Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    15/08/2024, 23:47

General

  • Target

    9c1c607c7085f6819346979715dda033_JaffaCakes118.exe

  • Size

    981KB

  • MD5

    9c1c607c7085f6819346979715dda033

  • SHA1

    166414beefabaf1866cfdfea8a72b222dcc674dc

  • SHA256

    9b0d3e63e3167214577b30e6f2e19034414f2f565c708f689de51390fe0c772e

  • SHA512

    f1824dd69f9250664c71ae28d5b1045c6551abc5af61f9f44cc0f877de722acb7100d72486584df614979dc27222dba1e1dbeddd02161afc633fab68670176b9

  • SSDEEP

    24576:T/////76QhEtOa5VxNmfFWBlI9G4hOkjIIkGhBLE:fREtO8xNmwB293rIvqB

Malware Config

Extracted

Family

latentbot

C2

1rockanimal.zapto.org

2rockanimal.zapto.org

3rockanimal.zapto.org

4rockanimal.zapto.org

5rockanimal.zapto.org

6rockanimal.zapto.org

7rockanimal.zapto.org

8rockanimal.zapto.org

Signatures

  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

  • Modifies firewall policy service 3 TTPs 8 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9c1c607c7085f6819346979715dda033_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\9c1c607c7085f6819346979715dda033_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\6di0trcl.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2008
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB1D3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB1D2.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3036
    • C:\Users\Admin\AppData\Local\Temp\TUza5.exe
      "C:\Users\Admin\AppData\Local\Temp\TUza5.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:2688
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aiprvdeb.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB3B6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB3B5.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2752
    • C:\Users\Admin\AppData\Local\Temp\bUnQwWvf.exe
      "C:\Users\Admin\AppData\Local\Temp\bUnQwWvf.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2756
    • C:\Users\Admin\AppData\Local\Temp\b5Srg.exe
      C:\Users\Admin\AppData\Local\Temp\b5Srg.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2864
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2588
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:864
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\b5Srg.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\b5Srg.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2608
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\b5Srg.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\b5Srg.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1760
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2640
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:576
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\IGTN21UM2I.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\IGTN21UM2I.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2668
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\IGTN21UM2I.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\IGTN21UM2I.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1236

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESB1D3.tmp

    Filesize

    1KB

    MD5

    c19e36e21f3861e4d8106755d0f32af8

    SHA1

    f720e79b31ce47b08c6afac026b4ea7dffd26bc9

    SHA256

    f4181d937b43274d01cd417116e58e20b3e720fb57013f35a26e5886266c0a96

    SHA512

    bd63a36a7578964baf258d1cf069af399f991fcf0eb66ca8544db9f6ef4eac444e0150b167875205f9637403af7f5be355155e007e70a38ed3a83ca61984330c

  • C:\Users\Admin\AppData\Local\Temp\RESB3B6.tmp

    Filesize

    1KB

    MD5

    6c5c723c607205538f9da0f995ac1eae

    SHA1

    66709ecbb255053235c54b0c450de8fa578f3ab0

    SHA256

    cd6b10e4da5cd9c565aa9a0a976e81a38ed53981e390fa03f8d5c13d16272dd0

    SHA512

    38c72c6fce01cc9102eb53c67ea4d7436b70dc73e9a5eca276e5c46f331dfc5044f52d8d38ca74199689e5ec2ae39270f46e3276471b5ca1a763e5ddd97e0431

  • C:\Users\Admin\AppData\Local\Temp\TUza5.exe

    Filesize

    4KB

    MD5

    2fe4d06b132fcf903e1c479a59f890a7

    SHA1

    9499642e4b50763bfe4ae66218e49a7c8a9f69d6

    SHA256

    b23bc41333f03f4b5c76331b7b3819c33d3029c7ce47ee6b034316124471c2c3

    SHA512

    6d6a7314724881a94a2e374e5d0101006d9c4c0a3231335d6a2b222eb2a6e0dd95e489a9250de1744ec1b533bc1e23aacd8ed2a1d38e1288751b8a287b7e7be8

  • C:\Users\Admin\AppData\Local\Temp\bUnQwWvf.exe

    Filesize

    20KB

    MD5

    b0f29a2310e6c604ae55dbfa07889ef2

    SHA1

    db135993ce46d21e9f67a0f6fafe35d4af76dc8d

    SHA256

    f1a56e8bc78b7ef1dcd68111b1125463f0e43a1f0c92aab7a8052d325e5d64a1

    SHA512

    e631aaff777ab1830b0b5634fcbc87f908cf31a86eb04847d02e523a99f6c79ad8457a0135ed1270e4264e304ca6739f2af3547ed4ba399e00e4781f5607dddf

  • \??\c:\Users\Admin\AppData\Local\Temp\6di0trcl.0.cs

    Filesize

    1KB

    MD5

    e940e1d28d80e3124599d150cc8fb399

    SHA1

    8b8e9390e582e50f9370a5fc14bc85da793b36ba

    SHA256

    73e91506323efce31ff4b24197e6d8e527453a3308dd9d78e38602feb31abad6

    SHA512

    23ee20cc5ca65e67e9d4651b5f90d7c786d84712ec726c4bd725ce40f5241289249fa243b21bb5564aa335e6080f8f775e9eaa47289f8f8c623d44beda25bfd9

  • \??\c:\Users\Admin\AppData\Local\Temp\6di0trcl.cmdline

    Filesize

    258B

    MD5

    6cd551e27b253558b94ef473deb7122d

    SHA1

    06243114d453ece6209ea2c0aabe94a2bf6dc6fb

    SHA256

    7327c4dd82a46ad1a962fc32635c51b1f032c60ebef27251448c488a357be5de

    SHA512

    9057d4b30d3f02fcf345efcfbd77bd9e2fb3c503b68c7ac5281b677c7053323c84d7b272e0010e4e64583ce7e6a45c897031233df6aa96d456e10393610b4038

  • \??\c:\Users\Admin\AppData\Local\Temp\CSCB1D2.tmp

    Filesize

    636B

    MD5

    729f44c1955f67140715900aafbe8403

    SHA1

    f97f52197cdff16634475f1272a6bd5893133206

    SHA256

    36b00dbac3ff22f0d514c99721c3320c95ecaf0e80f80171b40eb0752bc754a6

    SHA512

    142446e606cbad39d89122c409acdef22d9af77ea1332483af08a1069a4308a4b31a8c0809bbcec6a379a98ccb4d4e1d63c50bdbba1ad3e72595de884bd8a5f2

  • \??\c:\Users\Admin\AppData\Local\Temp\CSCB3B5.tmp

    Filesize

    652B

    MD5

    a37aac35a137cd5aa3c2c294239a51a6

    SHA1

    56f6d5860ade02a365e6443d43d09975cf4cf339

    SHA256

    1c3207eeb9c0edf7c1234c30b941c38091d9f1afaf6fde9697c18d1393cb8c79

    SHA512

    f6e945e250eb41d9c99091317581004abce8cc921614fbb37d0fcaa2ce87f65c47d04a9995e46d15430658e73c85e1f4c7777d36a84c45ccc1a85ae59305fd50

  • \??\c:\Users\Admin\AppData\Local\Temp\aiprvdeb.0.cs

    Filesize

    4KB

    MD5

    7df9180c3f5b6196c59973db10b4d440

    SHA1

    2214927c4cbbccc13dc9bba7fecd1089983bae0d

    SHA256

    2f41060f63bf356e7203ebc9d8470cef9857a0e8989e9272f8bbcfd32562b7b0

    SHA512

    00673937e60ef2f830138783ebc05855efa1f579934f5faeb70f40e86bb574e1f5d80cc97471ea930c4f5234acd884b0d80572ef170ecfd384a8a4b0c524db66

  • \??\c:\Users\Admin\AppData\Local\Temp\aiprvdeb.cmdline

    Filesize

    321B

    MD5

    bb288f31969e3963dcf539898d3f55ef

    SHA1

    b5c6389516bfb261b27fa0c759dd419ba0c734af

    SHA256

    ef1448d92d988838accf503c2cedabd68cb47e8e57c14b27d868934b795483db

    SHA512

    a5be4291b19e551a98d665dda6a7e61a6f3c8282d279fdd418a79d882c2b54d0c12a1f86e574e7f2b4cc692fd9fd0fc8715f68dc97a521a720a72e4ef74c5ed3

  • \??\c:\Users\Admin\AppData\Local\Temp\resource.resources

    Filesize

    15KB

    MD5

    db0c52b40bc874c5d7bd341393dedb46

    SHA1

    aba3cb5906f7bf781f29aec29d97a42d00bca493

    SHA256

    a477525c8edd8dcb09abcc36da61222127a221b5caa858d8c0d5284cb5964d98

    SHA512

    441146923575350f4943a5645d954e18c42bcf66384b428f63782d07cd1831f6b67f6a7e24d4e2607ca6529f95c09910285ce33342d554042fa387dd8fd116e3

  • \Users\Admin\AppData\Local\Temp\b5Srg.exe

    Filesize

    31KB

    MD5

    ed797d8dc2c92401985d162e42ffa450

    SHA1

    0f02fc517c7facc4baefde4fe9467fb6488ebabe

    SHA256

    b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

    SHA512

    e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

  • memory/2008-8-0x00000000743C0000-0x000000007496B000-memory.dmp

    Filesize

    5.7MB

  • memory/2008-15-0x00000000743C0000-0x000000007496B000-memory.dmp

    Filesize

    5.7MB

  • memory/2516-59-0x00000000743C0000-0x000000007496B000-memory.dmp

    Filesize

    5.7MB

  • memory/2516-1-0x00000000743C0000-0x000000007496B000-memory.dmp

    Filesize

    5.7MB

  • memory/2516-0-0x00000000743C1000-0x00000000743C2000-memory.dmp

    Filesize

    4KB

  • memory/2516-2-0x00000000743C0000-0x000000007496B000-memory.dmp

    Filesize

    5.7MB

  • memory/2864-48-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2864-51-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2864-46-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2864-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2864-44-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2864-62-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2864-63-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2864-65-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2864-69-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2864-70-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2864-71-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2864-74-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB