General

  • Target

    687caf067849f388fbe442a4c2650765_JaffaCakes118

  • Size

    1.1MB

  • Sample

    240723-vsqp7stckf

  • MD5

    687caf067849f388fbe442a4c2650765

  • SHA1

    1e80d2bd0005f4a2f43c7ebf246a6922c667898e

  • SHA256

    fe755742c5e65ce96b1c21e84bec688153d7bae1a89d4e3299a5802fec5805da

  • SHA512

    e823441bdf42099ff521ebbf5187733801e79eb447f6ee55d6fc333066313881ed2404d1a53b8db469d5be7c4f37e10bf21ae307d8824e314c0b3da0c238685f

  • SSDEEP

    24576:0E2hlP2AQ94zrk0TjO0duGNHbQXGR50393DsJgWRV:REPYV0G47Q2R50tzsBRV

Malware Config

Extracted

Family

latentbot

C2

diretoriawow.zapto.org
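
The C2 host above sits under zapto.org, one of the free dynamic-DNS zones, so a hunt should match both the exact indicator and the broader provider suffix. The following Python is an added example, not part of the sandbox report or the LatentBot family; the log lines are constructed, the log format is assumed, and the dynamic-DNS suffix list is a partial one for illustration (the only real indicator is the C2 host from the report).

```python
"""Match DNS query logs against the extracted C2 host and dynamic-DNS zones.

Added example, not part of the sandbox report. The log lines are constructed;
the only real indicator is the C2 host taken from the report's config.
"""
import re
from typing import Dict, List

# Indicator taken from the report's extracted config.
C2_HOSTS = {"diretoriawow.zapto.org"}

# Public dynamic-DNS zones (assumption: a partial list for illustration;
# zapto.org is one of the No-IP free zones).
DYNDNS_SUFFIXES = ("zapto.org", "no-ip.org", "ddns.net", "hopto.org", "sytes.net")

# Constructed log lines in an assumed "timestamp client query: name" form.
SAMPLE_LOG = """\
2024-07-23T13:01:02Z 10.0.0.15 query: www.microsoft.com
2024-07-23T13:01:09Z 10.0.0.15 query: DiretoriaWOW.zapto.org.
2024-07-23T13:02:11Z 10.0.0.22 query: build-agent.hopto.org
2024-07-23T13:02:30Z 10.0.0.15 query: updates.contoso.example
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query:\s+(\S+)$")


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so the match is exact, not textual."""
    return name.rstrip(".").lower()


def classify(qname: str) -> str:
    """Return 'c2' for an exact IOC hit, 'dyndns' for a dynamic-DNS zone, else 'none'."""
    name = normalize(qname)
    if name in C2_HOSTS:
        return "c2"
    for suffix in DYNDNS_SUFFIXES:
        # Suffix match must respect label boundaries: zapto.org.evil.example is not a hit.
        if name == suffix or name.endswith("." + suffix):
            return "dyndns"
    return "none"


def scan(log_text: str) -> List[Dict[str, str]]:
    """Parse each line and keep only the queries worth an analyst's attention."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a query line; skip rather than guess
        ts, client, qname = m.groups()
        verdict = classify(qname)
        if verdict != "none":
            hits.append({"time": ts, "client": client,
                         "query": normalize(qname), "verdict": verdict})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A dynamic-DNS hit alone is only a lead, since developers and home users legitimately resolve those zones; the exact C2 match is the actionable one, and the case and trailing-dot normalisation matters because resolver logs differ in how they record names.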

Targets

    • Target

      687caf067849f388fbe442a4c2650765_JaffaCakes118

    • Size

      1.1MB

    • MD5

      687caf067849f388fbe442a4c2650765

    • SHA1

      1e80d2bd0005f4a2f43c7ebf246a6922c667898e

    • SHA256

      fe755742c5e65ce96b1c21e84bec688153d7bae1a89d4e3299a5802fec5805da

    • SHA512

      e823441bdf42099ff521ebbf5187733801e79eb447f6ee55d6fc333066313881ed2404d1a53b8db469d5be7c4f37e10bf21ae307d8824e314c0b3da0c238685f

    • SSDEEP

      24576:0E2hlP2AQ94zrk0TjO0duGNHbQXGR50393DsJgWRV:REPYV0G47Q2R50tzsBRV

    • LatentBot

      Modular trojan written in Delphi that has been in the wild since 2013.

    • Modifies WinLogon for persistence

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, and it is sometimes used as a sandboxing environment; the sample looks for its registry keys to decide whether it is being analysed.

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX variant.

    • Checks whether UAC is enabled

    • Modifies WinLogon

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger
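
Several of the signatures above (the WinLogon modification, the policy Run key, the Active Setup entry, the Wine lookup and the UAC check) reduce to reads or writes of specific registry paths, so a responder can triage a host's registry trace for the same markers. The following Python is an added example, not part of the sandbox report or the sample's code; the event tuples are constructed in an assumed (operation, key, value name, data) shape, the executable paths in them are placeholders, and only the registry locations themselves are the real ones Windows uses.

```python
"""Triage registry activity for the persistence and evasion markers the report flags.

Added example, not part of the sandbox report or the LatentBot sample. Events
are constructed in an assumed (op, key, value_name, data) shape; a real source
would be Sysmon Event ID 12/13 or a sandbox's registry trace.
"""
import re
from typing import Dict, List, Tuple

Event = Tuple[str, str, str, str]  # (op, key, value_name, data)

# Stock Winlogon values; rewriting these to their defaults is not persistence.
WINLOGON_DEFAULTS = {
    "shell": "explorer.exe",
    "userinit": r"c:\windows\system32\userinit.exe,",
}

# (tag, operation that matters, pattern matched case-insensitively against "key\value")
RULES = [
    ("winlogon_modified", "write",
     re.compile(r"\\microsoft\\windows nt\\currentversion\\winlogon\\(shell|userinit)$", re.I)),
    ("policy_run_key", "write",
     re.compile(r"\\microsoft\\windows\\currentversion\\policies\\explorer\\run\\", re.I)),
    ("active_setup", "write",
     re.compile(r"\\microsoft\\active setup\\installed components\\\{[0-9a-f-]+\}\\stubpath$", re.I)),
    ("wine_check", "read",
     re.compile(r"^hk(lm|cu)\\software\\wine(\\|$)", re.I)),
    ("uac_check", "read",
     re.compile(r"\\policies\\system\\enablelua$", re.I)),
]


def classify(event: Event) -> List[str]:
    """Return the tags an event triggers; an empty list means nothing of interest."""
    op, key, value, data = event
    path = key if not value else f"{key}\\{value}"
    tags = []
    for tag, wanted_op, pattern in RULES:
        if op != wanted_op or not pattern.search(path):
            continue
        if tag == "winlogon_modified":
            default = WINLOGON_DEFAULTS.get(value.lower())
            if default is not None and data.lower() == default:
                continue  # stock value rewritten; not a persistence change
        tags.append(tag)
    return tags


def triage(events: List[Event]) -> Dict[str, List[Event]]:
    """Group the interesting events by tag so each finding is reviewed once."""
    findings: Dict[str, List[Event]] = {}
    for ev in events:
        for tag in classify(ev):
            findings.setdefault(tag, []).append(ev)
    return findings


# Constructed events; the executable paths are placeholders, not the sample's.
SAMPLE_EVENTS: List[Event] = [
    ("read", r"HKCU\Software\Wine", "", ""),
    ("read", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "1"),
    ("write", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit",
     r"C:\Windows\system32\userinit.exe,C:\ProgramData\updater.exe"),
    ("write", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "explorer.exe"),
    ("write", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", "updater",
     r"C:\ProgramData\updater.exe"),
    ("write", r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{0B6A9E8C-1D2F-4A3B-9C8D-7E6F5A4B3C2D}",
     "StubPath", r"C:\ProgramData\updater.exe"),
    ("write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive", r"C:\Users\u\OneDrive.exe"),
]

if __name__ == "__main__":
    for tag, evs in triage(SAMPLE_EVENTS).items():
        print(tag, len(evs))
```

The plain HKCU Run entry is deliberately left untagged: it is the noisiest autostart location and is better handled by an allow-list, whereas writes to the policy Run key, Active Setup StubPath and Winlogon values are rare enough on a workstation that each one deserves a look.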

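The MBR signature is the one on this list that survives a reinstall of the operating system, so an incident responder wants a check that compares the current first sector against a known-good copy rather than trusting the running OS. The following Python is an added example, not part of the sandbox report; both sectors are constructed in memory (the boot-code bytes and partition layout are placeholders), and on a live host the current sector would be read from \\.\PhysicalDrive0 on Windows (as administrator) or /dev/sda on Linux (as root).

```python
"""Parse a 512-byte MBR and compare it against a known-good baseline.

Added example, not part of the sandbox report. Both sectors are constructed
in memory; the boot-code bytes and partition layout are placeholders.
"""
import hashlib
import struct
from typing import Dict, List

SECTOR = 512
PT_OFFSET = 446          # partition table: four 16-byte entries
SIG_OFFSET = 510         # 0x55 0xAA boot signature
BOOT_SIG = b"\x55\xaa"
ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors


def parse_mbr(sector: bytes) -> Dict[str, object]:
    """Split a sector into boot-code hash, partition entries and signature check."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts: List[Dict[str, int]] = []
    for i in range(4):
        entry = sector[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        status, ptype, lba_start, sectors = struct.unpack(ENTRY_FMT, entry)
        if ptype != 0:  # type 0 means the slot is unused
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:PT_OFFSET]).hexdigest(),
        "partitions": parts,
        "signature_ok": sector[SIG_OFFSET:] == BOOT_SIG,
    }


def diff_mbr(baseline: bytes, current: bytes) -> List[str]:
    """Return human-readable findings; an empty list means the MBR is unchanged."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not c["signature_ok"]:
        findings.append("boot signature missing: sector is not a valid MBR")
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        findings.append("boot code changed (possible bootkit): {} -> {}".format(
            b["boot_code_sha256"][:12], c["boot_code_sha256"][:12]))
    if b["partitions"] != c["partitions"]:
        findings.append("partition table changed")
    return findings


def make_mbr(boot_code: bytes, partitions: List[tuple]) -> bytes:
    """Build a constructed sector from boot code and (bootable, type, lba, sectors) tuples."""
    if len(boot_code) > PT_OFFSET or len(partitions) > 4:
        raise ValueError("boot code or partition list too large for an MBR")
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sector, PT_OFFSET + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba, count)
    sector[SIG_OFFSET:] = BOOT_SIG
    return bytes(sector)


# Constructed baseline: a placeholder boot stub and one NTFS partition (type 0x07).
BASELINE = make_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40,
                    [(True, 0x07, 2048, 204800)])
# Constructed "after": the boot code now starts with a different jump; partition untouched.
INFECTED = make_mbr(b"\xeb\x3c" + b"\x90" * 45, [(True, 0x07, 2048, 204800)])

if __name__ == "__main__":
    print(diff_mbr(BASELINE, BASELINE) or ["no change"])
    print(diff_mbr(BASELINE, INFECTED))
```

Hashing only the first 446 bytes is deliberate: the disk signature and partition table legitimately change when volumes are resized, so they are compared structurally rather than folded into the boot-code hash, which keeps a bootkit finding separate from routine disk management.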
MITRE ATT&CK Enterprise v15

Tasks