latentbot | 07f7d5301f0e28754cc7ad1884a6f2210dee5da60dcb7dc3b05602f1197b9d77

Analysis

max time kernel
148s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19-08-2024 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
Size

972KB
MD5

abcad621757e5245711c18b4c3a1c289
SHA1

ecb70053895dd4e0a5936c7545a665b1bb742187
SHA256

07f7d5301f0e28754cc7ad1884a6f2210dee5da60dcb7dc3b05602f1197b9d77
SHA512

48770f5df2dd2b57cec2681716faf8991ac82608f3b9eefec02f4b142df14d7176b8890ce6d3119b46f9bb0a76b339d5d5dfc4a72dfe65329af90c0efc65394c
SSDEEP

24576:KnPV2xWAm5O465P/QqUogjSegBFU68JgtD:mP4QwQt/uuyD

Score

10^/10

latentbot discovery evasion persistence trojan

Malware Config

Extracted

Family

latentbot

hiendsystems.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Modifies firewall policy service 3 TTPs 8 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\PdPADSLdnsConfNet.exe = "C:\\Users\\Admin\\AppData\\Roaming\\PdPADSLdnsConfNet.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Temp\svhost.exe = "C:\\Windows\\Temp\\svhost.exe:*:Enabled:Windows Messanger"	reg.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PdPADSLdnsConNetSer .exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PdPADSLdnsConNetSer .exe	cmd.exe

Executes dropped EXE 23 IoCs

pid	Process
3020	svhost.exe
2784	svhost.exe
1748	PdPADSLdnsConNetSer .exe
1340	svhost.exe
2584	svhost.exe
296	PdPADSLdnsConNetSer .exe
612	svhost.exe
872	svhost.exe
2004	PdPADSLdnsConNetSer .exe
2076	svhost.exe
1756	svhost.exe
1600	PdPADSLdnsConNetSer .exe
536	svhost.exe
1528	svhost.exe
2756	PdPADSLdnsConNetSer .exe
2608	svhost.exe
2564	svhost.exe
2988	PdPADSLdnsConNetSer .exe
1916	svhost.exe
1472	svhost.exe
628	PdPADSLdnsConNetSer .exe
832	svhost.exe
1944	svhost.exe

Loads dropped DLL 16 IoCs

pid	Process
2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
2324	cmd.exe
2324	cmd.exe
2324	cmd.exe
2324	cmd.exe
2324	cmd.exe
2324	cmd.exe
2324	cmd.exe
2324	cmd.exe
2324	cmd.exe
2324	cmd.exe
2324	cmd.exe
2324	cmd.exe
2324	cmd.exe
2324	cmd.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\PdPADSLdnsConNetSer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PdPADSLdnsConNetSer .exe"	PdPADSLdnsConNetSer .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\PdPADSLdnsConNetSer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PdPADSLdnsConNetSer .exe"	PdPADSLdnsConNetSer .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\PdPADSLdnsConNetSer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PdPADSLdnsConNetSer .exe"	PdPADSLdnsConNetSer .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\PdPADSLdnsConNetSer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PdPADSLdnsConNetSer .exe"	PdPADSLdnsConNetSer .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\PdPADSLdnsConNetSer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PdPADSLdnsConNetSer .exe"	PdPADSLdnsConNetSer .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\PdPADSLdnsConNetSer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PdPADSLdnsConNetSer .exe"	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\PdPADSLdnsConNetSer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PdPADSLdnsConNetSer .exe"	PdPADSLdnsConNetSer .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\PdPADSLdnsConNetSer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PdPADSLdnsConNetSer .exe"	PdPADSLdnsConNetSer .exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 2140 set thread context of 3020	2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	33
PID 1748 set thread context of 1340	1748	PdPADSLdnsConNetSer .exe	54
PID 296 set thread context of 612	296	PdPADSLdnsConNetSer .exe	58
PID 2004 set thread context of 2076	2004	PdPADSLdnsConNetSer .exe	62
PID 1600 set thread context of 536	1600	PdPADSLdnsConNetSer .exe	66
PID 2756 set thread context of 2608	2756	PdPADSLdnsConNetSer .exe	70
PID 2988 set thread context of 1916	2988	PdPADSLdnsConNetSer .exe	74
PID 628 set thread context of 832	628	PdPADSLdnsConNetSer .exe	78

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PdPADSLdnsConNetSer .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PdPADSLdnsConNetSer .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PdPADSLdnsConNetSer .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PdPADSLdnsConNetSer .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PdPADSLdnsConNetSer .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PdPADSLdnsConNetSer .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PdPADSLdnsConNetSer .exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2724	PING.EXE
2376	PING.EXE
2592	PING.EXE
1800	PING.EXE
1820	PING.EXE
2520	PING.EXE
440	PING.EXE

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2564	reg.exe
3000	reg.exe
2464	reg.exe
3032	reg.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
1800	PING.EXE
1820	PING.EXE
2520	PING.EXE
440	PING.EXE
2724	PING.EXE
2376	PING.EXE
2592	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
1748	PdPADSLdnsConNetSer .exe
1748	PdPADSLdnsConNetSer .exe
1748	PdPADSLdnsConNetSer .exe
1748	PdPADSLdnsConNetSer .exe
1748	PdPADSLdnsConNetSer .exe
1748	PdPADSLdnsConNetSer .exe
1748	PdPADSLdnsConNetSer .exe
1748	PdPADSLdnsConNetSer .exe
1748	PdPADSLdnsConNetSer .exe
1748	PdPADSLdnsConNetSer .exe
1748	PdPADSLdnsConNetSer .exe
1748	PdPADSLdnsConNetSer .exe
1748	PdPADSLdnsConNetSer .exe
1748	PdPADSLdnsConNetSer .exe
1748	PdPADSLdnsConNetSer .exe
1748	PdPADSLdnsConNetSer .exe
1748	PdPADSLdnsConNetSer .exe
296	PdPADSLdnsConNetSer .exe
296	PdPADSLdnsConNetSer .exe
296	PdPADSLdnsConNetSer .exe
296	PdPADSLdnsConNetSer .exe
296	PdPADSLdnsConNetSer .exe
296	PdPADSLdnsConNetSer .exe
296	PdPADSLdnsConNetSer .exe
296	PdPADSLdnsConNetSer .exe
296	PdPADSLdnsConNetSer .exe
296	PdPADSLdnsConNetSer .exe
296	PdPADSLdnsConNetSer .exe
296	PdPADSLdnsConNetSer .exe
296	PdPADSLdnsConNetSer .exe
296	PdPADSLdnsConNetSer .exe
296	PdPADSLdnsConNetSer .exe
296	PdPADSLdnsConNetSer .exe
296	PdPADSLdnsConNetSer .exe
2004	PdPADSLdnsConNetSer .exe
2004	PdPADSLdnsConNetSer .exe
2004	PdPADSLdnsConNetSer .exe
2004	PdPADSLdnsConNetSer .exe
2004	PdPADSLdnsConNetSer .exe
2004	PdPADSLdnsConNetSer .exe
2004	PdPADSLdnsConNetSer .exe
2004	PdPADSLdnsConNetSer .exe
2004	PdPADSLdnsConNetSer .exe
2004	PdPADSLdnsConNetSer .exe
2004	PdPADSLdnsConNetSer .exe
2004	PdPADSLdnsConNetSer .exe
2004	PdPADSLdnsConNetSer .exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
Token: 1	3020	svhost.exe
Token: SeCreateTokenPrivilege	3020	svhost.exe
Token: SeAssignPrimaryTokenPrivilege	3020	svhost.exe
Token: SeLockMemoryPrivilege	3020	svhost.exe
Token: SeIncreaseQuotaPrivilege	3020	svhost.exe
Token: SeMachineAccountPrivilege	3020	svhost.exe
Token: SeTcbPrivilege	3020	svhost.exe
Token: SeSecurityPrivilege	3020	svhost.exe
Token: SeTakeOwnershipPrivilege	3020	svhost.exe
Token: SeLoadDriverPrivilege	3020	svhost.exe
Token: SeSystemProfilePrivilege	3020	svhost.exe
Token: SeSystemtimePrivilege	3020	svhost.exe
Token: SeProfSingleProcessPrivilege	3020	svhost.exe
Token: SeIncBasePriorityPrivilege	3020	svhost.exe
Token: SeCreatePagefilePrivilege	3020	svhost.exe
Token: SeCreatePermanentPrivilege	3020	svhost.exe
Token: SeBackupPrivilege	3020	svhost.exe
Token: SeRestorePrivilege	3020	svhost.exe
Token: SeShutdownPrivilege	3020	svhost.exe
Token: SeDebugPrivilege	3020	svhost.exe
Token: SeAuditPrivilege	3020	svhost.exe
Token: SeSystemEnvironmentPrivilege	3020	svhost.exe
Token: SeChangeNotifyPrivilege	3020	svhost.exe
Token: SeRemoteShutdownPrivilege	3020	svhost.exe
Token: SeUndockPrivilege	3020	svhost.exe
Token: SeSyncAgentPrivilege	3020	svhost.exe
Token: SeEnableDelegationPrivilege	3020	svhost.exe
Token: SeManageVolumePrivilege	3020	svhost.exe
Token: SeImpersonatePrivilege	3020	svhost.exe
Token: SeCreateGlobalPrivilege	3020	svhost.exe
Token: 31	3020	svhost.exe
Token: 32	3020	svhost.exe
Token: 33	3020	svhost.exe
Token: 34	3020	svhost.exe
Token: 35	3020	svhost.exe
Token: SeDebugPrivilege	1748	PdPADSLdnsConNetSer .exe
Token: SeDebugPrivilege	296	PdPADSLdnsConNetSer .exe
Token: SeDebugPrivilege	2004	PdPADSLdnsConNetSer .exe
Token: SeDebugPrivilege	1600	PdPADSLdnsConNetSer .exe
Token: SeDebugPrivilege	2756	PdPADSLdnsConNetSer .exe
Token: SeDebugPrivilege	2988	PdPADSLdnsConNetSer .exe
Token: SeDebugPrivilege	628	PdPADSLdnsConNetSer .exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
3020	svhost.exe
3020	svhost.exe
3020	svhost.exe
3020	svhost.exe
1340	svhost.exe
1340	svhost.exe
612	svhost.exe
612	svhost.exe
2076	svhost.exe
2076	svhost.exe
536	svhost.exe
536	svhost.exe
2608	svhost.exe
2608	svhost.exe
1916	svhost.exe
1916	svhost.exe
832	svhost.exe
832	svhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2636	2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	31
PID 2140 wrote to memory of 2636	2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	31
PID 2140 wrote to memory of 2636	2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	31
PID 2140 wrote to memory of 2636	2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	31
PID 2140 wrote to memory of 3020	2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	33
PID 2140 wrote to memory of 3020	2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	33
PID 2140 wrote to memory of 3020	2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	33
PID 2140 wrote to memory of 3020	2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	33
PID 2140 wrote to memory of 3020	2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	33
PID 2140 wrote to memory of 3020	2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	33
PID 2140 wrote to memory of 3020	2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	33
PID 2140 wrote to memory of 3020	2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	33
PID 2140 wrote to memory of 2784	2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	34
PID 2140 wrote to memory of 2784	2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	34
PID 2140 wrote to memory of 2784	2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	34
PID 2140 wrote to memory of 2784	2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	34
PID 2636 wrote to memory of 2552	2636	cmd.exe	35
PID 2636 wrote to memory of 2552	2636	cmd.exe	35
PID 2636 wrote to memory of 2552	2636	cmd.exe	35
PID 2636 wrote to memory of 2552	2636	cmd.exe	35
PID 3020 wrote to memory of 2224	3020	svhost.exe	36
PID 3020 wrote to memory of 2224	3020	svhost.exe	36
PID 3020 wrote to memory of 2224	3020	svhost.exe	36
PID 3020 wrote to memory of 2224	3020	svhost.exe	36
PID 3020 wrote to memory of 2580	3020	svhost.exe	37
PID 3020 wrote to memory of 2580	3020	svhost.exe	37
PID 3020 wrote to memory of 2580	3020	svhost.exe	37
PID 3020 wrote to memory of 2580	3020	svhost.exe	37
PID 3020 wrote to memory of 2844	3020	svhost.exe	39
PID 3020 wrote to memory of 2844	3020	svhost.exe	39
PID 3020 wrote to memory of 2844	3020	svhost.exe	39
PID 3020 wrote to memory of 2844	3020	svhost.exe	39
PID 3020 wrote to memory of 2996	3020	svhost.exe	40
PID 3020 wrote to memory of 2996	3020	svhost.exe	40
PID 3020 wrote to memory of 2996	3020	svhost.exe	40
PID 3020 wrote to memory of 2996	3020	svhost.exe	40
PID 2224 wrote to memory of 2564	2224	cmd.exe	44
PID 2224 wrote to memory of 2564	2224	cmd.exe	44
PID 2224 wrote to memory of 2564	2224	cmd.exe	44
PID 2224 wrote to memory of 2564	2224	cmd.exe	44
PID 2844 wrote to memory of 2464	2844	cmd.exe	45
PID 2844 wrote to memory of 2464	2844	cmd.exe	45
PID 2844 wrote to memory of 2464	2844	cmd.exe	45
PID 2844 wrote to memory of 2464	2844	cmd.exe	45
PID 2580 wrote to memory of 3000	2580	cmd.exe	46
PID 2580 wrote to memory of 3000	2580	cmd.exe	46
PID 2580 wrote to memory of 3000	2580	cmd.exe	46
PID 2580 wrote to memory of 3000	2580	cmd.exe	46
PID 2552 wrote to memory of 2972	2552	wscript.exe	48
PID 2552 wrote to memory of 2972	2552	wscript.exe	48
PID 2552 wrote to memory of 2972	2552	wscript.exe	48
PID 2552 wrote to memory of 2972	2552	wscript.exe	48
PID 2996 wrote to memory of 3032	2996	cmd.exe	47
PID 2996 wrote to memory of 3032	2996	cmd.exe	47
PID 2996 wrote to memory of 3032	2996	cmd.exe	47
PID 2996 wrote to memory of 3032	2996	cmd.exe	47
PID 2140 wrote to memory of 2324	2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	50
PID 2140 wrote to memory of 2324	2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	50
PID 2140 wrote to memory of 2324	2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	50
PID 2140 wrote to memory of 2324	2140	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	50
PID 2324 wrote to memory of 2520	2324	cmd.exe	52
PID 2324 wrote to memory of 2520	2324	cmd.exe	52
PID 2324 wrote to memory of 2520	2324	cmd.exe	52
PID 2324 wrote to memory of 2520	2324	cmd.exe	52

C:\Users\Admin\AppData\Local\Temp\abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\caca.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\SysWOW64\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\caca2.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\caca2.bat" "
      4⤵
      Drops startup file
      System Location Discovery: System Language Discovery
      PID:2972
- C:\Windows\Temp\svhost.exe
  C:\Windows\Temp\svhost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2564
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Temp\svhost.exe" /t REG_SZ /d "C:\Windows\Temp\svhost.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Temp\svhost.exe" /t REG_SZ /d "C:\Windows\Temp\svhost.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3000
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\PdPADSLdnsConfNet.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\PdPADSLdnsConfNet.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\PdPADSLdnsConfNet.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\PdPADSLdnsConfNet.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3032
- C:\Windows\Temp\svhost.exe
  C:\Windows\Temp\svhost.exe
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\per.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2520
- - C:\Users\Admin\AppData\Local\Temp\PdPADSLdnsConNetSer .exe
    "C:\Users\Admin\AppData\Local\Temp\PdPADSLdnsConNetSer .exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1748
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1340
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      PID:2584
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:440
- - C:\Users\Admin\AppData\Local\Temp\PdPADSLdnsConNetSer .exe
    "C:\Users\Admin\AppData\Local\Temp\PdPADSLdnsConNetSer .exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:296
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:612
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      PID:872
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2724
- - C:\Users\Admin\AppData\Local\Temp\PdPADSLdnsConNetSer .exe
    "C:\Users\Admin\AppData\Local\Temp\PdPADSLdnsConNetSer .exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2004
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2076
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      PID:1756
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2376
- - C:\Users\Admin\AppData\Local\Temp\PdPADSLdnsConNetSer .exe
    "C:\Users\Admin\AppData\Local\Temp\PdPADSLdnsConNetSer .exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1600
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:536
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      PID:1528
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2592
- - C:\Users\Admin\AppData\Local\Temp\PdPADSLdnsConNetSer .exe
    "C:\Users\Admin\AppData\Local\Temp\PdPADSLdnsConNetSer .exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2756
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2608
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      PID:2564
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1800
- - C:\Users\Admin\AppData\Local\Temp\PdPADSLdnsConNetSer .exe
    "C:\Users\Admin\AppData\Local\Temp\PdPADSLdnsConNetSer .exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2988
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1916
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      PID:1472
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1820
- - C:\Users\Admin\AppData\Local\Temp\PdPADSLdnsConNetSer .exe
    "C:\Users\Admin\AppData\Local\Temp\PdPADSLdnsConNetSer .exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:628
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:832
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\caca.bat

Filesize
47B

MD5
58ccb87aa1da4939df403810f1e68b6b

SHA1
dc8551f41682e5cb1dd25af3f11a789b1d37b295

SHA256
eccc9f27214ff49689c1f597c0d3d3a3e45391064fd0baa9b5e0e03931b7822b

SHA512
17ad698f496a445c5cbd0972df9fe966081a3cbee33fb7d7e003890ae946c65687b85b9b16990a872338d00d798b82dee06e86bd2d38b01ad292048134688fd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\caca2.bat

Filesize
173B

MD5
236c25bb7937d845004e48da5c0c691f

SHA1
a324af5b92c7399c6f24314ec155364ff045b785

SHA256
ef042cdd5d0c6e0490969e76d8587a8559ac1d4165535582cac2731e4f5c4852

SHA512
32f6c877953ab2d9a889b97f524803cdd737c3a0f976d6e52049d087368cd5b522ebaa39c99c3f771d717325012e28bffe12403f916fd721f34cce775caf5c32

Download Submit
C:\Users\Admin\AppData\Local\Temp\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\per.bat

Filesize
122B

MD5
79de65b41aa667fffeed2da4bc54653e

SHA1
76153364791bceff63281427abc916d7a850b6cf

SHA256
dd54cf19657eb7fb1bf3b9e85914701a4a9fb70582778217774cc24f4547b2af

SHA512
d434a011856174095b5a6f5527c0cc360404c1100799ea63fa1d0b04b90ab00b9246e7ed396136d0978f16dee8b5d5e885b16cb53f558dc1a57f9581802080ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\rundll32-.txt

Filesize
972KB

MD5
abcad621757e5245711c18b4c3a1c289

SHA1
ecb70053895dd4e0a5936c7545a665b1bb742187

SHA256
07f7d5301f0e28754cc7ad1884a6f2210dee5da60dcb7dc3b05602f1197b9d77

SHA512
48770f5df2dd2b57cec2681716faf8991ac82608f3b9eefec02f4b142df14d7176b8890ce6d3119b46f9bb0a76b339d5d5dfc4a72dfe65329af90c0efc65394c

Download Submit
C:\Windows\Temp\svhost.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/536-140-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/612-101-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1340-80-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2076-120-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2140-2-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2140-0-0x0000000074621000-0x0000000074622000-memory.dmp

Filesize
4KB

Download
memory/2140-63-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2140-1-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2140-52-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2140-8-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2608-159-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3020-26-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3020-64-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3020-53-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3020-84-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3020-85-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3020-23-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3020-103-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3020-105-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3020-25-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3020-123-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3020-124-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3020-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3020-142-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3020-144-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3020-35-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download