latentbot | 5dc147d924897e4952e97d7724a9d401c1036bd37f6e6045e8251ff675599beb

Analysis

max time kernel
140s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2024 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe
Size

813KB
MD5

bf731bb4cf8fc8724c08864334e138a3
SHA1

2fd67abed797cbcb916125cb9d792f82cbad1d34
SHA256

5dc147d924897e4952e97d7724a9d401c1036bd37f6e6045e8251ff675599beb
SHA512

0a3ecd7f719f1b0b6097b686c73a5ae45ee5a7c874fcbfd89bb2e4d833ffd488738bf8704af580835ae228dc97b80f0a225c6b69d16e7d290ea198785d45c563
SSDEEP

12288:IlsKXp4DADHq8v/t43wJHFDhmS/ymmHcSrU0Qn7bcR0GYeATgUhVnRIF:41XptDHLuw1Nb/p93Rn3cR89MUhxRI

Score

10^/10

latentbot defense_evasion discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

latentbot

terranostra.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Modifies firewall policy service 3 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe:*:Enabled:udsc"	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exe

pid	Process
4508	netsh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tsunlim = "c:\\windows\\tsunlim.exe"	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Modifies WinLogon 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\EnableConcurrentSessions = "1"	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\breakts = "0"	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in System32 directory 1 IoCs

Processes:

bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\dllcache\termsrv.dll	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe

Hide Artifacts: Hidden Users 1 TTPs 1 IoCs

defense_evasion

Hidden Users

T1564.002

Processes:

bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\breakts = "0"	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe

Drops file in Windows directory 5 IoCs

Processes:

bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.execmd.exe

description	ioc	Process
File created	\??\c:\windows\tsunlim.exe	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe
File opened for modification	\??\c:\windows\tsunlim.exe	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe
File created	C:\WINDOWS\ServicePackFiles\i386\termsrv.dll	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe
File created	\??\c:\windows\ipconfig.txt	cmd.exe
File created	\??\c:\windows\ig.fgggf	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

net1.exenet1.exenet.exebf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.execmd.exenet.exenet.exenet1.execmd.exenet1.execmd.execmd.execmd.exenet1.exenetsh.exeipconfig.exenet.execmd.exenet.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

Processes:

ipconfig.exe

pid	Process
1336	ipconfig.exe

Runs net.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exenet.exenet.execmd.execmd.exenet.execmd.execmd.execmd.exenet.exenet.exe

description	pid	Process	procid_target
PID 4764 wrote to memory of 2320	4764	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	84
PID 4764 wrote to memory of 2320	4764	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	84
PID 4764 wrote to memory of 2320	4764	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	84
PID 4764 wrote to memory of 32	4764	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	85
PID 4764 wrote to memory of 32	4764	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	85
PID 4764 wrote to memory of 32	4764	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	85
PID 4764 wrote to memory of 2968	4764	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	86
PID 4764 wrote to memory of 2968	4764	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	86
PID 4764 wrote to memory of 2968	4764	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	86
PID 4764 wrote to memory of 4712	4764	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	87
PID 4764 wrote to memory of 4712	4764	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	87
PID 4764 wrote to memory of 4712	4764	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	87
PID 4764 wrote to memory of 2796	4764	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	89
PID 4764 wrote to memory of 2796	4764	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	89
PID 4764 wrote to memory of 2796	4764	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	89
PID 4764 wrote to memory of 1728	4764	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	91
PID 4764 wrote to memory of 1728	4764	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	91
PID 4764 wrote to memory of 1728	4764	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	91
PID 4764 wrote to memory of 3248	4764	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	92
PID 4764 wrote to memory of 3248	4764	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	92
PID 4764 wrote to memory of 3248	4764	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	92
PID 4764 wrote to memory of 4780	4764	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	93
PID 4764 wrote to memory of 4780	4764	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	93
PID 4764 wrote to memory of 4780	4764	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	93
PID 2968 wrote to memory of 4340	2968	net.exe	100
PID 2968 wrote to memory of 4340	2968	net.exe	100
PID 2968 wrote to memory of 4340	2968	net.exe	100
PID 4712 wrote to memory of 4932	4712	net.exe	102
PID 4712 wrote to memory of 4932	4712	net.exe	102
PID 4712 wrote to memory of 4932	4712	net.exe	102
PID 3248 wrote to memory of 4508	3248	cmd.exe	101
PID 3248 wrote to memory of 4508	3248	cmd.exe	101
PID 3248 wrote to memory of 4508	3248	cmd.exe	101
PID 32 wrote to memory of 2964	32	cmd.exe	103
PID 32 wrote to memory of 2964	32	cmd.exe	103
PID 32 wrote to memory of 2964	32	cmd.exe	103
PID 2964 wrote to memory of 4216	2964	net.exe	104
PID 2964 wrote to memory of 4216	2964	net.exe	104
PID 2964 wrote to memory of 4216	2964	net.exe	104
PID 4780 wrote to memory of 1336	4780	cmd.exe	105
PID 4780 wrote to memory of 1336	4780	cmd.exe	105
PID 4780 wrote to memory of 1336	4780	cmd.exe	105
PID 1728 wrote to memory of 3048	1728	cmd.exe	106
PID 1728 wrote to memory of 3048	1728	cmd.exe	106
PID 1728 wrote to memory of 3048	1728	cmd.exe	106
PID 2796 wrote to memory of 4928	2796	cmd.exe	107
PID 2796 wrote to memory of 4928	2796	cmd.exe	107
PID 2796 wrote to memory of 4928	2796	cmd.exe	107
PID 3048 wrote to memory of 5004	3048	net.exe	108
PID 3048 wrote to memory of 5004	3048	net.exe	108
PID 3048 wrote to memory of 5004	3048	net.exe	108
PID 4928 wrote to memory of 2016	4928	net.exe	109
PID 4928 wrote to memory of 2016	4928	net.exe	109
PID 4928 wrote to memory of 2016	4928	net.exe	109

C:\Users\Admin\AppData\Local\Temp\bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe"
1⤵
- Modifies firewall policy service
- Modifies security service
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Hide Artifacts: Hidden Users
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /q c:\windows\system32\dllcache\terms*.*
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net user breakts hacker /add
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:32
- - C:\Windows\SysWOW64\net.exe
    net user breakts hacker /add
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user breakts hacker /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:4216
- C:\Windows\SysWOW64\net.exe
  net localgroup administradores breakts /add
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 localgroup administradores breakts /add
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4340
- C:\Windows\SysWOW64\net.exe
  net group "Domain Admins" BreakTS /add
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4712
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 group "Domain Admins" BreakTS /add
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop sharedaccess
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\net.exe
    net stop sharedaccess
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4928
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop sharedaccess
      4⤵
      System Location Discovery: System Language Discovery
      PID:2016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wscsvc
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\SysWOW64\net.exe
    net stop wscsvc
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wscsvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:5004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh firewall set opmode disable
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3248
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ipconfig /all > c:\windows\ipconfig.txt
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Network Share Discovery

T1135

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\ipconfig.txt

Filesize
1023B

MD5
8f2df37eb28423b9c1d615346191c18d

SHA1
f033102978c4dea08895d6450667d1cc17a75385

SHA256
3dd1b699ca3366316f0e690617387d9f97dad88ac24c2dd5b3c034be52548ef5

SHA512
5fbf30383199e952023a4371e8d52cdd5ba0c2e198e05f77f21ea4fcab8d0050d323f246f75f29c070544b9c642ed8d586383d368acdc0f0c2de067aa5ca585c

Download Submit
memory/4764-0-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/4764-4-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/4764-3-0x0000000009880000-0x0000000009952000-memory.dmp

Filesize
840KB

Download
memory/4764-6-0x0000000009880000-0x0000000009952000-memory.dmp

Filesize
840KB

Download
memory/4764-20-0x0000000009880000-0x0000000009952000-memory.dmp

Filesize
840KB

Download