latentbot | 63566391c791e20b7582f12770587664652de3ee9ec01878989a897eb7e592bd

Analysis

max time kernel
148s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 13:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe
Size

672KB
MD5

67be4cb241da8e525ee2c6eed0360168
SHA1

9c45aff53d387083f883047680a52e2e7e1835b4
SHA256

63566391c791e20b7582f12770587664652de3ee9ec01878989a897eb7e592bd
SHA512

307dca00363eeee1c5e3fbc5e30234e70a0a441e38926bed2f795008bcabf1e5966b23411fc4e87b33896aeb102b3956d7fb3f13d50a5e994b79d32943671d0a
SSDEEP

12288:8t4EHzD0+6FbfETQXJpvIbmWHnSFX6d1sl+NOP1BaWcQcyG5OtN:o/+ET+QHKrdBaMtN

Score

10^/10

latentbot evasion persistence trojan

Malware Config

Extracted

Family

latentbot

Corbyshitnig.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Modifies firewall policy service 3 TTPs 8 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\ctfmon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\ctfmon.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\WKRM1AY9MB.exe = "C:\\Users\\Admin\\AppData\\Roaming\\WKRM1AY9MB.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Executes dropped EXE 1 IoCs

pid	Process
2536	ctfmon.exe

Loads dropped DLL 2 IoCs

pid	Process
2088	67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe
2088	67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Roaming\\67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe"	67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2088 set thread context of 2536	2088	67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe	33

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2616	reg.exe
2964	reg.exe
2984	reg.exe
1756	reg.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2088	67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	2088	67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe
Token: 1	2536	ctfmon.exe
Token: SeCreateTokenPrivilege	2536	ctfmon.exe
Token: SeAssignPrimaryTokenPrivilege	2536	ctfmon.exe
Token: SeLockMemoryPrivilege	2536	ctfmon.exe
Token: SeIncreaseQuotaPrivilege	2536	ctfmon.exe
Token: SeMachineAccountPrivilege	2536	ctfmon.exe
Token: SeTcbPrivilege	2536	ctfmon.exe
Token: SeSecurityPrivilege	2536	ctfmon.exe
Token: SeTakeOwnershipPrivilege	2536	ctfmon.exe
Token: SeLoadDriverPrivilege	2536	ctfmon.exe
Token: SeSystemProfilePrivilege	2536	ctfmon.exe
Token: SeSystemtimePrivilege	2536	ctfmon.exe
Token: SeProfSingleProcessPrivilege	2536	ctfmon.exe
Token: SeIncBasePriorityPrivilege	2536	ctfmon.exe
Token: SeCreatePagefilePrivilege	2536	ctfmon.exe
Token: SeCreatePermanentPrivilege	2536	ctfmon.exe
Token: SeBackupPrivilege	2536	ctfmon.exe
Token: SeRestorePrivilege	2536	ctfmon.exe
Token: SeShutdownPrivilege	2536	ctfmon.exe
Token: SeDebugPrivilege	2536	ctfmon.exe
Token: SeAuditPrivilege	2536	ctfmon.exe
Token: SeSystemEnvironmentPrivilege	2536	ctfmon.exe
Token: SeChangeNotifyPrivilege	2536	ctfmon.exe
Token: SeRemoteShutdownPrivilege	2536	ctfmon.exe
Token: SeUndockPrivilege	2536	ctfmon.exe
Token: SeSyncAgentPrivilege	2536	ctfmon.exe
Token: SeEnableDelegationPrivilege	2536	ctfmon.exe
Token: SeManageVolumePrivilege	2536	ctfmon.exe
Token: SeImpersonatePrivilege	2536	ctfmon.exe
Token: SeCreateGlobalPrivilege	2536	ctfmon.exe
Token: 31	2536	ctfmon.exe
Token: 32	2536	ctfmon.exe
Token: 33	2536	ctfmon.exe
Token: 34	2536	ctfmon.exe
Token: 35	2536	ctfmon.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2536	ctfmon.exe
2536	ctfmon.exe
2536	ctfmon.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 1960	2088	67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe	30
PID 2088 wrote to memory of 1960	2088	67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe	30
PID 2088 wrote to memory of 1960	2088	67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe	30
PID 2088 wrote to memory of 1960	2088	67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe	30
PID 1960 wrote to memory of 2500	1960	csc.exe	32
PID 1960 wrote to memory of 2500	1960	csc.exe	32
PID 1960 wrote to memory of 2500	1960	csc.exe	32
PID 1960 wrote to memory of 2500	1960	csc.exe	32
PID 2088 wrote to memory of 2536	2088	67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe	33
PID 2088 wrote to memory of 2536	2088	67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe	33
PID 2088 wrote to memory of 2536	2088	67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe	33
PID 2088 wrote to memory of 2536	2088	67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe	33
PID 2088 wrote to memory of 2536	2088	67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe	33
PID 2088 wrote to memory of 2536	2088	67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe	33
PID 2088 wrote to memory of 2536	2088	67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe	33
PID 2088 wrote to memory of 2536	2088	67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe	33
PID 2536 wrote to memory of 2896	2536	ctfmon.exe	34
PID 2536 wrote to memory of 2896	2536	ctfmon.exe	34
PID 2536 wrote to memory of 2896	2536	ctfmon.exe	34
PID 2536 wrote to memory of 2896	2536	ctfmon.exe	34
PID 2536 wrote to memory of 2792	2536	ctfmon.exe	35
PID 2536 wrote to memory of 2792	2536	ctfmon.exe	35
PID 2536 wrote to memory of 2792	2536	ctfmon.exe	35
PID 2536 wrote to memory of 2792	2536	ctfmon.exe	35
PID 2536 wrote to memory of 2748	2536	ctfmon.exe	36
PID 2536 wrote to memory of 2748	2536	ctfmon.exe	36
PID 2536 wrote to memory of 2748	2536	ctfmon.exe	36
PID 2536 wrote to memory of 2748	2536	ctfmon.exe	36
PID 2536 wrote to memory of 3008	2536	ctfmon.exe	37
PID 2536 wrote to memory of 3008	2536	ctfmon.exe	37
PID 2536 wrote to memory of 3008	2536	ctfmon.exe	37
PID 2536 wrote to memory of 3008	2536	ctfmon.exe	37
PID 3008 wrote to memory of 2964	3008	cmd.exe	43
PID 3008 wrote to memory of 2964	3008	cmd.exe	43
PID 3008 wrote to memory of 2964	3008	cmd.exe	43
PID 3008 wrote to memory of 2964	3008	cmd.exe	43
PID 2896 wrote to memory of 2984	2896	cmd.exe	42
PID 2896 wrote to memory of 2984	2896	cmd.exe	42
PID 2896 wrote to memory of 2984	2896	cmd.exe	42
PID 2896 wrote to memory of 2984	2896	cmd.exe	42
PID 2748 wrote to memory of 2616	2748	cmd.exe	44
PID 2748 wrote to memory of 2616	2748	cmd.exe	44
PID 2748 wrote to memory of 2616	2748	cmd.exe	44
PID 2748 wrote to memory of 2616	2748	cmd.exe	44
PID 2792 wrote to memory of 1756	2792	cmd.exe	45
PID 2792 wrote to memory of 1756	2792	cmd.exe	45
PID 2792 wrote to memory of 1756	2792	cmd.exe	45
PID 2792 wrote to memory of 1756	2792	cmd.exe	45

C:\Users\Admin\AppData\Local\Temp\67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\-butykb5.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F1E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9F1D.tmp"
    3⤵
    PID:2500
- C:\Users\Admin\AppData\Roaming\ctfmon.exe
  C:\Users\Admin\AppData\Roaming\ctfmon.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:2984
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\ctfmon.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ctfmon.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\ctfmon.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ctfmon.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:1756
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\WKRM1AY9MB.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WKRM1AY9MB.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\WKRM1AY9MB.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WKRM1AY9MB.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-butykb5.dll

Filesize
5KB

MD5
d7ee565d9f4b064ae5161c6c7ad4eb57

SHA1
2b02f03b2f98a27be753d0fbad11a9a2ac62f23c

SHA256
e7fe3f5e4c8e37be41020a113b4bf29342c599f42d3452560c694540a77b232f

SHA512
1e8edc1bdb81df6d56b229959391c1a8debf5bc35c37ee9f06bd4ac02f4fa484ca92728d82ac4ba5226204b618ffbb4df4b19b28191c29aa0d9502a57eaf5dfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9F1E.tmp

Filesize
1KB

MD5
74eec0c8fe32178e9632b7d31ef9c39f

SHA1
a66ba4baf06a4f00ffd604f27815541d07263037

SHA256
e87dc5c5b8f0d6dcb3d6eabb948f0fbb98690ee8f9d5211dbb18e3d417f76c5f

SHA512
4163b7dc50e30eef01104ec9773caaf0d6f9f972687bc9d7b11350bc978b221e5cab5b9374d3065bf3c3d6c33cf61bdb073e4a0703ceb90c5cf48ff3ea0e8a5a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\-butykb5.0.cs

Filesize
4KB

MD5
133eb944405754b31e85f6d10dd9fb0e

SHA1
4dbcc785e30c95d7b187963a511fc90c94771486

SHA256
67d9de518eaa7b129755acfde8ce8771dac635d21181ff1e4620eaeef03fb18b

SHA512
081979cd1e51f09fb0c3fb5a14530bc446513b5238d594d6c345f3d24cb5377f27cdef518f12adec756bae569d9ed3dc5c6ea9ab2375830c41b4f6c38d1cca1e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\-butykb5.cmdline

Filesize
206B

MD5
a784c18a2ae361e12cb0cb7b027e99d9

SHA1
e7a159eb706a0351f07a1663b03f23fcb817271d

SHA256
c5e66f06b8b2b6c83e7baa7b9a7b2d8b02df4e37e5a2e6576f44b8a9af00abe1

SHA512
f144001f1266d71284fdf2eecbf2bb87615c12ca5eff0f70a5a2425e2378b62a6b8cba32d43b5468d216de90eaa10d49ecd9a55c3d5fb4f3e54183611a22687b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9F1D.tmp

Filesize
652B

MD5
25f995d2774c5199806f8e0214a163d1

SHA1
532ea866f4c84317ac66cf95bad1a0537719f02e

SHA256
579e8649344a54bbe6fa3f18590e1624c4d5f7a24f96a7c41359ba59608c7531

SHA512
6fd97034eaad3780cd34f45bcd61048c5a8c35ceaad056c2e3c3b219ac6e07c646ceac69422e4ef65fb9054e1c12f279616249b7540247fa056c668a3b063810

Download Submit
\Users\Admin\AppData\Roaming\ctfmon.exe

Filesize
16KB

MD5
793c74ab1a600570301a4c14142747ea

SHA1
ebd0ed2ff0e7dc450d71662d44857ebeee145a25

SHA256
bf5d96ee5d7094930712f4535875e0d5e2f0067a593eeaeec63ce8902f74bfe2

SHA512
e4909309ac7c37a15659cad00bbadad5aba93904e437bb6a7124ff1a4920a17d22d8dd8ae25837e0c15df2424a119009f3454a9468091892908a9dd49ab5c629

Download Submit
memory/1960-9-0x0000000074900000-0x0000000074EAB000-memory.dmp

Filesize
5.7MB

Download
memory/1960-16-0x0000000074900000-0x0000000074EAB000-memory.dmp

Filesize
5.7MB

Download
memory/2088-0-0x0000000074901000-0x0000000074902000-memory.dmp

Filesize
4KB

Download
memory/2088-2-0x0000000074900000-0x0000000074EAB000-memory.dmp

Filesize
5.7MB

Download
memory/2088-1-0x0000000074900000-0x0000000074EAB000-memory.dmp

Filesize
5.7MB

Download
memory/2088-43-0x0000000074900000-0x0000000074EAB000-memory.dmp

Filesize
5.7MB

Download
memory/2536-26-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2536-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2536-27-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2536-30-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2536-37-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2536-42-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2536-25-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2536-44-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2536-47-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2536-48-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2536-51-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download