d22b4a7f7b16d408346c0d1

    Download Submit

  • memory/320-35-0x0000000001600000-0x000000000160E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1592-121-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/1592-114-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/1592-128-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/1592-24-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/1592-126-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/1592-124-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/1592-99-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/1592-119-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/1592-117-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/1592-26-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/1592-112-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/1592-28-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/1592-110-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/1592-107-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/1592-105-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/1592-103-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/1592-97-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/1592-100-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/1840-44-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/1840-47-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/1840-40-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/1840-42-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/2204-46-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2204-82-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2204-56-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2204-57-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2204-58-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2572-74-0x000000001BEC0000-0x000000001BF22000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2852-90-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/2852-89-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/2852-93-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/4728-98-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download