Overview

overview

10

Static

static

3

c4bd87c328...18.exe

windows7-x64

10

c4bd87c328...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    27-08-2024 09:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c4bd87c3284cab7b4a4d4039af0f933e_JaffaCakes118.exe

  • Size

    428KB

  • MD5

    c4bd87c3284cab7b4a4d4039af0f933e

  • SHA1

    f99fbf47be97d05942aaa7de443ee60d1fde7c30

  • SHA256

    55caca52abf37a49b12a02e66216185dce838bb0222921647148ee495c1d1c08

  • SHA512

    8d8ba14128507d03cf67c88b676763038bb631579ba981ba43e83e807c6250ea6ca3e5d1db30f2e4162515236b0f4940a08100b511a78ccced8506d11ae6accd

  • SSDEEP

    12288:B7tb3KcX80ljcF82LnZ84bd4zRrnKorz:dtmOjYZdbdilj

Score
10/10
latentbotdiscoveryevasionpersistencetrojan

Malware Config

Extracted

Family

latentbot

C2

cheloulenoir.zapto.org

Signatures

  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

    trojanlatentbot
  • Modifies firewall policy service 3 TTPs 8 IoCs
    evasion
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c4bd87c3284cab7b4a4d4039af0f933e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c4bd87c3284cab7b4a4d4039af0f933e_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2824
    • C:\Users\Admin\AppData\Local\Temp\TIEGHZKC55.exe
      "C:\Users\Admin\AppData\Local\Temp\TIEGHZKC55.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Users\Admin\AppData\Roaming\WinSec.exe
        C:\Users\Admin\AppData\Roaming\WinSec.exe
        3⤵
        • Adds policy Run key to start application
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2764
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2540
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:1640
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\TIEGHZKC55.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TIEGHZKC55.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2568
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\TIEGHZKC55.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TIEGHZKC55.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2512
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2588
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2420
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\TIEGHZKC55.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\TIEGHZKC55.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2600
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\TIEGHZKC55.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\TIEGHZKC55.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:1528

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\WinSec.exe
    Filesize

    31KB

    MD5

    ed797d8dc2c92401985d162e42ffa450

    SHA1

    0f02fc517c7facc4baefde4fe9467fb6488ebabe

    SHA256

    b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

    SHA512

    e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

    Download Submit

  • \Users\Admin\AppData\Local\Temp\TIEGHZKC55.exe
    Filesize

    276KB

    MD5

    441d047bd699525d4e3268e25e16e1b8

    SHA1

    65d9070ef5ba0f8dea0face8f3a2c8525111d63e

    SHA256

    cbbf088b87bb798c35e955281026571835656d25c75aa6a994b9fb89e6070bfe

    SHA512

    3717bcf2e929da78b8b1b62e78f81a7171c050ea0fa948f587a7a2ab02a32446d573c613f019df6206461aa7fdc6b4b6fc15a0ce9f58a5438e0b319ed46d7a28

    Download Submit

  • memory/2744-17-0x00000000742F0000-0x000000007489B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2744-38-0x00000000742F0000-0x000000007489B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2744-15-0x00000000742F0000-0x000000007489B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2744-16-0x00000000742F0000-0x000000007489B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2764-27-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2764-49-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2764-61-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2764-33-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2764-30-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2764-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2764-60-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2764-25-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2764-23-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2764-57-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2764-44-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2764-45-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2764-48-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2764-52-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2764-51-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2824-14-0x00000000742F0000-0x000000007489B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2824-1-0x00000000742F0000-0x000000007489B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2824-0-0x00000000742F1000-0x00000000742F2000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2824-2-0x00000000742F0000-0x000000007489B000-memory.dmp

    Filesize

    5.7MB

    Download