latentbot | c925a08142e38938c60d7cd2c0183749fe979707224b7a1fd1d164514e97245b

General

Target

bf431a57b9c1e56e7161451e6722ebaa_JaffaCakes118.exe
Size

108KB
MD5

bf431a57b9c1e56e7161451e6722ebaa
SHA1

531fb464e9c0b1009686f64038f3e82bce7a92fa
SHA256

c925a08142e38938c60d7cd2c0183749fe979707224b7a1fd1d164514e97245b
SHA512

41bf5f4ad9b6d7cddc2158bf33e411f737c8c4bf25b9622cf4bf209dc7c0f3658150c4e8913f11e888e151e5576ddb78f1364262c654a1a66504eb7f7aed3cd7
SSDEEP

3072:01+MJKrUnFYY5z1i0Nmbi5fJBNL/Jjoout:kIrPj0NmWtNNjooS

Score

10^/10

latentbot modiloader discovery evasion trojan upx

Malware Config

Extracted

Family

latentbot

C2

ibryzyoussef.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

bf431a57b9c1e56e7161451e6722ebaa_JaffaCakes118.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bf431a57b9c1e56e7161451e6722ebaa_JaffaCakes118.exe

ModiLoader Second Stage 15 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3676-16-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral2/memory/3676-17-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral2/memory/3676-20-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral2/memory/3676-23-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral2/memory/3676-26-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral2/memory/3676-29-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral2/memory/3676-32-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral2/memory/3676-35-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral2/memory/3676-38-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral2/memory/3676-41-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral2/memory/3676-44-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral2/memory/3676-47-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral2/memory/3676-50-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral2/memory/3676-53-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral2/memory/3676-56-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2

Loads dropped DLL 4 IoCs

Processes:

bf431a57b9c1e56e7161451e6722ebaa_JaffaCakes118.exe

pid	Process
3676	bf431a57b9c1e56e7161451e6722ebaa_JaffaCakes118.exe
3676	bf431a57b9c1e56e7161451e6722ebaa_JaffaCakes118.exe
3676	bf431a57b9c1e56e7161451e6722ebaa_JaffaCakes118.exe
3676	bf431a57b9c1e56e7161451e6722ebaa_JaffaCakes118.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3676-0-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/memory/3676-16-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/memory/3676-17-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/memory/3676-20-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/memory/3676-23-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/memory/3676-26-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/memory/3676-29-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/memory/3676-32-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/memory/3676-35-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/memory/3676-38-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/memory/3676-41-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/memory/3676-44-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/memory/3676-47-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/memory/3676-50-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/memory/3676-53-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/memory/3676-56-0x0000000000400000-0x0000000000450000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

bf431a57b9c1e56e7161451e6722ebaa_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bf431a57b9c1e56e7161451e6722ebaa_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bf431a57b9c1e56e7161451e6722ebaa_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

bf431a57b9c1e56e7161451e6722ebaa_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf431a57b9c1e56e7161451e6722ebaa_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

bf431a57b9c1e56e7161451e6722ebaa_JaffaCakes118.exevssvc.exe

description	pid	Process
Token: SeDebugPrivilege	3676	bf431a57b9c1e56e7161451e6722ebaa_JaffaCakes118.exe
Token: SeBackupPrivilege	1360	vssvc.exe
Token: SeRestorePrivilege	1360	vssvc.exe
Token: SeAuditPrivilege	1360	vssvc.exe
Token: SeDebugPrivilege	3676	bf431a57b9c1e56e7161451e6722ebaa_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

bf431a57b9c1e56e7161451e6722ebaa_JaffaCakes118.exe

pid	Process
3676	bf431a57b9c1e56e7161451e6722ebaa_JaffaCakes118.exe
3676	bf431a57b9c1e56e7161451e6722ebaa_JaffaCakes118.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

bf431a57b9c1e56e7161451e6722ebaa_JaffaCakes118.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bf431a57b9c1e56e7161451e6722ebaa_JaffaCakes118.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\bf431a57b9c1e56e7161451e6722ebaa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bf431a57b9c1e56e7161451e6722ebaa_JaffaCakes118.exe"
1⤵
- UAC bypass
- Loads dropped DLL
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3676

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cmsetac.dll

Filesize
32KB

MD5
2c1b6b73da6f51fe2859274ba5190f80

SHA1
f458c1e70dcf508493aba27b1588ed727df13552

SHA256
283e1619c5449d50c666534f2f4184521183e15b39a36f666de92703ecac1560

SHA512
7036c07e23ea8249141f36fd45732b38b7e2109a2a955ac8239ce6dc5936be95aeded2e546256092205ff62d4f09b4568c6437ee4dcfed6de22f5a4916a8a201

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntdtcstp.dll

Filesize
7KB

MD5
67587e25a971a141628d7f07bd40ffa0

SHA1
76fcd014539a3bb247cc0b761225f68bd6055f6b

SHA256
e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

SHA512
6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

Download Submit
memory/3676-20-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3676-29-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3676-12-0x00000000035C0000-0x00000000035CE000-memory.dmp

Filesize
56KB

Download
memory/3676-15-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/3676-16-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3676-17-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3676-18-0x0000000002200000-0x0000000002208000-memory.dmp

Filesize
32KB

Download
memory/3676-19-0x00000000035C0000-0x00000000035CE000-memory.dmp

Filesize
56KB

Download
memory/3676-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3676-23-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3676-26-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3676-8-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/3676-32-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3676-35-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3676-38-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3676-41-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3676-44-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3676-47-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3676-50-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3676-53-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3676-56-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads