latentbot | 8fa8658250cc2ad2d38231a4398bf4557e1696c9addfc8aa08d9acff15e09d80

General

Target

955026d0cce01ca24e370fc92b191388_JaffaCakes118.exe
Size

290KB
MD5

955026d0cce01ca24e370fc92b191388
SHA1

a8ec01ebbc32e98c8d3b5e77046099a13568c2f3
SHA256

8fa8658250cc2ad2d38231a4398bf4557e1696c9addfc8aa08d9acff15e09d80
SHA512

07ad433cc4b7f55a42bcf892291e1b1f6b7e6c5900458aeb49c3d732ee405f3469f52151248dd11f53cf7b685a8be1072a0eaef7457cef2ff9a1307e0b0c885f
SSDEEP

6144:OgSEOvlo2IDz1gVMlsOjrf1uXrJCoazgu/YuJdZb/7xFz+hfiRhz5TeboX:OCOvlo2xVksOrfExu/Zxb/n8QHO+

Score

10^/10

latentbot discovery persistence trojan

Malware Config

Extracted

Family

latentbot

C2

emmanuelisay.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

server.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68C7BDA9-A9DF-448D-8D14-8C4A7374CC62}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68C7BDA9-A9DF-448D-8D14-8C4A7374CC62}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\server.exe"	server.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2240	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

server.exe

pid	Process
2552	server.exe

Loads dropped DLL 2 IoCs

Processes:

955026d0cce01ca24e370fc92b191388_JaffaCakes118.exe

pid	Process
2680	955026d0cce01ca24e370fc92b191388_JaffaCakes118.exe
2680	955026d0cce01ca24e370fc92b191388_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

955026d0cce01ca24e370fc92b191388_JaffaCakes118.exeserver.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	955026d0cce01ca24e370fc92b191388_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

955026d0cce01ca24e370fc92b191388_JaffaCakes118.exe

description	pid	Process	procid_target
PID 2680 wrote to memory of 2552	2680	955026d0cce01ca24e370fc92b191388_JaffaCakes118.exe	31
PID 2680 wrote to memory of 2552	2680	955026d0cce01ca24e370fc92b191388_JaffaCakes118.exe	31
PID 2680 wrote to memory of 2552	2680	955026d0cce01ca24e370fc92b191388_JaffaCakes118.exe	31
PID 2680 wrote to memory of 2552	2680	955026d0cce01ca24e370fc92b191388_JaffaCakes118.exe	31
PID 2680 wrote to memory of 2240	2680	955026d0cce01ca24e370fc92b191388_JaffaCakes118.exe	32
PID 2680 wrote to memory of 2240	2680	955026d0cce01ca24e370fc92b191388_JaffaCakes118.exe	32
PID 2680 wrote to memory of 2240	2680	955026d0cce01ca24e370fc92b191388_JaffaCakes118.exe	32
PID 2680 wrote to memory of 2240	2680	955026d0cce01ca24e370fc92b191388_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\955026d0cce01ca24e370fc92b191388_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\955026d0cce01ca24e370fc92b191388_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\AppData\Local\server.exe
  "C:\Users\Admin\AppData\Local\server.exe"
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2552
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\melt.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Active Setup

1

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Active Setup

1

T1547.014

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\melt.bat

Filesize
137B

MD5
e694db0fd59f4008fe71005a5e5cad38

SHA1
3b89451d272ee91802ae806bb3b7a802ab7b09d0

SHA256
d009e18eb5fa9938922ff8384611368954dc01b1cf8024b43c440ac972a150e4

SHA512
da14c113ae3c55562ac5b3e536045cbcb5364a52d526ff29510ef017fc07da7542820abcb7ee910ec52a7e6b8ffff3ec75f45215f948031babaf53e8a43df592

Download Submit
\Users\Admin\AppData\Local\server.exe

Filesize
290KB

MD5
955026d0cce01ca24e370fc92b191388

SHA1
a8ec01ebbc32e98c8d3b5e77046099a13568c2f3

SHA256
8fa8658250cc2ad2d38231a4398bf4557e1696c9addfc8aa08d9acff15e09d80

SHA512
07ad433cc4b7f55a42bcf892291e1b1f6b7e6c5900458aeb49c3d732ee405f3469f52151248dd11f53cf7b685a8be1072a0eaef7457cef2ff9a1307e0b0c885f

Download Submit
memory/2552-19-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2680-17-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads