latentbot | aa772cb2dcbf58d84be623fd90095bc137cf033e4b2edfd5ebef0696136f7b5f

General

Target

9d1302d7bf9da006d6157f438376d4a2_JaffaCakes118.exe
Size

1.9MB
MD5

9d1302d7bf9da006d6157f438376d4a2
SHA1

90dbdaca78757b6647d01fcee8979768b5248c63
SHA256

aa772cb2dcbf58d84be623fd90095bc137cf033e4b2edfd5ebef0696136f7b5f
SHA512

90c78bf2bbe9c072874081658f378ef2546313f080530f999ec5ad99ddcb7fed913cb1ccc26496b2a909935f7163e5d14bd5144a3d7e0847e7baee65b7c58446
SSDEEP

24576:AaeH5Z7Y4LvYQNqTwVfqiSvtDsg/u8cAWTU/m0Su/K4AAXT9IOLzycJNNym7dty4:AP0mqTGywgG8/vx/K4AADLz7NpT6rG

Score

10^/10

latentbot discovery persistence trojan

Malware Config

Extracted

Family

latentbot

C2

yeniceriler.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Executes dropped EXE 3 IoCs

pid	Process
2752	standard.exe
1128	PATRONUS KOXP BETA V2.EXE
2784	RUNDLL.EXE

Loads dropped DLL 8 IoCs

pid	Process
2688	9d1302d7bf9da006d6157f438376d4a2_JaffaCakes118.exe
2688	9d1302d7bf9da006d6157f438376d4a2_JaffaCakes118.exe
2752	standard.exe
2752	standard.exe
2752	standard.exe
2752	standard.exe
2784	RUNDLL.EXE
1128	PATRONUS KOXP BETA V2.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll = "\"C:\\Users\\Admin\\AppData\\Roaming\\rundll.exe \""	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9d1302d7bf9da006d6157f438376d4a2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	standard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PATRONUS KOXP BETA V2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RUNDLL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2668	reg.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2688	9d1302d7bf9da006d6157f438376d4a2_JaffaCakes118.exe
2752	standard.exe
2752	standard.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1128	PATRONUS KOXP BETA V2.EXE
1128	PATRONUS KOXP BETA V2.EXE
1128	PATRONUS KOXP BETA V2.EXE
2784	RUNDLL.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2752	2688	9d1302d7bf9da006d6157f438376d4a2_JaffaCakes118.exe	30
PID 2688 wrote to memory of 2752	2688	9d1302d7bf9da006d6157f438376d4a2_JaffaCakes118.exe	30
PID 2688 wrote to memory of 2752	2688	9d1302d7bf9da006d6157f438376d4a2_JaffaCakes118.exe	30
PID 2688 wrote to memory of 2752	2688	9d1302d7bf9da006d6157f438376d4a2_JaffaCakes118.exe	30
PID 2752 wrote to memory of 1128	2752	standard.exe	31
PID 2752 wrote to memory of 1128	2752	standard.exe	31
PID 2752 wrote to memory of 1128	2752	standard.exe	31
PID 2752 wrote to memory of 1128	2752	standard.exe	31
PID 2752 wrote to memory of 2784	2752	standard.exe	32
PID 2752 wrote to memory of 2784	2752	standard.exe	32
PID 2752 wrote to memory of 2784	2752	standard.exe	32
PID 2752 wrote to memory of 2784	2752	standard.exe	32
PID 2784 wrote to memory of 2552	2784	RUNDLL.EXE	33
PID 2784 wrote to memory of 2552	2784	RUNDLL.EXE	33
PID 2784 wrote to memory of 2552	2784	RUNDLL.EXE	33
PID 2784 wrote to memory of 2552	2784	RUNDLL.EXE	33
PID 2552 wrote to memory of 2620	2552	cmd.exe	35
PID 2552 wrote to memory of 2620	2552	cmd.exe	35
PID 2552 wrote to memory of 2620	2552	cmd.exe	35
PID 2552 wrote to memory of 2620	2552	cmd.exe	35
PID 2620 wrote to memory of 2668	2620	cmd.exe	36
PID 2620 wrote to memory of 2668	2620	cmd.exe	36
PID 2620 wrote to memory of 2668	2620	cmd.exe	36
PID 2620 wrote to memory of 2668	2620	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\9d1302d7bf9da006d6157f438376d4a2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9d1302d7bf9da006d6157f438376d4a2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Users\Admin\AppData\Local\Temp\standard.exe
  C:\Users\Admin\AppData\Local\Temp\\standard.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Users\Admin\AppData\Roaming\PATRONUS KOXP BETA V2.EXE
    "C:\Users\Admin\AppData\Roaming\PATRONUS KOXP BETA V2.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1128
- - C:\Users\Admin\AppData\Roaming\RUNDLL.EXE
    "C:\Users\Admin\AppData\Roaming\RUNDLL.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\run.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2620
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\run.bat

Filesize
145B

MD5
6b8393408a3f2df19ff1e68a4f720729

SHA1
03cbc980dd47a33bdfa18be80cbd3efdbbaf95c6

SHA256
623fecae412449f60ffd8f38862e73504124afb0754952a45103daff0de5a7c9

SHA512
235e3c1f0074282c8cd8d6d9b6dc0c71ae591f5ca6a2f2248f832359a1a452cfce26b5f80fddc5acd5aae811630441b640212b9b7a885f2d69e67813d8d846ca

Download Submit
C:\Users\Admin\AppData\Roaming\ntldr.dll

Filesize
93KB

MD5
19fc09ffc7c367c396bd944ac36929e5

SHA1
09b4b657ca58881a649e16fc5dffe921e4f05056

SHA256
2d881e059893bc0bfb41d2a515f4ecca0e372df9048a00c873381eb9ae950852

SHA512
d15f9d8099f11611ea117b8302f27362180c4898e1bd52bc026d9a00b5a3010508b5c6fc65fb7dadf20f388c841296703acbd78abe44948ddcd643b530372577

Download Submit
\Users\Admin\AppData\Local\Temp\standard.exe

Filesize
1.6MB

MD5
727584e17fda8988d86807c98474a9ed

SHA1
f081fc566519766c0615de85881e126716010001

SHA256
5cd588f0b934df695ca1c4c68e4c37e8b9e4e37c5df2269554f0f93eab8c158d

SHA512
4c60066f4ca225a57b6aa9d5784dacb93de0d8ff4218929c3937c4f0d27bcfc0514c0f479b85d742fa352c93de854e6e3ebe731e30d4496a53c3171b209c6ebd

Download Submit
\Users\Admin\AppData\Roaming\patronus koxp beta v2.exe

Filesize
312KB

MD5
b5c1d15af4fbffc007455d6f4d04d44b

SHA1
9a1408ec20408e9ec28b69f7f99f5f890382de1d

SHA256
f7224cea711bb0918ed5ca8c857349a9d7fc0498b37ae7267fd2298ec284aa2e

SHA512
b6a2ac51af38cb6fd967a4f5dbf63655553cd2aa82658b237e73f55bc3a8ae625ee72f7ce04e232bcd6bdd752801b1ac3a6717f53edc0b4bd7bb91543a27f18e

Download Submit
\Users\Admin\AppData\Roaming\rundll.exe

Filesize
678KB

MD5
b4d736875783a1048e6e216d3b2b38c6

SHA1
1496c92d77fef5a02934bccec920c08ea97f43f7

SHA256
1de33c51c314957f3fc1084cbeac14ac6b1552da21b7fd91e604aca00e514b98

SHA512
d64d43663330caef3f8a65a37b9ab93b4a662308776faf390f3d1b59e9540572b7f262b04acd3737a90fbe542773ac94e32413058d84024c6c3e388e918a3865

Download Submit
memory/1128-37-0x0000000000600000-0x000000000061C000-memory.dmp

Filesize
112KB

Download
memory/1128-46-0x0000000000600000-0x000000000061C000-memory.dmp

Filesize
112KB

Download
memory/2688-10-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2752-30-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/2752-8-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2784-34-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2784-48-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2784-47-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads