latentbot | 63566391c791e20b7582f12770587664652de3ee9ec01878989a897eb7e592bd

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23-07-2024 13:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe
Size

672KB
MD5

67be4cb241da8e525ee2c6eed0360168
SHA1

9c45aff53d387083f883047680a52e2e7e1835b4
SHA256

63566391c791e20b7582f12770587664652de3ee9ec01878989a897eb7e592bd
SHA512

307dca00363eeee1c5e3fbc5e30234e70a0a441e38926bed2f795008bcabf1e5966b23411fc4e87b33896aeb102b3956d7fb3f13d50a5e994b79d32943671d0a
SSDEEP

12288:8t4EHzD0+6FbfETQXJpvIbmWHnSFX6d1sl+NOP1BaWcQcyG5OtN:o/+ET+QHKrdBaMtN

Score

10^/10

latentbot evasion persistence trojan

Malware Config

Extracted

Family

latentbot

Corbyshitnig.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Modifies firewall policy service 3 TTPs 10 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\ctfmon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\ctfmon.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\WKRM1AY9MB.exe = "C:\\Users\\Admin\\AppData\\Roaming\\WKRM1AY9MB.exe:*:Enabled:Windows Messanger"	reg.exe

Executes dropped EXE 1 IoCs

pid	Process
4144	ctfmon.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Roaming\\67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe"	67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3188 set thread context of 4144	3188	67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe	90

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
3296	reg.exe
3324	reg.exe
4792	reg.exe
3332	reg.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3188	67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	3188	67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe
Token: 1	4144	ctfmon.exe
Token: SeCreateTokenPrivilege	4144	ctfmon.exe
Token: SeAssignPrimaryTokenPrivilege	4144	ctfmon.exe
Token: SeLockMemoryPrivilege	4144	ctfmon.exe
Token: SeIncreaseQuotaPrivilege	4144	ctfmon.exe
Token: SeMachineAccountPrivilege	4144	ctfmon.exe
Token: SeTcbPrivilege	4144	ctfmon.exe
Token: SeSecurityPrivilege	4144	ctfmon.exe
Token: SeTakeOwnershipPrivilege	4144	ctfmon.exe
Token: SeLoadDriverPrivilege	4144	ctfmon.exe
Token: SeSystemProfilePrivilege	4144	ctfmon.exe
Token: SeSystemtimePrivilege	4144	ctfmon.exe
Token: SeProfSingleProcessPrivilege	4144	ctfmon.exe
Token: SeIncBasePriorityPrivilege	4144	ctfmon.exe
Token: SeCreatePagefilePrivilege	4144	ctfmon.exe
Token: SeCreatePermanentPrivilege	4144	ctfmon.exe
Token: SeBackupPrivilege	4144	ctfmon.exe
Token: SeRestorePrivilege	4144	ctfmon.exe
Token: SeShutdownPrivilege	4144	ctfmon.exe
Token: SeDebugPrivilege	4144	ctfmon.exe
Token: SeAuditPrivilege	4144	ctfmon.exe
Token: SeSystemEnvironmentPrivilege	4144	ctfmon.exe
Token: SeChangeNotifyPrivilege	4144	ctfmon.exe
Token: SeRemoteShutdownPrivilege	4144	ctfmon.exe
Token: SeUndockPrivilege	4144	ctfmon.exe
Token: SeSyncAgentPrivilege	4144	ctfmon.exe
Token: SeEnableDelegationPrivilege	4144	ctfmon.exe
Token: SeManageVolumePrivilege	4144	ctfmon.exe
Token: SeImpersonatePrivilege	4144	ctfmon.exe
Token: SeCreateGlobalPrivilege	4144	ctfmon.exe
Token: 31	4144	ctfmon.exe
Token: 32	4144	ctfmon.exe
Token: 33	4144	ctfmon.exe
Token: 34	4144	ctfmon.exe
Token: 35	4144	ctfmon.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4144	ctfmon.exe
4144	ctfmon.exe
4144	ctfmon.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 3188 wrote to memory of 4904	3188	67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe	87
PID 3188 wrote to memory of 4904	3188	67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe	87
PID 3188 wrote to memory of 4904	3188	67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe	87
PID 4904 wrote to memory of 3940	4904	csc.exe	89
PID 4904 wrote to memory of 3940	4904	csc.exe	89
PID 4904 wrote to memory of 3940	4904	csc.exe	89
PID 3188 wrote to memory of 4144	3188	67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe	90
PID 3188 wrote to memory of 4144	3188	67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe	90
PID 3188 wrote to memory of 4144	3188	67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe	90
PID 3188 wrote to memory of 4144	3188	67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe	90
PID 3188 wrote to memory of 4144	3188	67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe	90
PID 3188 wrote to memory of 4144	3188	67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe	90
PID 3188 wrote to memory of 4144	3188	67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe	90
PID 3188 wrote to memory of 4144	3188	67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe	90
PID 4144 wrote to memory of 1640	4144	ctfmon.exe	91
PID 4144 wrote to memory of 1640	4144	ctfmon.exe	91
PID 4144 wrote to memory of 1640	4144	ctfmon.exe	91
PID 4144 wrote to memory of 5100	4144	ctfmon.exe	92
PID 4144 wrote to memory of 5100	4144	ctfmon.exe	92
PID 4144 wrote to memory of 5100	4144	ctfmon.exe	92
PID 4144 wrote to memory of 2456	4144	ctfmon.exe	93
PID 4144 wrote to memory of 2456	4144	ctfmon.exe	93
PID 4144 wrote to memory of 2456	4144	ctfmon.exe	93
PID 4144 wrote to memory of 1336	4144	ctfmon.exe	94
PID 4144 wrote to memory of 1336	4144	ctfmon.exe	94
PID 4144 wrote to memory of 1336	4144	ctfmon.exe	94
PID 1640 wrote to memory of 3332	1640	cmd.exe	99
PID 1640 wrote to memory of 3332	1640	cmd.exe	99
PID 1640 wrote to memory of 3332	1640	cmd.exe	99
PID 2456 wrote to memory of 3324	2456	cmd.exe	100
PID 2456 wrote to memory of 3324	2456	cmd.exe	100
PID 2456 wrote to memory of 3324	2456	cmd.exe	100
PID 5100 wrote to memory of 3296	5100	cmd.exe	101
PID 5100 wrote to memory of 3296	5100	cmd.exe	101
PID 5100 wrote to memory of 3296	5100	cmd.exe	101
PID 1336 wrote to memory of 4792	1336	cmd.exe	102
PID 1336 wrote to memory of 4792	1336	cmd.exe	102
PID 1336 wrote to memory of 4792	1336	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\67be4cb241da8e525ee2c6eed0360168_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3188
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\svoij7io.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4904
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F2F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9F2E.tmp"
    3⤵
    PID:3940
- C:\Users\Admin\AppData\Roaming\ctfmon.exe
  C:\Users\Admin\AppData\Roaming\ctfmon.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4144
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:3332
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\ctfmon.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ctfmon.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\ctfmon.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ctfmon.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:3296
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:3324
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\WKRM1AY9MB.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WKRM1AY9MB.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1336
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\WKRM1AY9MB.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WKRM1AY9MB.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:4792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9F2F.tmp

Filesize
1KB

MD5
34f66ae9ffc20179133321c4873226b3

SHA1
1b404b4176ae741d456bd1ac6c50b0a31ef409c7

SHA256
691f9f8feb00bc4d09d9fc22b8e09bad40b448030224987bccd2d1302fc60b44

SHA512
99dd19806ba92675f9e42ca1a7aab4a34d3c5d25ef3c99de4181804d93c638c2dab4a6fb198a491e8e64c2e223a348edeb04eeefd02416473fbb3ed22f081d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\svoij7io.dll

Filesize
5KB

MD5
01da09a53685ea0a762314f0e4fafbb9

SHA1
f41cb2656e11f4e79b98a43ef6d0abddd065b102

SHA256
8abb78bb13b25d95135bc813aef8fdf5efd811b9c94f878fab150701e2805d89

SHA512
9e288cf570d23bf876d33e16af98210773772d7f9d4bbdd8a660ad4531e2eaa0eff6b37f65d8e4dbafe5ec20ce72c3889047440c06e8c10d4b73410cccd8dbd5

Download Submit
C:\Users\Admin\AppData\Roaming\ctfmon.exe

Filesize
16KB

MD5
793c74ab1a600570301a4c14142747ea

SHA1
ebd0ed2ff0e7dc450d71662d44857ebeee145a25

SHA256
bf5d96ee5d7094930712f4535875e0d5e2f0067a593eeaeec63ce8902f74bfe2

SHA512
e4909309ac7c37a15659cad00bbadad5aba93904e437bb6a7124ff1a4920a17d22d8dd8ae25837e0c15df2424a119009f3454a9468091892908a9dd49ab5c629

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9F2E.tmp

Filesize
652B

MD5
7421b74b29c7b46535ffc5d04a6c5ebf

SHA1
05a6f7fa65a52d8dbdcff0fc8b6c91e84aaf6179

SHA256
3fef7bec125d63e8251184ce33bcd8a2fd2850b0f6670ee8549d0e5c684ce3af

SHA512
f66f53c964b4688abb24dbdbd1b21130281b74ff01482f6f7f93a23062b06df1cf16dcd54024c6292f750437daca47ca3846183f891106151236a53678cef24b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\svoij7io.0.cs

Filesize
4KB

MD5
133eb944405754b31e85f6d10dd9fb0e

SHA1
4dbcc785e30c95d7b187963a511fc90c94771486

SHA256
67d9de518eaa7b129755acfde8ce8771dac635d21181ff1e4620eaeef03fb18b

SHA512
081979cd1e51f09fb0c3fb5a14530bc446513b5238d594d6c345f3d24cb5377f27cdef518f12adec756bae569d9ed3dc5c6ea9ab2375830c41b4f6c38d1cca1e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\svoij7io.cmdline

Filesize
206B

MD5
409e450a0cd7d9928136ac41d777cb1f

SHA1
f38760aff08bf976173dc7612862dfd31694a34d

SHA256
c0fcb1a2a84f35cb5c4f683964c1e209fa43ba55a79c2467ca0d3a3a00c61c80

SHA512
fbb6bb50f0f26e203d141fec9f05927c0f63a5ef1780fd75d15e00b978b3ca80cc4e18bcc711e67bb77f5cf3d92a5174528e38e2fb818d2ef3a39b977cc13de6

Download Submit
memory/3188-33-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/3188-32-0x00000000750A2000-0x00000000750A3000-memory.dmp

Filesize
4KB

Download
memory/3188-0-0x00000000750A2000-0x00000000750A3000-memory.dmp

Filesize
4KB

Download
memory/3188-2-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/3188-1-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/4144-31-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4144-25-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4144-20-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4144-34-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4144-37-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4144-41-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4144-50-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4904-9-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/4904-16-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download