latentbot | 26d55d977d85ccbd92ac9204083e039d69db38ac2d0440a7b2cb46f4d0376d3d

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
31-07-2024 21:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7df47f4f8e7a1ea9520e4e2fd5350153_JaffaCakes118.exe
Size

28KB
MD5

7df47f4f8e7a1ea9520e4e2fd5350153
SHA1

f6fa5844752fff53d608afe0ef5f6c9d3d211dc5
SHA256

26d55d977d85ccbd92ac9204083e039d69db38ac2d0440a7b2cb46f4d0376d3d
SHA512

b1163c852e798bc6ab13cddf144cb30137656d63bea6552bb46e771604f0cdeccb2e55193eb205d8217f5b9f9499eac19daa68a918799661618525947ae40643
SSDEEP

384:YWqNNA5RWT3qdy4TgGtpBiYrJy0bHPqPrqRd6BcHWCkW62qycuseXzVocCAW4W/K:YWqNuHggNybTU6aV6DeXxsY

Score

10^/10

latentbot persistence trojan

Malware Config

Extracted

Family

latentbot

crazyman131.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Executes dropped EXE 1 IoCs

pid	Process
2832	winlogon.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Logon = "C:\\Users\\Admin\\AppData\\Roaming\\app\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Logon = "C:\\Users\\Admin\\AppData\\Roaming\\app\\winlogon.exe"	7df47f4f8e7a1ea9520e4e2fd5350153_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2660	7df47f4f8e7a1ea9520e4e2fd5350153_JaffaCakes118.exe
Token: SeDebugPrivilege	2832	winlogon.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2832	2660	7df47f4f8e7a1ea9520e4e2fd5350153_JaffaCakes118.exe	31
PID 2660 wrote to memory of 2832	2660	7df47f4f8e7a1ea9520e4e2fd5350153_JaffaCakes118.exe	31
PID 2660 wrote to memory of 2832	2660	7df47f4f8e7a1ea9520e4e2fd5350153_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\7df47f4f8e7a1ea9520e4e2fd5350153_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7df47f4f8e7a1ea9520e4e2fd5350153_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Users\Admin\AppData\Roaming\app\winlogon.exe
  "C:\Users\Admin\AppData\Roaming\app\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\app\winlogon.exe

Filesize
28KB

MD5
7df47f4f8e7a1ea9520e4e2fd5350153

SHA1
f6fa5844752fff53d608afe0ef5f6c9d3d211dc5

SHA256
26d55d977d85ccbd92ac9204083e039d69db38ac2d0440a7b2cb46f4d0376d3d

SHA512
b1163c852e798bc6ab13cddf144cb30137656d63bea6552bb46e771604f0cdeccb2e55193eb205d8217f5b9f9499eac19daa68a918799661618525947ae40643

Download Submit
memory/2660-0-0x000007FEF5943000-0x000007FEF5944000-memory.dmp

Filesize
4KB

Download
memory/2660-1-0x0000000001100000-0x000000000110E000-memory.dmp

Filesize
56KB

Download
memory/2832-8-0x0000000000D60000-0x0000000000D6E000-memory.dmp

Filesize
56KB

Download
memory/2832-7-0x000007FEF4F53000-0x000007FEF4F54000-memory.dmp

Filesize
4KB

Download
memory/2832-10-0x000007FEF4F50000-0x000007FEF593C000-memory.dmp

Filesize
9.9MB

Download
memory/2832-14-0x000007FEF4F50000-0x000007FEF593C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads