latentbot | ee268b91629f196135bc24c194a32afceddaf6b7db0b9d27bdd68818ad887016

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe
Size

868KB
MD5

a8871e8d7fe2e9c0476b1b9c191ab16d
SHA1

73f3bd2dde3a7c006276c8f3732cadf8ab0a01f2
SHA256

ee268b91629f196135bc24c194a32afceddaf6b7db0b9d27bdd68818ad887016
SHA512

d22d1e23bce03d604c4160f9a4eca30687fbc06d158b1d6111708977ae3c0b1fb0cd0ff4e4966d13fd88e7fcc54bbcd9e6964fb06ae39e1235016692273d30aa
SSDEEP

12288:qo2VOCmcf8ySc8+i0jJdbBmvS2mIAwOh+2b9M204PnY8MQz5tCcAPzc5yuLofrgq:5a/pB2bmIkA2b9Z04PBMQb7i45ypzga

Score

10^/10

latentbot bootkit discovery evasion persistence trojan upx

Malware Config

Extracted

Family

latentbot

1juliagaetz.zapto.org

2juliagaetz.zapto.org

3juliagaetz.zapto.org

4juliagaetz.zapto.org

5juliagaetz.zapto.org

6juliagaetz.zapto.org

7juliagaetz.zapto.org

8juliagaetz.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Modifies firewall policy service 3 TTPs 18 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\MKH3VSB8QJ.exe = "C:\\Users\\Admin\\AppData\\Roaming\\MKH3VSB8QJ.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\YPD1T0MXKQ.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YPD1T0MXKQ.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\RT3A2QOp8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RT3A2QOp8.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\YPD1T0MXKQ.exe = "C:\\Users\\Admin\\AppData\\Roaming\\YPD1T0MXKQ.exe:*:Enabled:Windows Messanger"	reg.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	YPD1T0MXKQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\YPD1T0MXKQ.exe"	YPD1T0MXKQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	RT3A2QOp8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\MKH3VSB8QJ.exe"	RT3A2QOp8.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{7E97FCF9-DFFF-A410-94DC-FC6FD4ADEC2D}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\YPD1T0MXKQ.exe"	YPD1T0MXKQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBBAEB0F-AF95-F4EE-2EDA-7CF5FAFADFFB}	RT3A2QOp8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBBAEB0F-AF95-F4EE-2EDA-7CF5FAFADFFB}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\MKH3VSB8QJ.exe"	RT3A2QOp8.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{DBBAEB0F-AF95-F4EE-2EDA-7CF5FAFADFFB}	RT3A2QOp8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{DBBAEB0F-AF95-F4EE-2EDA-7CF5FAFADFFB}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\MKH3VSB8QJ.exe"	RT3A2QOp8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E97FCF9-DFFF-A410-94DC-FC6FD4ADEC2D}	YPD1T0MXKQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E97FCF9-DFFF-A410-94DC-FC6FD4ADEC2D}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\YPD1T0MXKQ.exe"	YPD1T0MXKQ.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{7E97FCF9-DFFF-A410-94DC-FC6FD4ADEC2D}	YPD1T0MXKQ.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

pid	Process
1156	YPD1T0MXKQ.exe
3852	RT3A2QOp8.exe
4572	RT3A2QOp8.exe
232	RT3A2QOp8.exe

UPX packed file 31 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000c0000000233d8-12.dat	upx
behavioral2/memory/1156-19-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/232-45-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/232-49-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/232-47-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/1156-59-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/1156-63-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/232-66-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/1156-69-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/232-72-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/1156-76-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/232-80-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/1156-83-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/232-86-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/1156-89-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/232-92-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/1156-95-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/232-98-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/1156-101-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/232-104-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/1156-107-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/1156-113-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/232-116-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/1156-119-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/232-122-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/1156-125-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/232-128-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/1156-131-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/232-134-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/1156-137-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/1156-143-0x0000000000400000-0x0000000000473000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\YPD1T0MXKQ.exe"	YPD1T0MXKQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\MKH3VSB8QJ.exe"	RT3A2QOp8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\MKH3VSB8QJ.exe"	RT3A2QOp8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\YPD1T0MXKQ.exe"	YPD1T0MXKQ.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	RT3A2QOp8.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3304 set thread context of 2336	3304	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe	87
PID 3852 set thread context of 4572	3852	RT3A2QOp8.exe	90
PID 4572 set thread context of 232	4572	RT3A2QOp8.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RT3A2QOp8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RT3A2QOp8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YPD1T0MXKQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RT3A2QOp8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 8 IoCs

Modify Registry

T1112

pid	Process
3092	reg.exe
3548	reg.exe
2180	reg.exe
3728	reg.exe
3512	reg.exe
5092	reg.exe
2728	reg.exe
3300	reg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 1	1156	YPD1T0MXKQ.exe
Token: SeCreateTokenPrivilege	1156	YPD1T0MXKQ.exe
Token: SeAssignPrimaryTokenPrivilege	1156	YPD1T0MXKQ.exe
Token: SeLockMemoryPrivilege	1156	YPD1T0MXKQ.exe
Token: SeIncreaseQuotaPrivilege	1156	YPD1T0MXKQ.exe
Token: SeMachineAccountPrivilege	1156	YPD1T0MXKQ.exe
Token: SeTcbPrivilege	1156	YPD1T0MXKQ.exe
Token: SeSecurityPrivilege	1156	YPD1T0MXKQ.exe
Token: SeTakeOwnershipPrivilege	1156	YPD1T0MXKQ.exe
Token: SeLoadDriverPrivilege	1156	YPD1T0MXKQ.exe
Token: SeSystemProfilePrivilege	1156	YPD1T0MXKQ.exe
Token: SeSystemtimePrivilege	1156	YPD1T0MXKQ.exe
Token: SeProfSingleProcessPrivilege	1156	YPD1T0MXKQ.exe
Token: SeIncBasePriorityPrivilege	1156	YPD1T0MXKQ.exe
Token: SeCreatePagefilePrivilege	1156	YPD1T0MXKQ.exe
Token: SeCreatePermanentPrivilege	1156	YPD1T0MXKQ.exe
Token: SeBackupPrivilege	1156	YPD1T0MXKQ.exe
Token: SeRestorePrivilege	1156	YPD1T0MXKQ.exe
Token: SeShutdownPrivilege	1156	YPD1T0MXKQ.exe
Token: SeDebugPrivilege	1156	YPD1T0MXKQ.exe
Token: SeAuditPrivilege	1156	YPD1T0MXKQ.exe
Token: SeSystemEnvironmentPrivilege	1156	YPD1T0MXKQ.exe
Token: SeChangeNotifyPrivilege	1156	YPD1T0MXKQ.exe
Token: SeRemoteShutdownPrivilege	1156	YPD1T0MXKQ.exe
Token: SeUndockPrivilege	1156	YPD1T0MXKQ.exe
Token: SeSyncAgentPrivilege	1156	YPD1T0MXKQ.exe
Token: SeEnableDelegationPrivilege	1156	YPD1T0MXKQ.exe
Token: SeManageVolumePrivilege	1156	YPD1T0MXKQ.exe
Token: SeImpersonatePrivilege	1156	YPD1T0MXKQ.exe
Token: SeCreateGlobalPrivilege	1156	YPD1T0MXKQ.exe
Token: 31	1156	YPD1T0MXKQ.exe
Token: 32	1156	YPD1T0MXKQ.exe
Token: 33	1156	YPD1T0MXKQ.exe
Token: 34	1156	YPD1T0MXKQ.exe
Token: 35	1156	YPD1T0MXKQ.exe
Token: 1	232	RT3A2QOp8.exe
Token: SeCreateTokenPrivilege	232	RT3A2QOp8.exe
Token: SeAssignPrimaryTokenPrivilege	232	RT3A2QOp8.exe
Token: SeLockMemoryPrivilege	232	RT3A2QOp8.exe
Token: SeIncreaseQuotaPrivilege	232	RT3A2QOp8.exe
Token: SeMachineAccountPrivilege	232	RT3A2QOp8.exe
Token: SeTcbPrivilege	232	RT3A2QOp8.exe
Token: SeSecurityPrivilege	232	RT3A2QOp8.exe
Token: SeTakeOwnershipPrivilege	232	RT3A2QOp8.exe
Token: SeLoadDriverPrivilege	232	RT3A2QOp8.exe
Token: SeSystemProfilePrivilege	232	RT3A2QOp8.exe
Token: SeSystemtimePrivilege	232	RT3A2QOp8.exe
Token: SeProfSingleProcessPrivilege	232	RT3A2QOp8.exe
Token: SeIncBasePriorityPrivilege	232	RT3A2QOp8.exe
Token: SeCreatePagefilePrivilege	232	RT3A2QOp8.exe
Token: SeCreatePermanentPrivilege	232	RT3A2QOp8.exe
Token: SeBackupPrivilege	232	RT3A2QOp8.exe
Token: SeRestorePrivilege	232	RT3A2QOp8.exe
Token: SeShutdownPrivilege	232	RT3A2QOp8.exe
Token: SeDebugPrivilege	232	RT3A2QOp8.exe
Token: SeAuditPrivilege	232	RT3A2QOp8.exe
Token: SeSystemEnvironmentPrivilege	232	RT3A2QOp8.exe
Token: SeChangeNotifyPrivilege	232	RT3A2QOp8.exe
Token: SeRemoteShutdownPrivilege	232	RT3A2QOp8.exe
Token: SeUndockPrivilege	232	RT3A2QOp8.exe
Token: SeSyncAgentPrivilege	232	RT3A2QOp8.exe
Token: SeEnableDelegationPrivilege	232	RT3A2QOp8.exe
Token: SeManageVolumePrivilege	232	RT3A2QOp8.exe
Token: SeImpersonatePrivilege	232	RT3A2QOp8.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3304	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe
2336	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe
1156	YPD1T0MXKQ.exe
1156	YPD1T0MXKQ.exe
3852	RT3A2QOp8.exe
4572	RT3A2QOp8.exe
232	RT3A2QOp8.exe
232	RT3A2QOp8.exe
232	RT3A2QOp8.exe
1156	YPD1T0MXKQ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3304 wrote to memory of 2336	3304	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe	87
PID 3304 wrote to memory of 2336	3304	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe	87
PID 3304 wrote to memory of 2336	3304	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe	87
PID 3304 wrote to memory of 2336	3304	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe	87
PID 3304 wrote to memory of 2336	3304	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe	87
PID 3304 wrote to memory of 2336	3304	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe	87
PID 3304 wrote to memory of 2336	3304	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe	87
PID 3304 wrote to memory of 2336	3304	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe	87
PID 2336 wrote to memory of 1156	2336	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe	88
PID 2336 wrote to memory of 1156	2336	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe	88
PID 2336 wrote to memory of 1156	2336	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe	88
PID 2336 wrote to memory of 3852	2336	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe	89
PID 2336 wrote to memory of 3852	2336	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe	89
PID 2336 wrote to memory of 3852	2336	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe	89
PID 3852 wrote to memory of 4572	3852	RT3A2QOp8.exe	90
PID 3852 wrote to memory of 4572	3852	RT3A2QOp8.exe	90
PID 3852 wrote to memory of 4572	3852	RT3A2QOp8.exe	90
PID 3852 wrote to memory of 4572	3852	RT3A2QOp8.exe	90
PID 3852 wrote to memory of 4572	3852	RT3A2QOp8.exe	90
PID 3852 wrote to memory of 4572	3852	RT3A2QOp8.exe	90
PID 3852 wrote to memory of 4572	3852	RT3A2QOp8.exe	90
PID 3852 wrote to memory of 4572	3852	RT3A2QOp8.exe	90
PID 4572 wrote to memory of 232	4572	RT3A2QOp8.exe	91
PID 4572 wrote to memory of 232	4572	RT3A2QOp8.exe	91
PID 4572 wrote to memory of 232	4572	RT3A2QOp8.exe	91
PID 4572 wrote to memory of 232	4572	RT3A2QOp8.exe	91
PID 4572 wrote to memory of 232	4572	RT3A2QOp8.exe	91
PID 4572 wrote to memory of 232	4572	RT3A2QOp8.exe	91
PID 4572 wrote to memory of 232	4572	RT3A2QOp8.exe	91
PID 4572 wrote to memory of 232	4572	RT3A2QOp8.exe	91
PID 232 wrote to memory of 4748	232	RT3A2QOp8.exe	92
PID 232 wrote to memory of 4748	232	RT3A2QOp8.exe	92
PID 232 wrote to memory of 4748	232	RT3A2QOp8.exe	92
PID 232 wrote to memory of 1532	232	RT3A2QOp8.exe	93
PID 232 wrote to memory of 1532	232	RT3A2QOp8.exe	93
PID 232 wrote to memory of 1532	232	RT3A2QOp8.exe	93
PID 232 wrote to memory of 2444	232	RT3A2QOp8.exe	94
PID 232 wrote to memory of 2444	232	RT3A2QOp8.exe	94
PID 232 wrote to memory of 2444	232	RT3A2QOp8.exe	94
PID 232 wrote to memory of 1480	232	RT3A2QOp8.exe	95
PID 232 wrote to memory of 1480	232	RT3A2QOp8.exe	95
PID 232 wrote to memory of 1480	232	RT3A2QOp8.exe	95
PID 4748 wrote to memory of 3300	4748	cmd.exe	100
PID 4748 wrote to memory of 3300	4748	cmd.exe	100
PID 4748 wrote to memory of 3300	4748	cmd.exe	100
PID 2444 wrote to memory of 3548	2444	cmd.exe	101
PID 2444 wrote to memory of 3548	2444	cmd.exe	101
PID 2444 wrote to memory of 3548	2444	cmd.exe	101
PID 1480 wrote to memory of 3092	1480	cmd.exe	102
PID 1480 wrote to memory of 3092	1480	cmd.exe	102
PID 1480 wrote to memory of 3092	1480	cmd.exe	102
PID 1532 wrote to memory of 2180	1532	cmd.exe	103
PID 1532 wrote to memory of 2180	1532	cmd.exe	103
PID 1532 wrote to memory of 2180	1532	cmd.exe	103
PID 1156 wrote to memory of 2848	1156	YPD1T0MXKQ.exe	108
PID 1156 wrote to memory of 2848	1156	YPD1T0MXKQ.exe	108
PID 1156 wrote to memory of 2848	1156	YPD1T0MXKQ.exe	108
PID 1156 wrote to memory of 1624	1156	YPD1T0MXKQ.exe	109
PID 1156 wrote to memory of 1624	1156	YPD1T0MXKQ.exe	109
PID 1156 wrote to memory of 1624	1156	YPD1T0MXKQ.exe	109
PID 1156 wrote to memory of 4644	1156	YPD1T0MXKQ.exe	110
PID 1156 wrote to memory of 4644	1156	YPD1T0MXKQ.exe	110
PID 1156 wrote to memory of 4644	1156	YPD1T0MXKQ.exe	110
PID 1156 wrote to memory of 4512	1156	YPD1T0MXKQ.exe	111

C:\Users\Admin\AppData\Local\Temp\a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Users\Admin\AppData\Local\Temp\a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Users\Admin\AppData\Local\Temp\YPD1T0MXKQ.exe
    "C:\Users\Admin\AppData\Local\Temp\YPD1T0MXKQ.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1156
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2848
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5092
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\YPD1T0MXKQ.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YPD1T0MXKQ.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1624
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\YPD1T0MXKQ.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YPD1T0MXKQ.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3512
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4644
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3728
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\YPD1T0MXKQ.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\YPD1T0MXKQ.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4512
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\YPD1T0MXKQ.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\YPD1T0MXKQ.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2728
- - C:\Users\Admin\AppData\Local\Temp\RT3A2QOp8.exe
    "C:\Users\Admin\AppData\Local\Temp\RT3A2QOp8.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3852
  - - C:\Users\Admin\AppData\Local\Temp\RT3A2QOp8.exe
      "C:\Users\Admin\AppData\Local\Temp\RT3A2QOp8.exe"
      4⤵
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4572
    - - C:\Users\Admin\AppData\Local\Temp\RT3A2QOp8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RT3A2QOp8.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:232
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        7⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3300
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\RT3A2QOp8.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RT3A2QOp8.exe:*:Enabled:Windows Messanger" /f
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\RT3A2QOp8.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RT3A2QOp8.exe:*:Enabled:Windows Messanger" /f
        7⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2180
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        7⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3548
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\MKH3VSB8QJ.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MKH3VSB8QJ.exe:*:Enabled:Windows Messanger" /f
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\MKH3VSB8QJ.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MKH3VSB8QJ.exe:*:Enabled:Windows Messanger" /f
        7⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RT3A2QOp8.exe

Filesize
436KB

MD5
8c3aa7ee66dd0e83ab8d546212dccae6

SHA1
03c373c4924259807b6a74d6d4b8f9305fa1fd39

SHA256
b06b54515a86705c2d7e54bea6d92df09a313aee119e1f3974fb910c5f60968d

SHA512
8b625c08ef22cfabe58a966b90def1309d04ce030669e55d70ee1c6615b27e22b72f3f02316cfa7f9f5e788bcbfa375f00b02b4e6e0a37294eead14fe3d8a153

Download Submit
C:\Users\Admin\AppData\Local\Temp\YPD1T0MXKQ.exe

Filesize
162KB

MD5
cab361c6b9025935a054c8b42135a850

SHA1
5aef399df5e884a7ba0031adb7666cbb829a716c

SHA256
320dbe17b2b61797119975af9ac0a868499da1b27f9ea4abfd62f7224dc1f540

SHA512
293bdafd7c39e4666e3241f9e102c6bd7391faa1adc22245d6caa04473e20eef63fb14dbfe1924548d16e3f800b3bd28828d40995900fa862c15f05e74648fb6

Download Submit
C:\Users\Admin\AppData\Roaming\yup

Filesize
34B

MD5
baf87294474a9dc7482704549f0196fc

SHA1
10554134c71965c7b4438851c25e8c7673ae9846

SHA256
83555614e1caa609462f55e5186ba9e4d0fa6b17554a1bfca28ddd65688d0e54

SHA512
74c7d59ca4d5cb50bf1880457319ad28ef6fb1bf10168d69061fef332b7292f7b9312854963a7e8951725d95f18e600cb3316de41ecb6f1de9ff203fa839d606

Download Submit
memory/232-45-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/232-72-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/232-134-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/232-128-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/232-122-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/232-116-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/232-104-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/232-86-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/232-80-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/232-47-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/232-98-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/232-92-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/232-49-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/232-66-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1156-113-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1156-119-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1156-76-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1156-143-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1156-63-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1156-137-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1156-101-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1156-89-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1156-59-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1156-95-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1156-83-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1156-19-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1156-131-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1156-107-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1156-125-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1156-69-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2336-35-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2336-5-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2336-3-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/3304-0-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/3852-31-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4572-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4572-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4572-53-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads