latentbot | e672d726f213a8cef50e54c695ec080202a1ce5d6242cb43f2cf1e8bcbd4c9bf

General

Target

ebaab581b2ee931e2c37f264f9540d41_JaffaCakes118.exe
Size

1.1MB
MD5

ebaab581b2ee931e2c37f264f9540d41
SHA1

51de89950ec1db8764c8f9d5fe7a3565036ccc59
SHA256

e672d726f213a8cef50e54c695ec080202a1ce5d6242cb43f2cf1e8bcbd4c9bf
SHA512

1eb0c1426f9eefb6837e5a6fdf77ae4f98e7fc383897ed8e25ddcced31c33f9b3e2314818bf060b9473c770e6b6f57f7fd52dedf94abf2e227f8a8b375ebcd88
SSDEEP

24576:VmS5XmqepapmqRsyYtrWmQ3+7oUVj1Ku7WOU3L5fmaw:Vp+ymXsmGuqrQaw

Score

10^/10

latentbot discovery persistence trojan

Malware Config

Extracted

Family

latentbot

C2

yeniceriler.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Executes dropped EXE 1 IoCs

Processes:

lsass.exe

pid	Process
2836	lsass.exe

Loads dropped DLL 3 IoCs

Processes:

ebaab581b2ee931e2c37f264f9540d41_JaffaCakes118.exelsass.exe

pid	Process
2316	ebaab581b2ee931e2c37f264f9540d41_JaffaCakes118.exe
2316	ebaab581b2ee931e2c37f264f9540d41_JaffaCakes118.exe
2836	lsass.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe \""	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ebaab581b2ee931e2c37f264f9540d41_JaffaCakes118.exelsass.execmd.execmd.exereg.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebaab581b2ee931e2c37f264f9540d41_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
2600	reg.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

ebaab581b2ee931e2c37f264f9540d41_JaffaCakes118.exelsass.exe

pid	Process
2316	ebaab581b2ee931e2c37f264f9540d41_JaffaCakes118.exe
2836	lsass.exe
2836	lsass.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

lsass.exe

pid	Process
2836	lsass.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

ebaab581b2ee931e2c37f264f9540d41_JaffaCakes118.exelsass.execmd.execmd.exe

description	pid	Process	procid_target
PID 2316 wrote to memory of 2836	2316	ebaab581b2ee931e2c37f264f9540d41_JaffaCakes118.exe	30
PID 2316 wrote to memory of 2836	2316	ebaab581b2ee931e2c37f264f9540d41_JaffaCakes118.exe	30
PID 2316 wrote to memory of 2836	2316	ebaab581b2ee931e2c37f264f9540d41_JaffaCakes118.exe	30
PID 2316 wrote to memory of 2836	2316	ebaab581b2ee931e2c37f264f9540d41_JaffaCakes118.exe	30
PID 2836 wrote to memory of 2832	2836	lsass.exe	31
PID 2836 wrote to memory of 2832	2836	lsass.exe	31
PID 2836 wrote to memory of 2832	2836	lsass.exe	31
PID 2836 wrote to memory of 2832	2836	lsass.exe	31
PID 2832 wrote to memory of 2852	2832	cmd.exe	33
PID 2832 wrote to memory of 2852	2832	cmd.exe	33
PID 2832 wrote to memory of 2852	2832	cmd.exe	33
PID 2832 wrote to memory of 2852	2832	cmd.exe	33
PID 2852 wrote to memory of 2600	2852	cmd.exe	34
PID 2852 wrote to memory of 2600	2852	cmd.exe	34
PID 2852 wrote to memory of 2600	2852	cmd.exe	34
PID 2852 wrote to memory of 2600	2852	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\ebaab581b2ee931e2c37f264f9540d41_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ebaab581b2ee931e2c37f264f9540d41_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Roaming\lsass.exe
  "C:\Users\Admin\AppData\Roaming\lsass.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\run.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Roaming\lsass.exe \"" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Roaming\lsass.exe \"" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\run.bat

Filesize
143B

MD5
a8d91aa580142ee686b2d5f3eea594a2

SHA1
c8bb4a077c7658599c0a79e7bb6466e2d074d4e7

SHA256
710ab00e3089f3c3a2977bb678308a87d3bfe550efb19f9c542b0b71d4440ec7

SHA512
fab81eb4360d0280b4f4e31f348e566486f5c33900494ca6aaba15deb233e3d02efe1ce53e8ad0725bd75df99d089d6367c097728af1dd83cee54adc08054c1d

Download Submit
C:\Users\Admin\AppData\Roaming\ntldr.dll

Filesize
238KB

MD5
0b3dbeb484b811b80c7b2446ade2fe3d

SHA1
61aba38648814bd458a135bd8b6b71814f881086

SHA256
09c2ca21ad4584cf60b66c442dfda964240f90a691db485c6e37d3eed18b9bce

SHA512
75baee029aee1c563750d0d28df65986df9ad46dc04aa781aa23763bfefccc9787dcb45039961fb5d60f294fe14138ddeda6a6a5ef6a6580ce1ecd786f3fa2f4

Download Submit
\Users\Admin\AppData\Roaming\lsass.exe

Filesize
508KB

MD5
b1ee2759deb955663bf6b2a413396e10

SHA1
ee0ba67250a47a6fb0cf91b7b501446537fdd257

SHA256
f40329aff14a930da8f8cc2e31156dd5dc9c808e41489daeaa4b7c0397cb1373

SHA512
9083497d6496365c56f16b63f2e10ff37829eec4d284de5f7961fb058a41837b9675e60a3c945aaa33d08046e0e0837656c90d3f9996d87b0678568dbf967e6e

Download Submit
memory/2316-13-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/2836-16-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2836-26-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2836-27-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads