latentbot | 78bc319cd75789275f596f4ea94fdc32177107ecb488021426834b48703daf97

General

Target

aaa99b4243785f3f874177200a53d2cb_JaffaCakes118.exe
Size

1.5MB
MD5

aaa99b4243785f3f874177200a53d2cb
SHA1

20e07b3e62060c294f02d3f93ec703eb0b8e385d
SHA256

78bc319cd75789275f596f4ea94fdc32177107ecb488021426834b48703daf97
SHA512

4409caad70c92e9b3b68c4d402d7f7b00f14b3f32b3021a226906ee90f390654a7b517f48b3fb2e6a96853a01854b4a60093877ce5662d6bcf5fd2e004678566
SSDEEP

24576:l+i2GEBR+w0nGTkC29Tbk+AjWSWgHF0ZBR0v69d0LxvfXsHiDje0dfnMHMekfiLK:lUGEBRAokQ+SWKOX9I3XsHMesfMH1Pvq

Score

10^/10

latentbot discovery persistence trojan

Malware Config

Extracted

Family

latentbot

C2

yeniceriler.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

aaa99b4243785f3f874177200a53d2cb_JaffaCakes118.exesetup.exescrss.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	aaa99b4243785f3f874177200a53d2cb_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	scrss.exe

Executes dropped EXE 3 IoCs

Processes:

setup.exehell koxp v1833.exescrss.exe

pid	Process
4636	setup.exe
4132	hell koxp v1833.exe
2604	scrss.exe

Loads dropped DLL 4 IoCs

Processes:

scrss.exehell koxp v1833.exe

pid	Process
2604	scrss.exe
2604	scrss.exe
4132	hell koxp v1833.exe
4132	hell koxp v1833.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\scrss = "\"C:\\Users\\Admin\\AppData\\Local\\scrss.exe \""	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

aaa99b4243785f3f874177200a53d2cb_JaffaCakes118.exesetup.exehell koxp v1833.exescrss.execmd.execmd.exereg.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaa99b4243785f3f874177200a53d2cb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hell koxp v1833.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
1388	reg.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

setup.exescrss.exe

pid	Process
4636	setup.exe
4636	setup.exe
2604	scrss.exe
2604	scrss.exe
2604	scrss.exe
2604	scrss.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

hell koxp v1833.exescrss.exe

pid	Process
4132	hell koxp v1833.exe
2604	scrss.exe
4132	hell koxp v1833.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

aaa99b4243785f3f874177200a53d2cb_JaffaCakes118.exesetup.exescrss.execmd.execmd.exe

description	pid	Process	procid_target
PID 1180 wrote to memory of 4636	1180	aaa99b4243785f3f874177200a53d2cb_JaffaCakes118.exe	86
PID 1180 wrote to memory of 4636	1180	aaa99b4243785f3f874177200a53d2cb_JaffaCakes118.exe	86
PID 1180 wrote to memory of 4636	1180	aaa99b4243785f3f874177200a53d2cb_JaffaCakes118.exe	86
PID 4636 wrote to memory of 4132	4636	setup.exe	88
PID 4636 wrote to memory of 4132	4636	setup.exe	88
PID 4636 wrote to memory of 4132	4636	setup.exe	88
PID 4636 wrote to memory of 2604	4636	setup.exe	89
PID 4636 wrote to memory of 2604	4636	setup.exe	89
PID 4636 wrote to memory of 2604	4636	setup.exe	89
PID 2604 wrote to memory of 4972	2604	scrss.exe	90
PID 2604 wrote to memory of 4972	2604	scrss.exe	90
PID 2604 wrote to memory of 4972	2604	scrss.exe	90
PID 4972 wrote to memory of 2952	4972	cmd.exe	92
PID 4972 wrote to memory of 2952	4972	cmd.exe	92
PID 4972 wrote to memory of 2952	4972	cmd.exe	92
PID 2952 wrote to memory of 1388	2952	cmd.exe	93
PID 2952 wrote to memory of 1388	2952	cmd.exe	93
PID 2952 wrote to memory of 1388	2952	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\aaa99b4243785f3f874177200a53d2cb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aaa99b4243785f3f874177200a53d2cb_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Users\Admin\AppData\Roaming\Microsoft\setup.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4636
- - C:\Users\Admin\AppData\Local\hell koxp v1833.exe
    "C:\Users\Admin\AppData\Local\hell koxp v1833.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4132
- - C:\Users\Admin\AppData\Local\scrss.exe
    "C:\Users\Admin\AppData\Local\scrss.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4972
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V scrss /D "\"C:\Users\Admin\AppData\Local\scrss.exe \"" /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2952
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V scrss /D "\"C:\Users\Admin\AppData\Local\scrss.exe \"" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\run.bat

Filesize
141B

MD5
c43bd7836a8cf448f69638e14889ace4

SHA1
b7cdd6cabefdecad0f27f0c56215661e3fe2bb60

SHA256
c5d8cfcd50c0a777ec07376edcb4a80b2e22bb8d115c2d2f5718022fb78e82d9

SHA512
077301b1326b81e6069d66e7ddf6605809b74db34a4b131994089bd49787d172052e70ee980b66915bf665385355a80da6a5981bc5f1971b74145f499e73adf2

Download Submit
C:\Users\Admin\AppData\Local\hell koxp v1833.exe

Filesize
100KB

MD5
9046c9a85e2cca9e7772631aa7cb0897

SHA1
eb094d4d62b9b52ba500823d5d9901cd4a3ecbc0

SHA256
4397485a59ffe7dbd98491c5544e19d43f262663c8be15a02bac4d020c4cee28

SHA512
46e73523f7a38db8eb157e83fc933f809862ac20dc2a447dd8e56f828c40b411a29516bac9ecfdc09bee9d0dbcff84dc7098a544d8a0640aad7eedf9be6e9c14

Download Submit
C:\Users\Admin\AppData\Local\ntldr.dll

Filesize
238KB

MD5
8380322522bb509450441bfd9eb341be

SHA1
6e72ee00e97d26bd62d956f87d5a8e83fa70104a

SHA256
1bfe346c455fa962ef1113b0ab6915a4b290ddaad7618c94caa8a3f17e2be71e

SHA512
7faa191d0750408db656762f9a98ec56968a88a3c8672b7135576544c67d76370e85634604e3b8d35b2d64ff2a7cfbac75f8f22ee900ba25b957ca1123071c5e

Download Submit
C:\Users\Admin\AppData\Local\scrss.exe

Filesize
444KB

MD5
25608cff73c670b09bf408c82c97439c

SHA1
3e964cb75ea63a5751016ff3517b7ad9591ada36

SHA256
29942edd22b484ba3f6d597e5d38c44272476de6d7fb6f525cf09e247cd1e9e5

SHA512
d23476d4c7bc9f99c9214065c2fe89626c772d92c102dfb9b9dd18e9f039b05712ac5a32dac4780b55b7b5c2b35591c3f36614718dfae087da0b6b2d0696625e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\setup.exe

Filesize
1.0MB

MD5
a141bf6a16c06dccabe0c1e523f74a2f

SHA1
f0dca64f1dfd9a8b1dd7ae154dce5f47291a6c56

SHA256
bf428f058b272800cec5bb24f10298c9264f36f10c29d6c8e58a3bdd12641b42

SHA512
6cea71be7cbdf24c08afd2decac5293a4e687f26b2426792fbaea83696ac7e4a04d000cffb29a2aca76aee6f360801cdc95ed1acd13119b42b54aed22d89bff8

Download Submit
memory/1180-9-0x0000000004000000-0x0000000004193000-memory.dmp

Filesize
1.6MB

Download
memory/1180-0-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/2604-35-0x00000000008F0000-0x0000000000930000-memory.dmp

Filesize
256KB

Download
memory/2604-45-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2604-46-0x00000000008F0000-0x0000000000930000-memory.dmp

Filesize
256KB

Download
memory/4132-40-0x0000000002D50000-0x0000000002D90000-memory.dmp

Filesize
256KB

Download
memory/4132-44-0x0000000002D50000-0x0000000002D90000-memory.dmp

Filesize
256KB

Download
memory/4636-30-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads