General

  • Target

    e37eb3092d8fa42f9ae201a0228e4100_JaffaCakes118

  • Size

    568KB

  • Sample

    240915-2hf7cawblf

  • MD5

    e37eb3092d8fa42f9ae201a0228e4100

  • SHA1

    8b3ded6ed64bb66ca7e5cdab8958646fa978aa75

  • SHA256

    b14e71d5bcad365216db8480e29b7b8dc8182c07e72a287fa470e08de0d9c20e

  • SHA512

    df14d17dca662b29317c11adba30a945a364d17bc0516edb6224c8874c17d8cfdad671ad8ab433aaf8b76137d62d82cfd88c52943ed3e9c4c0ab8d51cfb45ea3

  • SSDEEP

    12288:dPg3IWCxPUcpBhHtMBA07i2bGSJxAAITfhnFVel9AMi:dg2tUcpRVai2z0xdnFVel9c

Malware Config

Extracted

Family

latentbot

C2

1xxxdarkxxx.zapto.org

2xxxdarkxxx.zapto.org

3xxxdarkxxx.zapto.org

4xxxdarkxxx.zapto.org

5xxxdarkxxx.zapto.org

6xxxdarkxxx.zapto.org

7xxxdarkxxx.zapto.org

8xxxdarkxxx.zapto.org
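The eight C2 hostnames above follow one pattern (a digit 1-8 prefixed to the same dynamic-DNS name), which makes them easy to hunt for in DNS telemetry. The following is an added example, not part of the sandbox report: a small Python matcher that scans Zeek-style dns.log lines (tab-separated ts, id.orig_h, query; the log lines are constructed for this example), normalises each query (case, trailing dot), reports an exact hit on the listed hosts, and reports a lower-confidence "variant" hit for any other numeric prefix on the same base name. The variant rule is an assumption about how the operator numbers hosts, not something the report states.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# The eight C2 hostnames extracted from the LatentBot config in the report.
C2_HOSTS = frozenset(f"{n}xxxdarkxxx.zapto.org" for n in range(1, 9))

# Assumption (not from the report): the operator may add further numbered
# hosts on the same base name, so flag any digit-prefixed sibling separately.
C2_VARIANT = re.compile(r"^[0-9]+xxxdarkxxx\.zapto\.org$")


@dataclass(frozen=True)
class Hit:
    ts: str
    client: str
    query: str        # query as it appeared in the log
    confidence: str   # "exact" for a listed host, "variant" for a numbered sibling


def normalise(query: str) -> str:
    """Lower-case the name and strip a trailing root dot so 'HOST.' == 'host'."""
    return query.strip().rstrip(".").lower()


def classify(query: str) -> Optional[str]:
    q = normalise(query)
    if q in C2_HOSTS:
        return "exact"
    if C2_VARIANT.match(q):
        return "variant"
    return None


def scan_dns_log(lines: Iterable[str]) -> List[Hit]:
    """Scan tab-separated 'ts<TAB>client<TAB>query' lines; skip comments/blanks."""
    hits: List[Hit] = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 3:
            continue  # malformed record; ignore rather than crash the sweep
        ts, client, query = fields[0], fields[1], fields[2]
        conf = classify(query)
        if conf is not None:
            hits.append(Hit(ts, client, query, conf))
    return hits


def affected_clients(hits: Iterable[Hit]) -> Set[str]:
    """Hosts that resolved any of the C2 names; these are the triage candidates."""
    return {h.client for h in hits}


# Constructed sample log (not real telemetry): one clean lookup, two listed
# hosts (one upper-cased with a trailing dot), one numbered sibling, and the
# bare dynamic-DNS parent, which must not match.
SAMPLE_LOG = "\n".join([
    "#fields\tts\tid.orig_h\tquery",
    "1726440001.1\t10.0.0.25\t1xxxdarkxxx.zapto.org",
    "1726440002.3\t10.0.0.25\twww.example.com",
    "1726440003.7\t10.0.0.40\t3XXXDARKXXX.ZAPTO.ORG.",
    "1726440004.2\t10.0.0.25\t9xxxdarkxxx.zapto.org",
    "1726440005.0\t10.0.0.31\tzapto.org",
])

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG.splitlines()):
        print(f"{hit.ts} {hit.client} -> {hit.query} [{hit.confidence}]")
    print("clients to triage:", sorted(affected_clients(scan_dns_log(SAMPLE_LOG.splitlines()))))
```

Feed it a real dns.log with the `fields` order adjusted to your schema; a "variant" hit is worth a look but should not be blocked on its own, since the report only attests to the eight listed names.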

Targets

    • Target

      e37eb3092d8fa42f9ae201a0228e4100_JaffaCakes118

    • Size

      568KB

    • MD5

      e37eb3092d8fa42f9ae201a0228e4100

    • SHA1

      8b3ded6ed64bb66ca7e5cdab8958646fa978aa75

    • SHA256

      b14e71d5bcad365216db8480e29b7b8dc8182c07e72a287fa470e08de0d9c20e

    • SHA512

      df14d17dca662b29317c11adba30a945a364d17bc0516edb6224c8874c17d8cfdad671ad8ab433aaf8b76137d62d82cfd88c52943ed3e9c4c0ab8d51cfb45ea3

    • SSDEEP

      12288:dPg3IWCxPUcpBhHtMBA07i2bGSJxAAITfhnFVel9AMi:dg2tUcpRVai2z0xdnFVel9c

    • LatentBot

      Modular trojan written in Delphi that has been in the wild since 2013.

    • Modifies firewall policy service

    • Adds policy Run key to start application

    • Adds Run key to start application

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence below the operating system: the modified boot code runs before the OS and any host security tooling are loaded.

    • Suspicious use of SetThreadContext
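Because the sample writes to the MBR, a responder's first check on an affected host is whether the first sector still matches a known-good copy. The following is an added example, not part of the report: Python that parses a classic 512-byte MBR (440 bytes of boot code, 4-byte disk signature at 0x1B8, four 16-byte partition entries at 0x1BE, 0x55AA at 0x1FE) and compares it against a baseline, separating a change in the boot code from a change in the partition table, since a bootkit typically hooks the former and leaves the latter intact so the system still boots. The "clean" and "infected" MBRs are constructed in the block; the boot code bytes are placeholders and are not LatentBot's.

```python
import hashlib
import struct
from typing import Dict, List, Tuple

MBR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0x000-0x1B7: bootstrap code
DISK_SIG_OFF = 0x1B8         # 4-byte disk signature
PART_TABLE_OFF = 0x1BE       # four 16-byte entries
BOOT_SIG_OFF = 0x1FE         # 0x55 0xAA
PART_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count

Partition = Tuple[int, int, int, int]  # (status, type, lba_start, sectors)


def build_mbr(boot_code: bytes, partitions: List[Partition], disk_sig: int) -> bytes:
    """Assemble a classic MBR; used here only to construct test images."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    buf = bytearray(MBR_SIZE)
    buf[:len(boot_code)] = boot_code
    struct.pack_into("<I", buf, DISK_SIG_OFF, disk_sig)
    for i, (status, ptype, lba, count) in enumerate(partitions[:4]):
        # CHS fields are set to 0xFFFFFE (LBA-only marker); parsers ignore them.
        struct.pack_into(PART_FMT, buf, PART_TABLE_OFF + 16 * i,
                         status, b"\xff\xff\xfe", ptype, b"\xff\xff\xfe", lba, count)
    buf[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xaa"
    return bytes(buf)


def parse_mbr(data: bytes) -> Dict:
    """Return the security-relevant fields of a 512-byte MBR image."""
    if len(data) < MBR_SIZE:
        raise ValueError("need at least 512 bytes")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(PART_FMT, data, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 means an empty slot
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "signature_ok": data[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", data, DISK_SIG_OFF)[0],
        "partitions": parts,
    }


def compare_to_baseline(current: Dict, baseline: Dict) -> List[str]:
    """List the ways the current MBR departs from a known-good parse."""
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    if current["disk_signature"] != baseline["disk_signature"]:
        findings.append("disk signature differs from baseline")
    return findings


def read_mbr(path: str) -> bytes:
    """Read the first sector of a raw device or disk image (e.g. /dev/sda, \\\\.\\PhysicalDrive0)."""
    with open(path, "rb") as fh:
        return fh.read(MBR_SIZE)


# Constructed images. The boot code is a placeholder prologue, not real bootkit code.
CLEAN_BOOT_CODE = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * 64
PARTITIONS: List[Partition] = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 1000000)]
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS, 0x12345678)
# "Infected": the first instruction is patched to a short jump, partition table untouched.
INFECTED_MBR = build_mbr(b"\xEB\x3E" + CLEAN_BOOT_CODE[2:], PARTITIONS, 0x12345678)

if __name__ == "__main__":
    baseline = parse_mbr(CLEAN_MBR)
    print("clean vs baseline:", compare_to_baseline(parse_mbr(CLEAN_MBR), baseline))
    print("infected vs baseline:", compare_to_baseline(parse_mbr(INFECTED_MBR), baseline))
```

In practice the baseline comes from a gold image or an identical unaffected machine, and the read has to be done from outside the suspect OS (a live-boot or the imaged disk), because a bootkit that hooks disk I/O can hand a clean sector back to tools running under it.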

MITRE ATT&CK Enterprise v15

Tasks