latentbot | 78bc319cd75789275f596f4ea94fdc32177107ecb488021426834b48703daf97

Analysis

max time kernel
141s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19-08-2024 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aaa99b4243785f3f874177200a53d2cb_JaffaCakes118.exe
Size

1.5MB
MD5

aaa99b4243785f3f874177200a53d2cb
SHA1

20e07b3e62060c294f02d3f93ec703eb0b8e385d
SHA256

78bc319cd75789275f596f4ea94fdc32177107ecb488021426834b48703daf97
SHA512

4409caad70c92e9b3b68c4d402d7f7b00f14b3f32b3021a226906ee90f390654a7b517f48b3fb2e6a96853a01854b4a60093877ce5662d6bcf5fd2e004678566
SSDEEP

24576:l+i2GEBR+w0nGTkC29Tbk+AjWSWgHF0ZBR0v69d0LxvfXsHiDje0dfnMHMekfiLK:lUGEBRAokQ+SWKOX9I3XsHMesfMH1Pvq

Score

10^/10

latentbot discovery persistence trojan

Malware Config

Extracted

Family

latentbot

yeniceriler.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Executes dropped EXE 3 IoCs

Processes:

setup.exehell koxp v1833.exescrss.exe

pid	Process
2168	setup.exe
2276	hell koxp v1833.exe
1720	scrss.exe

Loads dropped DLL 16 IoCs

Processes:

aaa99b4243785f3f874177200a53d2cb_JaffaCakes118.exesetup.exehell koxp v1833.exescrss.exe

pid	Process
2232	aaa99b4243785f3f874177200a53d2cb_JaffaCakes118.exe
2168	setup.exe
2168	setup.exe
2168	setup.exe
2168	setup.exe
2168	setup.exe
2276	hell koxp v1833.exe
2276	hell koxp v1833.exe
2276	hell koxp v1833.exe
2168	setup.exe
2168	setup.exe
1720	scrss.exe
1720	scrss.exe
1720	scrss.exe
1720	scrss.exe
2276	hell koxp v1833.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\scrss = "\"C:\\Users\\Admin\\AppData\\Local\\scrss.exe \""	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

reg.exeaaa99b4243785f3f874177200a53d2cb_JaffaCakes118.exesetup.exehell koxp v1833.exescrss.execmd.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaa99b4243785f3f874177200a53d2cb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hell koxp v1833.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
2712	reg.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

setup.exescrss.exe

pid	Process
2168	setup.exe
1720	scrss.exe
1720	scrss.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

hell koxp v1833.exescrss.exe

pid	Process
2276	hell koxp v1833.exe
1720	scrss.exe
2276	hell koxp v1833.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

aaa99b4243785f3f874177200a53d2cb_JaffaCakes118.exesetup.exescrss.execmd.execmd.exe

description	pid	Process	procid_target
PID 2232 wrote to memory of 2168	2232	aaa99b4243785f3f874177200a53d2cb_JaffaCakes118.exe	28
PID 2232 wrote to memory of 2168	2232	aaa99b4243785f3f874177200a53d2cb_JaffaCakes118.exe	28
PID 2232 wrote to memory of 2168	2232	aaa99b4243785f3f874177200a53d2cb_JaffaCakes118.exe	28
PID 2232 wrote to memory of 2168	2232	aaa99b4243785f3f874177200a53d2cb_JaffaCakes118.exe	28
PID 2232 wrote to memory of 2168	2232	aaa99b4243785f3f874177200a53d2cb_JaffaCakes118.exe	28
PID 2232 wrote to memory of 2168	2232	aaa99b4243785f3f874177200a53d2cb_JaffaCakes118.exe	28
PID 2232 wrote to memory of 2168	2232	aaa99b4243785f3f874177200a53d2cb_JaffaCakes118.exe	28
PID 2168 wrote to memory of 2276	2168	setup.exe	29
PID 2168 wrote to memory of 2276	2168	setup.exe	29
PID 2168 wrote to memory of 2276	2168	setup.exe	29
PID 2168 wrote to memory of 2276	2168	setup.exe	29
PID 2168 wrote to memory of 2276	2168	setup.exe	29
PID 2168 wrote to memory of 2276	2168	setup.exe	29
PID 2168 wrote to memory of 2276	2168	setup.exe	29
PID 2168 wrote to memory of 1720	2168	setup.exe	30
PID 2168 wrote to memory of 1720	2168	setup.exe	30
PID 2168 wrote to memory of 1720	2168	setup.exe	30
PID 2168 wrote to memory of 1720	2168	setup.exe	30
PID 2168 wrote to memory of 1720	2168	setup.exe	30
PID 2168 wrote to memory of 1720	2168	setup.exe	30
PID 2168 wrote to memory of 1720	2168	setup.exe	30
PID 1720 wrote to memory of 2732	1720	scrss.exe	31
PID 1720 wrote to memory of 2732	1720	scrss.exe	31
PID 1720 wrote to memory of 2732	1720	scrss.exe	31
PID 1720 wrote to memory of 2732	1720	scrss.exe	31
PID 1720 wrote to memory of 2732	1720	scrss.exe	31
PID 1720 wrote to memory of 2732	1720	scrss.exe	31
PID 1720 wrote to memory of 2732	1720	scrss.exe	31
PID 2732 wrote to memory of 3064	2732	cmd.exe	33
PID 2732 wrote to memory of 3064	2732	cmd.exe	33
PID 2732 wrote to memory of 3064	2732	cmd.exe	33
PID 2732 wrote to memory of 3064	2732	cmd.exe	33
PID 2732 wrote to memory of 3064	2732	cmd.exe	33
PID 2732 wrote to memory of 3064	2732	cmd.exe	33
PID 2732 wrote to memory of 3064	2732	cmd.exe	33
PID 3064 wrote to memory of 2712	3064	cmd.exe	34
PID 3064 wrote to memory of 2712	3064	cmd.exe	34
PID 3064 wrote to memory of 2712	3064	cmd.exe	34
PID 3064 wrote to memory of 2712	3064	cmd.exe	34
PID 3064 wrote to memory of 2712	3064	cmd.exe	34
PID 3064 wrote to memory of 2712	3064	cmd.exe	34
PID 3064 wrote to memory of 2712	3064	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\aaa99b4243785f3f874177200a53d2cb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aaa99b4243785f3f874177200a53d2cb_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Roaming\Microsoft\setup.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Users\Admin\AppData\Local\hell koxp v1833.exe
    "C:\Users\Admin\AppData\Local\hell koxp v1833.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2276
- - C:\Users\Admin\AppData\Local\scrss.exe
    "C:\Users\Admin\AppData\Local\scrss.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1720
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\run.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V scrss /D "\"C:\Users\Admin\AppData\Local\scrss.exe \"" /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3064
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V scrss /D "\"C:\Users\Admin\AppData\Local\scrss.exe \"" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\run.bat

Filesize
141B

MD5
c43bd7836a8cf448f69638e14889ace4

SHA1
b7cdd6cabefdecad0f27f0c56215661e3fe2bb60

SHA256
c5d8cfcd50c0a777ec07376edcb4a80b2e22bb8d115c2d2f5718022fb78e82d9

SHA512
077301b1326b81e6069d66e7ddf6605809b74db34a4b131994089bd49787d172052e70ee980b66915bf665385355a80da6a5981bc5f1971b74145f499e73adf2

Download Submit
C:\Users\Admin\AppData\Local\ntldr.dll

Filesize
238KB

MD5
8380322522bb509450441bfd9eb341be

SHA1
6e72ee00e97d26bd62d956f87d5a8e83fa70104a

SHA256
1bfe346c455fa962ef1113b0ab6915a4b290ddaad7618c94caa8a3f17e2be71e

SHA512
7faa191d0750408db656762f9a98ec56968a88a3c8672b7135576544c67d76370e85634604e3b8d35b2d64ff2a7cfbac75f8f22ee900ba25b957ca1123071c5e

Download Submit
C:\Users\Admin\AppData\Local\scrss.exe

Filesize
444KB

MD5
25608cff73c670b09bf408c82c97439c

SHA1
3e964cb75ea63a5751016ff3517b7ad9591ada36

SHA256
29942edd22b484ba3f6d597e5d38c44272476de6d7fb6f525cf09e247cd1e9e5

SHA512
d23476d4c7bc9f99c9214065c2fe89626c772d92c102dfb9b9dd18e9f039b05712ac5a32dac4780b55b7b5c2b35591c3f36614718dfae087da0b6b2d0696625e

Download Submit
\Users\Admin\AppData\Local\hell koxp v1833.exe

Filesize
100KB

MD5
9046c9a85e2cca9e7772631aa7cb0897

SHA1
eb094d4d62b9b52ba500823d5d9901cd4a3ecbc0

SHA256
4397485a59ffe7dbd98491c5544e19d43f262663c8be15a02bac4d020c4cee28

SHA512
46e73523f7a38db8eb157e83fc933f809862ac20dc2a447dd8e56f828c40b411a29516bac9ecfdc09bee9d0dbcff84dc7098a544d8a0640aad7eedf9be6e9c14

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\setup.exe

Filesize
1.0MB

MD5
a141bf6a16c06dccabe0c1e523f74a2f

SHA1
f0dca64f1dfd9a8b1dd7ae154dce5f47291a6c56

SHA256
bf428f058b272800cec5bb24f10298c9264f36f10c29d6c8e58a3bdd12641b42

SHA512
6cea71be7cbdf24c08afd2decac5293a4e687f26b2426792fbaea83696ac7e4a04d000cffb29a2aca76aee6f360801cdc95ed1acd13119b42b54aed22d89bff8

Download Submit
memory/1720-40-0x0000000000230000-0x0000000000270000-memory.dmp

Filesize
256KB

Download
memory/1720-58-0x0000000000230000-0x0000000000270000-memory.dmp

Filesize
256KB

Download
memory/1720-57-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1720-59-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2168-36-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2232-8-0x0000000004000000-0x0000000004193000-memory.dmp

Filesize
1.6MB

Download
memory/2232-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2276-47-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download
memory/2276-56-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download