adwind | 1669137d9d09ee215a11a0ec6685beac90196666c1d4d0afced0f633a7c8543a | Triage

Sharing

General

Target

bf97d56c1cd112197f951653c2080814_JaffaCakes118
Size

748KB
Sample

240824-2vbsdstgrb
MD5

bf97d56c1cd112197f951653c2080814
SHA1

08c28f3682b67fbc835f27e292eb4159389f62d9
SHA256

1669137d9d09ee215a11a0ec6685beac90196666c1d4d0afced0f633a7c8543a
SHA512

870add48eae58b1563ec98d9261ca59223c673baee1ad7f7b377506fbf00a61497c3f9531be66c4d80d692e20468056e3a55d0bc9e80a7e8bc4bfcf10ac171ed
SSDEEP

12288:rJ7neJelBrH9xbLDDu7JHixkVB4Fa6QmunUy9ZExR0HJDNrFJZndtbqOTSgcDU:r9x76FCWVg5unUyjK0tzJ5Lr2RU

Score

10^/10

adwind latentbot evasion persistence trojan

Malware Config

Extracted

Family

latentbot

C2

ebukaalilonu.zapto.org

Targets

- Target
  
  bf97d56c1cd112197f951653c2080814_JaffaCakes118
- Size
  
  748KB
- MD5
  
  bf97d56c1cd112197f951653c2080814
- SHA1
  
  08c28f3682b67fbc835f27e292eb4159389f62d9
- SHA256
  
  1669137d9d09ee215a11a0ec6685beac90196666c1d4d0afced0f633a7c8543a
- SHA512
  
  870add48eae58b1563ec98d9261ca59223c673baee1ad7f7b377506fbf00a61497c3f9531be66c4d80d692e20468056e3a55d0bc9e80a7e8bc4bfcf10ac171ed
- SSDEEP
  
  12288:rJ7neJelBrH9xbLDDu7JHixkVB4Fa6QmunUy9ZExR0HJDNrFJZndtbqOTSgcDU:r9x76FCWVg5unUyjK0tzJ5Lr2RU
Score

10^/10

adwind latentbot evasion persistence trojan
- AdWind
  A Java-based RAT family operated as malware-as-a-service.
  trojan adwind
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- UAC bypass
  evasion trojan
- Disables Task Manager via registry modification
  evasion
- Disables use of System Restore points
  evasion
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Image File Execution Options Injection

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Image File Execution Options Injection

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

behavioral2

adwindlatentbotevasionpersistencetrojan