Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-08-2024 04:46

General

  • Target

    cc3eddbcaaecb9c3aa935de36d52794a_JaffaCakes118.exe

  • Size

    236KB

  • MD5

    cc3eddbcaaecb9c3aa935de36d52794a

  • SHA1

    1cfc3b467c7d821ce8f8d2b165075f80956ca405

  • SHA256

    eb15fc02eb127af8c491bf22f234690d8e7581028b6f4cba8a0fc45b186d0553

  • SHA512

    79d8d25ade1381ddadd1606179a6d007d62499bb173187cb822574485397b01bf0ccc9e0797783072e6e863e388438886ac2107be6ed75b87603ef255d4e7dbf

  • SSDEEP

    6144:Kx04/K////////hcmFeiZPBXmKcpCtwyEaDGRZL1MsMyrShpyHIBI/////MFK/F:KocmMitvcpCtF6RZL1M3gIyHIa

Malware Config

Extracted

Family

latentbot

C2

joshdarkcomet.zapto.org

1joshdarkcomet.zapto.org

2joshdarkcomet.zapto.org

3joshdarkcomet.zapto.org

4joshdarkcomet.zapto.org

5joshdarkcomet.zapto.org

6joshdarkcomet.zapto.org

7joshdarkcomet.zapto.org

8joshdarkcomet.zapto.org

Signatures

  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

  • Modifies firewall policy service (3 TTPs, 8 IoCs)
  • Adds policy Run key to start application (2 TTPs, 2 IoCs)
  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • UPX packed file (13 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Uses the VBS compiler for execution (1 TTPs)
  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Suspicious use of SetThreadContext (2 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTPs, 12 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key (1 TTPs, 4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (38 IoCs)
  • Suspicious use of SetWindowsHookEx (5 IoCs)
  • Suspicious use of WriteProcessMemory (54 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\cc3eddbcaaecb9c3aa935de36d52794a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\cc3eddbcaaecb9c3aa935de36d52794a_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2760
    • C:\Users\Admin\AppData\Local\Temp\cc3eddbcaaecb9c3aa935de36d52794a_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\cc3eddbcaaecb9c3aa935de36d52794a_JaffaCakes118.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2644
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      2⤵
      • Adds policy Run key to start application
      • Boot or Logon Autostart Execution: Active Setup
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2740
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2636
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1488
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2680
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1624
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2688
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:848
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\iexplorer.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\iexplorer.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1988
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\iexplorer.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\iexplorer.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1496

Network

  • [US] DNS joshdarkcomet.zapto.org (vbc.exe)
    Remote address: 8.8.8.8:53
    Request: joshdarkcomet.zapto.org IN A
    Response:
  • [US] DNS 1joshdarkcomet.zapto.org (vbc.exe)
    Remote address: 8.8.8.8:53
    Request: 1joshdarkcomet.zapto.org IN A
    Response:
  • [US] DNS 2joshdarkcomet.zapto.org (vbc.exe)
    Remote address: 8.8.8.8:53
    Request: 2joshdarkcomet.zapto.org IN A
    Response:
  • [US] DNS 3joshdarkcomet.zapto.org (vbc.exe)
    Remote address: 8.8.8.8:53
    Request: 3joshdarkcomet.zapto.org IN A
    Response:
  • [US] DNS 4joshdarkcomet.zapto.org (vbc.exe)
    Remote address: 8.8.8.8:53
    Request: 4joshdarkcomet.zapto.org IN A
    Response:
  • [US] DNS 5joshdarkcomet.zapto.org (vbc.exe)
    Remote address: 8.8.8.8:53
    Request: 5joshdarkcomet.zapto.org IN A
    Response:
  • [US] DNS 6joshdarkcomet.zapto.org (vbc.exe)
    Remote address: 8.8.8.8:53
    Request: 6joshdarkcomet.zapto.org IN A
    Response:
  • [US] DNS 7joshdarkcomet.zapto.org (vbc.exe)
    Remote address: 8.8.8.8:53
    Request: 7joshdarkcomet.zapto.org IN A
    Response:
  • [US] DNS 8joshdarkcomet.zapto.org (vbc.exe)
    Remote address: 8.8.8.8:53
    Request: 8joshdarkcomet.zapto.org IN A
    Response:
  • 8.8.8.8:53
    joshdarkcomet.zapto.org
    dns
    vbc.exe
    69 B
    129 B
    1
    1

    DNS Request

    joshdarkcomet.zapto.org

  • 8.8.8.8:53
    1joshdarkcomet.zapto.org
    dns
    vbc.exe
    70 B
    130 B
    1
    1

    DNS Request

    1joshdarkcomet.zapto.org

  • 8.8.8.8:53
    2joshdarkcomet.zapto.org
    dns
    vbc.exe
    70 B
    130 B
    1
    1

    DNS Request

    2joshdarkcomet.zapto.org

  • 8.8.8.8:53
    3joshdarkcomet.zapto.org
    dns
    vbc.exe
    70 B
    130 B
    1
    1

    DNS Request

    3joshdarkcomet.zapto.org

  • 8.8.8.8:53
    4joshdarkcomet.zapto.org
    dns
    vbc.exe
    70 B
    130 B
    1
    1

    DNS Request

    4joshdarkcomet.zapto.org

  • 8.8.8.8:53
    5joshdarkcomet.zapto.org
    dns
    vbc.exe
    70 B
    130 B
    1
    1

    DNS Request

    5joshdarkcomet.zapto.org

  • 8.8.8.8:53
    6joshdarkcomet.zapto.org
    dns
    vbc.exe
    70 B
    130 B
    1
    1

    DNS Request

    6joshdarkcomet.zapto.org

  • 8.8.8.8:53
    7joshdarkcomet.zapto.org
    dns
    vbc.exe
    70 B
    130 B
    1
    1

    DNS Request

    7joshdarkcomet.zapto.org

  • 8.8.8.8:53
    8joshdarkcomet.zapto.org
    dns
    vbc.exe
    70 B
    130 B
    1
    1

    DNS Request

    8joshdarkcomet.zapto.org

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\iexplorer.exe

    Filesize

    1.1MB

    MD5

    34aa912defa18c2c129f1e09d75c1d7e

    SHA1

    9c3046324657505a30ecd9b1fdb46c05bde7d470

    SHA256

    6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

    SHA512

    d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

  • memory/2644-23-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize 460KB)
  • memory/2740-32-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize 460KB)
  • memory/2740-40-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize 460KB)
  • memory/2740-6-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize 460KB)
  • memory/2740-4-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize 460KB)
  • memory/2740-9-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize 460KB)
  • memory/2740-34-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize 460KB)
  • memory/2740-45-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize 460KB)
  • memory/2740-33-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize 460KB)
  • memory/2740-37-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize 460KB)
  • memory/2740-31-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize 460KB)
  • memory/2740-27-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize 460KB)
  • memory/2740-29-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize 460KB)
  • memory/2744-26-0x0000000074B10000-0x00000000750BB000-memory.dmp (Filesize 5.7MB)
  • memory/2744-8-0x0000000074B10000-0x00000000750BB000-memory.dmp (Filesize 5.7MB)
  • memory/2760-2-0x0000000074B10000-0x00000000750BB000-memory.dmp (Filesize 5.7MB)
  • memory/2760-0-0x0000000074B11000-0x0000000074B12000-memory.dmp (Filesize 4KB)
  • memory/2760-25-0x0000000074B10000-0x00000000750BB000-memory.dmp (Filesize 5.7MB)
  • memory/2760-24-0x0000000074B10000-0x00000000750BB000-memory.dmp (Filesize 5.7MB)
  • memory/2760-1-0x0000000074B10000-0x00000000750BB000-memory.dmp (Filesize 5.7MB)
