latentbot | 79b02064715e60884ee53f29f23221564de7e3b8e984e65fca0082fdffdcf79b

Analysis

max time kernel
150s
max time network
18s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
21-08-2024 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe
Size

258KB
MD5

b532e05e779500bdc9e81ab68df32054
SHA1

9d8b85646be71642dea0f488d5aa0b82e9fd75f2
SHA256

79b02064715e60884ee53f29f23221564de7e3b8e984e65fca0082fdffdcf79b
SHA512

8bf8199dc7fbf9121a2e15174d9506e8630a1cbc75aa5ac56fd97e01be8d517408b939b0bb3b6263adc86a7a5a1b12753d3cedee62ebdbd59aa17e8f28eab91e
SSDEEP

3072:5G5rMlaTgOidzLWvI+Mgrq4NebArAntnU9cIw+cMYm0bPw0ctcYYYYYYYYYYYYYc:5GySidW9qaCArAtU9sMAPwJ

Score

10^/10

latentbot persistence trojan

Malware Config

Extracted

Family

latentbot

lorelyfaggot.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Executes dropped EXE 1 IoCs

Processes:

Svchost.bat

pid	Process
3036	Svchost.bat

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Svchost.bat

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Svchost.bat"	Svchost.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Svchost.bat"	Svchost.bat

Drops file in Program Files directory 64 IoCs

Processes:

b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exeSvchost.bat

description	ioc	Process
File opened for modification	C:\Program Files\eDonkey2000\incoming\RapidShare Premium Hacker 0.5.1.exe	b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe
File opened for modification	C:\Program Files\kazaa lite k++\my shared folder\x22 100% VAC-Undetected.exe	b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe
File opened for modification	C:\Program Files\emule\incoming\Privat Sexpictures.scr	Svchost.bat
File opened for modification	C:\Program Files\grokster\my grokster\Counter-Strike Source BonnyHop Hack 0.4 by HaxXTeam.exe	Svchost.bat
File opened for modification	C:\Program Files\winmx\shared\Free SteamGames Hack.exe	Svchost.bat
File opened for modification	C:\Program Files\kazaa lite\my shared folder\Msn Hacker 5.3.1 Premium Version.exe	Svchost.bat
File created	C:\Program Files\winmx\shared\Privat Sexpictures.scr	b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe
File created	C:\Program Files\tesla\files\HaxXoRs Trojan Creator.com	Svchost.bat
File opened for modification	C:\Program Files\kazaa lite k++\my shared folder\Privat Sexpictures.scr	b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe
File created	C:\Program Files\LimeWire\Shared\Adobe_After_Effects CS4 Installer.exe	b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe
File created	C:\Program Files\morpheus\my shared folder\CS Photoshop 7.0 BetaVersion Cracked.exe	Svchost.bat
File opened for modification	C:\Program Files\grokster\my grokster\x22 100% VAC-Undetected.exe	Svchost.bat
File opened for modification	C:\Program Files\eDonkey2000\incoming\World of Warcraft Hack Privat Edition 0.0.25.exe	Svchost.bat
File opened for modification	C:\Program Files\kazaa lite\my shared folder\Free Razzer-Account Creator 2.0.4.exe	Svchost.bat
File created	C:\Program Files\kazaa lite\my shared folder\CS Photoshop 7.0 BetaVersion Cracked.exe	b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe
File opened for modification	C:\Program Files\kazaa lite\my shared folder\Counter-Strike Source BonnyHop Hack 0.4 by HaxXTeam.exe	Svchost.bat
File opened for modification	C:\Program Files\LimeWire\Shared\x22 100% VAC-Undetected.exe	Svchost.bat
File opened for modification	C:\Program Files\tesla\files\Free Razzer-Account Creator 2.0.4.exe	b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe
File created	C:\Program Files\kazaa lite\my shared folder\HaxXoRs Trojan Creator.com	b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe
File opened for modification	C:\Program Files\morpheus\my shared folder\Free SteamGames Hack.exe	b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe
File opened for modification	C:\Program Files\tesla\files\Adobe Photoshop CS4 Extended.exe	Svchost.bat
File opened for modification	C:\Program Files\grokster\my grokster\Free SteamGames Hack.exe	Svchost.bat
File created	C:\Program Files\morpheus\my shared folder\Privat Sexpictures.scr	b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe
File created	C:\Program Files\eDonkey2000\incoming\Windows 7 Gold Edition.exe	Svchost.bat
File created	C:\Program Files\grokster\my grokster\Counter-Strike Source BonnyHop Hack 0.4 by HaxXTeam.exe	b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe
File opened for modification	C:\Program Files\emule\incoming\Counter-Strike Source BonnyHop Hack 0.4 by HaxXTeam.exe	Svchost.bat
File created	C:\Program Files\kazaa lite k++\my shared folder\Msn Hacker 5.3.1 Premium Version.exe	Svchost.bat
File created	C:\Program Files\eDonkey2000\incoming\World of Warcraft Hack Privat Edition 0.0.25.exe	b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe
File created	C:\Program Files\winmx\shared\Free Razzer-Account Creator 2.0.4.exe	b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe
File opened for modification	C:\Program Files\morpheus\my shared folder\Adobe_After_Effects CS4 Installer.exe	b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe
File created	C:\Program Files\morpheus\my shared folder\HaxXoRs Trojan Creator.com	b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe
File opened for modification	C:\Program Files\LimeWire\Shared\CS Photoshop 7.0 BetaVersion Cracked.exe	Svchost.bat
File created	C:\Program Files\kazaa\my shared folder\x22 100% VAC-Undetected.exe	b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe
File opened for modification	C:\Program Files\grokster\my grokster\CSS SteamPatch Installer.exe	b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe
File opened for modification	C:\Program Files\kazaa lite k++\my shared folder\Msn Hacker 5.3.1 Premium Version.exe	b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe
File opened for modification	C:\Program Files\LimeWire\Shared\Adobe_After_Effects CS4 Installer.exe	Svchost.bat
File opened for modification	C:\Program Files\kazaa lite\my shared folder\Adobe_After_Effects CS4 Installer.exe	Svchost.bat
File created	C:\Program Files\emule\incoming\Free Razzer-Account Creator 2.0.4.exe	Svchost.bat
File created	C:\Program Files\eDonkey2000\incoming\Free Razzer-Account Creator 2.0.4.exe	b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe
File created	C:\Program Files\emule\incoming\Privat Sexpictures.scr	b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe
File created	C:\Program Files\kazaa lite\my shared folder\Counter-Strike Source BonnyHop Hack 0.4 by HaxXTeam.exe	b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe
File opened for modification	C:\Program Files\grokster\my grokster\Counter-Strike Source BonnyHop Hack 0.4 by HaxXTeam.exe	b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe
File created	C:\Program Files\winmx\shared\RapidShare Premium Hacker 0.5.1.exe	b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe
File opened for modification	C:\Program Files\morpheus\my shared folder\HaxXoRs Trojan Creator.com	b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe
File created	C:\Program Files\kazaa\my shared folder\Free Razzer-Account Creator 2.0.4.exe	Svchost.bat
File opened for modification	C:\Program Files\kazaa lite k++\my shared folder\Counter-Strike Source BonnyHop Hack 0.4 by HaxXTeam.exe	Svchost.bat
File opened for modification	C:\Program Files\eDonkey2000\incoming\Msn Hacker 5.3.1 Premium Version.exe	Svchost.bat
File created	C:\Program Files\tesla\files\Free SteamGames Hack.exe	b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe
File created	C:\Program Files\morpheus\my shared folder\Privat Sexpictures.scr	Svchost.bat
File created	C:\Program Files\kazaa\my shared folder\Free Razzer-Account Creator 2.0.4.exe	b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe
File created	C:\Program Files\grokster\my grokster\Privat Sexpictures.scr	b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe
File created	C:\Program Files\kazaa lite k++\my shared folder\Msn Hacker 5.3.1 Premium Version.exe	b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe
File opened for modification	C:\Program Files\tesla\files\Msn Hacker 5.3.1 Premium Version.exe	b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe
File created	C:\Program Files\eDonkey2000\incoming\Free Razzer-Account Creator 2.0.4.exe	Svchost.bat
File created	C:\Program Files\winmx\shared\CSS SteamPatch Installer.exe	Svchost.bat
File opened for modification	C:\Program Files\emule\incoming\Free Razzer-Account Creator 2.0.4.exe	b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe
File opened for modification	C:\Program Files\kazaa lite\my shared folder\Adobe Photoshop CS4 Extended.exe	b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe
File created	C:\Program Files\morpheus\my shared folder\Free SteamGames Hack.exe	b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe
File created	C:\Program Files\kazaa lite\my shared folder\Windows 7 Gold Edition.exe	Svchost.bat
File opened for modification	C:\Program Files\grokster\my grokster\HaxXoRs Trojan Creator.com	Svchost.bat
File opened for modification	C:\Program Files\kazaa lite\my shared folder\x22 100% VAC-Undetected.exe	Svchost.bat
File opened for modification	C:\Program Files\grokster\my grokster\CS Photoshop 7.0 BetaVersion Cracked.exe	b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe
File created	C:\Program Files\kazaa lite k++\my shared folder\Counter-Strike Source BonnyHop Hack 0.4 by HaxXTeam.exe	Svchost.bat
File created	C:\Program Files\morpheus\my shared folder\HaxXoRs Trojan Creator.com	Svchost.bat

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exeSvchost.bat

pid	Process
1768	b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat
3036	Svchost.bat

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exeSvchost.bat

description	pid	Process
Token: SeDebugPrivilege	1768	b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe
Token: SeDebugPrivilege	3036	Svchost.bat

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe

description	pid	Process	procid_target
PID 1768 wrote to memory of 3036	1768	b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe	29
PID 1768 wrote to memory of 3036	1768	b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe	29
PID 1768 wrote to memory of 3036	1768	b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b532e05e779500bdc9e81ab68df32054_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Users\Admin\AppData\Roaming\Svchost.bat
  C:\Users\Admin\AppData\Roaming\Svchost.bat
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Svchost.bat

Filesize
258KB

MD5
b532e05e779500bdc9e81ab68df32054

SHA1
9d8b85646be71642dea0f488d5aa0b82e9fd75f2

SHA256
79b02064715e60884ee53f29f23221564de7e3b8e984e65fca0082fdffdcf79b

SHA512
8bf8199dc7fbf9121a2e15174d9506e8630a1cbc75aa5ac56fd97e01be8d517408b939b0bb3b6263adc86a7a5a1b12753d3cedee62ebdbd59aa17e8f28eab91e

Download Submit
memory/1768-12-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download
memory/1768-1-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download
memory/1768-2-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download
memory/1768-3-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download
memory/1768-4-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/1768-0-0x000007FEF5B7E000-0x000007FEF5B7F000-memory.dmp

Filesize
4KB

Download
memory/3036-19-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-23-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-10-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-13-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-14-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-15-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-16-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-17-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-18-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-9-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-20-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-21-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-22-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-11-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-24-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-25-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-26-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-27-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-28-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-29-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-30-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-31-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-32-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-33-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-34-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download