Overview

overview

10

Static

static

3

854094ff77...18.exe

windows7-x64

10

854094ff77...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-08-2024 07:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    854094ff77486f4c6a3f1c612bde301f_JaffaCakes118.exe

  • Size

    92KB

  • MD5

    854094ff77486f4c6a3f1c612bde301f

  • SHA1

    c7728dcee24bc3e156d5af91b43b9b553b4ac334

  • SHA256

    4e6ef1e1184a108b432f7cd664246244cee6cd7274143479700f56c855388463

  • SHA512

    ce957e5e16e91b855709b6a8acae5852479be8851e83cc479d4a9efb693db40de956d490d2981c7afd35ebb87c19d3abebf45e568e26498444ffa27b8e2f2e08

  • SSDEEP

    1536:o6t9PDnnGAv25ZjyfeiyI8fCsL+/XV2FiQkRte7/I/lO:o6nK+MN1ifS2l2g8M/lO

Score
10/10
latentbotdefense_evasiondiscoveryevasionpersistencetrojan

Malware Config

Extracted

Family

latentbot

C2

profoundgaming.zapto.org

Signatures

  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

    trojanlatentbot
  • Modifies firewall policy service 3 TTPs 4 IoCs
    evasion
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Modifies WinLogon 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 3 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • NTFS ADS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\854094ff77486f4c6a3f1c612bde301f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\854094ff77486f4c6a3f1c612bde301f_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4928
    • C:\Windows\SysWOW64\cmd.exe
      "cmd"
      2⤵
      • Subvert Trust Controls: Mark-of-the-Web Bypass
      • System Location Discovery: System Language Discovery
      • NTFS ADS
      PID:1084
    • C:\Users\Admin\AppData\Local\Temp\854094ff77486f4c6a3f1c612bde301f_JaffaCakes118.exe
      854094ff77486f4c6a3f1c612bde301f_JaffaCakes118.exe
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • Modifies WinLogon
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2304
      • C:\Users\Admin\AppData\Roaming\rundll32.exe
        "C:\Users\Admin\AppData\Roaming\rundll32.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1932
        • C:\Users\Admin\AppData\Roaming\rundll32.exe
          rundll32.exe
          4⤵
          • Modifies firewall policy service
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2984
        • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\taskhostt.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\taskhostt.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3712
          • C:\Windows\SysWOW64\cmd.exe
            "cmd"
            5⤵
            • Subvert Trust Controls: Mark-of-the-Web Bypass
            • System Location Discovery: System Language Discovery
            • NTFS ADS
            PID:1976
          • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpnetvk.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpnetvk.exe"
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:5088
            • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpnetvk.exe
              wmpnetvk.exe
              6⤵
                PID:4652
      • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\taskhostt.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\taskhostt.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3184
        • C:\Windows\SysWOW64\cmd.exe
          "cmd"
          3⤵
          • Subvert Trust Controls: Mark-of-the-Web Bypass
          • System Location Discovery: System Language Discovery
          • NTFS ADS
          PID:4172
        • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpnetvk.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpnetvk.exe"
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2288
          • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpnetvk.exe
            wmpnetvk.exe
            4⤵
            • Executes dropped EXE
            PID:1252

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Privilege Escalation

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Defense Evasion

    Impair Defenses

    1
    T1562

    Disable or Modify System Firewall

    1
    T1562.004

    Modify Registry

    3
    T1112

    Subvert Trust Controls

    1
    T1553

    SIP and Trust Provider Hijacking

    1
    T1553.003

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\taskhostt.exe
      Filesize

      8KB

      MD5

      7b82b2f80d81897ef6fdfd4f3821c6e5

      SHA1

      c5d2bf5a4134df0b7b23a134c2610bbd84b999cb

      SHA256

      77a9dc848022de79981a1a1667e2b59658e806c6d8874c325b129a36e51e515e

      SHA512

      81c330f841945033c0ceec57ff709be4cc6350edca1419e254ab3f4231f8991efaf227b989127d6bb746c5d961a224105f3d191a96e5711091681075e4b53ebf

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpnetvk.exe
      Filesize

      92KB

      MD5

      854094ff77486f4c6a3f1c612bde301f

      SHA1

      c7728dcee24bc3e156d5af91b43b9b553b4ac334

      SHA256

      4e6ef1e1184a108b432f7cd664246244cee6cd7274143479700f56c855388463

      SHA512

      ce957e5e16e91b855709b6a8acae5852479be8851e83cc479d4a9efb693db40de956d490d2981c7afd35ebb87c19d3abebf45e568e26498444ffa27b8e2f2e08

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpnetvk.exe:ZONE.identifier
      Filesize

      27B

      MD5

      130a75a932a2fe57bfea6a65b88da8f6

      SHA1

      b66d7530d150d45c0a390bb3c2cd4ca4fc404d1c

      SHA256

      f2b79cae559d6772afc1c2ed9468988178f8b6833d5028a15dea73ce47d0196e

      SHA512

      6cd147c6f3af95803b7b0898e97ec2ed374c1f56a487b50e3d22003a67cec26a6fa12a3920b1b5624bde156f9601469ae3c7b7354fa8cf37be76c84121767eed

      Download Submit

    • memory/1932-32-0x00000000748D0000-0x0000000074E81000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1932-62-0x00000000748D0000-0x0000000074E81000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2304-8-0x0000000000400000-0x000000000040F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/2304-10-0x0000000000400000-0x000000000040F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/2984-38-0x0000000000400000-0x000000000040F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/4928-0-0x00000000748D2000-0x00000000748D3000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4928-2-0x00000000748D0000-0x0000000074E81000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4928-1-0x00000000748D0000-0x0000000074E81000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4928-59-0x00000000748D0000-0x0000000074E81000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4928-60-0x00000000748D2000-0x00000000748D3000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4928-61-0x00000000748D0000-0x0000000074E81000-memory.dmp

      Filesize

      5.7MB

      Download